• illectrility
      4
      1 year ago

      Not only is this article three years old, it is also lacking in terms of sources. Additionally, the language and phrasing is quite inappropriate for the purpose of spreading the information. Lots of text is just mean and offensive without any actual purpose.

      It also seems to be largely based on speculation rather than actual solid evidence.

      I’m not against investigating the legitimacy of established and trusted privacy-first providers. However, this seems a bit lackluster.

      Also: Email is inherently insecure, we all know that. Proton services are open source, independently audited and verifiably E2EE, except for Mail, which uses PGP for the emails themselves and E2EE to store them.

      • Sybil
        1
        1 year ago

        for what claim do you want a source that isn’t provided?

        • illectrility
          3
          1 year ago

          All of the hyperbole and speculation? The SSL stuff with TOR for example. That’s not proof, that’s a hint at best

          • Sybil
            1
            1 year ago

            they say plainly what they don’t know. what they don’t know, you don’t know. and if you don’t know, you are trusting on faith, not evidence.

  • with chicken
    4
    1 year ago

    So what’s more privacy friendly, using a browser to check email, or using the official Proton app?

    • John Richard
      5
      1 year ago

      Neither. The single app that Proton has done somewhat right with is their VPN and only because they haven’t eliminated port forwarding. Everything else they’ve utilized non-standard protocols and failed to provide source code or API docs. They basically said that users are too stupid to protect themselves, and that you should just trust them to do it for you.

      They failed to provide CalDav & CardDav syncing for things like calendars & contacts, IMAPS for mail, and prioritized things like their cloud-only password store. They had no valid reason not to use standardized protocols other than to prevent their users from actively syncing local copies of their data to integrate with privacy-friendly open source software. They act like Apple & a lot of their users prob. are Apple fan bois who will trust a company no questions asked. I have no reason to trust them whatsoever.

  • @[email protected]
    6
    1 year ago

    On a related note? When my friend on proton sends me (regular imap, openpgp) and several others (gmail, outlook) an email with all of us as recipients, it seems that proton cheats? I get to decrypt the message, whereas the others just read plain, unencrypted text.

    At first I thought this was smart. But now I kind of realize how much of a nightmare this seems to be.

    On the other hand, I am not really sure how they do it? Is it two different mails, with fake headers? Or is it more like: if no encryption is available, show this (identical) text instead?

  • youmaynotknow
    74
    1 year ago

    Yeah, Proton is awesome, that’s for sure. Now, being a “security and privacy” company, it blows my mind that they put so much effort on making apps for Windows and Mac first, leaving Linux behind, and when they finally get to it, they just dump in a glorified PWA. This world is really weird 🤣🤣

      • youmaynotknow
        1
        1 year ago

        I had no idea the whole world was capitalist, but I guess I don’t know everything. And there’s the fact that I mentioned the world, not a form of political economy. But yeah, capitalism is weird.

        • @[email protected]
          7
          1 year ago

          They mutually imply one another.

          If something was private, but not secure, well, that implies there are ways to breach the privacy, which isn’t very private at all.

          If it’s secure, but not private, that implies it’s readable by someone other than the consenting conversational parties, which makes it insecure.

          • @[email protected]
            10
            1 year ago

            Privacy: I have blinds on my windows. I control whether they are open or closed, but they aren’t secure. You could break a window and look inside if you really wanted to.

            Security: my glass storm door has a lock. But privacy is only there when I close the front door.

            There is overlap between these two concepts but one does not imply the other.

        • @[email protected]
          8
          1 year ago

          I’m not, the comment I was replying to literally called proton a “security and privacy” company.

      • youmaynotknow
        3
        1 year ago

        That’s why I put “security and privacy” between quotes. I have absolutely no way to confirm if they are secure and private or if they’re not, other than all the contradicting mentions all over the internet. Also, while security and privacy may not be mutually dependent in the physical world, it stands to reason that something insecure cannot be private, and something not private is inherently insecure, as @[email protected] clearly pointed out. As for controlling my own email infrastructure, I’d love to, as everything else I do self-host, and only with FOSS software. However, email hosting is a seriously complicated animal that requires too much effort and maintenance, and most of us don’t have the knowledge and time to invest in that, so compromises need to be made. I am well aware that there’s always risk on using something I have no real control over, but the alternative meets the reason for the phrase “the treatment is worse than the disease”.

      • @[email protected]
        9
        1 year ago

        Companies have to comply with law enforcement. If anything, the little amount of data they were able to give after being forced is a good proof of their overall claim. If there is someone to blame here, it is the courts using antiterrorism laws to catch environmental activists.

        • @[email protected]OP
          1
          1 year ago

          Exactly, if it’s a company they have to comply with laws. This is not a service to rely on if you are doing espionage or something. It’s for people who want more privacy and choice.

      • @[email protected]
        1
        1 year ago

        If you just did this little thing, you would convey your point very well. Proton is unfit for activist and journalist tier threat models. You could link Moon Of Alabama blog articles. Proton is better than Gmail and Outlook, but it is no saint. It is enough to achieve good basic privacy and security, but not bulletproof in worst cases.

      • @[email protected]
        4
        1 year ago

        I mean, if you want secure/private communication, email should not be your go-to. It’s a horrible platform by today’s standards. It was never designed to have any serious level of security. Once they have an unencrypted email on the target with timestamps and mail headers, all they need to do is see who was communicating with Proton at that point. I don’t know if anything has changed since the PRISM days, but back in the 2000s, they definitely had that level of insight into the web.

        • @[email protected]OP
          1
          1 year ago

          Not much has changed. It’s really only secure if you are sending emails between addresses within the same local network like gmail to gmail. Thankfully with end to end encryption it can be pretty safe, just good luck finding someone that knows how to use it. But thankfully proton makes that pretty seamless.

      • youmaynotknow
        1
        1 year ago

        I don’t use either OS, but the apps are .DMG (Mac) and .exe (Windows), so I believe they are, yes.

          • youmaynotknow
            5
            1 year ago

            I had no idea. That’s good information to have. And my wife doesn’t get why I spend so much time in Lemmy. I learn more here than with all the online courses I take regularly put together. I love this community.

      • @[email protected]
        4
        1 year ago

        I prefer rpm over flatpak. at least I know any os dependency updates are happening regularly, flatpak may not get weekly dependency updates from proton

          • @[email protected]
            1
            1 year ago

            I’m on OpenSuse which will take a Fedora RPM, and most will take deb, if they don’t you can use the alien tool to convert it for your OS…extra steps which sucks

            • @[email protected]
              1
              1 year ago

              OpenSUSE does not have Fedora’s ABI or package names. The RPMs aren’t compatible.

              This one might work as it’s just Electron.

              • @[email protected]
                1
                1 year ago

                I installed it and it works. I have also installed other Fedora RPMs. RPM can contain repo links to dependencies needed, or just contain all the libraries needed. OpenSUSE will install it and just treat them as Orphaned Packages (in the latter case)

      • @[email protected]
        16
        1 year ago

        Are you kidding me? Doesn’t bother me that much, as I use Thunderbird with Protonmail bridge. I’m still waiting on Proton Drive for linux. Well, I’m gonna end up self hosting at this point. :(

    • @[email protected]
      7
      1 year ago

      it blows my mind that they put so much effort on making apps for Windows and Mac first, leaving Linux behind

      Because most people use Windows and Mac, including their clients. It’s not the world that is weird, it’s people who don’t understand such basic things. You don’t focus on 5% of your users.

    • Southern Wolf
      2
      1 year ago

      Looks like it, it’s available as a zip in the releases along with the compiled app, but isn’t yet uploaded fully on GitHub.

    • illectrility
      6
      1 year ago

      This came way sooner than expected, be grateful. It’ll arrive soon enough. Patience, young padawan

      • @[email protected]
        153
        1 year ago

        It’s basically Chrome. It’s not a real application, it’s a website pretending to be one. It uses a metric fuckton of RAM and eats your battery faster than Prince Andrew a minor.

        • @[email protected]
          2
          1 year ago

          No, one Chrome tab does not eat that much RAM. Yes it is not as good as native, but it is more platform agnostic, and an Electron app does not really go above 300 MB RAM.

        • @[email protected]
          47
          1 year ago

          If Firefox could allow their engine to be packaged like this I’d use it. The problem I see here is chromium. Everything is a trade off and we need more ways to build maintainable cross platform applications.

          Slack, for example, is Electron and it runs great. One of the best apps I’ve used. And it works better than the browser version…

          The hate on Lemmy of electron is a bit of an overreaction if you ask me. Yeah it uses more ram than is necessary but again everything is a trade off. Not everything can be a hard to maintain rust app. Let’s try to embrace cross platform solutions, though yes fuck chrome/google, so sure criticize that part of it.

          • John Richard
            2
            1 year ago

            Let me get this right… you’re complaining about Chromium, but you use Slack? You do realize Chromium had better Linux support for things like HW-accelerated decoding than Firefox? Also, the Chromium sandbox is superior to Firefox.

            • @[email protected]
              9
              1 year ago

              I realize Firefox business practices aren’t total garbage for humanity and that they are constantly working to improve it on like .1% budget of Google. And that they are the only real competition which keeps us in a situation where we actually have a choice in browsers. So yeah let’s only care about the technical aspects, or something

              • John Richard
                0
                1 year ago

                And that they are the only real competition which keeps us in a situation where we actually have a choice in browsers.

                That isn’t true. You’ve got WebKit-based browsers, LadyBird/LibWeb/LibJs, Goanna, and others. Why choose Mozilla to lead the efforts, when another open source community/foundation may be better? You can also participate in the various new web specifications yourself too if you’re not happy with the direction they’re headed.

                • myxi
                  6
                  1 year ago

                  They said competition, not alternatives. As things are right now, and knowing people, not just trying to make a technical point, Firefox is the only competition.

            • @[email protected]
              2
              1 year ago

              Chromium had better Linux support for things like HW-accelerated decoding than Firefox?

              Source? Experienced the exact opposite, especially on Wayland.

              • John Richard
                1
                1 year ago

                You can track the bug history here:

                https://bugzilla.mozilla.org/show_bug.cgi?id=1751363

                You can see here Chromium had support for this for several years prior:

                https://aur.archlinux.org/cgit/aur.git/log/PKGBUILD?h=chromium-vaapi

                Android being based on Linux prob has something to do with Chromium’s strong Linux support, but Mozilla has consistently prioritized Windows/Mac. Despite it still being challenging, building Chromium from source has always been a lot easier IMO than trying to create a custom build of Firefox.

                Regardless, when it comes to privacy, Chromium itself is pretty stripped down and has policy-based integrations that put it on par with Firefox in terms of security. Even with Firefox, you’d have to modify quite a few policies to improve security. Tor/Mullvad Browser though do a better job in many ways and there is no equal to those privacy enhancements on Chromium that I know of, unless you’re using something like GrapheneOS.

                Point being, people like to complain about Chromium a lot & act like Apple fan bois for Firefox, when in reality privacy is nearly the same with both with some minor configurations.

                • @[email protected]
                  2
                  1 year ago

                  What the heck are you talking about? Chromium is one of the hardest packages to build and it takes forever. Firefox has FAR fewer dependencies. Chromium’s privacy enhancements are a joke.

                • @[email protected]
                  1
                  1 year ago

                  Chromium is not stripped down at all, just use googerteller and see. It contacts Google everywhere, on the password list, on the account list, in some settings pages, and just randomly sometimes.

                  It is very crazy. And also it is not fingerprint resistant at all.

                  I am using all flag settings, policies and GUI settings possibly existing and it still is like that. So no, it is not the same privacy-wise.

          • @[email protected]
            4
            1 year ago

            Rust is infinitely easier to maintain than mountains of untyped js garbage libraries built upon left pad

          • Cosmic Cleric
            6
            1 year ago

            Let’s try to embrace cross platform solutions,

            [JavaFX has entered the chat.]

          • qaz
            9
            1 year ago

            There is Tauri which packages it with WebKit and uses Rust as backend.

          • @[email protected]
            3
            1 year ago

            The hate on Lemmy of electron is a bit of an overreaction if you ask me

            The issue is mainly developers using Electron when things like React Native and Flutter exist. I don’t know a lot about Flutter, but React Native uses native UI widgets and feels a lot nicer than Electron.

      • @[email protected]
        3
        1 year ago

        Electron runs a core Chromium Browser + NodeJS + a bit more.

        Unlike Chromium itself it is not backwards compatible and removes a ton of things like its sandboxing capabilities.

        I am not sure how it is less secure, but it may use more RAM (also not always but generally yes of course), doesn’t allow hardening (unlike android WebView apps) and breaks LD_PRELOAD-ing another memory allocator.

        This is only a big problem in special cases, in general it makes apps strictly dependent on GNU glibc and others, no idea how it works on Alpine or others (that actually try to make a secure system).

        If somebody knows more about security concerns about Electron, please add.
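
Added example (not part of the thread, and not Proton's or Electron's own code): whether an Electron renderer runs inside Chromium's sandbox, and whether page scripts can reach Node.js, is decided by the `webPreferences` an app passes to `BrowserWindow`. The sketch below resolves those options against the defaults of a given Electron major version and reports the weakened ones; `auditWebPreferences`, the finding ids and the sample configurations are constructed for illustration.

```javascript
// Added example: audit the webPreferences object an Electron app passes to
// `new BrowserWindow({ webPreferences })`. Function names, finding ids and
// the sample configurations are constructed for illustration.

// Defaults per Electron major version, following Electron's breaking-change
// notes: nodeIntegration off since 5.0, contextIsolation on since 12.0,
// renderer sandbox on since 20.0.
function defaultsFor(major) {
  return {
    nodeIntegration: major < 5,
    contextIsolation: major >= 12,
    sandbox: major >= 20,
    webSecurity: true,
    allowRunningInsecureContent: false,
  };
}

// Merge the options the app set explicitly over the version defaults.
function effectivePreferences(prefs, major) {
  const eff = defaultsFor(major);
  for (const key of Object.keys(eff)) {
    if (typeof prefs[key] === 'boolean') eff[key] = prefs[key];
  }
  // Since 20.0 the sandbox is on by default only while nodeIntegration is
  // off; enabling nodeIntegration without an explicit `sandbox` drops it.
  if (typeof prefs.sandbox !== 'boolean' && eff.nodeIntegration) {
    eff.sandbox = false;
  }
  return eff;
}

const CHECKS = [
  { id: 'sandbox-off', bad: (e) => !e.sandbox,
    why: 'renderer runs outside the Chromium OS-level sandbox' },
  { id: 'node-integration', bad: (e) => e.nodeIntegration,
    why: 'nodeIntegration is enabled, exposing Node.js APIs to page scripts' },
  { id: 'context-isolation-off', bad: (e) => !e.contextIsolation,
    why: 'preload script and page share one JavaScript context' },
  { id: 'web-security-off', bad: (e) => !e.webSecurity,
    why: 'same-origin policy is disabled for this window' },
  { id: 'insecure-content', bad: (e) => e.allowRunningInsecureContent,
    why: 'HTTPS pages may load scripts and styles over plain HTTP' },
];

// Returns one finding per weakened setting, in the order of CHECKS.
function auditWebPreferences(prefs, major) {
  const eff = effectivePreferences(prefs, major);
  return CHECKS.filter((c) => c.bad(eff)).map((c) => ({ id: c.id, why: c.why }));
}

function findingIds(prefs, major) {
  return auditWebPreferences(prefs, major).map((f) => f.id);
}

// Constructed sample configurations (not taken from any real application).
const SAMPLES = [
  { name: 'defaults plus preload, Electron 28',
    major: 28, prefs: { preload: 'preload.js' } },
  { name: 'legacy-style options, Electron 28',
    major: 28, prefs: { nodeIntegration: true, contextIsolation: false } },
  { name: 'no options at all, Electron 4',
    major: 4, prefs: {} },
  { name: 'same-origin policy switched off, Electron 28',
    major: 28, prefs: { webSecurity: false } },
];

for (const s of SAMPLES) {
  const findings = auditWebPreferences(s.prefs, s.major);
  console.log(`${s.name}: ${findings.length ? '' : 'no findings'}`);
  for (const f of findings) console.log(`  [${f.id}] ${f.why}`);
}
```

When reviewing a real app, the object to audit comes from the main-process source where each window is created, together with the Electron version the app bundles.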

        • @[email protected]
          1
          1 year ago

          Yeah, I was disappointed, but at least it is a controlled browser and not reliant on your normal browser which could change or have malicious extensions

        • @[email protected]
          1
          1 year ago

          This. It’s a webapp with more persistent storage maybe. If the Browsers could integrate this, it would be a gamechanger.

          I am also very sure that Chrome preloads google.com to make it seem to “load faster”. It’s all just preloading or persistent storage

        • @[email protected]
          13
          1 year ago

          Slack desktop app is built with electron and works much better than the web app in my experience. So no it’s not actually always that simple.

            • @[email protected]
              9
              1 year ago

              You really believe that? It would be easier for them to maintain only the website, so this really doesn’t make sense to me.

          • @[email protected]
            4
            1 year ago

            Slack is one of those apps which lags in a week on any hardware, it might be better than web version but it still sucks ass compared to fucking ICQ clients. Source: using it in the company I work for, for about 7 years already.

            • @[email protected]
              1
              1 year ago

              I don’t often have trouble with slack being slow, or buggy. Been using it like 9 years myself. Interesting you’re comparing slack to icq. Are you referring to a current version of icq, or the one that existed in the early 2000s?

              I am not sure I understand comparing an app designed to do video/audio chat seamlessly, threaded conversations, channels, filesharing, plus has dozens of subtle nice features that make for a rich experience and a… Chat app, that worked fine for sending plaintext messages but didn’t really do anything else.

              • @[email protected]
                1
                1 year ago

                I compare it to qip or similar with voice calling support about 10 years ago. But still, Slack loses to pretty much anything on the market regarding performance, be that Element, Telegram, Skype or even Discord. It literally battles with biggest IDEs lol

          • John Richard
            0
            1 year ago

            Now that Chromium has persistent File System Access permission support, what benefit does Electron have over a PWA other than “Native-looking” menu bars?

      • @[email protected]
        17
        1 year ago

        It’s what you deploy to your users if you want to work around ad blockers and browser extensions. It’s a great tool to get operating system level access to exfiltrate information about your users and identify them uniquely, even if they would prefer that not to happen.

        All that with the help of Google’s telemetry engine aka Chrome, which further helps Alphabet to manifest their interpretation of web standards in the world.

        We worked to move things onto the web. Now people bring the web back to your desktop with every application bringing its own browser shell. We have come full circle and we’re now using 10x the resources.

        Electron is the prime example of everything that is wrong in IT.

      • @[email protected]
        60
        1 year ago

        Each electron App is actually a full independent chromium browser install running a website. It’s easy to code for and works cross platform as a result, but it’s essentially just a website, although they can run offline depending on what’s been built in to the local app.

        Each electron app running on your system is a separate full chromium app running, with no sharing of resources between each instance. So they take up a lot of space each and duplicate all the resource usage, and potentially the security flaws.

      • @[email protected]OP
        1
        1 year ago

        Bridge

        I am actually sort of worried that now that they put this out they will retire bridge. We will have to wait and see. Is having a browser tab open really that bad… ?? I suppose but I still like programs over web pages.

      • Russ
        4
        1 year ago

        The GitHub repository for the project is here, and the tagline of the repository is:

        Desktop application for Mail and Calendar, made with Electron

  • @[email protected]
    48
    1 year ago

    “Finally” really is the key word, waiting for Proton to add features or apps is painful at times.

    Glad they’ve finally made progress with this.

    • Amju Wolf
      8
      1 year ago

      Waiting for Proton to acknowledge and fix critical bugs that can cause data loss was way more painful… took them years with the solution being “just wait for the bridge rewrite it will be (most likely) fixed there”.

  • @[email protected]
    34
    1 year ago

    “Anyone can download the app, but free users will be given a 14-day trial to test drive it.”

    So it’s only for premium users?

    • @[email protected]
      54
      1 year ago

      Hey it takes effort to make a WebView for mail.proton.com

      They need to see how to package the dedicated browser for all the different distros and operating systems, make a nice icon and so on. It takes hours

      They should sell this masterpiece for much more

  • @[email protected]
    3
    1 year ago

    So, what is the general consensus about Proton, is it safe or not? I don’t use it because you need to pay for Bridge to use it in Thunderbird. Maybe I would use it if it had a dedicated app.

    • illectrility
      4
      1 year ago

      It’s pretty great. Especially considering that you get a full ecosystem with Mail, Calendar, Drive, VPN and Pass.

      I would also like to take this opportunity to shout out murena.io. They host open source cloud solutions. You get a Nextcloud with OnlyOffice and lots of other goodies and their pricing is pretty good

      • John Richard
        0
        1 year ago

        So how would you sync your Proton Passwords with NextCloud, or with VaultWarden? Or actively sync them locally to be used with an open source app?

        Oh, that’s right… you can’t. Proton will say… “Just trust our payloads bro! There is no way we’d ever deliver a modified payload to get your password. Sorry you can’t sync your calendar & contacts, just use our Windows apps.”

        • illectrility
          1
          1 year ago

          I wouldn’t? I suggested Murena as a Proton alternative. I don’t know if they have a password manager right now but you can always throw a KeePass database into your Nextcloud.

          • John Richard
            0
            1 year ago

            My sincerest apologies. I misread the thread and thought you were advocating for Proton, which IMO is a questionable company. Thanks for the clarification.

            • illectrility
              2
              1 year ago

              I use both. Proton fits most of my needs, Murena does the rest. I’m not attached to any of them though, if I’m given good enough a reason, I’ll drop Proton immediately

              • John Richard
                1
                1 year ago

                At least you’re open to moving on. I think keeping an open attitude in any scenario is prob the best option. For most people, I’d recommend they keep using whatever works for them. If you’re happy with Proton then switching may just cause frustration. However, if you’re very much security focused and also care about things like being able to access your calendars/contacts in the apps you want, then I’d prob suggest just using SimpleLogin for email with their GPG feature, vaultwarden for passwords (you can still use the BitWarden phone apps), and Nextcloud for Calendar/Contacts which also supports DAVx for mobile.

                • illectrility
                  2
                  1 year ago

                  I do use the SimpleLogin aliases, it’s one of my favorite services they offer. Most of my web storage (which I barely use anyway) and calendar and stuff is all Nextcloud

      • @[email protected]
        2
        1 year ago

        The people behind Murena are also the devs of /e/OS, a de-Googled Android OS that they also sell phones they pre-load it on. My one critique of it so far, owning one of the phones, is that I wish they would work on making it compatible with more well-known phone models available outside Europe. They sold this model I’m using, the Murena One (some Chinese OEM they slapped their name on), here in the US through their website, but I had to run around for two days trying to find a carrier whose service would work on it (or who would even try - eventually T-Mobile worked, the European-based carrier, what a surprise…) and I can’t get anyone to do repairs on it because it’s not one of the well-known brands. The case they gave me for it is essentially purely cosmetic, and only a week or so into owning it, I dropped it at a restaurant and it got a huge area of dead pixels at the bottom of the screen that nobody will fix because they can’t get a new screen for it. If I could install /e/OS myself on more than just the Google Pixel (paying Google to not have to use Android, fun…) that would be great and solve my problems.

          • @[email protected]
            2
            1 year ago

            I’ve looked at the list. The only model that could give me what I’m looking for (5G, actually familiar to US-based carriers and repair shops) is the Pixel. I understand it’s not all the fault of the /e/OS devs since there’s factors like many bootloaders not being unlockable on US phones or other hardware complications, but I do get the feeling that the North American market does tend to be an afterthought. From what I can see, a majority of the list is either only available in Europe or will only work with very few carriers here, with lack of 5G capability being a big setback for carrier compatibility. That 5G requirement for many carriers really does hurt European based phone tech compatibility over here quite a bit.

    • @[email protected]
      3
      1 year ago

      It depends on what you want. If you want a solution that makes sure your provider won’t be able to read your data? It is sure safe for that.

      Generally I would distrust any company claiming that our Swiss privacy laws are worth a dime - in fact they are shit and among the worst in Europe. Swiss intelligence laws actually force companies to cooperate in a much broader sense than even the national security laws in the US do. And of course there is no judge involved and they can basically share the collected data with whoever they want.

    • John Richard
      0
      1 year ago

      It is about as safe as trusting Apple at their word to protect your privacy.

  • UnfortunateShort
    9
    1 year ago

    I sure hope they make a Flatpak like they did for VPN (although it’s not working properly at all rn). I don’t get why they are still troubling themselves to support two other formats already during beta, when this is probably just an Electron app.

    • @[email protected]
      1
      1 year ago

      The cli is working fine. They changed a few things for free subscribers but idk if it affects the cli.

    • The Quuuuuill
      6
      1 year ago

      Making email secure and good is very hard and it involves either making it inconvenient or getting rid of interoperability with existing systems. As long as I’ve been tracking it your choices for client when using Proton were webmail or mobile apps. The news here is that a new option has opened up not that an old option is being taken away

      • John Richard
        0
        1 year ago

        This is just patently false. GPG is not inconvenient & there are a plethora of apps that have made it much more user friendly. The fact that Proton has decided to take away freedom & tell you it is more secure is just bologna. There is no reason to trust Proton at all.

        • The Quuuuuill
          1
          1 year ago

          I also prefer gpg but it is not super beginner friendly. I generally recommend people away from proton and tuta unless they really want encrypted email and gpg isn’t something they can figure out

          • John Richard
            0
            1 year ago

            GPG isn’t beginner friendly if you’re only using the CLI. However, even then there is tons of documentation and even Gemini/ChatGPT would prob be good at helping users create/manage their keys. However, I can provide a list of user-friendly GUI apps to create/manage/encrypt/etc. using GPG if you’d like that make it as easy. I mean, you can pay a company that says they’ll protect your privacy but history has shown paying for privacy is unreliable.

            • SPdevALK 🐘️ ☑️
              2
              1 year ago

              @timewarp @Quill7513 The only real alternative IMHO is hosting your own mail server and *that* is no alternative at all, because big-tech will blacklist your server immediately… so Proton/Tuta are the lesser of all evils. If you have a true alternative I am listening.

              • John Richard
                English
                0
                1 year ago

                You can use PGP with just about any email service. I personally just use SimpleLogin, where you can add your public key to have all your messages encrypted. But Thunderbird, KMail, Evolution, FairMail, etc. all support email encryption too with IMAP.

                • SPdevALK 🐘️ ☑️
                  0
                  1 year ago

                  @timewarp ok, PGP … remember EFAIL… and all kinds of usability issues which inevitably lead to security issues by ‘wrong use’ at some point. And another *centralized* ‘web of trust’ (benign as it may be) is also not something I look forward to. Oh well, some genius will emerge at some point and deliver us 🥳 may he/she/it/them be FOSS-minded.

        • @[email protected]
          3
          1 year ago

          GPG is a huge pain in the ass to manage. Everyone knows this, because it’s the case. The web of trust also doesn’t scale and has many problems, handling keys securely is hard, and making GPG work on all devices is something which is completely impossible for people without solid technical skills.

          If you think otherwise, you are just in a bubble.

          • John Richard
            English
            0
            1 year ago

            You’re a serial killer. Everyone knows this, because it’s the case.

            Do you see how that works? You can say whatever you want, but unless you can provide some proof then you’re just parroting whatever you’ve heard. If you want to learn how to use GPG then let me know and I’d be happy to show you several open source tools that make it very easy so you can stop parroting BS. Otherwise, you’re entitled to your opinion and I’ll continue to believe you’re a serial killer.

            The bubble you’re referring to is your own ignorance.

            • @[email protected]
              4
              edit-2
              1 year ago

              There are certain things that are known facts, there is no need to prove them every time.

              The simple fact that:

              • There is not a standard tool that is common
              • The amount of people who use PGP is ridiculously low, including within tech circles. Just to make one example, even a famous cryptographer such as Filippo Sottile mentions receiving maybe a couple of PGP encrypted emails a year. I work in security and I have never received one, nobody among my colleagues has a public key to use, and I have never seen anybody who was not a tech professional use PGP.

              You can also see:

              We can’t say this any better than Ted Unangst: “There was a PGP usability study conducted a few years ago where a group of technical people were placed in a room with a computer and asked to set up PGP. Two hours later, they were never seen or heard from again.” If you’d like empirical data of your own to back this up, here’s an experiment you can run: find an immigration lawyer and talk them through the process of getting Signal working on their phone. You probably don’t suddenly smell burning toast. Now try doing that with PGP.

              A recent talk, I will quote the preamble:

              Although OpenPGP is widely considered hard to use, overcomplicated, and the stuff of nerds, our prior experience working on another OpenPGP implementation suggested that the OpenPGP standard is actually pretty good, but the tooling needs improvement.

              And you can find as many opinion pieces as you want, by just searching (for example: https://nullprogram.com/blog/2017/03/12/).

              However, if you really believe I am wrong, and you disagree that PGP tooling is widely considered bad, complex and almost a meme in the security community, you are welcome to show where I am wrong. Show me a simple PGP setup that non-technical people use.

              P.S.

              I also found https://arxiv.org/pdf/1510.08555.pdf, an interesting paper which is a followup of another paper 10 years older about usability of PGP tools.

  • @[email protected]
    4
    1 year ago

    Proton seems on the wrong side of the usability - privacy spectrum. Every last feature I’d want from an online provider is impossible or massively neutered by the overly strict security.

    I wish there was a similar service in a trustworthy country with a more sane level of safety, like opt-in encryption for example.