Found some info on ProtonMail - apparently it is not that secure. And email in general isn’t either, and neither is GPG/PGP (GPG is an open source implementation of PGP).
End to end encryption not really offered by ProtonMail (as of 2018), proven mathematically. https://eprint.iacr.org/2018/1121.pdf
If the provider holds the keys, it is not secure. Hushmail, Canadian firm handed over all emails to US. https://blog.malwarebytes.com/privacy-2/2021/09/protonmail-hands-users-ip-address-and-device-info-to-police-showing-the-limits-of-private-email/ https://www.techdirt.com/articles/20071108/093110.shtml https://www.wired.com/2007/11/encrypted-e-mai/
Hacker news thread about ProtonMail’s security/privacy https://news.ycombinator.com/item?id=28057433
Metadata not secure for email: https://www.schneier.com/blog/archives/2013/07/protecting_e-ma.html https://www.theatlantic.com/technology/archive/2013/06/email-metadata-nsa/313842/ https://www.nbcnews.com/technolog/take-peek-your-email-metadata-feds-do-6C10569544 The metadata is the most valuable part for the NSA, to build networks of people and then catalog & categorize them as threats or not (threats get more surveillance/hacking).
Problems with E2E email encryption (W3 paper): https://www.w3.org/2014/strint/papers/08.pdf
Problems with PGP: https://latacora.singles/2019/07/16/the-pgp-problem.html https://secushare.org/PGP
Different encryption technologies for email: https://en.wikipedia.org/wiki/Email_encryption https://en.wikipedia.org/wiki/Email_privacy
StartTLS: https://en.wikipedia.org/wiki/STARTTLS
Test for StartTLS support: https://ssl-tools.net/mailservers
GnuPG: https://gnupg.org/
S/MIME: https://en.wikipedia.org/wiki/S/MIME
DIME/Darkmail (founded by Silent Circle & Lavabit): https://darkmail.info/downloads/dark-internet-mail-environment-december-2014.pdf https://www.pcworld.com/article/2059840/silent-circle-lavabit-unite-for-dark-mail-encrypted-email-project.html https://www.wired.com/2014/07/dark-mail-hides-metadata-from-nsa/ https://www.admin-magazine.com/Archive/2015/25/DIME-and-Dark-Mail-seek-to-change-the-world-of-digital-mail
Comparison of “secure” email providers: https://gist.github.com/ciktion82/dd9a52f6d160686dcf4471e488399b62
Even when I used to use ProtonMail, we always PGP encrypted the text even if there really wasn’t anything incriminating either. Always assume everything is insecure, it’s really the only way to protect yourself.
PGP has been audited to death by security researchers (mostly people use the open source GPG, IIRC), and the crypto primitives used nowadays are not the original ones anyways. Beyond that, it’s also used for government communications and so a backdoor would be a huge security risk for them.
If PGP was a government op then why did the government investigate Phil Zimmermann for creating the software?
? I’d love to read more. I haven’t been following PGP stuff for years now but I’d still be interested
Obviously I don’t know the details or particulars of what the activist was doing, but I would venture to suggest that a mistake on his part was to do activity that France disliked while logging in from his own IP, instead of via a VPN or Tor. Defense in depth, and all that.
ProtonMail allows logins through a Tor onion site, after all.
I thought ProtonMail was some kind of CIA honeypot.
Wait, they advertised that they didn’t log IP addresses and then did? What the fuck?
They said they don’t log IP addresses unless ordered to by the Swiss government for a specific individual. And I believe Swiss law allows for the person in question to be notified that their IP addresses are now being logged.
I mean, this all isn’t great but ProtonMail is still gonna be the most private email option available. We don’t have the level of privacy we should have, so we should all act accordingly.