
Is ProtonMail lying about their encryption? In response to Nadim Kobeissi and LiveOverflow

Apr 09, 2020
ProtonMail has become the most popular privacy-focused email provider and acts as a number one alternative to the advertiser-focused business model of Gmail, Yahoo and other major email providers. At the forefront of encrypted email providers, ProtonMail has also recently faced harsh criticism for its alleged false security claims, misleading advertising and alleged lack of technical safeguards to protect user data. Security researcher Nadim Kobeissi and a YouTuber named LiveOverflow have presented arguments, self-proclaimed to be nothing less than factual truth, that ProtonMail should abandon its webmail service due to the technical limits of the JavaScript-based implementation of PGP encryption in webmail. As ProtonMail positions itself as competition to Gmail's privacy-invasive model, claims that lead people to believe that ProtonMail is not what they signed up for raise some serious red flags.

ProtonMail responded to this article on Reddit, eventually leading to a heated debate between a ProtonMail representative and Nadim himself. Nadim's main argument is that ProtonMail's cryptographic architecture ultimately does not ensure end-to-end encryption for most users, the majority of users being those who log into ProtonMail through its website rather than a native app on Android or iOS. Nadim assumes this even though ProtonMail doesn't publish statistics on how its users log into their accounts.

So why doesn't ProtonMail provide the same level of security for its webmail as it does for its smartphone apps? The reason is technical but easy to understand: it's about trust. ProtonMail provides an easy-to-use interface to exchange encryption keys using the PGP protocol, the highest standard available for securing communications today. The problem with PGP was that its implementation was often too technical and time-consuming for the end user. After the NSA leaks, however, more developers began creating software to make secure PGP encryption available to the masses, hence services like Signal and ProtonMail came to light. Like ProtonMail, Signal also provides an easy-to-use interface for secure end-to-end encryption using PGP, but unlike ProtonMail, Signal does not provide a web-based interface. You can use the Signal mobile or desktop apps, but there is no service accessible through a web browser. ProtonMail's email service started with webmail and only later developed mobile apps, and recently began offering a desktop bridge that works with traditional email clients.

The problem with ProtonMail's webmail service is that every time you log in to their website, you have to completely trust ProtonMail that the JavaScript running in your browser implements PGP correctly and doesn't try to steal your private keys and read your messages. This problem is limited with smartphone applications because each new version of an application must be signed by the author and the platform, which in this case is ProtonMail as the author and the Google Play Store or Apple App Store as platforms. With mobile applications, users can check whether they receive the same binary for a particular version as everyone else. Due to these differences in levels of trust, webmail services are objectively less secure than desktop and smartphone applications, that is, if you expect that ProtonMail will try to execute malicious JavaScript that will allow them to read your emails without being detected.

The fact that webmail is less secure than native apps is not new, and ProtonMail has been saying that since day one. In their threat model article, ProtonMail explains this problem and even openly says that ProtonMail is for average people who want to protect themselves against mass surveillance, but it is not for the next Edward Snowden. ProtonMail successfully achieves this mission because the NSA cannot manipulate its servers to read plain text emails, as is the case with Gmail, Yahoo, Apple or Microsoft. Where ProtonMail and Nadim differ is that Nadim says that end-to-end encryption is not possible in webmail and that ProtonMail should not call their webmail end-to-end encrypted.

If you're questioning Nadim's decision to single out ProtonMail in his analysis, your skepticism is on point. Despite the fact that all of this criticism directed at ProtonMail applies to any web application that offers end-to-end encryption, including popular services like WhatsApp or Wire and all webmail services with end-to-end encryption, such as Tutanota and Mailbox, none of that is mentioned in his article. It is not good practice to present such a general argument, that end-to-end encryption is not possible in webmail, direct your criticism at a single provider, and then present your opinion as a well-established fact among industry leaders.

Nadim and LiveOverflow seem to have a problem with ProtonMail mentioning end-to-end encryption on their website. Encryption is the first feature they list in their security details, along with zero access to user data, which means "we do not have the technical ability to decrypt your messages and as a result we cannot hand over your data to third parties. With ProtonMail, privacy is not just a promise, it's mathematically ensured." But other email providers with similar PGP webmail implementations, such as Tutanota and Mailbox, also heavily market end-to-end encryption. Mailbox even has an article where they explain that it is probably better for users who are not tech savvy to trust Mailbox servers instead of their own smartphones. The point is that email providers like ProtonMail should be free to advertise end-to-end encrypted email while also offering a secure webmail service. While inviting new users to register for an encrypted web application, they're more likely to get them to use more secure native apps, and that's fine, as long as they're transparent about it.
Unfortunately, Nadim refuses to accept his arguments as opinions about the design rather than facts. He even doubles down on this on Reddit, and LiveOverflow backs him up. ProtonMail's argument against the article says that this is just an opinion. He says Nadim draws the line here arbitrarily. Nadim's opinion is that, as he writes, no webmail application could do it, but that's a bit of a stretch and unfair. This quote is not the root of Nadim's argument. It is quite an extreme position, but he takes this position as a result of his argument. This is not a topic conclusion. Conclusions can also be opinions. It is better if your opinion is based on rigorous research and scientific methods, but it is still an opinion. Considering the fact that Nadim's document links directly to his company's website, where he offers security audits, and that his analysis does not provide anything new that has not been discussed years ago, this document calls into question its credibility and bias rather than ProtonMail's cryptographic design.
Normally, this type of criticism wouldn't be a major problem, but it is dangerous because it causes some people to make false equivalences between Gmail and ProtonMail when there are fundamental security differences between the two. Google employees and even third-party developers have been reading your Gmail messages; no one is reading your ProtonMail emails. Google is a partner of the NSA; ProtonMail is based in Switzerland, outside of US or EU jurisdictions, and partners with no surveillance agencies. Emails sent to and from Gmail are still sent as postcards; emails sent to and from ProtonMail are sent as sealed envelopes. Gmail tracks your online activities outside of Google; ProtonMail does not track you. Having different opinions and security designs is very welcome. Nadim is free to think that webmail encryption can never be secure enough, and ProtonMail is free to implement end-to-end encryption on webmail to the best of their ability.
The choice of who to trust with what data is up to you. In fact, I agree with both Signal's and ProtonMail's approach. I prefer to use ProtonMail for my email account over Gmail at any time, but I choose to use Signal as much as I can when I want to talk to my closest friends and family because they recognize the limits of webmail security. ProtonMail and other encrypted email providers are providing an essential service to the world. They are instrumental against the tech giants' advertising business model by offering email that is not read by government agencies, advertisers or company employees.

They are helping make end-to-end encryption popular among the masses. Some people still need a web-based email service, and if they want more privacy, it is much more useful to recommend ProtonMail or Tutanota than to say that no webmail is secure enough. The fact is that if you sign up for ProtonMail or Tutanota, they are not lying to you, even when they say your provider can't read your end-to-end encrypted emails. Technically, ProtonMail or Tutanota could try to trick you into running malicious JavaScript in your web application, but it's you, the end user, who would have to run it. If you create an account and then never use their web apps, but only native apps on your phone or desktop, then the attack surface of your encrypted email provider greatly decreases.

So what can you take away from this? If you need to use email and you're unsure about exchanging PGP keys manually, use privacy-focused open source email services that will handle end-to-end encryption. Use native apps instead of web apps whenever you can, but if you need a PGP implementation where you don't have to trust your provider that much, then using Signal will always be superior. Whether the security design of ProtonMail, Tutanota or any other encrypted email service is good enough for you depends on your threat model and opinion, but to make mass surveillance uneconomical and privacy-invasive advertising unworkable, it is good enough.
