Is ProtonMail lying about their encryption? In response to Nadim Kobeissi and LiveOverflow

ProtonMail has risen to be the most popular privacy-focused email provider, acting as the number-one alternative to the advertiser-centered business model of Gmail, Yahoo and other mainstream email providers. Being at the forefront of encrypted email providers, ProtonMail has also recently faced some harsh criticism over its allegedly false security claims, misleading advertising and supposed lack of technical guarantees to protect user data. A security researcher, Nadim Kobeissi, and the YouTuber by the name of LiveOverflow have presented arguments, which they self-proclaim to be nothing less than factual truth, that ProtonMail should drop its webmail service due to the technical limits of a JavaScript-based implementation of PGP encryption in webmail. Since ProtonMail leaves the competition to the Gmail-like privacy-invasive model, coming up with claims that lead people to believe ProtonMail is not what they signed up for raises some serious red flags.

ProtonMail responded to this paper on Reddit, which eventually led to a heated debate between a ProtonMail representative and Nadim himself. Nadim's core argument is that ProtonMail's cryptographic architecture ultimately does not guarantee end-to-end encryption for the majority of users, the majority of users being those who sign into ProtonMail through their website rather than a native app on Android or iOS. Nadim assumes this despite the fact that ProtonMail doesn't release statistics on how their users sign into their accounts. So why should ProtonMail fail to provide the same level of security for their web app as for their smartphone apps? The reason is technical but simple to understand: it's about trust.

ProtonMail provides a user-friendly interface to exchange encryption keys using the PGP protocol, the highest standard available for securing communications today. The problem with PGP was that its implementation used to be too technical and time-consuming for the end user. After the NSA leaks, however, more developers began creating software to make secure PGP encryption available to the masses. That's where services like Signal and ProtonMail came to light. Like ProtonMail, Signal also provides a user-friendly interface for secure end-to-end encryption using PGP, but unlike ProtonMail, Signal doesn't provide a web-based interface. You can use Signal's mobile or desktop apps, but there is no service accessible through a web browser. ProtonMail, offering an email service, started out with a webmail and only later developed mobile apps, and just recently started offering a desktop bridge that works with traditional mail clients.

The problem with ProtonMail's webmail service is that each time you go to sign in to their website, you have to completely trust ProtonMail that the JavaScript your browser runs is correctly implementing PGP and is not trying to steal your private keys and read your messages. This problem is limited with smartphone apps, because each new version of an app has to be
signed by the author and the platform, which in this case is ProtonMail as the author and Google Play Store or Apple App Store as platforms. With mobile apps, users can verify whether they receive the same binary for a particular version as everyone else. Because of the differences in the levels of trust, webmail services are objectively less secure than desktop and smartphone apps, that is, if you expect ProtonMail to try to execute malicious JavaScript that will let them read your emails without being detected.

The fact that webmail is less secure than native apps is not new, and ProtonMail has been saying that from day one. In their threat model article, ProtonMail explains this issue and even openly says that ProtonMail is for average people who want to protect themselves against mass surveillance, but is not for the next Edward Snowden. ProtonMail successfully accomplishes this mission because their servers can't be tapped by the NSA to read plaintext emails, as is the case with Gmail, Yahoo, Apple or Microsoft.

Where ProtonMail and Nadim differ is that Nadim thinks end-to-end encryption is not possible in webmail and ProtonMail should not be calling their webmail end-to-end encrypted. If you're questioning Nadim's choice to single out ProtonMail in his analysis, your skepticism is on point: despite the fact that all of this criticism directed at ProtonMail goes for any web app that offers end-to-end encryption, including popular services like WhatsApp or
Wire, and every webmail service with end-to-end encryption like Tutanota and Mailbox.org, none of that is mentioned in his paper. It's not good practice to make such a general argument that end-to-end encryption is not possible in webmail, direct your criticism at a single provider, and then present your opinion as a well-established fact among industry leaders.

Nadim and LiveOverflow seem to have a problem that ProtonMail mentions end-to-end encryption on their website. Encryption is the first feature they list in their security details, along with zero access to user data, which means "we don't have the technical ability to decrypt your messages and as a result we are unable to hand your data over to third parties. With ProtonMail, privacy isn't just a promise, it is mathematically assured." But other email providers with similar webmail implementations of PGP, like Tutanota and Mailbox.org, also heavily market end-to-end encryption. Mailbox.org even has an article where they explain that it's probably better for non-tech-savvy users to trust the Mailbox.org servers rather than their own smartphones. The point is that email providers like ProtonMail should be free to advertise end-to-end encrypted email while offering a webmail service at the same time. Inviting new users to sign up for an encrypted web app is more likely to lead them to use more secure native apps, and that's OK as long as they are transparent about it, which Mailbox.org, Tutanota and ProtonMail are.

Unfortunately, Nadim is refusing to accept his arguments as opinions on design rather than facts. He even doubles down on this on Reddit, and LiveOverflow backs him up. ProtonMail's argument against the paper is that this is just an opinion, saying that Nadim draws the line here arbitrarily: Nadim's opinion is that, as he writes, "no webmail application could". But that is a bit unfair. This quote is not the root of Nadim's argument. It is quite an extreme position to take, but he takes this position as a result of his argument; this is Nadim's conclusion, and conclusions can be opinions too. It's better if your opinion is based on rigorous research and scientific methods, but it's still an opinion. Considering the fact that Nadim's paper directly links to his business website, where he offers security audits, and that his analysis doesn't state anything new that hasn't been discussed years ago, this paper puts into question his credibility and bias rather than ProtonMail's cryptographic design.

Normally this kind of criticism wouldn't be a major problem, but it's dangerous because it makes some people make false equivalencies between Gmail and ProtonMail when there are fundamental security differences between the two. Google employees and even third-party developers have been reading your Gmail messages; nobody is reading your ProtonMail emails. Google is an NSA partner; ProtonMail is based in Switzerland, outside of US or EU jurisdictions, and partners with no surveillance agency. Emails sent to and from Gmail are still sent as postcards; emails sent to and from ProtonMail are sent as sealed envelopes. Gmail is tracking your online activities outside of Google; ProtonMail doesn't track you.

It's very welcome to have different opinions on security designs. Nadim is free to think that webmail encryption can never be secure enough, and ProtonMail is free to implement end-to-end encryption in webmail as best as they can. The choice of who you trust with what data is up to you. I actually agree with both Signal's and ProtonMail's approaches. I'd rather use ProtonMail for my email account than Gmail at any time, but I choose to use Signal as much as I can when I want to talk to my closest friends and family, because they recognize the limits of webmail security.

ProtonMail and other encrypted email providers are doing an essential service to the world. They are detrimental to the advertising business model of the tech giants; by offering email that is not being read by government agencies, advertisers or company employees, they are helping to make end-to-end encryption mainstream and popular with the masses. Some people still need a web-based email service, and if they want better privacy it's a lot more useful to recommend ProtonMail or Tutanota than to say no webmail is secure enough. The fact is that if you sign up for ProtonMail or Tutanota, you are not being lied to when they say that your end-to-end encrypted emails can't be read by your provider. Technically, ProtonMail or Tutanota could try to trick you into executing malicious JavaScript in their web app, but it's you, the end user, who would have to run it. If you create an account and then never use their web apps but only native apps on your phone or desktop, then the attack surface from your encrypted email provider is largely diminished.

So what can you take away from this? If you need to use email but aren't confident with manually exchanging PGP keys, then use open-source, privacy-focused email services that will handle end-to-end encryption for you. Use native apps instead of web apps whenever you can. But if you need a PGP implementation where you don't have to trust your provider as much, then using Signal is always going to be superior. Whether ProtonMail's, Tutanota's or any other encrypted email service's security design is good enough for you depends on your threat model and opinion, but for making mass surveillance and economical, privacy-invasive advertising unfeasible, they are good enough.