Comment on Proton is transitioning towards a non-profit structure | Proton
Asudox@lemmy.world 2 months agoYou upload your private key to the cloud. Encrypted or not, this is a bad idea. No thanks. They can do the signing with my public key and then I’ll do the decryption with my own private key locally without them storing it.
sudneo@lemm.ee 2 months ago
An encrypted key is a useless blob. What matters is the decryption key for that key, which is your password (or a key derived from it, I assume), which is client side.
They can’t sign with your public key. Signing is done using your private one, otherwise nobody can verify the signature.
Either way:
You can do it using the bridge, exactly like you would with any client-side tooling.
endofline@lemmy.ca 2 months ago
It’s still insecure. They decryption process is still in the proton company hands and they could add some client specific code to log the password on the fly. Proton is obliged to follow the swiss law and I can imagine situation that police asks proton (+ gag order ) to log certain data for specific clients like passwords and ips. Still private keys are better to be stored separately. You can sync them easily if you with with either rsync or rclone
sudneo@lemm.ee 2 months ago
It’s not “insecure”, it’s simply a supply chain risk. You have the same exact problem with any client software that you might use. There are still jurisdictions, there are still supply chain attacks. The posture is different simply by a small tradeoff: business incentive and size for proton as pluses vs quicker updates (via JS code) and slower updates vs worse security and dependency on a handful of individuals in case of other tools.
Any software that makes the crypto operations can do stuff with the keys if compromised or coerced by law enforcement to do so.
In any case, if this tradeoff doesn’t suit you, the bridge allows you to use your preferred tool, so this is kinda of a moot point.
The main argument for me is that if you rely on mail and gpg not to get caught by those who can coerce proton, you are already failing.
endofline@lemmy.ca 2 months ago
I used bridge for many years. It was totally unusable - 1) you cannot delete emails with it ( deleted emails were coming back ), 2) synchronization issues so it made me move to another “plain and simple” email provider offering pop3 and imap and also gpg integration ( but without that e2e hype talk )
Asudox@lemmy.world 2 months ago
Exactly. There’s no justification for them storing the private key online for “convenience”. And key generation happens in the browser with JS. Which means it is possible to send backdoored JS to easily copy the private key.
sudneo@lemm.ee 2 months ago
There is a reason: simplicity. Either you do all the key management yourself, which in practice means 98% of the people won’t do it at all, or you implement a solution like they did and increase the risk of a small % (see my other comment) but you cover every customer.
endofline@lemmy.ca 2 months ago
Especially with the fact that: 1) deminificafion of the javascript code is not simple 2) you cannot “freeze” the code version you use. Still your computer does allow it ( minus the windows which follows the Microsoft thinking way, kidding about windows updates )
Asudox@lemmy.world 2 months ago
Yeah mb. Mixed private keys with public keys. Edited original comment.