
Comment by guywithahat

1 day ago

You can disable an account without knowing who owns it, although they do have credit card/payment information now, and I don't think new accounts get encryption services unless they pay.

That said, if your inbox is encrypted, protonmail does so on the client side with a second password. They can maybe delete the account, but proton mail doesn't know what the encrypted data is. What happens to new emails sent to a disabled address is anyone's guess though. Honestly I think they're doing the best they can given the circumstances

>and I don't think new accounts get encryption services unless they pay.

Source? Their compare plans page specifically lists "End-to-end encryption" as a feature for their free plan.

https://proton.me/mail/pricing#compare-plans

  • I thought I made a new account a while ago (as the front end for an OSS project) and it wasn't encrypted, and then when I checked encryption was moved to the paid membership. It looks like I may have just been confused though, because you're right it looks like it's still part of the free tier

You are trusting them. They control the client, how the keys are created/stored, etc. JavaScript, etc. If they were to suddenly turn one day, they could.

This is the weakness of cloud services.

  • It is very possible for them to inject custom JS to a specific user.

    You are the bosses at Protonmail, do you want police at 6 am shaking your kids, seizing all your devices, losing all agreements with PayPal and Visa/MasterCard, because you want to protect a guy who distributes child pornography or plans a terrorist attack?

    No way, so you tap on the shoulder of the CTO and ask him to push a temporary update or turn on a feature flag, in order to collect the missing information.

    This is true for all companies who control the client.

    • From what we (at least I) know, this wasn't the police in Switzerland waking up senior management.

      It was - without anyone admitting to it - probably KrCERT who requested the account suspension. KrCERT doesn't seem to have any legal jurisdiction in Switzerland.

      "KrCERT/CC, which is an internal division of KISA, is a CSIRT with national responsibility and a focal point of contact for Korea on international cybersecurity incident handling." -- https://en.wikipedia.org/wiki/Korea_Internet_%26_Security_Ag...

      I'd like to think if they 'tapped on the shoulder of the CTO' of a company headquartered in Switzerland, he'd say "maybe, come back with an order from a relevant court or security agency in Switzerland and I'll get my team right on that".

  • Trusting them is almost guaranteed, but it doesn't have to be, sort of. The clients are open source so you literally clone, audit, and run the clients locally.

    Full disclosure, I use Proton and overall trust them so unless I see strong evidence of abuse or lies on their part I'm inclined to post contextualizing comments on stuff like this, b/c well I don't wanna host my own mail server, at least not in prod.

  • Or just use an open source email client.

    I would expect their own apps to be open source, are they not?

    • Using an email client requires a Proton Bridge thing that acts as a local IMAP/SMTP proxy: https://github.com/ProtonMail/proton-bridge

      As if disabling the issue tracker and stonewalling pull requests wasn't bad enough, seeing how it is built out of multiple layers that communicate via gRPC was what made me instantly lose all trust in Proton. I don't know who's been doing their hiring but just from one look at that kludge it's evident they've lost the plot altogether.

      (There's a third-party alternative called Hydroxide, but it's experimental. Haven't been able to send emails through it from Thunderbird yet, though I've only looked into this for a few hours recently.)