|
|
|
|
|
|
by Andrew_nenakhov
1769 days ago
|
|
|
You are absolutely correct, with some caveats. Browser client can generate keys on clientside and allow to offload them as a file to be used on other devices. Our own web XMPP client does that. But Protonmail does not work like this. Verification is very simple: if you log in on a new device and see all your content while using only login and password to authenticate yourself, then the content stored on a server is NOT encrypted and is readable by server owner. |
|
|
What about if the encryption key is derived from your password? This is common enough for "encrypt file with a password" services, I've personally implemented it in-browser as part of a small project.
Now, having your account password be the same as the email decryption password is also probably a bad idea, but we're far from the server owner being able to read your emails.