:kitty-cri-screm: :cia

    • LeninWeave [none/use name] · 3 years ago

      Proton literally have a page on their website explaining the instances of them collecting data for the feds lmao. What do people expect? They're a company operating in the legal jurisdiction of a European country.

    • Ithorian [comrade/them, null/void] · 3 years ago

      Yeah that was me. And I'll admit this is some disappointing shit. But all they were able to turn over to the feds was an IP address, they had zero access to the content on the account. Which is a hell of a lot better than most email providers can say. I almost added something about using a VPN in my post because the IP address visibility is a known thing. It even mentioned it in the article I linked.

      But seriously, if you can recommend another email provider that has end-to-end encryption and no ability to track my IP I would love to know. I'll switch immediately.

    • SolidaritySplodarity [they/them] · 3 years ago

      Which is absurd. ProtonMail can easily access your emails if they want to and spend the tiniest of efforts. Fundamentally, you read your emails by decrypting them with a private key. That key is (supposedly) unlocked via your password. They already have the locked private key - they store it for you. All they need to do is also store your password (or a hash of it, if they do that first) - like when you type it into their websites every time you log in. They don't even have to put this functionality in JS, they can just intercept requests in their back end and clip out the password / the hash of it.

      ProtonMail is a third party to which you have to give credentials and you are trusting them to not do these things and "trust me bro" is generally bad security.

      A properly secure version would require the use of an open source native client whose releases are signed and verifiable. The client would fetch emails (better hope the senders use encryption) and you would unlock them with a private key that ProtonMail has never and will never see. ProtonMail claims to do something like this in your browser but cannot make such ironclad guarantees about signed releases, thus ensuring that any snooping code would be revealed and noticed by others as part of any release.
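
Added example, not part of the thread and not Proton's code: a minimal model of the trust argument in the comment above, where a private key is stored wrapped under the account password. The wrapping scheme (PBKDF2 with a SHA-256 keystream and HMAC as a stdlib stand-in for a real cipher), all function names, and the sample key and password are assumptions made for illustration.

```python
import hashlib, hmac, os

ITERATIONS = 100_000  # constructed value for the demo

def _derive(password, salt):
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]  # (encryption key, MAC key)

def _xor_stream(key, nonce, data):
    # SHA-256 counter-mode keystream: stdlib stand-in for a real AEAD cipher.
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def lock_key(private_key, password):
    """The 'locked private key' a provider stores: the key wrapped under the password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive(password, salt)
    ct = _xor_stream(enc_key, nonce, private_key)
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def unlock_key(blob, password):
    """Return the private key, or None if the password does not match the blob."""
    enc_key, mac_key = _derive(password, blob["salt"])
    want = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(want, blob["tag"]):
        return None
    return _xor_stream(enc_key, blob["nonce"], blob["ct"])

def can_recover_key(holdings):
    """holdings: what a party has seen, with optional 'blob' and 'password' entries."""
    blob, password = holdings.get("blob"), holdings.get("password")
    if blob is None or password is None:
        return False
    return unlock_key(blob, password) is not None

# Constructed sample data (not real key material).
PRIVATE_KEY = b"-----constructed demo private key material-----"
PASSWORD = "correct horse battery staple"
BLOB = lock_key(PRIVATE_KEY, PASSWORD)

# Three trust models for the same provider, expressed as what it holds.
PARTIES = {
    "stores blob only": {"blob": BLOB},
    "stores blob and sees login password": {"blob": BLOB, "password": PASSWORD},
    "key generated and kept on the client": {},
}

if __name__ == "__main__":
    for name, holdings in PARTIES.items():
        print(f"provider {name}: can recover key = {can_recover_key(holdings)}")
```

The wrapped blob alone reveals nothing usable; confidentiality rests entirely on the password never reaching the party that stores the blob.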