Is ProtonMail lying about their encryption? In response to Nadim Kobeissi and LiveOverflow

As the most popular encrypted email provider, ProtonMail has been criticized for making false security promises and offering weak guarantees for its end-to-end encryption. Can ProtonMail's marketing of its Swiss-based email service be justified? The results might SHOCK you!

These are encrypted email providers that I would recommend
Free and paid plans
Only paid

The Reddit debate and Protonmail's response

The problem with ProtonMail's webmail service is that every time you sign in on their website, you have to trust ProtonMail completely that the JavaScript your browser downloads and runs correctly implements PGP and is not trying to exfiltrate your private keys and read your messages. Nothing in the browser distinguishes the honest client from a malicious one served to you alone on a single visit. This problem is reduced with smartphone apps, because each new version of an app has to be signed by the author and by the platform, which in this case means ProtonMail and the Google Play Store or Apple App Store. A given app version is one fixed binary that everyone receives, so users can check whether the build they got is the same one as everyone else's.
Because of this difference in how much trust is required, webmail services are objectively less secure than desktop and smartphone apps, if the threat you are worried about is ProtonMail itself serving malicious JavaScript that lets them read your emails without being detected.
That webmail is less secure than native apps is not new, and ProtonMail has said so from day one. In their threat model article, ProtonMail explains this issue and openly says that ProtonMail is for ordinary people who want to protect themselves against mass surveillance, not for the next Edward Snowden. ProtonMail accomplishes that mission because message bodies are stored encrypted on their servers and cannot simply be read in plain text, which is exactly what the NSA can do with Gmail, Yahoo, Apple or Microsoft. (The routing metadata that email needs, such as sender and recipient addresses, remains visible to the server; that is true of any email provider.)
Where ProtonMail and Nadim differ is that Nadim thinks end-to-end encryption is not possible in webmail, and that ProtonMail should therefore not be calling it that.

Bitcoin:
1C7UkndgpQqjTrUkk8pY1rRpmddwHaEEuf

Follow me:

The footage and images featured in the video were for critical analysis, commentary and parody, which are protected under the Fair Use laws of the United States Copyright act of 1976.
Comments

\o/ thanks for this video. I think that's the first time I am aware of another YouTuber commenting on anything I have done. Thanks for participating in the discussion and being critical of it :)
I'd add one small thing in my defense, and that is that for me it's more about the thought-provoking thesis "can e2ee be possible?", rather than about other arguments like "it still benefits more people". I largely agree with all you say, but I still find it an important perspective to explore this thesis. And I think you still covered that PoV fairly :)
Thanks!

LiveOverflow

The moral of the story is that no matter what, in the end, unless you completely cut out and go off grid, you're going to have to trust _someone_, whether it's these guys or those guys or the other ones.

vnceigz

One way to protect against malicious JS in their webapp is writing a browser plugin to verify the JS with the hash of an already known safe version. I might write this, since it would guarantee you aren't running a malicious version of the JS. If I do write a plugin, I'll release the source and link it here.

Happy New Year, The Hated One!

jameslawson

Great overview of this problem 👍 Thanks for all the hard work THO

techlore

This year was amazing because I found your channel. I could not be more grateful. Thank you very much, and a happy new year to you!

PaulLabus

ProtonMail is the last safe service based in Switzerland.

klwtherd

Technically, any email you send, regardless of the company, will have metadata through the email port you're using. Getting your own email server would be the most private way to send emails, but you have to set it up carefully.

mandolin

I hear Australia's government has just passed laws that force apps like Telegram and Signal to implement a screenshot mechanic into their apps that allows law enforcement to see unencrypted messages before they're sent to the recipient, circumventing the need to decrypt the communications altogether. (Go look it up, it's crazy.) I'm becoming more skeptical of Android (Alphabet) as time goes on, as I'm curious to know if there's anything stopping them from doing something similar: taking screenshots of a phone's screen and sending them to 'whoever'. I'm a big user of ProtonMail and just worried using Android will jeopardize that security, as is happening in Australia at the moment. If anyone has thoughts on this or could explain further, that would be awesome to hear.

PyroChimp

@8:15 Are Proton emails always sent as sealed envelopes, or only when the recipient server supports the encryption?

fredthewaterboy

Keep bringing those truths man, love your vids.

Goldengolfer

What about this?
Get BlueStacks on desktop and use said services from their Google app store?
Is it still as vulnerable?

koolmexican

@The Hated One at 8:11, where is that cropped picture about the Fourteen Eyes from? I would like to read more about it.

hypolyxa

*I JUST created a ProtonMail and here's a video about it*

AakashRMusic

If native mail apps are more secure for implementing E2E than webmail, can I trust the OS not to steal my login data (not to mention doing screen grabbing)? Can this be secured on iOS or Android or even Linux?

marcin

Guys, what is the native Windows app for ProtonMail? Is it the ProtonMail Bridge (not for free users)?

promytheasm.v

Just to clarify, if we add a ProtonMail account to Outlook or Thunderbird, would it make it more secure than just signing in online through a browser?

sisbrawny

Among other things, I'm surprised how well you're doing and how technically correct your information is.
TL;DR of this whole video though: the server can serve *smiley* you any code that you will entrust with your only decryption keys.

VADemon

Question: I don't know technically how ProtonMail Bridge functions, and therefore my question is whether this problem of trusting ProtonMail on each access also applies to the Bridge, or only to the web app?

lukas-vaelinalsorna

Thank you! You've convinced me to migrate over to an encrypted mail service!

SD-wuod

In some article about messaging apps it was mentioned that Signal is on a server in the USA and therefore bound by law to give data to the government. Is this true? And if so, is it something to worry about?

bjarkih