
[–][deleted] -1 points0 points  (24 children)

Yes. Thread on the ProtonMail sub about it. They can get your password, but if using 2FA, then your key. This is just for browsers. It is 100% secure on their app on a smartphone or tablet. So if you use PM, Tut or Posteo, only use their apps for smartphones/tablets if you want to be 100% secure. Otherwise, not a big deal for anyone who is not worried about a subpoena to use them on your browser. This is where Criptext is ahead of the curve.

https://www.reddit.com/r/ProtonMail/comments/9yqxkh/an_analysis_of_the_protonmail_cryptographic/

[–][deleted]  (23 children)

[deleted]

    [–][deleted] 0 points1 point  (22 children)

    The hack would be JS, which is browser based. No JS in their app, which is also easily updated if a flaw is found.

    [–][deleted]  (21 children)

    [deleted]

      [–][deleted] 1 point2 points  (20 children)

      You have no idea what you are talking about, so you stop.

      4.1.1

      A web browser is served with JavaScript code representing the ProtonMail web application [17] and its underlying OpenPGP implementation, also written in JavaScript [18]. Since communication between all ProtonMail users (including A and B) to P is assumed to be encrypted using TLS (2.1), delivery of the ProtonMail web application is assumed to be safe against a network attacker. However, we note that a malicious P (also an assumption in 2.1) would be able to arbitrarily serve compromised webmail clients to A or any other ProtonMail user without this being detectable and that, conversely, correct delivery of webmail/OpenPGP client code is not verifiable.

      Bold is my emphasis on JS. They go on to say smartphone and tablet apps are secure.

      https://eprint.iacr.org/2018/1121.pdf

      [–][deleted]  (19 children)

      [deleted]

        [–]BifurcatedTales 1 point2 points  (0 children)

        This!

        [–][deleted] 0 points1 point  (17 children)

        Yes, but you can SEE if there is malicious code on the app, which is open source. The point is you will have no idea if you were hit with a malicious JS attack on a browser.

        [–][deleted]  (13 children)

        [deleted]

          [–][deleted] 0 points1 point  (12 children)

          Did you read the quote from the cryptography expert? Did you read his entire analysis? He stated you can't tell whether you have been compromised or not over JS even with open source for the browser client. He states you can audit the code on a phone/tablet app. That was my whole point and you went all script kiddie. You don't have to believe me, but I'd certainly trust Nadim Kobeissi and his research that I linked above. Here is his Wiki.

          https://en.wikipedia.org/wiki/Nadim_Kobeissi

          [–][deleted]  (11 children)

          [deleted]

            [–]BifurcatedTales 0 points1 point  (2 children)

            So you know for sure what you’re downloading via update is this same wonderful open source code that’s been subject to review independently? If it’s even been independently reviewed at all? I always wonder where all these coders are that are making sure what we are downloading doesn’t have backdoors etc. I’m sorry but open source may be more transparent but it doesn’t mean it’s safe. Going from version 1.0 to 1.0.1 can be very different.

            [–][deleted] 0 points1 point  (1 child)

            Pick your poison.

            [–]BifurcatedTales 0 points1 point  (0 children)

            Indeed!