by lvh 2367 days ago
Article is light on the details, but ProtonMail has published some here: https://protonmail.com/blog/protoncalendar-security-model/

> This calendar key will then be symmetrically encrypted (PGP standard) using a 32-byte passphrase that is randomly generated on your device. Once it is encrypted, your calendar key will be stored on the ProtonCalendar backend server.

32-byte passphrase: might be fine, depending on what those bytes are; the interesting question is how much entropy it got generated from.

> Each member of a calendar will have a copy of the same passphrase that is encrypted and signed using their primary address key. The signature ensures that no one, not our server or any third-party adversary, changed the passphrase.

This is where it gets weird. Why do both? The obvious way to encrypt with an ECC key comes with authentication for free. Signing mostly has negative privacy implications. (I think the answer is "we incorrectly decided PGP was a good idea a long time ago and now we are stuck with its problems, which include being wrong about authenticators".)

> The invited member, if they decide to join the calendar, can decrypt the passphrase using their address key. They can also verify that the signature on the passphrase belongs to your email address key. This lets the invited member cryptographically verify that you invited them. To accept the invitation, ProtonCalendar will then pin the passphrase for the invited member by replacing your signature with one created using their own email address key. This signature will later be used by the invited member to verify the passphrase at each application start.

Again, with designs less than twenty years old you can do that without a signature.

> To accept the invitation, ProtonCalendar will then pin the passphrase for the invited member by replacing your signature with one created using their own email address key. This signature will later be used by the invited member to verify the passphrase at each application start.

what

I'm reviewing the attendee scheme next, but I need more coffee first.
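An added worked example of the point made above about encrypting to an ECC key getting authentication "for free" (this is example code written for this page, not ProtonMail's or ProtonCalendar's, and not the PGP construction their post describes): a NaCl-style box built from static-static X25519 (Go's crypto/ecdh, Go 1.20 or later) and AES-256-GCM. The key-derivation label, the choice of AES-GCM, the party names and the generated 32-byte passphrase are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// boxKey derives the AES-256-GCM key from the static-static X25519 secret.
// Hashing in both public keys under a label is this example's own choice
// (an assumption, not ProtonCalendar's construction); NaCl's crypto_box
// instead keys XSalsa20-Poly1305 directly from the shared secret.
func boxKey(shared, senderPub, recipientPub []byte) []byte {
	h := sha256.New()
	h.Write([]byte("example-calendar-box-v1")) // assumed domain-separation label
	h.Write(shared)
	h.Write(senderPub)
	h.Write(recipientPub)
	return h.Sum(nil)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts msg from the sender's static key to recipientPub.
// Layout: nonce || ciphertext || 16-byte GCM tag. No signature is attached:
// only a holder of the sender's or the recipient's private key can produce
// a valid tag, so the recipient learns who sent it and nobody else can prove it.
func Seal(sender *ecdh.PrivateKey, recipientPub *ecdh.PublicKey, msg []byte) ([]byte, error) {
	shared, err := sender.ECDH(recipientPub)
	if err != nil {
		return nil, err
	}
	aead, err := gcmFor(boxKey(shared, sender.PublicKey().Bytes(), recipientPub.Bytes()))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, msg, nil), nil
}

// Open is the recipient's side; senderPub is who the recipient believes sent
// the blob. A wrong sender key or a modified byte yields an error, no plaintext.
func Open(recipient *ecdh.PrivateKey, senderPub *ecdh.PublicKey, sealed []byte) ([]byte, error) {
	shared, err := recipient.ECDH(senderPub)
	if err != nil {
		return nil, err
	}
	aead, err := gcmFor(boxKey(shared, senderPub.Bytes(), recipient.PublicKey().Bytes()))
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

func genKey() *ecdh.PrivateKey {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // CSPRNG failure is not recoverable in a demo
	}
	return k
}

// Demo runs the three cases that matter for sharing a calendar passphrase:
// honest invite, a server substituting a blob sealed under its own key, and a
// corrupted blob. Keys and the 32-byte passphrase are generated here.
func Demo() (roundTrip, rejectsImpostor, rejectsTamper bool, err error) {
	alice, bob, mallory := genKey(), genKey(), genKey() // owner, invitee, server/adversary
	passphrase := make([]byte, 32)
	if _, err = rand.Read(passphrase); err != nil {
		return
	}
	sealed, err := Seal(alice, bob.PublicKey(), passphrase)
	if err != nil {
		return
	}
	got, err := Open(bob, alice.PublicKey(), sealed)
	if err != nil {
		return
	}
	roundTrip = string(got) == string(passphrase)

	// Mallory seals her own passphrase and presents it to Bob as if from Alice.
	forged, err := Seal(mallory, bob.PublicKey(), make([]byte, 32))
	if err != nil {
		return
	}
	_, openErr := Open(bob, alice.PublicKey(), forged)
	rejectsImpostor = openErr != nil

	// One flipped bit anywhere in the blob fails the tag.
	tampered := append([]byte{}, sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, openErr = Open(bob, alice.PublicKey(), tampered)
	rejectsTamper = openErr != nil
	return
}

func main() {
	rt, imp, tam, err := Demo()
	fmt.Println("round trip:", rt, "rejects impostor:", imp, "rejects tamper:", tam, "err:", err)
}
```

Bob's Open succeeds only when he names Alice's public key, so he knows Alice sent the passphrase, and a server holding neither private key cannot swap in a blob of its own. Because Bob could have produced the same tag himself, the blob proves nothing to a third party, which is exactly the deniability a detached signature gives away.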


What are your thoughts on Protonmail's security in general?

Specifically this part from their whitepaper https://pbs.twimg.com/media/EKpHwB-WwAE4YN0?format=png&name=...

This is a bad idea, right? We aren't supposed to decrypt then verify usually, correct? I'm told this is standard for implementations of OpenPGP, but it just seems like a horrible design (of course OpenPGP itself is probably bad).

https://protonmail.com/docs/business-whitepaper.pdf

I didn't write https://latacora.micro.blog/2019/07/16/the-pgp-problem.html (the writing is too good, a giveaway that it's a 'tptacek joint) but I did review it and helped shape its contents and generally subscribe to its message :) In particular you are correct, and specifically GPG's MDC thing is some weird nonsense that does not deserve to be in use in 2019, let alone being in a product that describes itself as having top-notch security.

(Mostly I think I get why Protonmail does what it does, but GPG+email is a losing horse. It also doesn't help that protonmail addresses are a mild predictor for content not worth reading. I haven't quite had Popehat's experience of protonmail being a proxy for overt, virulent white supremacy, but... certainly have seen it be a proxy for poorly informed opinions on security :-))
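To make the decrypt-then-verify point from the question and the reply concrete, an added example (written for this page; it is not ProtonMail's, GnuPG's or any OpenPGP library's code) contrasts a toy MDC-style construction with an AEAD. The toy deliberately simplifies OpenPGP's MDC (CTR instead of CFB, SHA-256 instead of SHA-1, no random prefix block) and keeps only the property at issue: integrity is a hash of the plaintext checked after decryption, so a streaming decryptor has already handed out attacker-modified plaintext by the time the check fails, whereas AES-GCM rejects the ciphertext before releasing anything. The sample message, keys and nonces are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SampleMessage is constructed for this example; it is not a real message.
var SampleMessage = []byte("From: alice@example.com\r\nSubject: meeting\r\n\r\nsee you at 10")

// mdcSeal is a toy decrypt-then-verify layout: CTR(plaintext || SHA-256(plaintext)).
// It simplifies OpenPGP's MDC but keeps the property at issue: integrity is a
// hash of the plaintext carried inside the encrypted stream, not a MAC over
// the ciphertext, so the cipher stays malleable and the check comes last.
func mdcSeal(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(plaintext)
	body := append(append([]byte{}, plaintext...), sum[:]...)
	out := make([]byte, len(body))
	cipher.NewCTR(block, iv).XORKeyStream(out, body)
	return out, nil
}

// mdcOpen behaves like a streaming decryptor: the body is decrypted and handed
// to sink before the trailing hash is available, so a flipped ciphertext bit
// becomes a flipped plaintext bit the consumer has already acted on.
func mdcOpen(key, iv, ct []byte, sink func([]byte)) error {
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	if len(ct) < sha256.Size {
		return errors.New("ciphertext too short")
	}
	stream := cipher.NewCTR(block, iv)
	n := len(ct) - sha256.Size
	body := make([]byte, n)
	stream.XORKeyStream(body, ct[:n])
	sink(body) // released before verification
	tag := make([]byte, sha256.Size)
	stream.XORKeyStream(tag, ct[n:])
	if sum := sha256.Sum256(body); !bytes.Equal(sum[:], tag) {
		return errors.New("MDC mismatch, but plaintext was already released")
	}
	return nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadOpen checks the GCM tag over the ciphertext first; on failure nothing reaches sink.
func aeadOpen(key, nonce, ct []byte, sink func([]byte)) error {
	gcm, err := gcmFor(key)
	if err != nil {
		return err
	}
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return err
	}
	sink(pt)
	return nil
}

// Result records what each decryptor released to its consumer and returned.
type Result struct {
	MDCReleased, AEADReleased []byte
	MDCErr, AEADErr           error
}

// Demo encrypts SampleMessage both ways, flips one ciphertext bit as an
// attacker would, and decrypts. Keys, IV and nonce are random per run.
func Demo() (Result, error) {
	var r Result
	mdcKey, iv := make([]byte, 32), make([]byte, aes.BlockSize)
	gcmKey, nonce := make([]byte, 32), make([]byte, 12)
	for _, b := range [][]byte{mdcKey, iv, gcmKey, nonce} {
		if _, err := rand.Read(b); err != nil {
			return r, err
		}
	}
	ct, err := mdcSeal(mdcKey, iv, SampleMessage)
	if err != nil {
		return r, err
	}
	ct[0] ^= 0x20 // CTR is malleable: the leading 'F' reaches the consumer as 'f'
	r.MDCErr = mdcOpen(mdcKey, iv, ct, func(b []byte) { r.MDCReleased = append(r.MDCReleased, b...) })

	gcm, err := gcmFor(gcmKey)
	if err != nil {
		return r, err
	}
	ct2 := gcm.Seal(nil, nonce, SampleMessage, nil)
	ct2[0] ^= 0x20
	r.AEADErr = aeadOpen(gcmKey, nonce, ct2, func(b []byte) { r.AEADReleased = append(r.AEADReleased, b...) })
	return r, nil
}

func main() {
	r, err := Demo()
	fmt.Printf("MDC: released %d bytes, err=%v\nAEAD: released %d bytes, err=%v\nsetup err=%v\n",
		len(r.MDCReleased), r.MDCErr, len(r.AEADReleased), r.AEADErr, err)
}
```

Both decryptors report an error on the tampered input; the difference is what the consumer saw before that error. With the toy MDC the full, modified plaintext was delivered first (a mail client that renders as it decrypts, or that treats the MDC failure as a warning, has already acted on attacker-controlled bytes); with the AEAD the consumer callback never runs.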

Setting aside the technical issues for a moment, your last point is interesting to me.

One of the things that bugs me about security/privacy discussions is the rampant paranoia and misinformation, and it tends to be the louder voice in the discussions lately. I have to wonder if Protonmail being such a visible figure means that it attracts people who're inclined to fall under the aforementioned.

i.e, the people who use Protonmail for mostly innocuous reasons just don't say anything, so the poorly informed bits float to the top.

It's like apartment ratings, I guess - nobody writes a rating for a good one.

Disclaimer: I interviewed with PM last year and was offered a role, but for various life reasons didn't take it. They're pretty smart people though so I'm inclined to give the team the benefit of the doubt - I don't think any of this influences my comment above, but worth noting.

When I decided to ditch google a while back I considered switching to proton mail. Their marketing resonated with what I was looking for. After some thought I realized that email is fairly insecure by design. Even if proton mail fixed all of the security issues associated with email it all goes out the door the moment I communicate with a non-proton-mail address. Almost all of my friends and family use gmail, and most of the volume of email I receive comes from businesses. For my use cases, proton mail is basically security theater.

What's worse, proton mail makes many dubious claims. They claim that "All emails are secured automatically with end-to-end encryption." This is clearly false. They state that "ProtonMail's infrastructure resides in Europe's most secure datacenter, underneath 1000 meters of solid rock." Ok, cool, but how does that benefit me? The emails are already end-to-end encrypted (but not really). Am I expecting commandos to raid a datacenter and steal my encrypted emails? They say that "Our story begins where the web was born, at CERN." Again, who cares?

End-to-end encrypted email is not on my list of must-haves (or even on my list of wants). When I need a secure communication channel, I use Signal. Proton mail overstates what they provide, and they spend a lot of effort on frankly useless security measures.

Maybe! Certainly other environments with an emphasis on anonymity, pseudonymity or privacy in general have turned out to be terrible cesspools. But on the other hand, Signal and Whatsapp aren't. It's also not necessarily a broadcast-vs-1on1 problem: while I'm often frustrated with HN, it takes care of the white supremacists pretty effectively.