I'm a happy ProtonMail user. I've never had an issue with the system and the web app is very pleasant to use.
However, I wonder when (if at all) they plan on encrypting more metadata...? Any of you users actually look at the network log of ProtonMail web app? Almost all effort goes into encrypting just the body of the emails, while just about everything else is seemingly stored in plaintext (headers, subjects, senders, recipients, etc.).
What is this? Since when did cloud hosted solutions announce version number changes? Is ProtonMail suddenly available as an open source self-hosted platform?
> Since when did cloud hosted solutions announce version number changes?
It would be great if cloud solutions actually allowed customers to upgrade to new versions when it suits them, not when it suits the provider. And with security fixes properly backported.
Some providers do this for specific APIs though I may be thinking of SaaS and not the general cloud. I agree though. Although I think Azure Functions lets you pick the version as well iirc.
> This announcement is an example of why I am not using ProtonMail anymore. There are a lot of things they do that sound very good on marketing materials, but upon examination are security theater.
As a user for more than a year I've suffered data loss using the Bridge Client on macOS, seen (and have copies of) encrypted phishing emails originating from trusted TLDs and PM themselves, and well, if they fixed something in the new release I'd really hope it would be the Phishing report button - which doesn't seem to work on Android.
I looked at Tutanota as an alternative, but in the end all I really wanted was something that integrates with my operating environments and just works. There are plenty of ways to communicate securely. Email doesn't have to be the best one.
That depends, are you being investigated by the Swiss government?
Protonmail can not send data it doesn't have, so unless you think they may have singled you out to serve you client-side code with broken encryption, they will not be sending anything to anyone.
If what you're asking is whether you can use Protonmail to engage in illegal activities with full assurance of impunity... then no, you can't.
> Protonmail can not send data it doesn't have,...
Is there any documentation on what info they have that is verifiably encrypted?
I assume their JavaScript library (served by them, and trusted by our browser) encrypts the body of the email using a key of the user's choice. What about the email metadata, and the authenticity of the crypto library they serve and use?
I don't use protonmail because they lack the ability to do a full-text search on emails, which is critical to my usage. But I'm curious about their security implementation just to understand and possibly learn.
Can the Swiss govt simply gag order them to serve broken crypto to everyone so that they can get legal access to some user's email?
Yes, if you're under criminal investigation, or if ProtonMail is provided with overwhelming evidence that your account is being used for illegal activities.
I love how there's topics on HN which are basically pointless to try and dispute the nonsense because ever more commentators are going to continue doing it.
The fact that comment sections fill up with this stuff instantly and there are so many saying it's all a scam says something in itself. Along with the routine DDoS'ing they get every few months, it gives me a suspicion of which way to lean in the debate.