by johnnycarcin on 7/25/18, 3:44 PM with 145 comments
by ddevault on 7/25/18, 5:12 PM
>PGP, because it is built on top of email, is therefore also a federated encryption system. Unlike other encrypted communications systems, such as Signal or Telegram, PGP doesn’t belong to anybody, there is no single central server, and you aren’t forced to use one service over another. We believe encrypted communications should be open and not a walled garden. ProtonMail is now interoperable with practically ANY other past, present, or future email system that supports the OpenPGP standard, and our implementation of this standard is also itself open source.
This is rich. Why don't you start with the far more fundamental and important standards of SMTP and IMAP, Protonmail? Why don't you open source your desktop & mobile applications or your bridge? What a joke.
by mirimir on 7/25/18, 7:43 PM
It's also great to have https://protonirockerxow.onion/ :)
But I have a suggestion. If I hit https://protonmail.com/ via Tor, there's no warning to use the .onion address. Except for an "Onion Site" link at the bottom. And after I recently created a free account via Tor at https://protonmail.com/, I got that either SMS verification or a credit/debit card number was required for activation. Gak!
But using https://protonirockerxow.onion/, there's no authentication requirement for activation. So perhaps there could be an alert when connecting to https://protonmail.com/ via Tor. As I recall, Bitmixer or Helix Light used to do that. Or maybe just put the .onion address near the top of the front page.
by Boulth on 7/25/18, 6:35 PM
I wonder though if it wouldn't be more practical to support the Web Key Directory protocol [0]. WKD is both more secure than HKP (as it's always over HTTPS and authenticates the user's domain), it's enabled by default in a growing number of email clients (Enigmail, GPG for Outlook, KMail) and providers (kernel.org [1], posteo.de), it's used by GPG when locating a key and the setup is incredibly easy (just put the binary key in one location).
(to check it out try `gpg --locate-key torvalds@kernel.org` in modern GnuPG)
From my perspective it looks like a perfect match for ProtonMail for both use cases: exposing @protonmail.ch users' keys and fetching keys of contacts on other servers.
by Sephr on 7/25/18, 4:53 PM
Webmail providers can implement read receipt privacy by requesting images from every email automatically on-delivery instead of on-read. Doing this for non-existent mailboxes also prevents mailbox enumeration.
by marcrosoft on 7/25/18, 5:58 PM
This should not be confused with real physical address verification.
by mikedilger on 7/25/18, 9:41 PM
by kradle on 7/25/18, 4:49 PM