this post was submitted on 07 May 2024
103 points (90.6% liked)

[–] [email protected] 72 points 6 months ago (3 children)

This is non-news, like all tech companies, they are bound by law to do this. It happens more than 6000 times per year for Proton. However, this user just had bad opsec. Proton emails are all encrypted and cannot be read unless law enforcement gets your password, which Proton does not have access to. Even if Proton hands over all data.

[–] [email protected] 16 points 6 months ago

Often they just need the user behavior data such as login date and time

[–] [email protected] 6 points 6 months ago* (last edited 6 months ago) (2 children)

Email in transit is not encrypted. At least not encrypted by anything that the government can't compel the company to hand over. Your password at best can only lock down the mailbox itself. Not the receipt/sending of emails.

Edit: The point being is that if you're a person of interest, the government can just watch your activity until they get what they want. And Proton doesn't really have anything they can do about it other than a canary page I suppose.

Edit2: to make it even more clear, I'm talking about MTAs communicating with each other. Proton being one party would have the keys to their side of the communication which is sufficient to decode the whole lot.

[–] [email protected] 8 points 6 months ago (1 children)

> Email in transit is not encrypted

That there is what I call horse shite. SMTPS and STARTTLS are a thing and if you are using a provider who doesn't use it you need to change.

[–] [email protected] 9 points 6 months ago (1 children)

That still requires the email to be in clear text before it gets re-encrypted by Proton mail. SMTPS gets terminated at your email provider's boundary.

[–] [email protected] 4 points 6 months ago (1 children)
[–] [email protected] 3 points 6 months ago

PGP does not encrypt the whole email, only part of it.

[–] [email protected] 0 points 6 months ago (1 children)

IF TLS is used AND configured optimally on both ends, THEN the in transit message contents should be very secure, in that transient session keys were used.

I would be interested to know how often those two preconditions hold true though.

Of course, this is only one small link in the chain. There ain't no magic bullet.

[–] [email protected] 0 points 6 months ago (1 children)

Proton would have the key. A government that is already compelling them to hand over your account can simply be compelled to provide the TLS keys. The point is that government doesn't have to compel proton for at rest storage, but can compel for in transit interception.

[–] [email protected] 1 points 6 months ago* (last edited 6 months ago) (1 children)

Read up on perfect forward secrecy and TLS.

And yes, a jurisdiction could compel them to break their security, depending on laws and ability to threaten.

[–] [email protected] 0 points 6 months ago (1 children)

"read up on pfs"
"Pfs doesn't matter"

Literally this post.

[–] [email protected] 0 points 6 months ago (1 children)

PFS matters where a party hasn't already been compromised. Not so hard.

[–] [email protected] 0 points 6 months ago* (last edited 6 months ago)

This whole discussion is about a government forcing Proton mail to take actions. Telling me to "read up on pfs" is irrelevant by your own admission. ProtonMail can be compelled to give up their keys, or to hand them over for all current/future transactions.

So once again...

“read up on pfs”
“Pfs doesn’t matter”
Literally this post.

You cannot rely on MTAs to transmit ANYTHING securely in the context of this discussion. Period. There is no E2E when there's an MTA involved unless you're doing GPG/PGP or S/MIME. Nobody does this though... Like literally nobody. I've got both set up and have NEVER had an encrypted email go through because nobody else does it. It doesn't matter what Proton claims to support.

That's it. Telling anyone to read up on anything when they're 100% correct is asinine.

> Email in transit is not encrypted. At least not encrypted by anything that the government can’t compel the company to hand over.

Edit:

> Email in transit is not encrypted. At least not encrypted by anything that the government can’t compel the company to hand over.

This is what I originally said. It was clear. I don't know why you're arguing otherwise.
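
The sub-thread above turns on which SMTP hops used TLS and whether the negotiated suite had forward secrecy. This is an added example, not part of any comment in the thread: it reads the `Received:` chain of a message and reports both per hop. The sample message, hostnames and the `version=… cipher=…` comment format are constructed assumptions; real relays log TLS details in differing formats.

```python
import re
from email import message_from_string

# Constructed sample (placeholder hosts, documentation IP ranges); newest hop first.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby store.recipient.example with ESMTP id abc123; Tue, 07 May 2024 19:29:03 +0000
Received: from out.sender.example (out.sender.example [198.51.100.7])
\tby mx.recipient.example with ESMTPS id def456
\t(version=TLS1_2 cipher=AES256-GCM-SHA384); Tue, 07 May 2024 19:29:02 +0000
Received: from client.sender.example (client.sender.example [203.0.113.5])
\tby out.sender.example with ESMTPSA id ghi789
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384); Tue, 07 May 2024 19:29:01 +0000
From: a@sender.example
To: b@recipient.example
Subject: constructed test message

body
"""

TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}  # RFC 3848 "with" keywords
BY_RE = re.compile(r"\bby\s+(\S+)")
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")
TLS_RE = re.compile(r"version=(\S+)\s+cipher=([^\s);]+)")  # assumed comment format

def forward_secret(version, cipher):
    """TLS 1.3 full handshakes always use ephemeral (EC)DHE; older versions
    only when an (EC)DHE suite was negotiated."""
    if "1.3" in version.replace("_", "."):
        return True
    return "DHE" in cipher.upper()  # matches both DHE and ECDHE suite names

def audit_hops(raw):
    """Return one dict per Received header, oldest hop first."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        by, proto, tls = BY_RE.search(value), WITH_RE.search(value), TLS_RE.search(value)
        proto = proto.group(1).upper() if proto else "UNKNOWN"
        encrypted = proto in TLS_PROTOCOLS
        hops.append({
            "by": by.group(1) if by else None,
            "proto": proto,
            "encrypted": encrypted,
            # None = cannot tell (no TLS on this hop, or the relay logged no cipher)
            "forward_secret": forward_secret(*tls.groups()) if encrypted and tls else None,
        })
    return hops

if __name__ == "__main__":
    for hop in audit_hops(SAMPLE):
        print(hop)
```

Only `Received:` lines added by relays you control are trustworthy, since upstream hops can write anything. A fully encrypted path still leaves the message in plaintext on every MTA it passes through.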

[–] [email protected] 5 points 6 months ago (1 children)

Yeah, OPSEC is really important and over the years many people got caught because of bad OPSEC. PomPomPurin, the guy who ran BreachForums, is a pretty good example of this: https://youtu.be/1fZWHeHICws

[–] [email protected] 0 points 6 months ago

Here is an alternative Piped link(s):

https://piped.video/1fZWHeHICws

Piped is a privacy-respecting open-source alternative frontend to YouTube.

I'm open-source; check me out at GitHub.

[–] [email protected] 14 points 6 months ago

https://mastodon.social/@protonprivacy/112401461102514792 May 07, 2024, 19:29

The name/address of the terrorism suspect was actually given to police by Apple, not Proton. The terror suspect added their real-life Apple email as an optional recovery address in Proton Mail. Proton can't decrypt data, but in terror cases Swiss courts can obtain recovery email.

[–] [email protected] 12 points 6 months ago (1 children)

Oof. So you need a recovery email that is not easily traceable if you need one at all. That's tough.

[–] [email protected] 1 points 6 months ago* (last edited 6 months ago) (1 children)

I just have none at all

However, I have a recovery phone number and gave them my payment information, so there's that

[–] [email protected] 1 points 6 months ago

Got it. So it's a persec issue? I guess it depends on your threat level. The persons they are arresting seem to be activists. The question is how destructive their activism was. Not because they somehow deserve to be arrested. I can't judge that. But because they should consider better persec in that case. It's still sad to read that a privacy-oriented email provider gives out your info.

[–] [email protected] 6 points 6 months ago

That's why second backup email is optional.