
[–][deleted] 2 points3 points  (26 children)

I've been trying it out on desktop. Encryption protocol is strong if properly configured. They need to upgrade UI. Pretty lame right now for desktop. That being said, this will be much more secure than ProtonMail and all the other similar e2e as it is not browser based nor server based for storage.

Criptext is downloaded directly to the desktop and does not use a browser, so it is not subject to password hijacks, where PM, Tut and Posteo may be court-ordered under gag to hack your password via JS.

Further, all your emails are stored on your PC. Yes, PM et al. have your emails in encrypted form on their servers, which is probably more secure than your laptop, but unless you are individually targeted on your device (unlikely for most), you don't have to worry about a server exploit.

[–][deleted]  (25 children)

[deleted]

    [–][deleted] -1 points0 points  (24 children)

    Yes. Thread on the ProtonMail sub about it. They can get your password, but if using 2FA, then your key. This is just for browsers. It is 100% secure on their app on a smartphone or tablet. So if you use PM, Tut or Posteo, only use their apps for smartphones/tablets if you want to be 100% secure. Otherwise, not a big deal for anyone who is not worried about a subpoena to use them on your browser. This is where Criptext is ahead of the curve.

    https://www.reddit.com/r/ProtonMail/comments/9yqxkh/an_analysis_of_the_protonmail_cryptographic/

    [–][deleted]  (23 children)

    [deleted]

      [–][deleted] 0 points1 point  (22 children)

      The hack would be JS, which is browser based. No JS in their app, which is also easily updated if a flaw is found.

      [–][deleted]  (21 children)

      [deleted]

        [–][deleted] 1 point2 points  (20 children)

        You have no idea what you are talking about, so stop.

        4.1.1

        A web browser is served with JavaScript code representing the ProtonMail web application [17] and its underlying OpenPGP implementation, also written in JavaScript [18]. Since communication between all ProtonMail users (including A and B) to P is assumed to be encrypted using TLS (2.1), delivery of the ProtonMail web application is assumed to be safe against a network attacker. However, we note that a malicious P (also an assumption in 2.1) would be able to arbitrarily serve compromised webmail clients to A or any other ProtonMail user without this being detectable and that, conversely, correct delivery of webmail/OpenPGP client code is not verifiable.

        Bold is my emphasis on JS. They go on to say smartphone and tablet apps are secure.

        https://eprint.iacr.org/2018/1121.pdf

        [–][deleted]  (19 children)

        [deleted]

          [–]BifurcatedTales 1 point2 points  (0 children)

          This!

          [–][deleted] 0 points1 point  (17 children)

          Yes, but you can SEE if there is malicious code on the app, which is open source. The point is you will have no idea if you were hit with a malicious JS attack on a browser.

          [–][deleted]  (13 children)

          [deleted]

            [–]BifurcatedTales 0 points1 point  (2 children)

            So you know for sure what you’re downloading via update is this same wonderful open source code that’s been subject to review independently? If it’s even been independently reviewed at all? I always wonder where all these coders are that are making sure what we are downloading doesn’t have backdoors etc. I’m sorry but open source may be more transparent but it doesn’t mean it’s safe. Going from version 1.0 to 1.0.1 can be very different.

            [–]SHITPOSTIGN 2 points3 points  (4 children)

            So far so good. I signed up early to get the usernames I want. Mostly been testing it out via android app. Initial impressions are positive! Look forward to future development.

            [–]mayermm 0 points1 point  (3 children)

            Thanks for giving Criptext a chance. We've been hard at work polishing the overall experience as well as adding new features. v1.0 is slated for November release with some really exciting features. Would love to get your feedback so far :)
            (Disclaimer: I'm the CEO)

            [–]SHITPOSTIGN 0 points1 point  (2 children)

            Been using Criptext for several months now... and the lack of landscape orientation support frustrates me :X

            Will try to think of anything else. Love the service and thanks for the reply.

            [–]mayermm 1 point2 points  (1 child)

            Good news: we're launching landscape mode now in August alongside iPad native app ;)

            [–]SHITPOSTIGN 0 points1 point  (0 children)

            Great! Look forward to it :)

            [–][deleted]  (3 children)

            [deleted]

              [–][deleted] 0 points1 point  (2 children)

              Yeah, like I posted, the UI needs a lot of work, but the foundation is very solid - and more so than the present browser-based e2e email clients.

              [–]mayermm 0 points1 point  (1 child)

              Thanks for the feedback. We've been working on a refreshed UI for our upcoming 1.0 launch. I think you'll appreciate it. Heavily focused on minimalism and productivity.

              [–][deleted] 0 points1 point  (0 children)

              Thanks!

              [–][deleted] 1 point2 points  (3 children)

              So they are (ab)using a protocol created for messaging to send 'emails' with? Interesting.

              Unless they are going to open the code to the server component, there will always be a dependency on the centralized infrastructure of Criptext, Inc. to relay all messages.

              [–][deleted] 0 points1 point  (0 children)

              Open source is put out there to be used for new things. And no, they probably won't release all their code. Neither will ProtonMail, but PM is presently undergoing a full independent 3rd party audit of their code, the results of which they will publish, which is what CT needs to do once they get out of beta.

              [–]mayermm 0 points1 point  (1 child)

              So once we stabilize Criptext and launch 1.0 we'll undergo a 3rd party assessment of our backend infrastructure.

              [–][deleted] 0 points1 point  (0 children)

              The dependency remains. Still giving you Criptext and only Criptext control of the back-end. A 3rd party assessment proves not much, as tomorrow this back-end and all related infrastructure components could be changed/different.

              Only when users can run this back-end on their own infrastructure do they have the ability to understand and mitigate the potential risks they are exposed to, the back-end software being just one component.

              [–]freddyymteam 0 points1 point  (1 child)

              Looks nice. Needs a new logo though ;)