from Hacker News

Security experts declare all Proton apps secure after security audit

by chmars on 4/18/22, 10:04 AM with 45 comments

  • by sodality2 on 4/18/22, 11:30 AM

    Declaring it secure after an audit is like writing 100% coverage tests and saying it's bug-free. You can't prove absence, only presence.

    This title is the definition of sensationalism and only by reading the article do you find the truth: "Their tests uncovered no major issues or security vulnerabilities". This is a bad look for them and I'm wary of their company now...

  • by justinpowers on 4/18/22, 12:59 PM

    So many complaints about the headline, but for the purpose of getting their point across to the masses and encouraging the use of as-secure-as-can-be-known software, it’s perfectly fine.

    If you cover your ass in a headline, which ultimately ends as legalese, the average person will completely ignore it due to wordiness or they will become suspicious and assume the worst.

    The body and attachments do not mislead at all and that should be commended.

    All this pedantry is counterproductive unless you truly know and trust your audience. Proton should be for the masses, not just for the technically adept.

  • by ctime on 4/18/22, 3:56 PM

    I have a hard time adding protonmail to my "generally regarded as safe" mail provider list when they haven't been able to implement Webauthn security key support (aka U2F security keys / FIDO security keys).

    Yes, they support Multi-Factor authentication, but only via phishable methods (TOTP)[1]. They have been "trying" for years[2] to implement U2F but for some reason haven't been able to figure it out yet /shrug

    [1] https://protonmail.com/support/knowledge-base/two-factor-aut...

    [2] https://twitter.com/protonmail/status/1300758061255217153?la...

  • by orlp on 4/18/22, 11:34 AM

    Technical nitpick purely on the wording of the title: the pentesters declared that "no important security issues were found during the pentest". Unfortunately in our current world that's about as good as you're going to get for a large software system, but that does not necessarily mean that Proton is secure. There could still be undiscovered vulnerabilities.

  • by coffeeandbooks on 4/18/22, 11:43 AM

    ProtonMail has a bad history of irresponsible sensationalism. It’s like constantly marketing yourself as the most private e-mail service “built by CERN scientists” but who will give information about you to authorities:

    https://www.engadget.com/protonmail-climate-activist-ip-swis...

    I know that ProtonMail doesn’t claim to protect your IP address, but I don’t expect the average user to make that distinction.

    This is another dumb article. Getting your service tested for vulnerabilities is good hygiene but it shouldn’t be used as marketing material to make users think your service is Fort Knox.

  • by etiam on 4/18/22, 11:47 AM

    For a moment there I thought the title referred to the Valve-associated Wine enhancements... Now that would have been a feat.

  • by Foobar8568 on 4/18/22, 1:29 PM

    So a company called Securitum did a security assessment limited to pentest according to the pdf.

    More over "Tests have been carried out in September 2021 in accordance with generally accepted methodologies, including OWASP Top 10 and SANS Top Issues".

    It's hard to believe that one can call apps being secured after pen testing especially when the two highlights are such low hang fruits that are OWASP top 10 and SANS top issues..

    It doesn't really give any confidences into Proton, but then again, I am not an expert, and have seen such useless reports at different clients.

  • by webmobdev on 4/18/22, 4:40 PM

    I always think twice when a company offers me an "app" for an application that is already available as a web app or that is already inbuilt in the system or doesn't use existing standards. Like, I perfectly understand the need for a Proton Mail client as some would like offline access to their mail and a backup of their mail in their system. But I resent the need of a custom and locked-in app, instead of the service being available over existing POP3 / IMAP protocol. (Yes, I understand how email encryption creates hurdles of using it over POP3 / IMAP, usage, but it would be a lot easier to trust a company if they actually built an extension over existing protocol or create a new standard that makes it easy to access their service. E.g. https://fastmail.blog/open-technologies/jmap-new-email-open-... ). ProtonVPN app also seems a bit redundant when most OSes already have built in support for VPN. Though I understand that it does make configuring, changing / choosing VPN servers a lot simpler, and probably helps ProtonVPN in load balancing, it provides more avenues for data collection and data leak.

  • by karmakaze on 4/18/22, 9:50 PM

    I was totally confused by the title thinking what does that mean or how can they say such a thing without proving a secure sandbox environment, which I didn't even know was possible. Then I realized it's for ProtonMail etc, not Proton from Valve.

  • by vr46 on 4/18/22, 11:21 AM

    Unfortunately users declare Protonmail barely usable in terms of features and UX. After a decade of this, I’m shifting back to IMAP. My use case is better off with GPG than with Protonmail. I can’t usefully function without integration into the rest of my Mac or iOS. A secure walled garden with Apps that get worse over time? I’ll go with Apple’s version.