Paul Cantrell
Given Proton Mail’s fashiness coming out of the woodwork, lots of folks are looking at switching away — but they have a reasonable concern: Aren’t Proton Mail’s privacy features special, different from a normal mail provider?
AFAICT, the answer is yes in •theory•, but you aren’t giving up that much in •practice•.
Short 🧵 surfacing notes I put in a reply — and likely containing inaccurations about Proton Mail, so please correct me if you have better info!
1/
Paul Cantrell
In practice, email is pretty much all encrypted in transit these days (almost all SMTP and IMAP happen over SSL/TLS). You don’t need to worry about random third parties on the internet scanning your emails in transit.
Email, however, is not end-to-end encrypted: your own email provider (Gmail, your ISP, whatever) can see all your messages. Many actively scan your email to profile you. (This also applies to the email providers of the •recipients• of your emails.)
This is the problem Proton Mail claims to fix.
2/
Paul Cantrell
The problem is that Proton Mail can’t fully fix it. Their E2E encryption requires active participation of both the sender and the receiver: https://proton.me/support/password-protected-emails
That means:
- No communication initiated by the other party is going to use it. Your bank account password recovery link isn’t E2E encrypted.
- If you want to keep a conversation you started with a human encrypted, the recipient has to use a clunky web portal to read & reply.
3/
Paul Cantrell
- If the recipient of your communication quotes what you said in a normal email without using the Proton Mail web portal, oops! no longer encrypted.
- They say Proton-to-Proton emails are E2E encrypted, but there has to be an asterisk next to that: their SMTP server •must• get plaintext from my mail client, however briefly.
- And the whole time, you just have to trust that this apparently fash-friendly company’s opaque software is doing what they say it’s doing.
4/
Paul Cantrell
I honestly see no advantage of Proton Mail over just saying “let’s take this conversation to a secure platform (e.g. Signal).” And if you do that, you’re using a protocol that was actually •designed• for E2E encryption instead of trying to bolt it on the side.
I am not a Proton customer, so I may be missing something here. Am I?
If I do understand correctly, it seems like the security benefit of Proton Mail is mostly theoretical, weak sauce in practice.
5/
Paul Cantrell
In particular, if you use Proton Mail, a hostile government wants to surveil your email, and Proton Mail (with its quisling CEO) decides to oblige:
- They can still surveil everything sent to you by other parties.
- They can still surveil anything you compose in your email client (e.g. Mail app on your phone).
- They can still backdoor their own product offerings (which is likely to go undetected without an open protocol with multiple clients).
- I suspect (but don't know) that their architecture that supports webmail also makes blanket surveillance possible.
6/
Paul Cantrell
Here’s an in-depth analysis of Proton Mail’s security architecture as of 2021:
https://eprint.iacr.org/2018/1121.pdf
It’s highly technical, but here’s the headline: “As it stands, ProtonMail does not meet its self-professed security goals when these are subjected to analysis.”
Maybe they’ve fixed things since 2021 — but fundamentally, Proton Mail is trying to make a pig fly here; email protocol just weren’t designed for E2E encryption. There will always be leaks, slips, gaps.
7/
Paul Cantrell
You might like Proton Mail because of quality of service, or privacy policy, or not hosted in the US, or other reasons like that. Fine.
But AFAICT, there is not a compelling technical argument for their service •in realistic practice• being significantly more secure or resilient to server-side surveillance than any other credible email provider.
Again, if somebody with deeper knowledge of Proton Mail’s technical guts has better info, please let me know.
/end
Paul Cantrell
@PublicWolf
Pobox, since the late 90s (!), which was bought by Fastmail in 2015 and has remained excellent since then.
Wolf 2.0
@inthehands Thank you for that well-composed thread.
May I ask what you use for email?
John Mark Ockerbloom
@inthehands Not only is email not technically designed for E2E, it's not really socially designed for it. Given that email addresses get shared with various people and organizations, and they're common vectors for spam, phishing, and the like, I'd assume most email users *want* their ISP to be able to scan and filter that stuff out, rather than try to do it themselves. But that means it can't be E2E, and the users have to have a certain level of trust in their ISP.
Paul Cantrell
@nesaro
Indeed.
https://hachyderm.io/@inthehands/113838859295776093
nesaro
@inthehands A few reasons I use protonmail (I might be wrong):
* android apps apk available
* Swiss based not US based
* Their privacy policy doesn't have marketing/profiling
But obviously disappointed with the CEO positions.
Paul Cantrell
@greycat
Sure. You probably know more than I do on the topic, so please correct anything I posted that looks sus.
Picks
@inthehands@hachyderm.io as a former email quasi-professional I've always had some concerns along these lines, so thanks for this thread!
Stu
@inthehands I wasn't sure where in this thread to reply, but I was told yesterday that the "secret sauce" bit to Proton (and Tuta) is that only you have the decryption key to read the contents of your email. For example, I read Tuta's security page yesterday and their email search index is on your machine, because they can't do it.
So, it's slightly better than what is obviously a protocol never intended for private communication. Having said that, I did prefer that my email was sat outside of US jurisdiction (Cloud Act) vs having to go through an international warrant.
Good thread, thanks for putting it together. Email is definitely one of those things that are old enough that people won't know this stuff. That everything is encrypted in transit is something I learned, actually.
Wolf 2.0
@inthehands Thank you! Very kind of you to reply.
I'd been trying to choose between Tuta and Proton, but just yesterday was told of Fastmail.
Thank you again!
Paul Cantrell
@PublicWolf
To be clear: using Fastmail is basically just saying, “feh, email isn’t designed for E2E encryption, I just have to trust my provider.” Which I think is the correct answer, but…just to be clear.
Tuta attempts to solve the same problem as Proton Mail, but is much much more explicit about where the E2E encryption boundary lives. That makes it more annoying, but probably also more secure in practice (because you’re very clear about what is and isn’t encrypted).
Paul Cantrell
@august
Per the security paper above, it’s not clear to me that the secret key really •is• secret from the provider at all times.
Regardless, I would expect that the ingress problem means that a very large portion of traffic is available for subpoena in practice.
August
@inthehands You’re correct that mail ingress / egress is exposed to the email provider, but with E2EE the provider must be intentionally and covertly wiretapping you the whole time. Most companies who receive court subpeonas are able to hand over your entire archive of data at any time, but the scope of what’s available to E2EE providers may be significantly less since your archive is stored with keys they don’t have.
Arp Laszlo • Comics • ADHD
@inthehands I switched to Proton because I didn’t want Google knowing everything about me, and because DIY mail servers are a pita wrt email driver. But I’d consider an alternative if a good one existed. I’ve heard of Tuta but I dunno much about them.
Paul Cantrell
@rommix0
Through the 🎶 magic 🎶 of 🎶 reading 🎶
ROMMIX
@inthehands kinda hard to have a valid opinion about something if you don't use it.
Paul Cantrell
@august
Yeah. I think the difference is that Proton does a lot of work to make the encryption a bit more invisible. I'm not sure that’s a good thing: in a context where lots/most of the traffic isn’t encrypted, creating a more porous boundary between what •is• and what isn't doesn’t seem great.
August
@inthehands Oh that’s a good point, I misunderstood that you were looking at this specific feature, rather than the overall benefit of using an E2EE provider when 99.9% of emails one sends / receives is not E2EE.
idk how their passphrase-locked mail is technically different than something like https://wormhole.app
Paul Cantrell
@august
Exactly. It’s really trust, not technology, that they are selling. That was the core product. And now….
August
@inthehands I completely agree that it’s a weird and niche product category, because there aren’t many people who would pay significantly more for an objectively worse email client experience, under the promise that subverting this ONE confidentiality trust point would result in the complete collapse of their product and that they are full of employees who would whistleblow at the first whiff of it. That trust is a fragile and political thing and Proton’s founder really tarnished it
Paul Cantrell
A very good point from @august here:
https://macaw.social/@august/113839019107602863
Proton Mail’s core product isn’t really technology; it’s •trust•.
And with a few rash words, their CEO has severely damaged that core product.
Yes, it was only a few words — but what else do we have to go on? If they’re doing something shady behind closed doors, we won't know about it under until far, far too late. The best we can do is just assume that where there’s smoke there’s fire.
Paul Cantrell
@sdwilsh
Ah, that is useful, thank you! My understanding had been that the local bridge was optional, but indeed, looks like you •have• to use their mobile app.
Shawn Wilsher
@inthehands I didn't think this is quite correct. They don't have an SMTP server that they host. You can run a bridge locally that let's you use a standard client, but they do not host an SMTP (or IMAP) server.
Chris Mackay 🇨🇦
@inthehands @august As Alex Lindsay pointed out in the latest episode of TWiT (https://overcast.fm/+AAZarRN184U) — in the context of Sonos — trust arrives on foot, but leaves by horse.
Paul Cantrell
@tantramar @august
That’s a great quote.
Sophie Schmieg
@inthehands @august don't forget that in the case of using a web interface, you have no guarantees that the JavaScript sent to you is the same JavaScript that was sent to someone else, or even the same that was sent to you yesterday. So if you want to target an individual, you can just ship a special version of the code that includes a line saying "and now send the private key unencrypted to the NSA", and you're unlikely to ever notice.
With downloaded apps such as signal (even signal desktop), this attack is far more difficult to pull off (but not mitigated fully if you want updates regularly)
Paul Cantrell
@scrottie
Bottom line is (1) you •have• to trust someone somewhere if you want secure communication, and (2) there’s basically no upper limit to the amount of paranoia about technology that can find technical justification if you’re willing to speculate.
I don’t •necessarily• assume, for example, that Broadcomm is backdoored. Passive void “considered” doing a lot of work there; considered by whom? But if I were, say, doing human rights work targeted by a hostile state actor…then yeah, I would have to start working under the assumption that Broadcomm could be compromised. No upper limit.
scrottie (he/him/they)
@inthehands Someone suggested in response to my thread that this might be badjacketing of ProtonMail to shepherd people to less secure things; that makes me wonder if ProtoMail itself wasn't an attack to steer people away from GPG.
scrottie (he/him/they)
@inthehands with things like Signal, the platform you're running it on may be the weakest link. Broadcom etc broadband processors are considered back doored even if you install a 3rd party Android fork and trust the 3rd party app store's apk.
scrottie (he/him/they)
@inthehands That doesn't give you privacy on who you are talking to (and also doesn't guard against disclosure after recipients have decrypted email from you) and the whole identity thing is bad as much as some people like key singing parties. But it isn't a black box, and doesn't attempt to do dodgy key escrow like stuff that ProtonMail does. So maybe I'll go put my public key in my profile or something again. "Move discussion elsewhere" is a good idea but it's also often observed that...
scrottie (he/him/they)
@inthehands Pardon the footnote, and in no way to meant to defend ProtonMail (I did a "fuck ProtonMail" post the other day), but LTS/SSL is great for protecting you from random baddies but not powerful state actors. We believe the NSA has the power to crack the popular recommended ECDSA curves used, and VeriSign has just signed certs for the FBI, which is a massive backdoor. I don't know if GPG/PGP's encryption has held up, but that was what we were using (and some people still do) for E2E email
ShadSterling
@inthehands the basic problem with that kind of “encrypted” “email” is that it’s only one of those at a time; it’s either encrypted end-to-end and delivered some other way, or it’s encrypted per-hop and delivered as email. None of those services do both at once. It should be possible to do both at once using GPG or S/MIME, but for that to actually work every provider would have to handle it well, and AKAIK none do.
It still baffles me that banks haven’t been pushing this
Helge Heß
@inthehands Email has e2ee since essentially forever. The claim it not being designed for this is a little misleading.
Is it supported well? No! Why? Because the vendors either want your data or promote a different platform for secure communication.
Paul Cantrell
@helge
Agreeing in general spirit, is there an e2ee layer for email that’s part of the protocols, and not a bolt-on like GPG?
Paul Cantrell
@fluchtkapsel
As other replies point out, there’s already S/MIME and GPG.
The thing is:
- Any E2EE is a pain, wrecks UX, and most people don’t care enough to put up with it
- Overcoming the UX challenges is a massive tech + design + org lift
- Users don’t care enough and large players have strong incentives against
So, as usual, it’s not just smart people and the right tech; it’s social systems too.
Fluchtkapsel
@inthehands That made me ask myself: If some smart people were to design a secure, E2E supporting, distributed mail system, how would that look? Maybe some people already have and nobody noticed?
Tuta
@nazokiyoubinbou @heymarkreeves @inthehands Tuta is not part of the 5 Eyes; we only hand out data if we receive a warrant from a German judge. Plus, all data is end-to-end encrypted and we can't decrypt it. This might also be of interest to you: https://tuta.com/blog/fourteen-eyes-countries
Tuta
@heymarkreeves @inthehands Thanks for recommending our private email service. Any questions, we're here to help! :)
Nazo
@Tutanota @heymarkreeves @inthehands I have one: what protections do you offer to your users against "Five Eyes"?
Mark Reeves
@inthehands And @Tutanota as another option.
Paul Cantrell
@helge @fluchtkapsel
Larger point stands, but:
> This is like saying Signal is bolted on IPv4
That’s a bit of a strawman. IPv4 isn’t a text messaging protocol. There’s not a default version of Signal-like functionality on IPv4.
The problem with email is that there •is• a de facto default, and it’s insecure. Thus the change friction.
I mean, this was the case with https, and it took how long for https to become the new de facto default?? And that was (I think) an easier problem.
Helge Heß
@fluchtkapsel @inthehands This is like saying Signal is bolted on IPv4 which was never meant to be secure. Sorry, but this is non-sense. Both PGP and S/MIME are perfectly viable and proven standards to provide proper E2EE.
But as usual standards have to be *implemented* and made usable. E.g. Apple has done the former, but didn't invest in the latter.
It works for Signal and WhatsApp because they are silos. That's not necessary w/ email.
Fluchtkapsel
@inthehands I know of those, and the security provided by them is only bolted on a system never meant to be secure. There are so many issues: conflating encryption with authentication, insecure by default, key management, no group recipient encryption support with changing members (e.g. mailing lists), additional devices are hard to authorize.
Looking at instant messengers, modern messengers like Signal or WhatsApp solved a lot of the issues of their predecessors. I'd like to know how mail would look if it were to be designed today with all we know.
Paul Cantrell
@lispi314
CEO made posts about how Dems were too corporate, praised JD Vance and said Republicans are the best hope to rein in big tech or some crap along those lines. Deleted posts but not before torches and pitchforks were out.
LisPi
Paul Cantrell
@tobinbaker
The Proton CEO made posts about how Dems were too corporate, praised JD Vance and said Republicans are the best hope to rein in big tech or some crap along those lines. Deleted posts but not before torches and pitchforks were out.
Tobin Baker
@inthehands Sorry, I don't know the subtext and can't find any recent controversies on google?
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.