Well, the trade-off by using ProtonMail / Lavabit… If most of the user’s contacts don’t use the same provider, which is very reasonable to assume, their mails are still sent in cleartext around the world.
I easily grant them this to be true, yet that doesn’t give one what they are implying with it. How much worth is your super secure SSL engine, if the communication between the web server and the SSL engine on their server is still easily compromised by an adversary that can force local hardware access?
[quote="HulaHoop, post:4, topic:3459"]
@Patrick will sdwdate work with an https address?
[/quote]
url_to_unxtime https support
https://www.wired.com/2015/10/mr-robot-uses-protonmail-still-isnt-fully-secure/ nailed it perfectly:
Of course, this doesn’t mean ProtonMail couldn’t give the government plaintext messages—just that it would require ProtonMail to actively attack you and steal the required password.
A way around that would be the browser add-on. Then they would have to ship the backdoored add-on to everyone and then there would be evidence that there is a backdoor.
I don’t think an add-on will find widespread adoption either. It would be another nice geeky nice-to-have but that’s about it.
What could help with widespread implementation and strong security would be implementing DIME inside Firefox and Chrome browsers. Then if a backdoor was demanded to be added, it would affect the whole user base of these browsers. With public source control systems (git…) and reproducible builds this would have a very good chance of detection. (Many more people involved than just a few people using some unpopular browser add-on.)
Someone feeling awesome to check if that was suggested / can suggest that to them?
While that is really awful, not doing that is only security by policy (a promise), not security by design.
That is hard since meta data hiding is currently provider specific and very far from widespread adoption.
Yes, that would be great!
On the other hand, e-mail even with Enigmail, I am not sure usability is so broken beyond repair, unencrypted subjects and meta data, that at the current state the most sensible thing would be to discourage using e-mail for private communications.
I haven’t looked enough into replacements like Bitmessage, Freemail, pretty Easy privacy (p≡p) and whatnot.
As per https://www.whonix.org/wiki/PQCrypto it does not seem too sensible to me to start recommending a replacement that gets broken in ~ 10 years anyhow. So PQCrypto safe seems like a sensible criterion.