I’ve been using Proton Mail and VPN for a while now, and I’m just wondering how everyone else feels about them. I have this kind of inherent alight distrust of them just because they seem like they offer a lot for free and kind of have a Big Tech vibe about them, but there’s nothing for me to really substantiate that distrust with, its mostly just a feeling. That being said, I do use their services as mentioned and they work pretty well, even on the free teir. So aside from that one instance where they gave that guy’s info to the feds, is there any reason not to trust them with my data?

  • hperrin@lemmy.world
    link
    fedilink
    arrow-up
    5
    arrow-down
    1
    ·
    edit-2
    1 year ago

    You very much do have to trust them. They make the client you’re using.

    If someone injects malicious code into their client, it can transmit your mail unencrypted, or even just transmit your private key. Will they inject malicious code into their own client? Almost definitely not. The chances are basically zero. But if they get hacked and someone else does, then it’s the same result.

    Also, unless all email you receive is encrypted with OpenPGP, you’re still trusting ProtonMail to encrypt it for you before they put it in their database.

    So yes, you still have to trust them.

      • hperrin@lemmy.world
        link
        fedilink
        arrow-up
        3
        ·
        edit-2
        1 year ago

        Tor Browser only protects your IP address.

        Emails received from outside senders are only end to end encrypted if the sender is using OpenPGP or S/MIME. Otherwise, Proton receives them in plain text (the TLS encryption is terminated at their SMTP server). They promise that they don’t look at them before encrypting them for storage, but you have to trust that promise.

        Injecting malicious code means either XSS or if their build pipeline gets hacked. These companies release builds through a pipeline (usually download source -> download dependencies -> build from source -> package -> sign -> notarize (for Apple) -> release), and anywhere along that pipeline can be vulnerable. They might update a dependency that got hacked and now they’re hacked too. One of their build servers might get hacked and now they’ve released a malicious build. You’re trusting them to verify not only their code and their build servers, but also every dependency update. That’s potentially millions of lines of code per year to vet. It’s probably fine, but you’re still trusting them.

        As for whether an attack is their fault, it really doesn’t matter. The end result is your leaked data. They could do everything they possibly can to protect you, but they could still get hacked. You are trusting them when you use their service. I believe they’re trustworthy, which is why I’ve been using their service for years.

        A note about me: I know all of this because I have worked in big tech for ~11 years (Facebook, Google, then LinkedIn), I wrote an end to end encrypted messenger (called Tunnelgram, now discontinued), and I wrote my own email service over the past two years (called Port87).

    • mo_ztt ✅@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      arrow-down
      1
      ·
      1 year ago

      Wait… okay, I think we’re talking about two different things.

      Emails you send or receive are not private. End of story. That’s nothing to do with the provider; they’re just not. SMTP is from the stone age of internet when nothing was private, and the attempts to graft a layer of encryption on top of it are from the bronze age, when encryption wasn’t very standardized or well-tested against real threats, and all of that shows. Even if you put a significant amount of work into grafting full end-to-end PGP encryption on top of the best your provider can do to keep your emails private, it doesn’t work. Emails are not private.

      What I assumed you were interested in was in separating your non-private collection of emails from your real world identity. Proton + Tor will do that, bang on. If you’re trying to send and receive messages which are genuinely private, use one of the fairly good options which can do that (Signal or Matrix maybe). If you’re trying to send and receive your non-private emails without it being linked to your real world identity, use Proton + Tor. If you’re trying to send and receive SMTP emails without people being able to read them, you need to rethink what you want, because you’re not going to be able to get that.

      • hperrin@lemmy.world
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        Proton can be anonymous, yes, just like every other email service. I think OP was wondering more about how they protect your privacy when you’re using them non-anonymously. I could be wrong though.

        But yeah, don’t use email if you don’t trust your email provider. Setting up your own email server for receiving mail isn’t too hard. Most ISPs don’t block incoming traffic on port 25, only outgoing traffic. It’s the sending part that sucks when you run your own server. Even if your ISP doesn’t block outbound port 25, your IP is probably already on several spam blacklists. :(

        • mo_ztt ✅@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 year ago

          But yeah, don’t use email if you don’t trust your email provider.

          Not sure how much more I can simplify this: The “if you don’t trust your email provider” has no place in this sentence. Don’t use email if you need the content of your messages to be private. If someone’s looking at Proton because they think it’ll keep their emails private, then yes, that’s a bad idea. But that’s not because of the “Proton” part of that sentence; it’s because of the “emails” part, and setting up your own SMTP service will do nothing to remedy that (in fact it’ll make things worse because it’ll put your own IP address into the “Received-By” headers of every email you send out).

          • hperrin@lemmy.world
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            If you’re communicating with someone you know who’s also running their own email server, there is no problem with using email. Email is a good protocol, and it runs over TLS.

            • mo_ztt ✅@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              ·
              1 year ago

              I’m not trying to argue or anything, but I think you should read this for a quite good overview of the issues involved with trying to secure SMTP email. You can also read any number of expert opinions saying the same thing, if you don’t believe me or that article.

              If you’re communicating with someone you know who’s also running their own email server, there is no problem with using email.

              So, basically, never. I’ve run several SMTP servers in my time. I’m having trouble thinking of an example of when I might have been communicating from one of them to someone else who also ran their own secure SMTP server. If you’re trying to set up a secure end-to-end communication channel with one specific person which involves work on both your ends, it’d be way easier and more secure to use some other transport protocol at that point.

              Email is a good protocol

              It is. 100%. Sorry if I gave the impression I didn’t think it was. For all its age and some amount of minor stone-age baggage it brought with it, SMTP is genuinely quite well-designed and still serves its purpose 43+ years later, which is incredibly impressive. That purpose is, insecure but reliable and interoperable communication.

              it runs over TLS.

              Yeah, so does your HTTP connection with Proton. That doesn’t mean the end-result system keeps your messages secure, any more than using HTTPS means Proton is secure.

              You can read the article I linked to above, but basically the short version is that email is by the design of the protocol subject to being stored or transmitted unencrypted at various intermediate places as it’s being sent around, in ways that are by the design of the protocol impossible to prevent.

              You’re not required to agree with me; you can think what you want, but that’s how I see it.

              • hperrin@lemmy.world
                link
                fedilink
                arrow-up
                1
                ·
                1 year ago

                I mean, pretty much everything in that article applies to HTTP too. SMTP basically always runs through TLS now. If you ever get anything over an unencrypted connection, it’s almost 100% likely to just be spam. So mostly that article is complaining about your email being unencrypted on your provider’s server. Well, your Facebook messages are stored unencrypted too. So are your Slack messages. And Discord. And Twitter DMs.

                I wrote and run the email service Port87, so I’m pretty familiar with how this all works. Email through a third party is about as secure as any other messenger. It’s not like Outlook.com is any less trustworthy than Discord.

                I don’t need to trust anyone to use Port87, because I wrote it, but my users have to trust me, just like Google’s users had to trust me when I worked there, and Facebook’s users had to trust me when I worked there. You trust thousands of people when you use these companies’ products.

                If someone is looking for end to end encrypted communication, I agree, they are probably better suited by another protocol. SMTP is really good at what it’s designed to do.

                • mo_ztt ✅@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  3
                  ·
                  1 year ago

                  If someone is looking for end to end encrypted communication, I agree, they are probably better suited by another protocol. SMTP is really good at what it’s designed to do.

                  I agree with this. I’ll pretty much leave it at that.