An Analysis of the ProtonMail Cryptographic Architecture

So, some dude made a paper about Protonmail's security and they aren't happy about it.

Reddit link with comments from the PM HR and the paper's author.

old.reddit.com/r/linux/comments/9yqfao/an_analysis_of_the_protonmail_cryptographic/


oh look, more FUD and a link to plebbit

I use it as disposable mail in case the temporary mail providers are banned at the specific site I registered to.

t. brainlet

some guy's opinion about webapp security is not a fact

let me guess - it runs in botnet browser

someone on plebbit just figured out that you shouldn't use your encrypted email in botnet browser

old.reddit.com/r/ProtonMail/comments/9yl94k/never_connect_to_protonmail_using_chrome/

>webapp version
wow it's fucking nothing
use bridge or mobile client

this thread is antisemitic

sir do the needful and pls delete

I use protonmail because it's comfy. Email is not secure and never will be because retards don't know how pgp works.

oh look another anti shill campaign against protonmail i am very shocked

>I'm just quoting other people and don't actually know anything

Not everyone on Jow Forums is permanently retarded, just most. Glow in the darks have hooks in and/or between every major provider. Unless you're doing protonmail -> protonmail you're almost certainly getting sniffed, and even then I wouldn't rely on it 100%. Encrypting and signing your mail with pgp and distributing your public key in person or on a known secure side channel is still the easiest way to guarantee the highest level of privacy when using email.

it's not secure because of push model instead of pull model

>inb4 Protonmail Electron app to replace the webapp
the future gets brighter every day

How fucking retarded are you? No. It's not secure because 99% of the mail you receive came from outside protonmail's servers, so they weren't encrypted with your public key. Push/pull has nothing to do with it. Push can be easily implemented while maintaining secrecy.

well protonmail is way more secure than outlook & gmail so i don't fucking care.

mailfence.com/en

Less known, supports pgp
Small down to earth Dev team

proton has the most paid shills of any vpn/email provider.

>using meme mail provider with no encryption instead of using any botnet provider with PGP
The state of neo/g/

Actually or is this just one more scam

>a simple bug triggers translation
>HURRRRR THEY ARE SPYING ON US
Why are these people so asininely stupid?

What kind of email provider doesn't support PGP?
>paid
Nothing is stopping you from using PGP with Protonmail. What do you recommend, user?

Ok so if I understand it correctly, the protonmail devs say your mail is secure even if the servers are compromised, yet if the servers were compromised, then they could send you some malicious javascript that steals your private key as soon as you log in, because there is no way to verify the integrity of a webapp. Is that right?

>using anything other than cock.li
you faggots don’t deserve to post here

if you use gpg + mutt with gmail it literally doesn't fucking matter if google can read the data or not, because they can't decrypt it.

If you're worried about your normiebook emails going there or whatever just get fasmail or something. This whole cuck-ton mail thing was for dumb normies who want to play mr robot since the beginning.

>Hi, ProtonMail team here. We have responded to this more fully here: reddit.com/r/ProtonMail/comments/9yqxkh/an_analysis_of_the_protonmail_cryptographic/

>The short version is the following:

>The key question being debated is whether or not web applications can constitute end to end encryption. Nadim's opinion (and it's just an opinion) is that, "no webmail-style application could". His viewpoint is that E2EE is not possible with web clients, period, end of discussion. This is a rather extreme position to take as it would also apply to the web versions of Whatsapp or Wire, for instance.

>ProtonMail, like Whatsapp and Wire, offers apps on Linux, Windows, MacOS, iOS, and Android. Like Whatsapp and Wire, we also offer a web app. The major opinion Nadim is expressing here is that we should offer all the above, minus the web-app, because in his opinion, you can't do end-to-end encryption in a webapp. Obviously Whatsapp and Wire do not share this opinion, and neither do we.

>Our position is that the modern internet user demands a webapp, and we don't believe the threat model of web-apps is so fundamentally different from an iOS app, that we need to take the step of not offering a web-app at all.


Tldr OP is a fag. Both OPs.

Improvements go in small steps. If you use protonmail rather than Gmail you are already on the right path.

Stop complaining and help your fellow users.

>botnetmail is as """secure""" as whatsapp.

Are ProtonMail in full damage control mode after getting hacked? Luckily I only use them to sign up my fake insta accounts. What kind of actual retard expects a meme company to be secure.

t. JIDF

What's more surprising about this whole ordeal is seeing how many zealous fans this service has.

>using proprietary placebo is the right path to security.
There's nothing inherently wrong with using botnets like Gmail if you make sure nothing ever leaves your machine unencrypted.
You should never trust some meme service to do your security for you.

>after being hacked

Yeah and I hacked the pentagon, the Iranian missile program, and your mom.

Making funnies to not have to discuss the intricacies of getting hacked. Sign of nervousness.

How much are they paying you to tell people protonmail got hacked?

Oh that's right $20. They literally pay $20 in bitcoin to tell people they hacked protonmail. So legitimate.

>minimum 7 characters
why

What if that was actually a false flag by protonmail themselves in order to make people disregard any actually real hacks or privacy issues?


You crazy bruh. Damage controller game on fleek bruh. GG

>tfw user hacked ZOG and antiZOG and other user's mom
true lawful chaotic

They do this in every thread that pops out in leddit.

I know, it looks incredibly suspicious, an innocent company wouldn't be CTRing the fuck out leddit and the chanz.

You're right.
But they're actually paid to seed fud

The problem is fucking nobody uses pgp so your mail will be unreadable to everyone and nobody will encrypt the mail sent to you.

Are you clinically fucking retarded? The answer is yes. If you give people a gmail address they will send you unencrypted email guaranteed. Even if everything is encrypted, Google is still capturing metadata like who you communicate with, how much email you send, what times of day you send it, the size of messages, etc. If you use the botnet at all, they're using you back.

making me sad desu chief

Is this really better? It doesn't seem open source but it is cheaper and has a calendar.

The concept of ProtonMail doesn't even fucking work. If they don't have your password, how the fuck do they encrypt your incoming mail in a way that they can't read it anymore afterwards? Not even public encryption can solve that.

what the fuck is asymmetric encryption anyway lol sounds gay

>communicates with people who don't use encryption and calls other people retarded.
Also
>somehow implying that the protonmail botnet (the subject of the thread) doesn't collect metadata.
If you're concerned with metadata leakage, then obviously you're on a different threat model, against which anything but self-hosted email fails.
By the way, I didn't advocate for using Gmail, and I don't personally use it myself. I was merely pointing out that to get message content confidentiality, the email provider is irrelevant.
But if you are communicating with people who don't use encryption, you've already lost.

When mail comes in, it's not encrypted because email is total shit (unless you're sending protonmail -> protonmail in which it's end to end encrypted). Protonmail immediately encrypts the message with your public key on arrival and doesn't store a plaintext copy. Your private key is encrypted symmetrically with the mailbox password, so once the message has been encrypted they can't decrypt it.
The worry is that since the client is doing the decryption of the private key, and a web client could easily be compromised by xss or on the server, the web client is inherently insecure. I agree, use the mobile app or desktop bridge instead.

>My bank
>My attorney
>Political mailing lists
>My family
>My non-autistic friends
>Essentially every single service ever
Don't be a retard. Nobody encrypts their mail. Protonmail isn't selling my metadata for profit because I pay them not to. I don't self host because it's a royal pain in the ass to stay off block lists even if you're not sending spam. All I really care about is that the provider isn't storing plaintext mail, and they promise to not sell me out to advertisers. There are many services which fill these requirements, I just happen to use pm.

>opinion
ProtonMail team detected? He does a pretty good job putting everything together.

No, he didn't. Dude clearly is trying to hurt their reputation with unfounded allegations.

>We also thank music composer Toby Fox for motivating this work

>Our position is that the modern internet user demands a webapp
based on fucking what


>communicates with people who don't use encryption and calls other people retarded.
Absolutely 1337 and h4xx0r-pilled.


Nazis and anti-semites are not welcome on Jow Forums.