Technology
This is the official technology community of Lemmy.ml for all news related to creation and use of technology, and to facilitate civil, meaningful discussion around it.
Ask in DM before posting product reviews or ads. All such posts otherwise are subject to removal.
Rules:
1: All Lemmy rules apply
2: Do not post low effort posts
3: NEVER post naziped*gore stuff
4: Always post article URLs or their archived version URLs as sources, NOT screenshots. Help the blind users.
5: personal rants of Big Tech CEOs like Elon Musk are unwelcome (does not include posts about their companies affecting wide range of people)
6: no advertisement posts unless verified as legitimate and non-exploitative/non-consumerist
7: crypto related posts, unless essential, are disallowed
view the rest of the comments
There’s no vendor lock in until you realize your emails are essentially hostage of their apps and a bridge that may be shutdown at any point. If you can’t simply setup a regular email client then there’s vendor lock in, not even Microsoft does that.
They say the reason for needing their bridge is the encryption at rest, but I feel like the better way to handle wanting to push email privacy forward would be to publish (or better yet coordinate with other groups on drafting) a public standard that both clients and competing email servers could adopt for an email syncing protocol for that sort of zero-access encryption that requires users give their client a key file. A bridge would be easier to swallow as a fallback option until there's wider client support rather than as the only way.
A similar standard for server-to-server communication, like for automatic pgp key negotiation, would be nice too.
Still, Proton has a easy to access data export that doesn't require a bridge client or subscription or anything. I think that's required by GDPR. It's manual enough to not be an effective way to keep up-to-date backups in case you ever abruptly lose access but it's good enough to handle wanting to migrate to another provider.
I agree 100% with your ideia. The best path for this would've been for them to actually design that system you describe and THEN implement it on Dovecot and Postfix in their own fork or a Dovecot extension / Postfix add-on so others would start using them. Eventually after some times and other providers also optionally supporting the thing an RFC could be written. This is the usual course we see with protocols/extensions and is what should've happened here.
I want to share another thing, before Snowden there was Lavabit, they also did "encryption at rest" and the user password involved for some parts of the information and it was proven to be effective. It wasn't a perfect model but it was certainly better than the havoc Proton did to e-mail by opening the precedent that is okay not to run on standard protocols.
What Proton is doing to e-mail is about the same that WhatsApp, Messenger and others did to messaging - instead of just using an open protocol like XMPP they opted for their closed thing in order to lock people into their apps. People in this community seem to be okay with this just because they sell the "privacy" cool-aid.
I'm not sure if this is required. Any decent e-mail server uses TLS to communicate these days, so everything in transit is already encrypted.
Yes, they have it because GDPR does require it. It works, but it's not a real time sync alternative to anything and it is some kind of vendor lock-in.
As I said in other comments, not using standard protocols only makes thing worse. I used iOS as an example, for Android you can get a bridge but that’s just going to be one more thing going for your battery.
Now, consider this, there’s a TON of situation where having a standard SMTP-capable provider is interesting. Maybe you’re running in iOS, maybe you want to have an ESP32 to send a few emails, or some custom software in your computer. All those use cases are impossible or require more coding and more non-standard solutions just because Proton decided to be the first provider ever not to use standard protocols.
In transit, yes, but not end-to-end.
One feature that Proton advertises: when you send an email from one Proton mail account to another Proton address, the message is automatically encrypted such that (assuming you trust their client-side code for webmail/bridge) Proton's servers never have access to the message contents for even a moment. When incoming mail hits Proton's SMTP server, Proton technically could (but claims not to) log the unencrypted message contents before encrypting it with the recipient's public key and storing it. That undermines Proton's promise of Proton not having access to your emails. If both parties involved in an email conversation agree to use PGP encryption then they could avoid that risk, and no mail server on either end would have access to anything more than metadata and the initial exchange of public keys, but most humans won't bother doing that key exchange and almost no automated mailers would.
Some standard way of automatically asking a mail server "Does
user@proton.me
have a PGP public key?" would help on this front as long as the server doesn't reject senders who ignore this feature and send SMTP/TLS as normal without PGP. This still requires trusting that the server doesn't give an incorrect public key but any suspicious behavior on this front would be very noticeable in a way that server-side logging would not be. Users who deem that unacceptable can still use a separate set of PGP keys.Here's what I think: if they actually do everything with open standards and PGP by the book, why can’t they provide IMAP/SMTP access to everyone who wants it BUT add the disclaimer that you’ve to use a PGP compatible e-mail client and configure it to deal with the encryption… they could even configure their submission to refuse any email that isn't PGP encrypted to improve things further. The fact that they don't do this leads me to believe that they either a) aren't actually doing everything as "by the book PGP" and there might be security issues or b) they're "privacy" as a catch all excuse in order to push a bit of vendor lock-in.
Their market niche is privacy conscientious people and those same people tend be to computer savvy and I bet half of them would mind setting up PGP on Thunderbird and use Proton without a bridge. Everyone else could still use their apps, web or the bridge.
I had assumed their reasoning for not taking that approach might be related to metadata at rest, but it seems they don't use "zero access" encryption for metadata even at rest so I have no idea what technical justification they could have for not supporting IMAP with PGP handled by the email client. The fact that they restrict bridge access to paying subscribers only doesn't help them avoid lock-in impressions either.
Great find, even worse than what I was thinking. Like you I was also under the assumption they applied some kind of encryption to all metadata as well.