I want to learn about PGP and how to encrypt email. Someone sells that service, great. And it is not like I cannot send normal emails to anyone else.
I don’t disagree with you, I believe it as well. PGP as it stands is cumbersome.
The thing is that they could’ve still implemented an easy-to-use, “just login and send email” type of web client and abstracted the user from the PGP complexities while still delivering everything over IMAP/SMTP.
They are using the same standard, not some made up version of SMTP (when sending to other servers, I assume any email from client A to client B both being Proton customer never leave their server, so no need for a new protocol).
You assume correctly, but when your mail client is trying to send an email instead of using SMTP to submit to their server, you’re using a proprietary API in a proprietary format and the same goes for receiving email.
This is well documented, and to prove it further, if you want to configure Proton in a generic mail client like Thunderbird then you’re required to install a “bridge”, a piece of software that essentially simulates a local IMAP and SMTP server (that Thunderbird communicates with) and then will convert those requests into requests their proprietary API understands. There are various issues with this approach; the most obvious one is that it is an extra step. There’s also the issue that in iOS, e.g., you’re forced to use their mail app because you can’t run the bridge there.
The bridge is an afterthought to support generic email clients and generic protocols, only works how and where they say it should work and may be taken away at any point.
while being fully open source using open standards
Delivering your data over proprietary APIs doesn’t count as “open standards” - sorry.
Would it be inaccurate to say that your fear is that Proton pulls an “Embrace, Extend, Extinguish” move?
No, it isn’t. But they never “embraced” as there was never direct IMAP to their servers, instead it’s a proprietary API serving data in a proprietary format.
I also see how that would make Proton like WhatsApp, which has its own protocol and locks its users in.
The problem isn’t that taking down the bridge would make Proton like WhatsApp. It’s the other way around: when they decided to build their internals with proprietary protocols and solutions instead of e.g. IMAP+SMTP they became the WhatsApp. Those things shouldn’t be addons or an afterthought, they should be built into the core.
This clearly shows that making open solutions ranks very low on their company and engineering priority list. If it was at the top they would’ve built it around IMAP instead.
I could download an archive of everything I have on Proton without a hitch.
Yes you can, but the data will come in more proprietary formats that are hard to upload anywhere else - at least for some of the data. They’ve improved this situation but it’s still less than ideal. In the beginning they would export contacts and calendars in some JSON format, I see they moved to vCard and iCal now.
Okay, here are a few thoughts:
Unfortunately things are really poised and rigged against open-source solutions and anyone who tries to push for them. The “experts” who work in consulting companies are part of this as they usually don’t even know how to do things without the proprietary solutions. Let me give you an example: once I had to work with E&Y, one of those big consulting companies, and I realized some awkward things while having conversations with both low level employees and partners / middle management; they weren’t aware that there are alternatives most of the time. A manager of a digital transformation and cloud solutions team, who started his career at E&Y, wasn’t aware that there were open-source alternatives to Google Workplace and Microsoft 365 for e-mail. I probed a TON around that and the guy, a software engineer with a university degree, didn’t even know what Postfix was and the history of email.
Sure, you’re using a bridge they develop and they can take away or break at any point. It’s not the best ideal. Why support a company that is actively trying to turn open protocols into more closed stuff? Makes no sense. That type of nonsense is what got us into the situation we’ve now with WhatsApp and other messengers.
Any e-mail service that doesn’t provide standard IMAP/SMTP directly to their servers and uses custom protocols is yet another attempt at vendor lock-in and nobody should use it.
What Proton is doing is pushing for vendor lock-in at any possible point so you’re stuck with what they deem acceptable because it’s easier for them to build a service this way and makes more sense from a business / customer retention perspective. Proton is doing to e-mail about the same that WhatsApp and Messenger did to messaging - instead of just using an open protocol like XMPP they opted for their closed thing in order to lock people into their apps. People in this community seem to be okay with this just because they sell the “privacy” Kool-Aid.
People complain when others use Google or Microsoft for e-mail around here, but at least in those providers you can access your e-mail through standard protocols. How ironic it is to see privacy / freedom die hard fans suddenly going for a company that is far less open than the big providers… just because of marketing. :)
Proton is just a company that wants profits and found out there was a niche of people who would buy into everything that they label as “encryption” and “privacy” no matter what the cost. They’ve learnt how to weaponize “privacy” to push more and more vendor lock-in. Not even Apple does this bullshit.
Now, I can see anyone commenting “oh but they have to do it because of security” - no they don’t. That’s bullshit.
Any generic IMAP/SMTP provider + Thunderbird + PGP will provide the same level of security that Proton does - that is assuming they didn’t mess their client-side encryption/decryption or key storage in some way. PGP makes sure all your e-mail content is encrypted and that’s it, doesn’t matter if it’s done by Thunderbird and the e-mails are stored in Gmail OR if it’s done by the Proton bridge and the e-mails are on their servers, it’s the same PGP tech, the only difference is the client. So, no, there isn’t a reason to do it the way they do it besides vendor lock-in.
It’s funny how people completely lost their minds when they could see a potential connection between what he said and some political side while those same people are perfectly fine with ignoring what’s really wrong with Proton and its marketing - even though it all goes against their core beliefs of “privacy” “security” “open-source” etc.
Edit to include what I didn’t have time to type:
Any e-mail service that doesn’t provide standard IMAP/SMTP directly to their servers and uses custom protocols is yet another attempt at vendor lock-in and nobody should use it.
What Proton is doing is pushing for vendor lock-in at any possible point so you’re stuck with what they deem acceptable because it’s easier for them to build a service this way and makes more sense from a business / customer retention perspective. Proton is doing to e-mail about the same that WhatsApp and Messenger did to messaging - instead of just using an open protocol like XMPP they opted for their closed thing in order to lock people into their apps. People in this community seem to be okay with this just because they sell the “privacy” Kool-Aid.
People complain when others use Google or Microsoft for e-mail around here, but at least in those providers you can access your e-mail through standard protocols. How ironic it is to see privacy / freedom die hard fans suddenly going for a company that is far less open than the big providers… just because of marketing. :)
Proton is just a company that wants profits and found out there was a niche of people who would buy into everything that they label as “encryption” and “privacy” no matter what the cost. They’ve learnt how to weaponize “privacy” to push more and more vendor lock-in. Not even Apple does this bullshit.
Now, I can see anyone commenting “oh but they have to do it because of security” - no they don’t. That’s bullshit.
Any generic IMAP/SMTP provider + Thunderbird + PGP will provide the same level of security that Proton does - that is assuming they didn’t mess their client-side encryption/decryption or key storage in some way. PGP makes sure all your e-mail content is encrypted and that’s it, doesn’t matter if it’s done by Thunderbird and the e-mails are stored in Gmail OR if it’s done by the Proton bridge and the e-mails are on their servers, it’s the same PGP tech, the only difference is the client. So, no, there isn’t a reason to do it the way they do it besides vendor lock-in.
That doesn’t guarantee 100% privacy in a densely populated area anymore. Nowadays you’ve stuff like Amazon Sidewalk and who knows who’s partner and what devices are in it.
Okay, but then the TV is still running all the same spyware.
Update: just disabling wifi doesn’t guarantee 100% privacy anymore in a densely populated area. Nowadays you’ve stuff like Amazon Sidewalk and who knows who’s partner and what devices are in it.
you have to comply with police orders to moderate your platform…
Your points are fair however, where does it stop? If the police says “make it all plaintext” then what happens? It is a police request after all.
This thing where chat platforms and others “need” to comply with police / govt orders and remove content is very tricky… should platforms really censor everything the govts ask for? What if it is a group chat about a corrupt political party in power (with proof)? The govt will say it is CSAM, then Signal will shut it down and our democracies are gone.
To make it really clear: I’m not for breaking the law, and I don’t think that content should be on such platforms. The problem is that once you start removing that content the precedent will be abused to remove other actually important stuff because “it is CSAM” and the E2EE doesn’t have ways to check if it is really CSAM nor should it be the judge of the content.
Telegram doesn’t use encryption. Everything is in clear text. Nobody needs a back door to get access. Not even governments. It’s all just out in the open
This isn’t even true, Telegram isn’t IRC. Like any modern application, it uses SSL (encapsulated in MTProto) to protect connections. Govts will only have access if they manage to compromise those certificates, like your bank’s website.
This has nothing to do with the ability for the company to see what users do, but with the fact that govts can order Signal and others to hand user data, ban chats and whatnot while Telegram simply ignores requests like those.
Govts aren’t pissed about the fact that Telegram might be an accessory to a crime, they’re pissed because they can’t compromise it. Do you remember the FBI vs Apple situation, they wanted backdoors / access to E2EE stuff and Apple was refusing to provide and they went against one of the largest tech companies out there. Do you really believe that the US govt just went after Apple but wouldn’t go after a small company like Signal? This looks shady - almost like there’s a security vulnerability / backdoor in Signal they can use whenever they want.
I agree with you, but just think about this:
Signal, a truly secure messenger, will comply with data requests and will send the authorities everything they have about a user, which is really not that much to begin with.
A govt asks Signal for info on a user, then Signal hands over a bunch of IP logs, metadata and a few encrypted messages that are still pending delivery or something on their servers.
Do you remember the FBI vs Apple situation, they wanted backdoors / access to E2EE stuff and Apple was refusing to provide and they went against one of the largest tech companies out there. Do you really believe that the US govt just went after Apple but wouldn’t go after a small company like Signal? This looks shady - almost like there’s a security vulnerability / backdoor in Signal they can use whenever they want.
Why would they go after the “not E2EE” chat but not after the “unbreakable and private” one? Telegram delivers trust, users trust that they won’t share any info to govts. Signal only delivers a promise that their E2EE will be enough to make the information govts get useless.
This whole Telegram story is absolutely unrelated to chat control
Chat control is exactly about baking backdoors and providing govts full access to chat logs etc. something that Telegram would never be okay with. They don’t even reply to govts requests most of the time, let alone be compromised at that level.
the answer from my perspective is quite simple. Noncompliance. If telegram had complied to local laws, like the others have and continue to do, he would not have gotten in trouble.
Exactly you’re getting there. Now let me ask something, if Facebook/Apple/Signal/Matrix comply with such laws how private are they? Those companies will happily censor chats and hand records to the govt, Telegram won’t.
Now you can argue that they do hand info to the govts but it is all encrypted and whatnot… do you really trust there aren’t backdoors there? Or clever ways to get around it like what we saw with push notifications or macOS analytics?
Govts are only after Telegram because they can’t infiltrate the company, ask for data etc. If Signal was really as secure and private like everyone says it is then their executives would already be in jail and whatnot for “enabling criminal activities”.
Telegram isn’t E2E encrypted and the telegram company can access all your messages, however, just think about the bigger picture there. How come that the E2E encrypted WhatsApp, Signal and whatnot never had their CEOs arrested for not moderating content / enabling criminal activity? Think about that.
If you don’t turn on the secret chat feature it won’t be, yes. However if E2EE was the only deciding factor for a gov to go against an App then they wouldn’t be going after Telegram. The fact that govts are going so hard at Telegram simply proves that even when the company has access to all our chats they don’t actually provide them to said govts.
I’m not saying Telegram is good from a security perspective, I’m just saying that even without E2EE and all the modern wonders govts can’t still get in because the company doesn’t indulge their requests.
Yes, that’s precisely the problem there. You can use PGP with any generic IMAP provider and that will work just fine with handheld devices. There are multiple mail clients capable of doing it and all your mail is still encrypted on the server. Proton just made an alternative implementation that forces you into proprietary systems because it’s more convenient for them.
Those kinds of setups with servers encrypting your mail and still delivering over IMAP are fairly easy to implement, here’s an example. They simply decided to go all proprietary.
On a generic mail system SMTP is used in two places: 1) from your mail client to your provider and 2) between your provider and other providers. Proton is NOT using SMTP for the first step, making it non-standard and much more closed.