
Is ProtonMail lying about their encryption? [video] - octosphere
https://www.youtube.com/watch?v=AhdJzjC7Leo
======
mimixco
When this scandal first came out, I poked around in their documentation. While
they claim that even they don't have your private keys and can't read your
email, a little investigation will show that they can reset your password. Now
I ask you, if you can't read someone's keys, how can you reset their password?
That's an obvious backdoor.

Compare this with Tresorit (Swiss private cloud storage) whose documentation
clearly says that if you lose your password, they can't help you.

The original video is absolutely correct that ProtonMail reduces your exposure
to third-party and advertising-based spying. He's also right that a desktop or
mobile app is theoretically safer than JS running in the browser. It's
interesting to note here that it was leaked that the NSA can and does force
providers to push you your own, individually hacked versions of apps if they
want them to. In other words, you could very well be running a different web
page or app than the other users without you knowing it. Australia's new
surveillance laws list that exact behavior as an explicit requirement that
must be supported if the government asks a provider to do it.
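
The password-reset argument in the comment above, as an added worked example (it is not part of the thread and not ProtonMail's, Tresorit's or anyone's production code): a private key sealed under a password-derived key, which is what "we don't have your keys" implies, next to an escrow design where the provider also keeps the key under a key of its own. In the first model a reset that skips the old password has no plaintext key to re-wrap, so the user can only be handed a brand-new key; in the second, the same provider key that makes a no-password reset possible also reads the private key. The function names, the iteration count and the sample key bytes are assumptions made for the example, and nothing here describes how any real provider implements reset.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

const kdfIterations = 10_000 // illustrative (an assumption); real clients use far more

// Account is all a zero-access provider would hold: a salt plus the private
// key sealed with AES-256-GCM under a key derived from the user's password.
type Account struct {
	Salt       []byte
	WrappedKey []byte // nonce || ciphertext || tag
}

// pbkdf2SHA256 derives one 32-byte block as in RFC 8018 section 5.2.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian index of block one
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || AES-GCM ciphertext of plaintext under key.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand: a fresh nonce per seal
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key or a tampered blob yields an error.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("wrapped key too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// WrapPrivateKey is the client's signup step; the server only stores the result.
func WrapPrivateKey(password, privateKey []byte) (Account, error) {
	salt := make([]byte, 16)
	rand.Read(salt)
	blob, err := seal(pbkdf2SHA256(password, salt, kdfIterations), privateKey, salt)
	return Account{Salt: salt, WrappedKey: blob}, err
}

// UnwrapPrivateKey is the client's login step; only the password opens the key.
func UnwrapPrivateKey(password []byte, a Account) ([]byte, error) {
	return open(pbkdf2SHA256(password, a.Salt, kdfIterations), a.WrappedKey, a.Salt)
}

// ChangePassword needs the OLD password: without it there is no plaintext key
// to re-wrap, so a zero-access reset can only hand the user a brand-new key.
func ChangePassword(a Account, oldPw, newPw []byte) (Account, error) {
	priv, err := UnwrapPrivateKey(oldPw, a)
	if err != nil {
		return Account{}, err
	}
	return WrapPrivateKey(newPw, priv)
}

// ProviderReset is the other design: the provider also holds the private key
// sealed under its OWN key (escrow = seal(providerKey, privateKey, nil)), so it
// can reset the password without the user, and can read the key any time it likes.
func ProviderReset(escrow, providerKey, newPw []byte) (Account, error) {
	priv, err := open(providerKey, escrow, nil)
	if err != nil {
		return Account{}, err
	}
	return WrapPrivateKey(newPw, priv)
}
```

The practical check this suggests for any provider's documentation: does a password reset preserve access to mail encrypted before the reset? If it does, something other than the password unlocked the old private key, and the documentation should say what (a provider-held escrow key as in ProviderReset above, or recovery material the user was given up front).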

