this post was submitted on 14 Sep 2023
28 points (100.0% liked)

Technology
Hey everyone, how do you evaluate the company Proton AG, the owner of Proton Mail and Proton Pass? I'm in the process of migrating some accounts to their platform, but I've always been wary of using a password solution, especially after the LastPass incident. I used to use KeePass standalone, but it's quite cumbersome. So, how do you assess their credibility and security? Just saying that it's Swiss and has scientists doesn't really help, lol. Thanks!

13 comments
[–] Overwrite7445@lemmy.ca 18 points 1 year ago (2 children)

I would suggest looking into other options for PW managers like Bitwarden. Having email, calendar, drive, VPN, and PW manager all from one provider just means there is a single point of failure.

[–] Dremor@lemmy.world 7 points 1 year ago (1 children)

All Proton services are E2E encrypted, so even if they are breached, there is little data available without having to crack each user's keys.

Still, the password manager is still new, and there is still a lot to iron out. So I would advise against using it as your main password manager. But it is promising.

[–] avidamoeba@lemmy.ca 2 points 1 year ago (2 children)

Err, how is mail E2E encrypted when mail isn't typically E2E encrypted? It has to reach a mailbox. If that mailbox isn't on your computer, then it's on Proton's.

[–] Hauskrampf@ttrpg.network 3 points 1 year ago

That's why you need to install the Proton Mail Bridge if you want to use it with apps like Thunderbird. Of course, emails not sent from or to another Proton account are not encrypted, but that's something Proton can't change... Although you can put a password on your emails, so only people who know that password can access the mail, but that's more of a workaround than a fix.

[–] Dremor@lemmy.world 2 points 1 year ago (1 children)

I'm not a Proton employee, so I can't give you the exact process used, but basically Proton Mail probably uses asymmetric encryption to encrypt incoming emails as soon as they receive them.

Asymmetric encryption uses two keys: a public one and a private one, both linked together by a one-way mathematical function. The public one can be used by anyone to encrypt a message using said one-way function, but the message cannot be decrypted without using the private key, which is itself encrypted by your password (which is unknown to Proton; that's why you cannot recover your data if you forget your password), and probably other parameters like your main Proton Mail email address.

Now, on the client side, your password (and any other parameters) are used to locally decrypt the private key, which in turn is used to locally decrypt the data sent by Proton Mail's servers.

Sure, it isn't true E2E encryption, but it is the closest to it you can get while talking with another server that does not support E2E encryption.

But there is more. If you send an email to another Proton Mail client, said email will be truly E2E encrypted, as both clients will have access to each other's public key, allowing them to encrypt the message on the client side, which will prevent Proton Mail from ever reading it. If I'm not mistaken, the same goes for any PGP-enabled client (like Thunderbird with the Enigmail addon).
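The key hierarchy Dremor sketches (password → private key → message) as an added worked example. This is not code from the thread or from Proton; it is a stand-alone model written for this page, and the specific choices in it are assumptions: RSA-OAEP for the public-key step, AES-256-GCM to wrap the private key, PBKDF2-HMAC-SHA256 as the password KDF (implemented here with standard-library primitives because older Go releases have no PBKDF2 in std), and the iteration count and sample password/message, which are constructed. The point it demonstrates is the one the comment makes: the server only ever holds the public key and a password-wrapped private key, mail from a non-E2E sender is seen in the clear exactly once at intake, and a wrong or forgotten password fails at the unwrap step with nothing recoverable behind it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// pbkdf2SHA256 is single-block PBKDF2-HMAC-SHA256 (RFC 8018) built from stdlib primitives.
func pbkdf2SHA256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(append(append([]byte{}, salt...), 0, 0, 0, 1)) // U1 = PRF(P, S || INT(1))
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil) // Ui = PRF(P, U(i-1))
		for j := range t {
			t[j] ^= u[j] // T = U1 xor U2 xor ... xor Uc
		}
	}
	return t
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // CSPRNG failure is not recoverable
	}
	return b
}

// gcm builds AES-256-GCM; keys here are always 32 bytes, so neither constructor can fail.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// seal returns nonce||ciphertext; unseal reverses it and fails authentication under any other key.
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

func unseal(key, blob []byte) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// Account is what the server stores: public key in the clear, KDF salt and iteration count,
// and the private key wrapped under PBKDF2(password, salt). The password never leaves the client.
type Account struct {
	Public        *rsa.PublicKey
	Salt, Wrapped []byte
	Iters         int
}

// NewAccount runs on the client at signup. 20000 iterations keeps the demo quick; a real
// service uses far more, or a memory-hard KDF (Proton's actual parameters are not in the thread).
func NewAccount(password string) (*Account, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	salt, iters := randBytes(16), 20000
	wrapped := seal(pbkdf2SHA256([]byte(password), salt, iters), x509.MarshalPKCS1PrivateKey(priv))
	return &Account{Public: &priv.PublicKey, Salt: salt, Wrapped: wrapped, Iters: iters}, nil
}

// Intake is the server's step for mail from a sender without E2E: the plaintext is visible here
// once, then only the form encrypted to the user's public key is kept. RSA-OAEP is applied to the
// (short) message directly for brevity; real systems seal a symmetric key and encrypt the body under it.
func Intake(acct *Account, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, acct.Public, plaintext, nil)
}

// ClientRead is the client's step: re-derive the wrap key from the password, unwrap the private
// key locally, then decrypt locally. A wrong or forgotten password fails at the unwrap step.
func ClientRead(acct *Account, password string, stored []byte) ([]byte, error) {
	der, err := unseal(pbkdf2SHA256([]byte(password), acct.Salt, acct.Iters), acct.Wrapped)
	if err != nil {
		return nil, fmt.Errorf("unwrap private key: %w", err)
	}
	priv, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, stored, nil)
}
```

Usage is `acct, _ := NewAccount(pw)` on the client, `stored, _ := Intake(acct, plaintext)` on the server, and `ClientRead(acct, pw, stored)` back on the client; calling `ClientRead` with any other password returns an "unwrap private key" error before the private key is ever parsed. The model also shows the limit avidamoeba raises: `Intake` necessarily receives the plaintext, so the guarantee is about what is stored, not about what the server could observe at that moment.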

[–] avidamoeba@lemmy.ca 1 points 1 year ago

Right. So they could store them encrypted this way, but they still have the opportunity to copy them at the intake point as you suggest. All of this makes sense, and I agree it's probably the closest you can get to E2E with email without employing some OTG encryption that both sender and receiver participate in. Thanks for the musings!

[–] stealth_cookies@lemmy.ca 4 points 1 year ago

I agree, keep your password manager, 2FA, and email all on separate services so at least there is some protection from getting your accounts stolen if they get access to one of them.

[–] Steve@communick.news 15 points 1 year ago (1 children)

> especially after the LastPass incident.

Which one?

Seriously, I think LastPass has the worst security record for any password manager. Ever. And I think they're the only ones who sold to some management company.

Proton is solid. So is Bitwarden.

[–] treefrog@lemm.ee 12 points 1 year ago (1 children)

Bitwarden user checking in.

Very happy with it.

[–] Appoxo@lemmy.dbzer0.com 7 points 1 year ago

Also Bitwarden. Like the app.
Management of the records is annoying though.

Sync between devices is really reliable.

[–] Dremor@lemmy.world 8 points 1 year ago

I have used Proton services for a long time, and have been a paid user for more than 6 years (and more if you count when I was on the free version). I never had any problem with them, and had at worst a day of downtime when they got DDoSed some years ago.

Services are solid and well designed, feedback is listened to, the only downside is a closed-source backend (but the frontend is open-source, if I recall well).

Only thing to take into account: if you lose your password somehow, you lose all your data. So keep the recovery keys very safe.

[–] d3Xt3r@lemmy.nz 3 points 1 year ago

> I used to use Keepass stand alone, but it's quite cumbersome.

How is it cumbersome? Also, have you checked out KeePassXC? It's, IMO, much better than the official KeePass app.

[–] CriticalMiss@lemmy.world 3 points 1 year ago

Unless you’re a big company, they won’t give two craps about you. If you’re a large company you can ask to audit them and reveal some of their security practices. Chances are if they don’t just talk the talk but also walk the walk they’ve been already audited by a third party, which if you choose to trust can be enough in your case. The reality is you cannot know what goes on in their backend, you can only know what’s going on in your backend.