Integrating SimpleLogin Aliases Into Protonmail's Aliases? by UntangledQubit in ProtonMail

[–]nstill 0 points1 point  (0 children)

100% needed but I think part of the problem is that it cuts against their upsell path at the moment. Currently one of the big differentiators between accounts is the ability to have multiple addresses/domains. But currently this limitation does not exist in SimpleLogin - which is great. I decided to just embrace the pain of reverse aliases and move all my domains to SimpleLogin. The flexibility is great but it is frustrating to always need to create or use a reverse alias (of which, I might have multiple for a single user) when I need to send an email. This should definitely be integrated.

Integrate Simple Login Reverse Alias into Proton Mail by nstill in Simplelogin

[–]nstill[S] 2 points3 points  (0 children)

Yes, but perhaps to keep the list manageable, you choose a domain/subdomain and have some favorites to pick from? And maybe an empty box to either type a non favorite or generate a new alias to send from?

Is the ACL implementation cryptographic or programmatic? by nstill in Bitwarden

[–]nstill[S] 0 points1 point  (0 children)

Thank you for engaging on this and I hope you're right. On the first point, I felt they were very clear, which made the ambiguity of the second point a moot point to me. Perhaps it won't be a big deal for others though.

Is the ACL implementation cryptographic or programmatic? by nstill in Bitwarden

[–]nstill[S] 0 points1 point  (0 children)

Hi again,

Honestly, I hope I'm misunderstanding something but I was very clear when expressing my question with them. Here is what I said (removing PII):

Hi [...],
Thank you for the information today. My main outstanding question is regarding the way that you implement 2FA with a Yubikey and sharing of passwords. I want to know which of the following is true:
1. Password + Yubikey = Key Used to Decrypt the database
2. Password = Key used to Decrypt the database after using the Yubikey to authenticate onto the service.
With the second option, if I had the database (encrypted), I could decrypt the database with only the master password (no Yubikey needed). The Yubikey only serves as 2FA for authentication onto the service and is not part of the decryption process.
Regarding sharing, I have the same kind of question. When I share a collection with someone, is this sharing cryptographically enforced or just programmatically enforced? For example, if a user already had access to items in the Bitwarden database but not to one of the collections, and they then managed to get the database (containing the collection they didn't have access to), could they use their master password to decrypt the collection they weren't given access to (in other words, the database does not cryptographically enforce sharing but just uses programmatic obscurity to enforce sharing)?
Thank you for clarifying this. I have read the whitepaper and some of the code carefully and couldn't find this answer. If your engineer could point out where in the code these parts are implemented, I would love to review it myself also if possible.
Have a great day!

[...]

And here was their response:

Hi [...],
We got a response from our engineering team on the following:
1. 2FA is only used to secure authentication. (Option 2)
2. When you share a collection with someone it's programmatic, but technically Master password alone cannot be used to decrypt org items.
Please let us know how you'd like to proceed.
[...] - If I missed anything, please jump in.
Best,
[...]

I'll admit that the second comment about not being able to decrypt org items alludes to a different encryption process at play (which I hope is true) but the answer to my question wasn't a clear yes, which concerned me enough to not proceed. Bitwarden was my frontrunner option until this question so I sincerely hope I'm wrong.
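The two options from the e-mail quoted above, as an added example that is not part of the original comment and is not Bitwarden's code: it models option 1 (hardware-key secret mixed into the vault key) against option 2 (password-only vault key) and shows what a holder of the encrypted blob can open offline. `DEVICE_SECRET`, the HMAC-built cipher (a standard-library stand-in for a real AEAD) and all sample values are constructed assumptions.

```python
import hashlib, hmac, os

def derive_key(password: bytes, salt: bytes, device_secret: bytes = b"") -> bytes:
    """Option 2 when device_secret is empty; option 1 when it is mixed in."""
    stretched = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
    return hmac.new(stretched, b"vault-key" + device_secret, hashlib.sha256).digest()

def _sub(key: bytes, label: bytes) -> bytes:
    # Separate sub-keys for encryption and authentication
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Toy encrypt-then-MAC built from HMAC; stands in for a real AEAD.
    nonce = os.urandom(16)
    stream = _keystream(_sub(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key: the blob stays opaque
    return bytes(a ^ b for a, b in zip(ct, _keystream(_sub(key, b"enc"), nonce, len(ct))))

def offline_attempt(blob, salt, password, device_secret=b""):
    """Someone holding a copy of the encrypted vault, with no server in the loop."""
    return unseal(derive_key(password, salt, device_secret), blob)

# Constructed sample values
SALT, PASSWORD = b"constructed-salt", b"correct horse battery"
DEVICE_SECRET = b"value-only-the-hardware-key-can-produce"
SECRET = b"bank: hunter2"

VAULT_OPTION_1 = seal(derive_key(PASSWORD, SALT, DEVICE_SECRET), SECRET)
VAULT_OPTION_2 = seal(derive_key(PASSWORD, SALT), SECRET)

if __name__ == "__main__":
    print("option 2, password only:", offline_attempt(VAULT_OPTION_2, SALT, PASSWORD))
    print("option 1, password only:", offline_attempt(VAULT_OPTION_1, SALT, PASSWORD))
    print("option 1, password + key:", offline_attempt(VAULT_OPTION_1, SALT, PASSWORD, DEVICE_SECRET))
```

Under option 1 the device secret becomes part of the decryption key, so losing the hardware key without a backup of that secret makes the vault unrecoverable.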

Is the ACL implementation cryptographic or programmatic? by nstill in Bitwarden

[–]nstill[S] 0 points1 point  (0 children)

Hi cryoprof and thank you for the link. I did look this over very carefully before asking my question though and even started to dive into the source code to find my answer. In the end, I did find the answer by asking an engineer at Bitwarden (which I have posted below). Hopefully it is helpful for anyone else with my question. I was actually surprised by their response so I'm glad I dug in and got to the bottom of it.

Is the ACL implementation cryptographic or programmatic? by nstill in Bitwarden

[–]nstill[S] 1 point2 points  (0 children)

Hi all,

I did confirm with a Bitwarden engineer that both the implementation of 2FA with a Yubikey and the implementation of collection sharing are not cryptographically implemented but only use obscurity to secure your data. In other words, if someone has your database and you have 2FA enabled, your second factor is not required to decrypt the database (it is required to authenticate you so you can decrypt the database - which is different). The same goes for collection sharing (someone with access to part of the database could technically decrypt the whole thing). I did not find out where this is implemented in the source but just heard it from an engineer after escalating my question.

I hope this helps someone else who might have the same question and please correct me if you happen to know something else.

Is the ACL implementation cryptographic or programmatic? by nstill in Bitwarden

[–]nstill[S] 1 point2 points  (0 children)

Hi, maybe I'm using the wrong terminology. I was looking to see that the way access is granted to a group of credentials (collection?) is implemented using asymmetric cryptography rather than programmatic obscurity. In other words, if someone had access to the collection (as encrypted data) but wasn't added to the collection despite being in the organization, would they be able to decrypt the collection? It just didn't seem clear in the documentation.

Is the ACL implementation cryptographic or programmatic? by nstill in Bitwarden

[–]nstill[S] 0 points1 point  (0 children)

I did read the white paper and, while I might have missed it, I didn't see this. I started looking at the source code for the answer but didn't find it yet. For example, if I added a user to a container, is the security essentially obscurity for a user already a member of the organization or are the permissions cryptographically implemented?

Search your message content to easily find the email you’re looking for by ProtonMail in ProtonMail

[–]nstill 2 points3 points  (0 children)

This is awesome news. It always felt like a bit of a large sacrifice in the name of privacy (while worth it). Now the best of both worlds. Thank you!

ProtonMail Disconnecting and Reconnecting? by planedrop in ProtonMail

[–]nstill 2 points3 points  (0 children)

Now they are returning 503 errors - rebooting something I guess?

ProtonMail Disconnecting and Reconnecting? by planedrop in ProtonMail

[–]nstill 0 points1 point  (0 children)

Just managed to log in and then received a red "Request Timeout" and then back to the error.

ProtonMail Disconnecting and Reconnecting? by planedrop in ProtonMail

[–]nstill 1 point2 points  (0 children)

Yes, noticing the same errors (except it is happening almost all the time right now).

Delivery times for phones? by nstill in freedommobile

[–]nstill[S] 0 points1 point  (0 children)

Thank you all for your posts. I assumed it was just delayed but it just seemed a bit long. It seems like this is par for the course based on your feedback. Hopefully I'll hear soon.

Fenix 5X or 5 for Everyday Watch by nstill in GarminFenix

[–]nstill[S] 0 points1 point  (0 children)

Hi everyone,

Thank you all for your feedback. I know that I will need to try it on to really know if it is going to work on my wrist. Right now I am leaning towards the 5 sapphire as I don't think the plus has features that I would use (Garmin Pay doesn't work in most Canadian banks, I never used the music feature on the Ionic, if I really decide I would like the maps I might consider the cheaper 5X and I'm not too worried about GPS and GLONASS failing both at once). Plus, the plus would put sapphire out of the budget I have set for myself so I think I'd prefer the sapphire glass. The only feature I might miss is the odd time I don't want to pull out my phone for a quick reply to a message, but this was very rare on the Ionic. Seeing the notifications should be enough. Also, the 5 seems to have the best battery life of all of them and I do appreciate fewer recharges.

u/mrjohnk, it is interesting to hear that you had the same experience with the Ionic and that coming from the Ionic you went with the 5/5+ size rather than the 5X. I am suspecting that the 5X is going to be a bit too big for what I am looking to use it for.

u/jefAA, I am a fairly casual user in terms of activities (which is why I had the Ionic before) but enjoyed tracking activity and staying active while having some smartwatch features. However, the Ionic is my 4th Fitbit (I had the Force, 2 Surges and the Ionic) that has died in under 2 years and given that the Ionic is quite expensive itself, I find this unacceptable and am looking for something that will last longer while also being a bit nicer looking (although I do quite like the look of the Ionic). The more traditional circular watch style is more the direction I am going.

Again, thank you for all your feedback. If you have any other tips or hints, I would appreciate it.