by Jedi72 2744 days ago
Good writeup. Since I can already see not everyone here actually read the article, here are some highlights.

> Law enforcement has always been able to request information from us through the Telecommunications Act with a lawful warrant. Because we have the ability to decrypt all data, there is no need to make changes that circumvent encryption. ... While FastMail is not directly affected, we don’t support this legislation because it carries serious implications for the Australian tech industry.

> Of course, should our users choose to end-to-end encrypt their mail via PGP, we have no way to access that content, even under the AABill. Our blog explains why we have never offered PGP ourselves, and describes third-party PGP tools you can use with FastMail if you wish to manage your own encryption.

The second one in particular highlights to me the fact that whilst there are many downsides to the legislation, any serious culprits, i.e. state actors or organised crime, have many countermoves, severely limiting the upside - something all tech people knew anyway.


Thanks - that's pretty much exactly it. If someone needs end-to-end encryption, it's only safe from intermediate third parties if they aren't trusting software which is updated by those third parties.

So we use effective methods to protect the privacy of our users while performing our civic duty of assisting law enforcement when bad actors use or abuse our platform, and we never pretend to use the bulk of our customers as human shields to protect bad actors trying to hide among them.

It's weird that you take this stance. It almost feels like you're implying that ProtonMail is a bad actor, and end to end encryption is bad because 'civic duty'. That's like "but terrorism".

I understand that you're not a privacy-first company, but still, your communications haven't been reassuring me. There is extensive documentation (e.g. Yahoo FISA) that ALL content not end-to-end-encrypted is ingested for bulk surveillance and decades-long (if not infinite) retention.

The only solution is 100% end to end encryption, with NO mechanism for unauthorised access (including law enforcement). Like iMessage and Signal. Anything partial of that, while saying you are pro-privacy, is IMHO harmful to privacy.

iMessages are encrypted, but it's Apple who hands the client one or more public keys with which to encrypt them—and that's each time; there is no key pinning. They could easily hand you a public key whose private key they or another malicious party knows. See https://support.apple.com/en-us/HT202303 and especially page 58 of the linked https://www.apple.com/business/docs/iOS_Security_Guide.pdf.

Most email being transmitted on the Internet is in unencrypted form.

Most people are not on ProtonMail and do not have a PGP key published.

If I were to guess, I’d say that 99%+ emails sent or received by ProtonMail customers are seen by ProtonMail’s servers in unencrypted form.

> Most email being transmitted on the Internet is in unencrypted form.

Really? I use Hotmail, GMail, and Yahoo, and all of these use TLS so it is encrypted in transit.

Would Fastmail ever consider verifying signed messages? Authenticity is one of many things gained through using PGP, and implementing it in the Fastmail interface wouldn't lead to the false sense of security that "encrypted" email in the browser supposedly gives.

Perhaps - though it leads to either offering a way for users to manage their keychain, or managing those trust relationships ourselves - and of course adds a channel where we could be compelled to lie to users about authentication on the message.

Right now the only authentication signal we display on the website is a green tick if the message came from one of our staff or one of our trusted systems.

I wonder why no one has ever made PGP user-friendly.

Some might argue WhatsApp or Signal or Telegram E2E is exactly that. I'm talking about email.

I'm sure this has been said before, but: "easy" = "I don't have to manage my key" = "insecure because then the existing telecoms act covers this". That's likely the crux of it.

ProtonMail say that they've made PGP user-friendly, and I'm inclined to agree with them:

https://protonmail.com/support/knowledge-base/how-to-use-pgp...

"This means that with ProtonMail, anybody can use PGP, regardless of their technical knowledge."

Something like this would make things even more transparent to end users:

https://autocrypt.org/

IMO ProtonMail is snake oil:

When you’re communicating with email addresses outside of ProtonMail, their servers will see your emails. Your emails might then be encrypted “at rest”, but they’ve passed through their servers unencrypted anyway.

To work around it, for sending to email addresses without a ProtonMail account, AFAIK they also give the possibility to send a link to a ProtonMail interface for decryption.

And also web interfaces are inherently insecure for E2E encryption, which ProtonMail encourages.

This is not how email is supposed to work.

Speaking of email ProtonMail also doesn’t work via standard IMAP and SMTP. You need an adapter to use classic mail clients and that only works on the desktop.

In other words ProtonMail is anti-standards.

And for me standards are more important than promises of privacy that an email service can’t really meet.

Unless you’re doing PGP or similar, independent of the email service being used, then email is incompatible with encryption.

> When you’re communicating with email addresses outside of ProtonMail, their servers will see your emails. Your emails might then be encrypted “at rest”, but they’ve passed through their servers unencrypted anyway.

Decryption is done in the browser, so it's not passing through the servers unencrypted. (ProtonMail is one of the biggest contributors to OpenPGP.js.)

> To workaround it, for sending to email addresses without a ProtonMail account, AFAIK they also give the possibility to send a link to a ProtonMail interface for decryption.

And you can add the recipient PGP key in ProtonMail settings so it's pure PGP. (I've heard that they're working on Web Key Directory support for automatic contact key retrieval)

> And also web interfaces are inherently insecure for E2E encryption, which ProtonMail encourages.

Not strictly true. The problem is a web interface hosted on a foreign host. For a secure web interface see e.g. Mailpile.

There are also other ways of minimizing risk, like using Mailvelope, which communicates with GnuPG through Native Messaging.

> In other words ProtonMail is anti-standards.

Not for all standards; for example, ProtonMail is very active on the OpenPGP mailing list.

For the record, I'm not using ProtonMail, but I like that they're promoting PGP by showing that it can be made relatively easy. Too many people think that the UI complexity in PGP is intrinsic.

>> Decryption is done in the browsers so it's not passing through the servers unencrypted.

That cannot be for unencrypted emails, which is how most communications over email are going to be, because:

1. Most people or businesses are not on ProtonMail

2. Usage of PGP is nice, but very few people have published PGP keys

3. Opening a link to view a message is a big problem; personally I ignore such emails, can’t remember the last time that happened

It also doesn’t work for unencrypted emails being sent to you, which are a majority.

If I were to guess 99%+ of emails sent or received by ProtonMail customers are seen by ProtonMail’s servers in unencrypted form.

And this is why ProtonMail is snake oil.

You're accusing ProtonMail of being snake oil because people can send unencrypted emails to ProtonMail users? If it didn't allow receiving such emails, it wouldn't be an email service, so it sounds like "encrypted email service" is something that you have made impossible by definition.

Perhaps, rather than focusing on "most communications over email" (which don't involve ProtonMail's users whatsoever), it's more fair to ask whether ProtonMail enables encrypted communications with non-ProtonMail email users, and what threat models it is reasonably secure against.

You're right, though, that there are trade-offs to be made when it comes to using web-delivered JavaScript (although these problems need to be solved at the web platform layer [0], not unilaterally by a single service provider), and ProtonMail do not exactly advertise their security limitations (and nor do any other webmail providers).

[0] https://tools.ietf.org/html/draft-yasskin-http-origin-signed...

That's no longer the case, you can set PM to send PGP encrypted mail directly, in which case the mail won't be in cleartext on their servers.

Sending a link with a symmetrically encrypted mail is still possible for users without PGP, but those aren't in cleartext on the server either (they are encrypted and decrypted in the client).

(in theory, PM could swap code in the webclients but you can use the Bridge or Android/iOS app to circumvent that hole easily)

> Some might argue whatsapp or signal or Telegram E2E is exactly that. I talk about the email.

These three are not equivalent.

Signal is the gold standard for secure, end-to-end encrypted messaging. The client is open-source, and (at least on Android) builds are reproducible. It's possible to audit the code and confirm that Signal isn't intercepting the messages via side-channel and sending them to Signal's servers, encrypted with a different key. It also notifies you whenever a user's public key has changed (i.e., when they switch to a different phone), which protects against someone hijacking your phone number using the telecom system.

WhatsApp does encrypt messages with per-user keys, but it's not end-to-end in the sense that Facebook still manages the keys and could provide you with a compromised key. Facebook also produces the only client, which means that it could easily eavesdrop messages and send them to Facebook's servers via a side-channel. Until recently, WhatsApp also didn't notify you when a user's key had changed. This wasn't a "backdoor" as the Guardian sensationally reported it, but it is a security liability for users looking for secure end-to-end encryption.

Telegram is completely insecure. For starters, group messages on Telegram are sent... in plain text. No encryption whatsoever.
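
Added example, not part of the thread and not code from any of the services discussed: a minimal trust-on-first-use pin store showing the client-side check that the comments about key directories without pinning and about key-change notifications are contrasting. The class, the function names and the sample key bytes are constructed for illustration; a real client would pin fingerprints of actual public keys and persist them.

```python
import hashlib

def fingerprint(public_key: bytes) -> str:
    """Comparable identifier for a public key (SHA-256 of its bytes)."""
    return hashlib.sha256(public_key).hexdigest()

class PinStore:
    """Trust-on-first-use pins: contact -> fingerprints the user accepted."""

    def __init__(self):
        self._pins = {}

    def review(self, contact, served_keys):
        """Return (status, unknown): status is 'first-use', 'match' or
        'changed'; unknown lists fingerprints never pinned for the contact."""
        served = {fingerprint(k) for k in served_keys}
        if contact not in self._pins:
            self._pins[contact] = set(served)  # first contact: pin what we see
            return "first-use", []
        unknown = sorted(served - self._pins[contact])
        return ("changed" if unknown else "match"), unknown

    def accept(self, contact, fp):
        """Pin a fingerprint after the user verified it out of band."""
        self._pins.setdefault(contact, set()).add(fp)

def recipients_to_encrypt_to(store, contact, served_keys):
    """Encrypt only to pinned keys; report unpinned ones to the user."""
    status, unknown = store.review(contact, served_keys)
    allowed = [k for k in served_keys if fingerprint(k) not in unknown]
    return status, allowed, unknown

# Constructed sample keys (placeholders, not real key material).
ALICE_PHONE = b"constructed-public-key-alice-phone"
ALICE_LAPTOP = b"constructed-public-key-alice-laptop"
EXTRA_KEY = b"constructed-public-key-unknown-device"

def demo():
    store = PinStore()
    first = recipients_to_encrypt_to(store, "alice", [ALICE_PHONE, ALICE_LAPTOP])
    same = recipients_to_encrypt_to(store, "alice", [ALICE_LAPTOP, ALICE_PHONE])
    # The directory now serves an additional key for the same contact.
    swapped = recipients_to_encrypt_to(store, "alice", [ALICE_PHONE, EXTRA_KEY])
    return first, same, swapped

if __name__ == "__main__":
    for status, allowed, unknown in demo():
        print(status, len(allowed), unknown)
```

A client without the pin store would encrypt to every key the directory serves; with it, the third lookup is flagged as `changed` and the unpinned key is withheld until `accept` is called.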