Proton will no longer post on Mastodon
-
Will be missed /s
-
Privacy isn’t particularly good in the fediverse. Any federated instance can track you as much as they want without you ever knowing or consenting.
Self hosting Lemmy is straightforward. Then subscribe to all communities and now you have a treasure trove of data to mine. If you modify the code a bit you can do more like keep deleted posts around or surveil user activities in real time.
-
Security is hardly a binary property.
Given you mention the specific technical setup, I would say yes - that is secure against most risks relevant for most people.
At least, it's totally fine according to my own threat model, where I looked specifically at broswer-based encryption vs "manual" encryption (I.e. using PGP tools locally).
-
Especially since reddit is quite ban happy about political narratives right now, gearing the site like with Facebook, who only pushes right wing.
-
Reddit allows more control and is much aggressive in banning people sitewide as of recently. If you attempt to report a comment on reddit, you can get banned instead by the mod
-
They will leave Blue sky for twitter once , people find out as well
-
And reddit has been extra aggressive in allowing mods ban users more easier too, as of this month. Now some mods are "cahoots with admins"
-
I predict they will mostly be on X and Meta platform
-
On a platform, that will ban you if you look at it wierd
-
They wrote that they don't want to "write and forget" but engage with people (as they do on Reddit, for better or worse).
I think it's opinable, but it sounds reasonable to me. What is the value of having an official account which just reposts one-way communication already published on the blog and on the newsletter? Anybody can build such a bot, but it's not "presence" the way I interpret it. -
It is nuanced, but having the ability to selectively serve malicious javascript stealing keys to specific people only on one access is considerable issue in practice, compared to distributing binary where you would generally have the same binary for everyone and you are able to archive and analyse it.
-
Well, yes-ish.
An organization with resources to coerce or compromise Proton or similar wouldn't have trouble identifying individual users "well enough" (trivially, IP address). At that point there is absolutely nothing stopping a package distributor to serve different content by IP. Not even signatures help in this context, as the signature still comes from the same party coerced or compromised.
Also most people won't (or are unable to) analyze every code change after every update, which means in practice detection is even more unlikely for OS packages than it is for web pages (much easier to debug code and see network flows). The OS attack surface is also much broader.
In general anyway, this is such a sophisticated attack (especially the targeted nature of it) that it's not relevant for the vast, vast majority of people.
If you deal with super sensitive data you can build your proton client directly, or simply use the bridge (which ultimately is exactly like other client-side tooling), so for those very rare corner cases where this threat is relevant, a solution exists. Actually, in those cases you probably don't want to use mail in general.
So my question is, who is the threat actor you are concerned about?All in all I think that labeling "insecure" the setup for this I think is not accurate and can paint a wrong picture to people less technically competent.
-
Well, we have to carry info to the masses so that we don't repeat the story of BlueSky, where yesterday the moderators deleted a not-so-dangerous video but reopen after an uproar. It's the same Twitter, side view.
So far, I'm only getting minuses.
-
Bridge did not exist back then.
As for it being sophisticated attack, I think it is relative.
Regardless, if Proton said it did not matter to most people, I would respectfully disagree. They did not. They claimed it is not at all less secure than a native app, which is BS.
-
Sure, but at least the fediverse doesn't try to fill your browser of ads and tracking cookies
-
To be fair, the only platform I've been banned from is Mastodon... because of political ideas
-
I can see a threat model already from 2014.
Anyway, I think it's a tradeoff that it's hard to assess quantitatively, as risk is always subjective.
From where I stand, the average person using native clients and managing their own keys has a much higher chance to be compromised (by far simpler vectors), for example.
On the other hand, someone using a clean OS, storing the key on a yubikey and manually vetting the client tool can resist to sophisticated attacks better compared to using web clients.I just don't see this as hill to die on either way. In fact, I also argue in my blog post that for the most part, this technical difference doesn't impact the security sufficiently to make a difference for the average user.
I guess you disagree and that's fine.
-
That's not what privacy means. Mastodon is incredibly transparent that everything you do publicly is public - the threat model is very clear here.
Also you can't compare public tool used for tool interactions to a suite of private tools that is Proton or any other service.
Finally if all of the data is available public for anyone to access this means it's not exclusive to bad actors like ad machines, government spies etc.
-
Moving all my shit across Outlook to Proton took forever, I swear I'll shoot a mf if I have to move email providers AGAIN
-
Thank you for the correction.
Sender and recipient can’t be encrypted e2e. How would the server know to whom deliver the email if those are encrypted and not visible to it?
"End-to-end" is a bit of a misnomer in this case. Both Proton and Tuta apply encryption after receiving email in the general case, since email is not sent with E2EE across different providers (in general). Both Proton and Tuta can see your incoming email (body and all) from external servers in the general case — they just don't store it that way. (This is different when sending email between two Proton users or two Tuta users.)
