by sudonim 4394 days ago
And none of the employees are US citizens that can be compelled by the US government in a way that they're not allowed to talk about it (even to other employees) to compromise the security of the service?

I'm not sure that having a Swiss company makes any difference in a case where people have ties to the US. Does anyone else know better than me on this topic?

edit: It looks like the goal is that you don't even have to trust protonmail: "For this reason, we are also unable to do password recovery. If you forget your decryption password, we cannot recover your data." https://protonmail.ch/pages/security_details.php

3 comments

There are some clues to be found on the page: "ProtonMail is developed both at CERN and MIT and is headquartered in Geneva, Switzerland. We were semifinalists in 2014 MIT 100K startup launch competition and are advised by the MIT Venture Mentoring Service."
> It looks like the goal is that you don't even have to trust protonmail.

Sorry to say, but that goal is unachievable with that setup. They provide you with the code that does the decryption. It's a simple thing to enable that code to send back the decryption password and store it on their servers. So every time you decrypt a message, you'd either have to evaluate all the JavaScript they send your browser, or put your messages at risk.

There's a similar problem with GPG/SMIME implementations: I have to trust the people writing that decryption code, but that's a bit simpler - they can't easily target me directly and the churn is much lower.

I don't think you need to worry too much about the US secret services (directly). But you can worry about the Swiss secret services. And probably by extension the German and French secret services. Which means you have to (by extension) worry about the US secret services anyway.

Note that France and Germany probably have much more direct dealings with Switzerland than the US has -- so pressure from these governments/the EU is more likely to hold sway than any direct pressure from the US (but, as with all things, if a nation state considers you a legitimate target it's probably game over anyway).

[edit: see other comment wrt MIT -- I was probably too optimistic.]
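
An added example, not part of the thread: a Node.js sketch of the per-visit check implied by the comment above about server-delivered decryption code, comparing every script a page would run against digests pinned when the code was last reviewed. The function names, paths and sample page are hypothetical and constructed; a digest mismatch only shows that the code changed, not whether the change is benign, so each flagged script still needs review.

```javascript
const { createHash } = require('crypto');

// SRI-style digest of a script body.
function digest(body) {
  return 'sha384-' + createHash('sha384').update(body, 'utf8').digest('base64');
}

// Enumerate every script the page would run: external by src, inline by position.
// `fetched` maps each src to the body retrieved for it on this visit.
function listScripts(html, fetched) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const out = [];
  let m, inline = 0;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (src) out.push({ id: src[1], body: fetched[src[1]] });
    else out.push({ id: 'inline#' + inline++, body: m[2] });
  }
  return out;
}

// Classify each script against the pinned digests from the last review.
function auditScripts(html, fetched, pinned) {
  return listScripts(html, fetched).map(({ id, body }) => {
    if (body === undefined) return { id, status: 'missing' };   // src not retrieved
    if (!(id in pinned)) return { id, status: 'unpinned' };     // never reviewed
    return { id, status: pinned[id] === digest(body) ? 'ok' : 'changed' };
  });
}

// Constructed sample: a page with one external and one inline script.
const reviewedLib = 'function decrypt(ct, pw) { /* reviewed */ }';
const page = '<html><script src="/js/crypto.js"></script><script>init();</script></html>';
const pinned = { '/js/crypto.js': digest(reviewedLib), 'inline#0': digest('init();') };

// Same bytes as reviewed: every script is 'ok'.
const sameVisit = auditScripts(page, { '/js/crypto.js': reviewedLib }, pinned);

// A later visit where the server sends slightly different code: both are 'changed'.
const laterVisit = auditScripts(
  page.replace('init();', 'init(); extra();'),
  { '/js/crypto.js': reviewedLib + '\n// one added line' },
  pinned);

console.log(sameVisit, laterVisit);
```
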