by s_dev 1487 days ago
https://techcrunch.com/2021/09/06/protonmail-logged-ip-addre...

The controversy here is that Protonmail announced they didn't do something, log IPs for example, and then when compelled by law enforcement somehow had a log of IPs. I use Protonmail but there is no way for me to ensure they are E2E just like there is no way to ensure they don't log IPs. This is why faith and trust are so important. "Real security" people don't need faith, just Math, but for the rest of us we need an off the shelf solution that's good enough.


They actually claim no IP logging by default, not that they don't log IPs at all. If you're worried about that, use tor.

If you're looking for a service that ignores law enforcement requests, I don't think proton is for you.

If you're looking for a service that ignores law enforcement requests, I don't think services anywhere are for you.
Exactly. I don't know why people think that they can pay somebody to break the law on their behalf. There's no jurisdiction on the planet where privacy law is stronger than search warrants. Even selfhosting everything won't get you very far, as law enforcement can still just come into your house. Proton is simply a compromise that most users find acceptable.
There is a large portion of the privacy community for whom services should take a bullet in the face before handing over the data they hold.

It's hard to take anyone who raises the "IP logging" issue seriously anyway - the situation is perfectly clear and rational and they are either shilling for some cause or just plain stupid. Proton is transparent, and people are free to read for themselves just how they operate. https://proton.me/news/transparency-report

Sometimes they don't even wait for the court order: In July 2017, we received a request for assistance from British police in the case of the kidnapping of Chloe Ayling. In light of the fact that we were able to verify that the kidnappers were, in fact, using a Proton Mail account, and the fact that the first 48 hours are the most critical in kidnapping cases, we rendered assistance to law enforcement before the signed order was delivered to us, but with the understanding that the court order was in the process of being sent.

Yet the commenters never complain about this or cases where a minor was at risk. They just claim there is a controversy because they turned on IP logging for one account at the behest of a court order.

To be honest Proton as a product I am not particularly drawn to - encrypting email takes two, and there are not many people who are equipped to receive my secure emails!

Actually, every inbound email is encrypted at storage with your public key. Still can be read on the way in, but once it's stored, it's encrypted. Much better than other providers imo.
And all those emails are probably also sitting on google/microsoft server.

Electronic two party communication is inherently insecure - you can encrypt in transit, at rest, military grade, quantum proof - but if the other party gets to do whatever they want with it. Print it, forward it, save it etc.

Feel free to correct me on this, but in terms of ProtonMail's E2E, it's done entirely client-side (= in JavaScript), at least in the web UI. This was claimed on PM's website a while back iirc.

So I believe this makes the claim "true E2E" more believable. Or at least verifiable - because it's just JS.

I think the key criticism here is that since they deliver the code (javascript) that handles the keys, they could easily replace the code with a version that leaks/harvests your private key. Once your private key is known by someone that also has your ciphertext, that party can get the plaintext.
Yeah, I saw this type of argument after I made my original comment that you responded to.

While this argument undeniably makes sense, I guess it boils down to what assumptions are made about the user.

Like, if we assume that the user is this paranoid, then why couldn't they just check the JS file/bundle with a local copy that is verified? Think of a Chrome extension or whatever.

We still run the JS locally on our own computers.

> Like, if we assume that the user is this paranoid, then why couldn't they just check the JS file/bundle with a local copy that is verified?

Well for one, the code is minified. That makes it a lot harder to inspect, so therefore it's substantially harder to make sure that the code isn't doing something malicious.

Plus then of course, should the JS file served from Proton's servers be updated, you'd need to diff the changes (which, in the context of minified code, is not easy) to ensure nothing dodgy is added.

I assume that, realistically, the JS is verified by outside experts (and not by the user), and that a check on the user's part would simply be comparing a calculated hash to a given one.

I understand that this might not be how things are really done at PM (i.e. do they provide a hash? probably not) so my arguments may be hypothetical, but it doesn't render them invalid in the larger context imo.

If the trusted web service is under law enforcement order to decrypt mail of a particular user, a version of the JavaScript code that breaks the encryption could be delivered to only that user. No third party experts will be aware of this special version so no red flags can be raised by these third parties.

In contrast if an app does not download code, the eavesdropping will require a new version of the app to hit the app store. Third party experts may review this and raise red flags.

This is the first time I felt that an app had a privacy advantage over a browser interface.

It's more believable, but in theory there could be a secret store of unencrypted emails that have been sent to ProtonMail's email servers.
You can turn off IP logs in the Protonmail webapp. I do that as a small precaution, but if the authorities want your IP, they will get it, and in the worst case compel Proton to deploy a compromised webapp frontend where emails can be seen in the clear. But you'd have to be a really juicy target for that to happen, and most people aren't juicy targets.