I'm just a girl, incrementing the counter on the number of times I have been sent a plaintext email from a Protonmail user telling me that the message is encrypted.
-
I'm just a girl, incrementing the counter on the number of times I have been sent a plaintext email from a Protonmail user telling me that the message is encrypted.
@evacide yeah like, have we stopped pretending encrypted email is actually a viable thing that works and doesn't break apart if you as much as look at it wrong yet? no? O well, I keep hoping the world will learn eventually, but hope is fading fast
-
I'm just a girl, incrementing the counter on the number of times I have been sent a plaintext email from a Protonmail user telling me that the message is encrypted.
@evacide Can you expand on that? ProtonMail loudly claims to be e2e encrypted to me, but the claims seem less than credible if mails is sent to a proton.me address from an unencrypted place like gmail
-
Do you think Proton's marketing is a bit confusing here? They keep saying their emails are encrypted, I assume what they mean is that they keep the info encrypted on their server. And maybe they also use end-to-end encryption if both the sender and recipient are using Protonmail - tho I'm not really sure about this one so correct me if I'm wrong.
@futureisfoss @evacide they definitely don't do as good a job as they used to in explaining the limitations of their encryption setup. They used to be very explicit in their marketing that end-to-end encrypted email only worked between two proton users and that for everything else, the email was just encrypted at rest. The marketing still alludes to that, but it no longer explicitly says it. For email to non-proton users, they offer PGP (meh) and a password protected email scheme.
-
@evacide Can you expand on that? ProtonMail loudly claims to be e2e encrypted to me, but the claims seem less than credible if mails is sent to a proton.me address from an unencrypted place like gmail
@davecb @evacide They are very clear in their marketing and documentation that e2e only works if you are sending between Proton addresses. They are more important as a Google alternative... I wish they would focus on that instead.
(Edit: to be clear, this is a response to @davecb . I know @evacide knows what she's talking about.)
-
I'm just a girl, incrementing the counter on the number of times I have been sent a plaintext email from a Protonmail user telling me that the message is encrypted.
@evacide but I thought PGP was bad
-
I'm just a girl, incrementing the counter on the number of times I have been sent a plaintext email from a Protonmail user telling me that the message is encrypted.
@evacide State of the art ROT-26 encryption.
-
R relay@relay.infosec.exchange shared this topic
-
Do you think Proton's marketing is a bit confusing here? They keep saying their emails are encrypted, I assume what they mean is that they keep the info encrypted on their server. And maybe they also use end-to-end encryption if both the sender and recipient are using Protonmail - tho I'm not really sure about this one so correct me if I'm wrong.
Exactly. The key is that all protonmail emails are encrypted at rest on their servers and they do not have a backdoor into them like Microsoft, Google, yahoo, etc etc.
-
@evacide State of the art ROT-26 encryption.
@rmd1023 pfft, I have switch to ROT-4082 years ago
-
@davecb @evacide They are very clear in their marketing and documentation that e2e only works if you are sending between Proton addresses. They are more important as a Google alternative... I wish they would focus on that instead.
(Edit: to be clear, this is a response to @davecb . I know @evacide knows what she's talking about.)
-
@CAWguy I would think it's possible...
As a former PM, I'd wonder if competitive position and/or deeply embedded technical differences make it a tough sell, though. -
@evacide
I know that all too well. For example, pharmacies that say, "You can send it to me by email. We have a secure address!"
I had to send some private information to an accountant recently. Their proposal was to email it in an encrypted spreadsheet and then email the password in a separate message. Their other proposal was to use WhatsApp, which is not compatible with either ethics or self-defence.
In other news, we are changing accountants.
-
@CAWguy @wcbdata @evacide This is just slightly automated pgp and has basically all the same ergonomic issues. Encryption is lost the instant anyone forwards or ccs someone outside the network and there's no way to fix that without purpose built clients. At that point you might as well be using chatmail or signal.
-
@CAWguy I would think it's possible...
As a former PM, I'd wonder if competitive position and/or deeply embedded technical differences make it a tough sell, though.@wcbdata ‘Competitive position’ would have been my first guess. With encryption set aside, each platform would then be exposed to competing on the best features and user experiences.
-
@CAWguy @wcbdata @evacide Most eMail is encrypted in transit across the network/internet. SMTPS (SSL/TLS encrypted mail delivery using certificates for verifying identities & negotiating encryption keys) has been a thing for a long time.
It's the eMail provider that's the issue. Once the message is received, the server itself has a plain-text copy, even if the backend storage has filesystem-level encryption.
The real solution is for all eMail clients to have PGP/GPG, with a directory server that publishes public keys.
That way you can query the directory server with my eMail address, receive my public key, then encrypt your message with that key, and then it traverses all of the internet plumbing in an encrypted format that only the intended recipient can decrypt.
The percentage of people who do this is very, very small in the context of the entire internet.
-
@CAWguy @wcbdata @evacide Most eMail is encrypted in transit across the network/internet. SMTPS (SSL/TLS encrypted mail delivery using certificates for verifying identities & negotiating encryption keys) has been a thing for a long time.
It's the eMail provider that's the issue. Once the message is received, the server itself has a plain-text copy, even if the backend storage has filesystem-level encryption.
The real solution is for all eMail clients to have PGP/GPG, with a directory server that publishes public keys.
That way you can query the directory server with my eMail address, receive my public key, then encrypt your message with that key, and then it traverses all of the internet plumbing in an encrypted format that only the intended recipient can decrypt.
The percentage of people who do this is very, very small in the context of the entire internet.
@JustinDerrick Thanks for the long description. So would this small percentage of people using this setup be due to a network effect/getting friends to comply issue, or do most people simply not care about privacy?
-
@JustinDerrick Thanks for the long description. So would this small percentage of people using this setup be due to a network effect/getting friends to comply issue, or do most people simply not care about privacy?
@CAWguy You'd have to get everyone you know to leave their webmail providers, and only receive eMail with specific physical devices (phone / laptop / desktop). I haven't been able to get anyone I know to give up their webmail accounts, even by offering them free hosting and vanity addresses on my mail server.
-
@CAWguy You'd have to get everyone you know to leave their webmail providers, and only receive eMail with specific physical devices (phone / laptop / desktop). I haven't been able to get anyone I know to give up their webmail accounts, even by offering them free hosting and vanity addresses on my mail server.
@JustinDerrick Those are definitely many steps too far! I merely suggested using Signal at a small non-profit where I volunteer, and I could see the eye rolls at me.
-
@JustinDerrick Those are definitely many steps too far! I merely suggested using Signal at a small non-profit where I volunteer, and I could see the eye rolls at me.
@CAWguy Yeah, many years ago, I presented info about Signal to a nearby non-profit. Their President still sends stuff through SMS, even after having made it a requirement for their entire team to start using Signal.
The inertia of bad habits is very difficult to overcome.
-
I'm just a girl, incrementing the counter on the number of times I have been sent a plaintext email from a Protonmail user telling me that the message is encrypted.
@evacide rot26-encrypted
-
"Military grade encryption" is another one
Actually anything "military-grade" is almost always used as a marketing term, not just in tech products.Personally I always try to use noncommercial alternatives where I can, like Mastodon for example. It's so much saner when they're not trying to sell you something, like the listings here - https://www.directory.trade-free.org
And people should donate to these good projects to support them.
@futureisfoss @jjacobsson @evacide A friend is in the US navy and told me "military grade" means "outdated, hard to use, developed by the lowest bidder contractor".
