- cross-posted to:
- technews@radiation.party
- cross-posted to:
- technews@radiation.party
This is dumb. Proton encrypts your private keys with your password.
Just upload the key to your encrypted proton account like you’re supposed to, and let them take care of the signing/encryption/etc.
This is a silly thing to take issue with. I use a password manager. When I need a new password I allow the manager to generate one for me. Is the password inherently insecure or bad because it was generated by “a company” and not myself? Proton generates your key for you, just like a password manager does, and they’ve integrated that functionality into their service for ease of use, and probably ease of administration as well. There is no way someone can screw it up and not be able to read their emails if Proton handles it.
Encrypting email is extremely niche in the first place, the fact that Proton can enable it quickly and seamlessly for users with no prior knowledge on how this all works is a good thing imo. Everyone with just enough knowledge to think they know better seems to get annoyed by this type of thing and starts spreading ridiculous FUD even while Proton is enabling encrypted email for millions of people who otherwise would be using Google Mail. Don’t get so caught up in the details that you miss the big picture of what Proton is actually providing.
Right, but what the author is trying to implement is what is generally considered best practice for secure email.
You’re right that what Proton are doing is a compromise that’s reasonable for most people, but the author here is annoyed that there’s no way to turn it off so he can implement best practice E2EE himself.
Ironically he could probably do that with the vast majority of providers that aren’t Proton, so to me it seems like a totally reasonable ask that a self described privacy focused email provider has some way to allow you to implement best practice email security.
I still haven’t signed up for ProtonMail. Doesn’t sound like a good idea with this going on!
Yup, this is the worst thing about ProtonMail. They must patch this. Not being able to use my own GPG encryption when needed is crazy for a private & secure service.
That’s not true at all, you just upload your key into the encrypted account storage, and it gets automatically applied.
I don’t want to upload anything. Why would they ever not allow that?