Comment on Proton is transitioning towards a non-profit structure | Proton
Asudox@lemmy.world 4 months agoExactly. There’s no justification for them storing the private key online for “convenience”. And key generation happens in the browser with JS. Which means it is possible to send backdoored JS to easily copy the private key.
endof
Especially with the fact that: 1) deminificafion of the javascript code is not simple 2) you cannot “freeze” the code version you use. Still your computer does allow it ( minus the windows which follows the Microsoft thinking way, kidding about windows updates )
sudneo@lemm.ee 4 months ago
There is a reason: simplicity. Either you do all the key management yourself, which in practice means 98% of the people won’t do it at all, or you implement a solution like they did and increase the risk of a small % (see my other comment) but you cover every customer.
Asudox@lemmy.world 4 months ago
That simplicity introduces lots of security and privacy issues.
sudneo@lemm.ee 4 months ago
Introduces some risks in terms of security. Privacy concerns are extremely minimal, because in any case you don’t control the setup of your other interlocutor(s).
Considering that the realistic alternative is not using anything at all and the fact that you have both options with Proton, it’s a win-win scenario.
Asudox@lemmy.world 4 months ago
One of the biggest risks is when someone knows your password. Your PGP encrypted emails that you want noone to see will be available to the attacker. Whereas if no such thing happened, the attacker wouldn’t be able to decrypt the PGP encrypted emails even if the attacker gained access to your account. Manually encrypting your stuff is better than having some random do it for you. It’s really just a tradeoff. Convenience or security? It’s not even hard to manually encrypt emails.