Hey everyone, how do you evaluate the company Proton AG, the owner of Proton Mail and Proton Pass? I’m in the process of migrating some accounts to their platform, but I’ve always been wary of using a password solution, especially after the LastPass incident. I used to use Keepass stand alone, but it’s quite cumbersome. So, how do you assess their credibility and security? Just saying that it’s Swiss and has scientists doesn’t really help, lol. Thanks!

  • Dremor@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    I’m not a proton employee, so I can’t give you the exact process used, but basically Protonmail probably uses asymmetrical encryption to encrypt incoming emails as soon as they receive it.

    Asymmetrical encryption uses two keys. A public one, and a private one, both linked together by two one-way mathematical function. The public one can be used by anyone to encrypt a message using said one-way function, but cannot be decrypted without using the private key, which is itself encrypted by your password (which is both unknown to Proton, that why you cannot recover your data if you forget your password), and probably other parameters like your main Protonmail email address.

    Now, on the client side, your password (and any other parameters) are used to locally decrypt the private key, which in return is used to locally decrypt the data send by Protonmail servers.

    Sure, it isn’t true E2E encryption, but it is the closest to it you can get while talking with another server that do not support E2E encryption.

    But there is more. If you send an email to another Protonmail client, said email will be truly E2E encrypted as both client will have access to each other public key, allowing them to encrypt the message on the client side, which will prevent Protonmail from ever read it. If I’m not mistaken, sames goes with any PGP enabled client (like Thunderbird with the Enigmail addon).

    • Avid Amoeba
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Right. So they could store them encrypted this way but they still have the opportunity to copy them at the intake point as you suggest. All of this make sense and I agree it’s probably the closest you can get to E2E with email without employing some OTG encryption that both sender and receiver participate in. Thanks for the musings!