Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • World
  • Users
  • Groups
Skins
  • Light
  • Brite
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

agnos.is Forums

  1. Home
  2. Technology
  3. Proton will no longer post on Mastodon

Proton will no longer post on Mastodon

Scheduled Pinned Locked Moved Technology
157 Posts 81 Posters 825 Views
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • D [email protected]

    It is nuanced, but having the ability to selectively serve malicious javascript stealing keys to specific people only on one access is considerable issue in practice, compared to distributing binary where you would generally have the same binary for everyone and you are able to archive and analyse it.

    L This user is from outside of this forum
    L This user is from outside of this forum
    [email protected]
    wrote on last edited by
    #121

    Well, yes-ish.

    An organization with resources to coerce or compromise Proton or similar wouldn't have trouble identifying individual users "well enough" (trivially, IP address). At that point there is absolutely nothing stopping a package distributor to serve different content by IP. Not even signatures help in this context, as the signature still comes from the same party coerced or compromised.

    Also most people won't (or are unable to) analyze every code change after every update, which means in practice detection is even more unlikely for OS packages than it is for web pages (much easier to debug code and see network flows). The OS attack surface is also much broader.

    In general anyway, this is such a sophisticated attack (especially the targeted nature of it) that it's not relevant for the vast, vast majority of people.
    If you deal with super sensitive data you can build your proton client directly, or simply use the bridge (which ultimately is exactly like other client-side tooling), so for those very rare corner cases where this threat is relevant, a solution exists. Actually, in those cases you probably don't want to use mail in general.
    So my question is, who is the threat actor you are concerned about?

    All in all I think that labeling "insecure" the setup for this I think is not accurate and can paint a wrong picture to people less technically competent.

    D 1 Reply Last reply
    0
    • breadguy@fedia.ioB [email protected]

      also nobody really cares about nostr

      P This user is from outside of this forum
      P This user is from outside of this forum
      [email protected]
      wrote on last edited by
      #122

      Well, we have to carry info to the masses so that we don't repeat the story of BlueSky, where yesterday the moderators deleted a not-so-dangerous video but reopen after an uproar. It's the same Twitter, side view.
      So far, I'm only getting minuses. 😏

      1 Reply Last reply
      0
      • L [email protected]

        Well, yes-ish.

        An organization with resources to coerce or compromise Proton or similar wouldn't have trouble identifying individual users "well enough" (trivially, IP address). At that point there is absolutely nothing stopping a package distributor to serve different content by IP. Not even signatures help in this context, as the signature still comes from the same party coerced or compromised.

        Also most people won't (or are unable to) analyze every code change after every update, which means in practice detection is even more unlikely for OS packages than it is for web pages (much easier to debug code and see network flows). The OS attack surface is also much broader.

        In general anyway, this is such a sophisticated attack (especially the targeted nature of it) that it's not relevant for the vast, vast majority of people.
        If you deal with super sensitive data you can build your proton client directly, or simply use the bridge (which ultimately is exactly like other client-side tooling), so for those very rare corner cases where this threat is relevant, a solution exists. Actually, in those cases you probably don't want to use mail in general.
        So my question is, who is the threat actor you are concerned about?

        All in all I think that labeling "insecure" the setup for this I think is not accurate and can paint a wrong picture to people less technically competent.

        D This user is from outside of this forum
        D This user is from outside of this forum
        [email protected]
        wrote on last edited by
        #123

        Bridge did not exist back then.

        As for it being sophisticated attack, I think it is relative.

        Regardless, if Proton said it did not matter to most people, I would respectfully disagree. They did not. They claimed it is not at all less secure than a native app, which is BS.

        L 1 Reply Last reply
        0
        • B [email protected]

          Privacy isn’t particularly good in the fediverse. Any federated instance can track you as much as they want without you ever knowing or consenting.

          Self hosting Lemmy is straightforward. Then subscribe to all communities and now you have a treasure trove of data to mine. If you modify the code a bit you can do more like keep deleted posts around or surveil user activities in real time.

          azalty@jlai.luA This user is from outside of this forum
          azalty@jlai.luA This user is from outside of this forum
          [email protected]
          wrote on last edited by
          #124

          Sure, but at least the fediverse doesn't try to fill your browser of ads and tracking cookies

          1 Reply Last reply
          0
          • A [email protected]

            Lmao that second paragraph. This guy is not just a tool, he's the whole toolbox.

            azalty@jlai.luA This user is from outside of this forum
            azalty@jlai.luA This user is from outside of this forum
            [email protected]
            wrote on last edited by
            #125

            To be fair, the only platform I've been banned from is Mastodon... because of political ideas

            1 Reply Last reply
            0
            • D [email protected]

              Bridge did not exist back then.

              As for it being sophisticated attack, I think it is relative.

              Regardless, if Proton said it did not matter to most people, I would respectfully disagree. They did not. They claimed it is not at all less secure than a native app, which is BS.

              L This user is from outside of this forum
              L This user is from outside of this forum
              [email protected]
              wrote on last edited by
              #126

              I can see a threat model already from 2014.

              Anyway, I think it's a tradeoff that it's hard to assess quantitatively, as risk is always subjective.
              From where I stand, the average person using native clients and managing their own keys has a much higher chance to be compromised (by far simpler vectors), for example.
              On the other hand, someone using a clean OS, storing the key on a yubikey and manually vetting the client tool can resist to sophisticated attacks better compared to using web clients.

              I just don't see this as hill to die on either way. In fact, I also argue in my blog post that for the most part, this technical difference doesn't impact the security sufficiently to make a difference for the average user.

              I guess you disagree and that's fine.

              D 1 Reply Last reply
              0
              • B [email protected]

                Privacy isn’t particularly good in the fediverse. Any federated instance can track you as much as they want without you ever knowing or consenting.

                Self hosting Lemmy is straightforward. Then subscribe to all communities and now you have a treasure trove of data to mine. If you modify the code a bit you can do more like keep deleted posts around or surveil user activities in real time.

                D This user is from outside of this forum
                D This user is from outside of this forum
                [email protected]
                wrote on last edited by
                #127

                That's not what privacy means. Mastodon is incredibly transparent that everything you do publicly is public - the threat model is very clear here.

                Also you can't compare public tool used for tool interactions to a suite of private tools that is Proton or any other service.

                Finally if all of the data is available public for anyone to access this means it's not exclusive to bad actors like ad machines, government spies etc.

                B 1 Reply Last reply
                0
                • F [email protected]

                  Proton: “We’re consolidating our social media presence due to limited resources and no longer posting on Mastodon. Follow us on Reddit for the latest updates”

                  L This user is from outside of this forum
                  L This user is from outside of this forum
                  [email protected]
                  wrote on last edited by
                  #128

                  Moving all my shit across Outlook to Proton took forever, I swear I'll shoot a mf if I have to move email providers AGAIN

                  I S 2 Replies Last reply
                  0
                  • L [email protected]

                    Sender and recipient can't be encrypted e2e. How would the server know to whom deliver the email if those are encrypted and not visible to it?

                    AFAIK tuta encryption extends to the subject line only.

                    Still a nice addition, don't get me wrong, but I believe you misunderstood something.

                    From their own doc:

                    The only unencrypted data are mail addresses of users as well as senders and recipients of emails.

                    Contacts and everything else is encrypted similarly in all "secure email" providers, including Proton.

                    A This user is from outside of this forum
                    A This user is from outside of this forum
                    [email protected]
                    wrote on last edited by
                    #129

                    Thank you for the correction.

                    Sender and recipient can’t be encrypted e2e. How would the server know to whom deliver the email if those are encrypted and not visible to it?

                    "End-to-end" is a bit of a misnomer in this case. Both Proton and Tuta apply encryption after receiving email in the general case, since email is not sent with E2EE across different providers (in general). Both Proton and Tuta can see your incoming email (body and all) from external servers in the general case — they just don't store it that way. (This is different when sending email between two Proton users or two Tuta users.)

                    L 1 Reply Last reply
                    0
                    • L [email protected]

                      Moving all my shit across Outlook to Proton took forever, I swear I'll shoot a mf if I have to move email providers AGAIN

                      I This user is from outside of this forum
                      I This user is from outside of this forum
                      [email protected]
                      wrote on last edited by
                      #130

                      I was subconciously always thinking "man, imagine if Proton screws up some day and all the people who switched to it have to switch away, that would suck" but didn't think it would actually happen, but man, with enshitification, it's actually possible lmao

                      softestsapphic@lemmy.worldS 1 Reply Last reply
                      0
                      • A [email protected]

                        Thank you for the correction.

                        Sender and recipient can’t be encrypted e2e. How would the server know to whom deliver the email if those are encrypted and not visible to it?

                        "End-to-end" is a bit of a misnomer in this case. Both Proton and Tuta apply encryption after receiving email in the general case, since email is not sent with E2EE across different providers (in general). Both Proton and Tuta can see your incoming email (body and all) from external servers in the general case — they just don't store it that way. (This is different when sending email between two Proton users or two Tuta users.)

                        L This user is from outside of this forum
                        L This user is from outside of this forum
                        [email protected]
                        wrote on last edited by
                        #131

                        Yes, that's absolutely true. Assuming a full PGP flow, (e.g., proton to proton) even in that case the recipient and other metadata (in tuta, excluding subject line) is still visible to the provider.

                        Hopefully the more people move to secure providers, the more the general case will be transparent PGP, but we are a long way from there...

                        1 Reply Last reply
                        0
                        • S [email protected]

                          Wait... neither Proton supports IMAP! (unless you install their local bridge)

                          T This user is from outside of this forum
                          T This user is from outside of this forum
                          [email protected]
                          wrote on last edited by
                          #132

                          Yeah I use the bridge.

                          1 Reply Last reply
                          0
                          • L [email protected]

                            Since I have found it historically hard to engage on this (broader) subject around here, just yesterday I put together my own thoughts at https://loudwhisper.me/blog/proton-fediverse-burnout/

                            Personally, I did not see the value of their Mastodon presence, it was write only marketing communication, no engagement with the community anyway. That happened only ever on Reddit, which I think is going to continue being the case.

                            They push the same info via email newsletter, if someone really wants that stuff.

                            Either way, the post above covers my take on the whole drama, not just this last small chapter.

                            D This user is from outside of this forum
                            D This user is from outside of this forum
                            [email protected]
                            wrote on last edited by
                            #133

                            Read your entire post. You claim people will say you come off as an apologist and you do.

                            As a person who was seriously considered switching to Proton this just reminds me of why I should not. It is clear no matter what corner of the Internet we run to as long as it is into the open arm of corporations it is a mistake.

                            Blue sky, Proton, etc. are not a solution to a problem. They are just the newest version of putting lipstick on a pig. We need to move beyond corporate control and it is clear Proton, even being a nonprofit, is no solution.

                            I find your hand waving of the CEOs position particularly distasteful. There are a lot of CEOs out there that don't decide to get all political. They don't do this because they have an image or brand to protect. Maybe I just like a good illusion though.

                            In this respect I am glad he opened his ignorant mouth and showed he has no business commenting on politics. He is no political scientist, just another person drunk on his accomplishments trying to pretend he knows fuck all about anything.

                            L 1 Reply Last reply
                            0
                            • D [email protected]

                              Read your entire post. You claim people will say you come off as an apologist and you do.

                              As a person who was seriously considered switching to Proton this just reminds me of why I should not. It is clear no matter what corner of the Internet we run to as long as it is into the open arm of corporations it is a mistake.

                              Blue sky, Proton, etc. are not a solution to a problem. They are just the newest version of putting lipstick on a pig. We need to move beyond corporate control and it is clear Proton, even being a nonprofit, is no solution.

                              I find your hand waving of the CEOs position particularly distasteful. There are a lot of CEOs out there that don't decide to get all political. They don't do this because they have an image or brand to protect. Maybe I just like a good illusion though.

                              In this respect I am glad he opened his ignorant mouth and showed he has no business commenting on politics. He is no political scientist, just another person drunk on his accomplishments trying to pretend he knows fuck all about anything.

                              L This user is from outside of this forum
                              L This user is from outside of this forum
                              [email protected]
                              wrote on last edited by
                              #134

                              Thanks for the response, despite the fact we disagree quite substantially.

                              I think it's OK that different people have different points of view. Everyone's opinion also should fit within a broader (political) praxis and strategy that they support.

                              There are a lot of CEOs out there that don’t decide to get all political. They don’t do this because they have an image or brand to protect. Maybe I just like a good illusion though.

                              This is something I particularly disagree, as you probably have already read. Ignorance on once's position doesn't mean that position doesn't exist. I appreciate Jeff Bezos for example writing that memo (just yesterday's published), compared to acting the same way without my full knowledge.

                              He is no political scientist

                              If this was the criteria to comment on politics, honestly we should shut down everything (including Lemmy) 🙂

                              D 1 Reply Last reply
                              0
                              • L [email protected]

                                I can see a threat model already from 2014.

                                Anyway, I think it's a tradeoff that it's hard to assess quantitatively, as risk is always subjective.
                                From where I stand, the average person using native clients and managing their own keys has a much higher chance to be compromised (by far simpler vectors), for example.
                                On the other hand, someone using a clean OS, storing the key on a yubikey and manually vetting the client tool can resist to sophisticated attacks better compared to using web clients.

                                I just don't see this as hill to die on either way. In fact, I also argue in my blog post that for the most part, this technical difference doesn't impact the security sufficiently to make a difference for the average user.

                                I guess you disagree and that's fine.

                                D This user is from outside of this forum
                                D This user is from outside of this forum
                                [email protected]
                                wrote on last edited by
                                #135

                                doesn't impact the security sufficiently to make a difference for the average user.

                                I think it is borderline. I am not advocating for PGP, I like the Signal model where you trust signal for introductions but have the ability to verify, even in retrospect. Trust but verify. Even a few advanced users verifying Signal keys forces Signal to remain honest or risk getting caught.

                                I think the lack of meaningful verification for proton is a significant security weakness, though average user probably has bigger things to worry about.

                                L 1 Reply Last reply
                                0
                                • L [email protected]

                                  Thanks for the response, despite the fact we disagree quite substantially.

                                  I think it's OK that different people have different points of view. Everyone's opinion also should fit within a broader (political) praxis and strategy that they support.

                                  There are a lot of CEOs out there that don’t decide to get all political. They don’t do this because they have an image or brand to protect. Maybe I just like a good illusion though.

                                  This is something I particularly disagree, as you probably have already read. Ignorance on once's position doesn't mean that position doesn't exist. I appreciate Jeff Bezos for example writing that memo (just yesterday's published), compared to acting the same way without my full knowledge.

                                  He is no political scientist

                                  If this was the criteria to comment on politics, honestly we should shut down everything (including Lemmy) 🙂

                                  D This user is from outside of this forum
                                  D This user is from outside of this forum
                                  [email protected]
                                  wrote on last edited by
                                  #136

                                  Your don't really have much of opinion except as an apologist. A devil's advocate defender of corporate and political nonsense without stating your actual thoughts beyond, "it is more nuanced that that" is pretty disingenuous.

                                  It is okay to have differing opinions when someone's opinion smells like shit. All the while you pass out the verbal/written clothespins is really just your version of carrying water. I know, I know it is more nuanced than that. Only it really isn't.

                                  And yes, you should have a degree or really just some critical thinking skills before deploying your wanna be political commentary on the world when you are in a leadership position. Otherwise please keep that shit to yourself and keep it out of your business if you ever want my money.

                                  L 1 Reply Last reply
                                  0
                                  • D [email protected]

                                    doesn't impact the security sufficiently to make a difference for the average user.

                                    I think it is borderline. I am not advocating for PGP, I like the Signal model where you trust signal for introductions but have the ability to verify, even in retrospect. Trust but verify. Even a few advanced users verifying Signal keys forces Signal to remain honest or risk getting caught.

                                    I think the lack of meaningful verification for proton is a significant security weakness, though average user probably has bigger things to worry about.

                                    L This user is from outside of this forum
                                    L This user is from outside of this forum
                                    [email protected]
                                    wrote on last edited by
                                    #137

                                    I think I can agree with that. Unfortunately PGP is the only alternative we have for emails (i.e., the client-side tools would still be doing PGP encryption), which is also the reason why it shouldn't be used for really delicate communication. The fact that - whatever setup you use - there will always be metadata showing that person X communicated with person Y alone is a nonstarter for certain types of communication.

                                    Signal would be my recommendation.

                                    D 1 Reply Last reply
                                    0
                                    • D [email protected]

                                      Your don't really have much of opinion except as an apologist. A devil's advocate defender of corporate and political nonsense without stating your actual thoughts beyond, "it is more nuanced that that" is pretty disingenuous.

                                      It is okay to have differing opinions when someone's opinion smells like shit. All the while you pass out the verbal/written clothespins is really just your version of carrying water. I know, I know it is more nuanced than that. Only it really isn't.

                                      And yes, you should have a degree or really just some critical thinking skills before deploying your wanna be political commentary on the world when you are in a leadership position. Otherwise please keep that shit to yourself and keep it out of your business if you ever want my money.

                                      L This user is from outside of this forum
                                      L This user is from outside of this forum
                                      [email protected]
                                      wrote on last edited by
                                      #138

                                      I felt that was really uncalled for. The whole post elaborates quite a lot in thousands of words, and I feel like your summary is not really accurate.
                                      Unfortunately, I have no way to debate accusations that follow a circular logic, so I won't attempt to do so.

                                      Otherwise please keep that shit to yourself and keep it out of your business if you ever want my money.

                                      I reiterate that I find curious that you seem to prefer ignorance of those positions, as if the reality is suddenly better if you don't know a problem exists.
                                      You would rather pay for Proton not knowing that Andy Yen thinks what he thinks than having more information so that you can choose to stop paying. Obviously just an example, same thing applies to the WaPo or Tesla, or any other similar case.

                                      D 1 Reply Last reply
                                      0
                                      • L [email protected]

                                        I think I can agree with that. Unfortunately PGP is the only alternative we have for emails (i.e., the client-side tools would still be doing PGP encryption), which is also the reason why it shouldn't be used for really delicate communication. The fact that - whatever setup you use - there will always be metadata showing that person X communicated with person Y alone is a nonstarter for certain types of communication.

                                        Signal would be my recommendation.

                                        D This user is from outside of this forum
                                        D This user is from outside of this forum
                                        [email protected]
                                        wrote on last edited by
                                        #139

                                        Yeah, we should just ditch email for sensitive communications.

                                        Anyway, my point was that a lost trust in Proton back then over this and went to Tuta that has native clients. It makes no difference to my security since I don't think I ever sent or received a single mail that was actually e2e encrypted. But Tuta's more serious approach to e2ee made me slightly more confident in it as a company.

                                        1 Reply Last reply
                                        0
                                        • L [email protected]

                                          I felt that was really uncalled for. The whole post elaborates quite a lot in thousands of words, and I feel like your summary is not really accurate.
                                          Unfortunately, I have no way to debate accusations that follow a circular logic, so I won't attempt to do so.

                                          Otherwise please keep that shit to yourself and keep it out of your business if you ever want my money.

                                          I reiterate that I find curious that you seem to prefer ignorance of those positions, as if the reality is suddenly better if you don't know a problem exists.
                                          You would rather pay for Proton not knowing that Andy Yen thinks what he thinks than having more information so that you can choose to stop paying. Obviously just an example, same thing applies to the WaPo or Tesla, or any other similar case.

                                          D This user is from outside of this forum
                                          D This user is from outside of this forum
                                          [email protected]
                                          wrote on last edited by
                                          #140

                                          There is nothing to debate because my summary and all your replies just reinforce my opinion of you. This is just my critical opinion though and it is not meant as an attack, but a wake up call. I appreciate the time and effort you put into this even if it is misplaced at best

                                          We all know problems exist. We all know speech has consequences. A leader, particularly in business, has a special fiduciary responsibility to their business. If they choose to expose themselves as politically ignorant and supporting positions that are indefensible the consequences is they will lose business. This is all I am pointing out.

                                          You conflate two things here which are a person's right to speak their mind and their responsibility to bigger issues. I get you want to hear their opinions and then play devil's advocate about them because that is just what you do.

                                          You are clearly technically minded but you are also clearly not politically minded. Much like our errant CEO and reminiscent of when a US congressman tries to grasp web technology. They say a lot of ignorant things about tech just like Andy says ignorant things about politics.

                                          Clearly you feel a kinship with this man because you are also heavily invested in the tech world. You defend him because you also admire him. No amount of debate or hand waving will change this immutable fact.

                                          L 1 Reply Last reply
                                          0
                                          Reply
                                          • Reply as topic
                                          Log in to reply
                                          • Oldest to Newest
                                          • Newest to Oldest
                                          • Most Votes


                                          • Login

                                          • Login or register to search.
                                          • First post
                                            Last post
                                          0
                                          • Categories
                                          • Recent
                                          • Tags
                                          • Popular
                                          • World
                                          • Users
                                          • Groups