UmbraTemporis@lemmy.dbzer0.com
on 16 Mar 2024 10:15
Proton Drive though. The Windows app is so nice, wish we could get that for Linux.
I’ve set up an Rclone for the time being, not great but it works well enough for basic bisynchronisation.
sanpo@sopuli.xyz
on 16 Mar 2024 11:29
Oh… I thought they meant Drive is finally out. That sucks. :(
QuandaleDingle@lemmy.world
on 16 Mar 2024 15:17
Ugh, they took too darn long. I’m probably going to switch to Nextcloud.
Molecular0079@lemmy.world
on 16 Mar 2024 15:56
You should do it. Easy to set up using either their official AIO image or the community-driven micro service one. I am using the latter and it’s been amazing. It’s completely replaced Google Drive, Calendar, and Contacts for me and with the DAVx5 Android App it feels like a drop-in replacement. I am also using the auto upload feature to back up my photos to it.
QuandaleDingle@lemmy.world
on 16 Mar 2024 19:29
Working on that right now. Wish me luck. :)
UmbraTemporis@lemmy.dbzer0.com
on 16 Mar 2024 20:38
I would too, but after like a week I get bored of maintaining it myself when all the expenses summed together aren’t much cheaper than Proton or likewise. This is what I was doing before submitting my independence to Proton.
Furthermore Nextcloud is just too damn sluggish. The web interface makes it seem like my server’s idea of a CPU is a kid with a calculator and WebDAV isn’t designed for cloud storage. I’ll take new features being slow over my whole experience being even slower any day of the week.
QuandaleDingle@lemmy.world
on 17 Mar 2024 04:23
I feel that. However, Proton’s a non-starter for me as I’m using Linux, so no Proton drive client. Really scratching my head since Linux attracts the security conscious.
Celeste works fine on Linux, or you can use rclone directly.
UmbraTemporis@lemmy.dbzer0.com
on 18 Mar 2024 07:18
That’s what I’ve done, using rclone bisync and my crontab. Like I said it works well enough, but far from perfect. Using a beta backend with an experimental operation, according to the rclone website, puts me slightly on-edge.
I did try Celeste, but stopped using it for two reasons:
I use Budgie, so Libadwaita apps look incredibly out-of-place. Inconsistency like that makes me physically uncomfortable.
“Finally” really is the key word, waiting for Proton to add features or apps is painful at times.
Glad they’ve finally made progress with this.
amju_wolf@pawb.social
on 16 Mar 2024 11:56
Waiting for Proton to acknowledge and fix critical bugs that can cause data loss was way more painful… took them years with the solution being “just wait for the bridge rewrite it will be (most likely) fixed there”.
southernwolf@pawb.social
on 16 Mar 2024 12:16
Looks like it, it’s available as a zip in the releases along with the compiled app, but isn’t yet uploaded fully on GitHub.
crispy_kilt@feddit.de
on 16 Mar 2024 11:34
Aaaand it’s electron garbage.
JetpackJackson@feddit.de
on 16 Mar 2024 11:36
Out of the loop, what’s wrong with electron?
ReakDuck@lemmy.ml
on 16 Mar 2024 11:41
Everything
crispy_kilt@feddit.de
on 16 Mar 2024 11:41
It’s basically Chrome. It’s not a real application, it’s a website pretending to be one. It uses a metric fuckton of RAM and eats your battery faster than Prince Andrew a minor.
angrymouse@lemmy.world
on 16 Mar 2024 13:03
I bought 32gb of RAM cause I was tired and gave up to Electron apps
I bought 64 gigs of ram and still refuse to use it.
FatLegTed@piefed.social
on 16 Mar 2024 13:17
But does it sweat though ;-)
TrickDacy@lemmy.world
on 16 Mar 2024 14:01
If Firefox could allow their engine to be packaged like this I’d use it. The problem I see here is chromium. Everything is a trade off and we need more ways to build maintainable cross platform applications.
Slack, for example, is Electron and it runs great. One of the best apps I’ve used. And it works better than the browser version…
The hate on Lemmy of electron is a bit of an overreaction if you ask me. Yeah it uses more ram than is necessary but again everything is a trade off. Not everything can be a hard to maintain rust app. Let’s try to embrace cross platform solutions, though yes fuck chrome/google, so sure criticize that part of it.
timewarp@lemmy.world
on 16 Mar 2024 17:49
Let me get this right… you’re complaining about Chromium, but you use Slack? You do realize Chromium had better Linux support for things like HW-accelerated decoding than Firefox? Also, the Chromium sandbox is superior to Firefox.
Pantherina@feddit.de
on 16 Mar 2024 18:31
Chromium had better Linux support for things like HW-accelerated decoding than Firefox?
Source? Experienced the exact opposite, especially on Wayland.
timewarp@lemmy.world
on 16 Mar 2024 18:51
Android being based on Linux prob has something to do with Chromium’s strong Linux support, but Mozilla has consistently prioritized Windows/Mac. Despite it still being challenging, building Chromium from source has always been a lot easier IMO than trying to create a custom build of Firefox.
Regardless, when it comes to privacy, Chromium itself is pretty stripped down and has policy-based integrations that put it on par with Firefox in terms of security. Even with Firefox, you’d have to modify quite a few policies to improve security. Tor/Mullvad Browser though do a better job in many ways and there is no equal to those privacy enhancements on Chromium that I know of, unless you’re using something like GrapheneOS.
Point being, people like to complain about Chromium a lot & act like Apple fan bois for Firefox, when in reality privacy is nearly the same with both with some minor configurations.
TarantulaFudge@lemmy.ml
on 18 Mar 2024 00:05
What the heck are you talking about? Chromium is one of the hardest packages to build and it takes forever. Firefox has FAR fewer dependencies. Chromium’s privacy enhancements are a joke.
timewarp@lemmy.world
on 19 Mar 2024 05:00
You should go tell that to the maintainers of GrapheneOS, which is known as the most secure mobile OS… which uses a custom Chromium build, because of Chromium’s superior sandboxing.
Pantherina@feddit.de
on 18 Mar 2024 13:48
Chromium is not stripped down at all, just use googerteller and see. It contacts Google everywhere, on the password list, on the account list, in some settings pages, and just randomly sometimes.
It is very crazy. And also it is not fingerprint resistant at all.
I am using all flag settings, policies and GUI settings possibly existing and it still is like that. So no, it is not the same privacy-wise.
timewarp@lemmy.world
on 19 Mar 2024 04:59
Oh really, what policies are you using? Cause my Firefox does all the same things you mention regarding calling Mozilla services for all sorts of things, including telemetry. Oh, and it isn’t fingerprint resistant either… so please, share what you’re doing.
Pantherina@feddit.de
on 19 Mar 2024 09:26
For Firefox I am either using Librewolf or Arkenfox user.js
But as Librewolf has a good CI/CD system I think I will switch to that. Problem is they are not active at all, while the arkenfox guy is very active.
For Chromium I use the secureblue policies in /usr/etc/chromium/policies/managed
TrickDacy@lemmy.world
on 16 Mar 2024 19:23
I realize Firefox business practices aren’t total garbage for humanity and that they are constantly working to improve it on like .1% budget of Google. And that they are the only real competition which keeps us in a situation where we actually have a choice in browsers. So yeah let’s only care about the technical aspects, or something
timewarp@lemmy.world
on 16 Mar 2024 19:53
And that they are the only real competition which keeps us in a situation where we actually have a choice in browsers.
That isn’t true. You’ve got WebKit-based browsers, LadyBird/LibWeb/LibJs, Goanna, and others. Why choose Mozilla to lead the efforts, when another open source community/foundation may be better? You can also participate in the various new web specifications yourself too if you’re not happy with the direction they’re headed.
They said competition, not alternatives. As things are right now, and knowing people, not just trying to make a technical point, Firefox is the only competition.
timewarp@lemmy.world
on 17 Mar 2024 13:25
What do you think alternatives are exactly? Firefox has what, 3–5% usage across all platforms? What did Mozilla do to fix that other than exploring Pocket, an iOS only Password app, and now reselling a crippled VPN & email/phone relay? At some point, people will have to move on from anything Mozilla-owned. Want a better browser, then find a community you can donate to that is focusing on building a better browser. It’s time to take off the rose-colored glasses.
CosmicCleric@lemmy.world
on 16 Mar 2024 18:03
Let’s try to embrace cross platform solutions,
[JavaFX has entered the chat.]
TrickDacy@lemmy.world
on 16 Mar 2024 18:28
I don’t know what javafx is, but java is hell. For me. I’m glad it works for others
CosmicCleric@lemmy.world
on 18 Mar 2024 15:19
The hate on Lemmy of electron is a bit of an overreaction if you ask me
The issue is mainly developers using Electron when things like React Native and Flutter exist. I don’t know a lot about Flutter, but React Native uses native UI widgets and feels a lot nicer than Electron.
TheAnonymouseJoker@lemmy.ml
on 16 Mar 2024 18:02
No, one Chrome tab does not eat that much RAM. Yes it is not as good as native, but it is more platform agnostic, and an Electron app does not really go above 300 MB RAM.
PlexSheep@feddit.de
on 16 Mar 2024 11:42
It’s just the webapp. If we want the webapp we use a browser.
TrickDacy@lemmy.world
on 16 Mar 2024 14:04
Slack desktop app is built with electron and works much better than the web app in my experience. So no it’s not actually always that simple.
It could be that simple. They just hinder their own website to get you to download the app.
TrickDacy@lemmy.world
on 16 Mar 2024 14:44
You really believe that? It would be easier for them to maintain only the website, so this really doesn’t make sense to me.
smileyhead@discuss.tchncs.de
on 16 Mar 2024 16:17
Both are Chromium apps.
First running on Chromium, second running on modified Chromium.
loudWaterEnjoyer@lemmy.dbzer0.com
on 17 Mar 2024 19:40
Dev here.
Yeah that’s how it works.
TrickDacy@lemmy.world
on 17 Mar 2024 23:03
I’m a web developer. I think there’s a misunderstanding here. The person I responded to said that slack purposely made the web version worse than the desktop app, which I’m doubting.
loudWaterEnjoyer@lemmy.dbzer0.com
on 18 Mar 2024 06:53
Yes, how are you doubting that? Is your company not big enough to want to pull users to a specific platform so you have to cripple the others?
TrickDacy@lemmy.world
on 18 Mar 2024 11:16
Because I have used both versions of slack and they’re almost exactly the same. The desktop version only works better imo because of small factors such as having its own window so it does not get buried in tabs, and the notification options are (or at least were) more robust. Have you not used the two versions?
I don’t really understand your comments. Are you implying that there would be an advantage for slack to “cripple” the web version, when they are essentially running probably 99% of the same code in the electron version? They’re never going to get rid of the web version, and if you’ve used slack for ~9 years like I have, you can easily observe they’re actually one of the few app makers out there to make mostly positive changes to their app. They aren’t suddenly going to make the web app shitty.
Also, obviously yeah when it makes sense to, app makers in general make the web app version shitty on purpose. Reddit mobile for example. But just because that’s a thing in the world doesn’t mean it is what slack is doing…not sure why you seem to be implying it’s a universal practice.
loudWaterEnjoyer@lemmy.dbzer0.com
on 18 Mar 2024 13:51
You just admitted the desktop version works better and that there is a 1% code difference
TrickDacy@lemmy.world
on 18 Mar 2024 14:01
And?
Gallardo994@sh.itjust.works
on 16 Mar 2024 17:18
Slack is one of those apps which lags in a week on any hardware, it might be better than web version but it still sucks ass compared to fucking ICQ clients. Source: using it in the company I work for, for about 7 years already.
TrickDacy@lemmy.world
on 18 Mar 2024 11:24
I don’t often have trouble with slack being slow, or buggy. Been using it like 9 years myself. Interesting you’re comparing slack to icq. Are you referring to a current version of icq, or the one that existed in the early 2000s?
I am not sure I understand comparing an app designed to do video/audio chat seamlessly, threaded conversations, channels, filesharing, plus has dozens of subtle nice features that make for a rich experience and a… Chat app, that worked fine for sending plaintext messages but didn’t really do anything else.
Gallardo994@sh.itjust.works
on 18 Mar 2024 12:39
I compare it to qip or similar with voice calling support about 10 years ago. But still, Slack loses to pretty much anything on the market regarding performance, be that Element, Telegram, Skype or even Discord. It literally battles with biggest IDEs lol
TrickDacy@lemmy.world
on 18 Mar 2024 12:46
Not my experience. Not sure what qip is either
timewarp@lemmy.world
on 16 Mar 2024 17:54
Now that Chromium has persistent File System Access permission support, what benefit does Electron have over a PWA other than “Native-looking” menu bars?
Yeah, I was disappointed, but at least it is a controlled browser and not reliant on your normal browser which could change or have malicious extensions
Pantherina@feddit.de
on 16 Mar 2024 18:33
This. It’s a webapp with more persistent storage maybe. If the Browsers could integrate this, it would be a gamechanger.
I am also very sure that Chrome preloads google.com to make it seem to “load faster”. It’s all just preloading or persistent storage
BananaTrifleViolin@lemmy.world
on 16 Mar 2024 11:57
Each electron App is actually a full independent chromium browser install running a website. It’s easy to code for and works cross platform as a result, but it’s essentially just a website, although they can run offline depending on what’s been built in to the local app.
Each electron app running on your system is a separate full chromium app running, with no sharing of resources between each instance. So they take up a lot of space each and duplicate all the resource usage, and potentially the security flaws.
JetpackJackson@feddit.de
on 16 Mar 2024 19:30
oh yikes. that sucks.
Pantherina@feddit.de
on 16 Mar 2024 18:30
Electron runs a core Chromium Browser + NodeJS + a bit more.
Unlike Chromium itself it is not backwards compatible and removes a ton of things like its sandboxing capabilities.
I am not sure how it is less secure, but it may use more RAM (also not always but generally yes of course), doesn’t allow hardening (unlike android WebView apps) and breaks LD_PRELOAD-ing another memory allocator.
This is only a big problem in special cases, in general it makes apps strictly dependent on GNU glibc and others, no idea how it works on Alpine or others (that actually try to make a secure system).
If somebody knows more about security concerns about Electron, please add.
tsonfeir@lemm.ee
on 16 Mar 2024 19:24
There are other options like Tauri that do the same thing as electron, but instead of bundling chromium with the app, it relies on the OS provided web view. It’s also built with Rust, which tends to be faster.
As an example, Mac would use Safari, Windows would use Edge (chromium), and Linux would likely use WebKitGTK, which is what safari uses.
By using the default browser, developers save a ton of space—at the risk of compatibility issues, which are very very rare nowadays.
JetpackJackson@feddit.de
on 16 Mar 2024 19:39
interesting!
leopold@lemmy.kde.social
on 16 Mar 2024 22:41
WebKitGTK is only native for GTK desktops. On Qt desktops, you’d want QtWebEngine instead.
It’s what you deploy to your users if you want to work around ad blockers and browser extensions. It’s a great tool to get operating system level access to exfiltrate information about your users and identify them uniquely, even if they would prefer that not to happen.
All that with the help of Google’s telemetry engine aka Chrome, which further helps Alphabet to manifest their interpretation of web standards in the world.
We worked to move things onto the web. Now people bring the web back to your desktop with every application bringing its own browser shell. We have come full circle and we’re now using 10x the resources.
Electron is the prime example of everything that is wrong in IT.
JetpackJackson@feddit.de
on 17 Mar 2024 13:44
Wow. That sounds horrible. Do you have a source about the system level access statement? I would like to see people’s thoughts on it, if it’s as bad as it sounds, I’m surprised I haven’t heard about it before
Do you have a source about the system level access statement?
Electron apps are native apps with the Chromium browser embedded in their windows, so they can do anything a native app can. It supports Node.js modules for things like filesystem access, and can interop with C++ code by writing an add on (nodejs.org/api/addons.html)
JetpackJackson@feddit.de
on 18 Mar 2024 15:30
What source do you need? It’s almost literally the mission statement of Electron.
JetpackJackson@feddit.de
on 15 May 2024 00:52
I’ve never gone to the webpage of electron
pelotron@midwest.social
on 16 Mar 2024 13:38
Ugh, I was looking forward to replacing Thunderbird/Bridge, but never mind.
Pantherina@feddit.de
on 16 Mar 2024 18:19
No way.
drascus@sh.itjust.works
on 28 Mar 2024 10:45
Bridge
I am actually sort of worried that now that they put this out they will retire bridge. We will have to wait and see. Is having a browser tab open really that bad…?? I suppose but I still like programs over web pages.
tsonfeir@lemm.ee
on 16 Mar 2024 15:30
How do you know it’s not Tauri?
russjr08@bitforged.space
on 17 Mar 2024 09:18
The GitHub repository for the project is here, and the tagline of the repository is:
Desktop application for Mail and Calendar, made with Electron
crispy_kilt@feddit.de
on 17 Mar 2024 11:20
UnfortunateShort@lemmy.world
on 16 Mar 2024 11:43
I sure hope they make a Flatpak like they did for VPN (although it’s not working properly at all rn). I don’t get why they are still troubling themselves to support two other formats already during beta, when this is probably just an Electron app.
Eyck_of_denesle@lemmy.zip
on 16 Mar 2024 13:22
The cli is working fine. They changed a few things for free subscribers but idk if it affects the cli.
User79185@discuss.tchncs.de
on 16 Mar 2024 12:09
Finally? Why does it need an app all of a sudden…
Quill7513@slrpnk.net
on 16 Mar 2024 13:45
Making email secure and good is very hard and it involves either making it inconvenient or getting rid of interoperability with existing systems. As long as I’ve been tracking it your choices for client when using Proton were webmail or mobile apps. The news here is that a new option has opened up not that an old option is being taken away
timewarp@lemmy.world
on 16 Mar 2024 18:16
This is just patently false. GPG is not inconvenient & there are a plethora of apps that have made it much more user friendly. The fact that Proton has decided to take away freedom & tell you it is more secure is just bologna. There is no reason to trust Proton at all.
Quill7513@slrpnk.net
on 16 Mar 2024 18:41
I also prefer gpg but it is not super beginner friendly. I generally recommend people away from proton and tuta unless they really want encrypted email and gpg isn’t something they can figure out
timewarp@lemmy.world
on 16 Mar 2024 19:23
GPG isn’t beginner friendly if you’re only using the CLI. However, even then there are tons of documentation and even Gemini/ChatGPT would prob be good at helping users create/manage their keys. However, I can provide a list of user-friendly GUI apps to create/manage/encrypt/etc. using GPG if you’d like that make it as easy. I mean, you can pay a company that says they’ll protect your privacy but history has shown paying for privacy is unreliable.
@timewarp@Quill7513 The only real alternative IMHO is hosting your own mail server and *that* is no alternative at all, because big-tech will blacklist your server immediately… so Proton/Tuta are the lesser of all evils. If you have a true alternative I am listening.
timewarp@lemmy.world
on 17 Mar 2024 16:38
You can use PGP with just about any email service. I personally just use SimpleLogin, where you can add your public key to have all your messages encrypted. But Thunderbird, KMail, Evolution, FairMail, etc all support email encryption too with IMAP.
@timewarp ok, PGP … remember EFAIL… and all kinds of usability issues which inevitably lead to security issues by “wrong use” at some point. And another *centralized* “web of trust” (benign as it may be) is also not something I look forward to. O well, some genius will emerge at some point and deliver us 🥳 may he/she/it/them be FOSS-minded
timewarp@lemmy.world
on 19 Mar 2024 05:03
It’s quite possible that privacy is too hard for you and trash talking open source makes you feel better about the money you’re paying to someone else to say they’ll do a better job for you.
@timewarp don’t know what you’re talking about, I love FOSS…
timewarp@lemmy.world
on 19 Mar 2024 18:20
Okay, well it’s just the vulnerabilities you mentioned were geared towards email client issues that among other things would automatically load HTML data upon decryption. Furthermore, primary vulnerable targets were 10 year old email clients at the time that hadn’t received any security updates. The SE data packet issue had been documented even in the spec since at least 2007 about its security issues and recommended rapid mitigation techniques. All in all, the EFAIL documented issues with mail client failures, not with OpenPGP itself.
Second, OpenPGP web-of-trust, or whatever you want to call it (public keyservers) is entirely optional. In fact, Proton relies heavily on this and, from what I can tell, actually enforces it in a more insecure way, by opting users into their internal keyserver automatically.
GPG is a huge pain in the ass to manage. Everyone knows this, because it’s the case. The web of trust also doesn’t scale and has many problems, handling key securely is hard, making GPG work on all devices is something which is completely impossible for people without solid technical skills.
If you think otherwise, you are just in a bubble.
timewarp@lemmy.world
on 16 Mar 2024 19:20
You’re a serial killer. Everyone knows this, because it’s the case.
Do you see how that works? You can say whatever you want, but unless you can provide some proof then you’re just parroting whatever you’ve heard. If you want to learn how to use GPG then let me know and I’d be happy to show you several open source tools that make it very easy so you can stop parroting BS. Otherwise, you’re entitled to your opinion and I’ll continue to believe you’re a serial killer.
The bubble you’re referring to is your own ignorance.
There are certain things that are known facts, there is no need to prove them every time.
The simple fact that:
There is not a standard tool that is common
The amount of people who use PGP is ridiculously low, including within tech circles. Just to make one example, even a famous cryptographer such as Filippo Sottile mentions to receive maybe a couple of PGP encrypted emails a year. I work in security and I have never received one, nobody among my colleagues has a public key to use, and I have never seen anybody who was not a tech professional use PGP.
We can’t say this any better than Ted Unangst: “There was a PGP usability study conducted a few years ago where a group of technical people were placed in a room with a computer and asked to set up PGP. Two hours later, they were never seen or heard from again.”
If you’d like empirical data of your own to back this up, here’s an experiment you can run: find an immigration lawyer and talk them through the process of getting Signal working on their phone. You probably don’t suddenly smell burning toast. Now try doing that with PGP.
Although OpenPGP is widely considered hard to use, overcomplicated, and the stuff of nerds, our prior experience working on another OpenPGP implementation suggested that the OpenPGP standard is actually pretty good, but the tooling needs improvement.
However, if you really believe I am wrong, and you disagree that PGP tooling is widely considered bad, complex and almost a meme in the security community, you are welcome to show where I am wrong. Show me a simple PGP setup that non-technical people use.
P.s.
I also found arxiv.org/pdf/1510.08555.pdf, an interesting paper which is a followup of another paper 10 years older about usability of PGP tools.
I never really understood the need for such apps when mail clients such as Thunderbird exist.
Tenkard@lemmy.ml
on 16 Mar 2024 12:40
Proton mail has some extra (security?) feature, or they just lack smtp support, and you cannot directly use it on thunderbird. They offer a “bridge” app which allows you to do it, I just use that.
Eezyville@sh.itjust.works
on 16 Mar 2024 12:59
You have to be a paying customer to use that app IIRC.
And a paying customer to use the desktop app too. Well, besides a 14 day free trial.
deweydecibel@lemmy.world
on 16 Mar 2024 13:55
Proton’s whole thing is it’s meant to be secure, private, encrypted, etc. To achieve that, it requires the Proton app or website as an endpoint, so your email never leaves Proton’s environment. As long as you’re reading your email in the Proton app/site, they can guarantee its privacy and security.
Once it sends your emails to Thunderbird or another client, it’s leaving the Proton environment, and they can no longer control it. You’re sacrificing the inherent privacy/security of Proton when you use Thunderbird (they claim).
All of that being said, it’s an absolutely bullshit excuse. Tutanota does this same shit, only they don’t even provide the bridge like Proton does.
It’s true it’s technically more secure for those emails to stay in the Proton environment, but they’re still your god damn emails, and they should operate like every other email service by giving the user the option to export those emails in whatever way they damn well please, for free.
It’s just more platform lock-in garbage. Your emails are trapped on their server, so there’ll be no moving away to a different provider easily.
Bitrot@lemmy.sdf.org
on 16 Mar 2024 15:46
It’s more that they claim they cannot decrypt your data, so how do they send it to Thunderbird? The bridge does the decryption. Theoretically Thunderbird could add support for it.
timewarp@lemmy.world
on 16 Mar 2024 18:10
Corps have used that BS excuse for ages. The whole “your phone is more secure when we control it” is a garbage BS line. Make it open source, give developers the tools & they’ll make any app more secure than some bureaucracy that is constantly influenced by the national security agencies.
timewarp@lemmy.world
on 17 Mar 2024 13:45
None of those actually document their API nor provide source for the backend server code. Other than building hydroxide from PRs for CalDav, are there even any other open source implementations of CardDav/CalDav for Proton? I can’t find a single implementation of Proton Pass that allows you to sync your passwords locally and be used in a different app. There is no shortage of people complaining about this:
Why would anyone be interested in efforts on a platform with a closed-source backend and that is not developer focused? Not to mention, entirely unnecessary why you should have to use a bridge gateway in the first place with IMAPS & PGP/GPG, CalDav & CardDav. Like I said, Proton is engaged in some questionable practices.
Why would anyone be interested in efforts on a platform with a closed-source backend and that is not developer focused?
Because most people don’t care about those particular things. Almost all the world uses completely proprietary tools (Gmail) that also violate your privacy.
Not to mention, entirely unnecessary why you should have to use a bridge gateway in the first place with IMAPS & PGP/GPG, CalDav & CardDav. Like I said, Proton is engaged in some questionable practices.
It’s not unnecessary, it’s the result of a technical choice. A winning technical choice actually. PGP has a negligible user-base, while Proton has already 100 million accounts. I would be surprised if there were 10 million people actually using PGP. They sacrificed the flexibility and composability of tools (which results almost always in complexity) and made an opinionated solution that works well enough for the mainstream population, who has no interest in picking their tools and simply expects a Gmail-like experience.
And if you really have stringent requirements, they anyway provided the bridge, so that you can have that flexibility if it’s really important for you.
IMAPS & PGP/GPG, CalDav & CardDav
IMAPs is just IMAP on TLS, so it does not have anything to do with e2ee in this context.
PGP/GPG is what they use. They just made a tool that is opinionated and just works, rather than one which is more flexible but also more complex. Good choice? Bad choice? It’s a choice.
*DAV clients expect cleartext data on the server. If you encrypt the data, you need to build all this logic into the clients, and you are not following the standard anymore, which means you will anyway be bound to your client only (and those which implement compatibility). Proton decided that they want to implement e2ee calendar, and they decided to roll their own thing. It’s up to everyone to decide whether e2ee is a more important feature than interoperability with other tools. I don’t care about interoperability, for example, and I’d take e2ee over that.
timewarp@lemmy.world
on 17 Mar 2024 16:25
IMAPs is just IMAP on TLS, so it does not have anything to do with e2ee in this context.
If you use GnuPG or one of the GUI implementations it does.
You do realize e2ee merely means that two users share public keys when they communicate in order to decrypt the messages they receive, right?
*DAV clients expect cleartext data on the server. If you encrypt the data, you need to build all this logic into the clients, and you are not following the standard anymore, which means you will anyway be bound to your client only (and those which implement compatibility).
You’re talking about people paying for cloud services that manage everything for them. Nothing to stop you from hosting your own on an encrypted drive. EteSync does E2E already, and there is already a plethora of apps supporting PGP on Android and Desktop to encrypt/decrypt messages.
If you use GnuPG or one of the GUI implementations it does.
No, because it’s the server that terminates the TLS connection, not the recipient’s client. TLS is purely a security control to protect the transport between you and the server you are talking to. It doesn’t have anything to do with e2ee. It’s still important, of course, but not for e2ee.
You do realize e2ee merely means that two users share public keys when they communicate in order to decrypt the messages they receive, right?
And how does TLS between you and your mail server help with this? Does it give you any guarantee that the public key was not tampered when it reached your server? Or instead you use the fingerprint, generally transmitted through another medium to verify that?
Nothing to stop you from hosting your own on an encrypted drive.
An encrypted drive is useful only when the server is off against physical attacks. While the server is powered on (which is when it gets breached - not considering physical attacks) the data is still in clear.
EteSync does E2E already
And…it requires a specialized client anyway. In fact, they built a DAV bridge (github.com/etesync/etesync-dav). Now tell me, if you use this on -say- your phone, can you use other DAV tools without using such bridge? No, because it does something very similar to what Proton does. If proton bridge will get calendar/contacts functionality too (if, because I have no idea how popular of a FR it is), you are in the exact same situation.
The ProtonBridge used to be garbage so people have wanted a dedicated app for awhile now. Over the past year or two, the Bridge finally works fairly reliably so …a little too late.
timewarp@lemmy.world
on 16 Mar 2024 18:05
So the bridge now syncs your calendars, contacts, files & passwords? Their bridge still sucks like it always has.
deweydecibel@lemmy.world
on 16 Mar 2024 14:00
Proton forces you to pay for a bridge to use Thunderbird.
Tutanota doesn't even provide that.
These "privacy respecting" email services don't respect the user enough to let them use third party email clients easily if the user chooses to.
AProfessional@lemmy.world
on 16 Mar 2024 14:07
They cannot decrypt your data while sitting, so IMAP cannot work.
timewarp@lemmy.world
on 16 Mar 2024 18:04
Go ahead and explain what you mean. I don't believe you & think you're just parroting their corpo speak.
It's actually fairly simple: if the server never has access to the keys or the plaintext of messages (or calendar events, etc.), then you need a client tool to handle decryption and encryption operations.
They use PGP, and they have implemented this feature in a way that it's completely transparent to the user to make it mainstream. So they chose building dedicated tools (bridge, web client), rather than letting users use their own tools, because the PGP tooling sucks hard and it's extremely inaccessible for the general population.
This means that you need a fat client, whatever you do, or otherwise the server will have access to the data and there is no e2ee. Instead of using enigmail or other PGP plugins/tools, they built the bridge.
timewarp@lemmy.world
on 16 Mar 2024 19:17
if the server never has access to the keys or the plaintext of messages (or calendar events, etc.), then you need a client tool to handle decryption and encryption operations.
Proton stores your keys, and you have the decryption password. How do you think they handle password-based logins? Only the user should ever generate and store the private key. All they need now is your decryption password & they can read your messages. This is reason #1 not to trust Proton.
They use PGP, and they have implemented this feature in a way that it's completely transparent to the user to make it mainstream.
It isn't transparent, because most users aren't running their own frontend locally and tracking all the source code changes. They've already violated the first rule of PGP privacy by having your private key. Now you're merely trusting them to not send you a custom JS payload to have your decryption password sent to the server. How many users are actually utilizing their hidden API to ensure that decryption/encryption is only done client-side? If they have your private key, how many users do you think are using long enough passwords to make cracking their password more challenging? This is reason #2 to not trust Proton.
PGP tooling sucks hard and it's extremely inaccessible for the general population.
This is just entirely inaccurate and you've failed to provide any "proof" for your generalizations here.
This means that you need a fat client, whatever you do, or otherwise the server will have access to the data and there is no e2ee.
If you actually understood PGP you'd know you can generate and use local-only keys with IMAPS and have support to use any IMAP client. Furthermore, the other apps by Proton like Proton Pass, Calendar, etc… all use undocumented APIs that they have yet to implement in their bridge using standard protocols like CalDav/CardDav/JSON or whatever else in order to be able to integrate with local tools. There is no security benefit in their implementation other than to lock you into a walled garden and give you a false sense of security.
sudneo@lemmy.world
on 16 Mar 2024 21:54
Proton stores your keys
Proton stores an encrypted blob.
All they need now is your decryption password & they can read your messages
"All they need now is your private key". It's literally a secret, they use bcrypt and then encrypt it. Also, "they" are not generally in the threat model. "They" can serve you JS that simply exfiltrates your email, because the emails are displayed in their web-app, they have no need to steal your password to decrypt your key and read your email…
It isn't transparent, because most users aren't running their own frontend locally and tracking all the source code changes.
Probably we misunderstand what "transparent" means in this context. What I mean is that the average user will not do any PGP operation, in general. Encryption happens transparently for them, which is the whole thing about Proton: make encryption easy and default.
Now you're merely trusting them to not send you a custom JS payload to have your decryption password sent to the server.
Again, as I said before, they control the JS, they can get the decrypted data without getting the password…?
You always trust your client tooling. There is always a point where I trust someone, be it the "enigmail" maintainers, Thunderbird maintainers (it has access to messages post-decryption!), the CLI tool of choice etc.
How many users are actually utilizing their hidden API to ensure that decryption/encryption is only done client-side?
I mean, their clients are open-source and have also been audited?
If they have your private key, how many users do you think are using long enough passwords to make cracking their password more challenging?
I don't know. But here we are talking about a different risk: someone compromising Proton, getting your encrypted private key, and starting bruteforcing bcrypt-hashed-and-salted passwords. I find that risk acceptable.
This is just entirely inaccurate and you've failed to provide any "proof" for your generalizations here.
See other post.
If you actually understood PGP you'd know you can generate and use local-only keys with IMAPS and have support to use any IMAP client.
Care to share any practical example/link, and how exactly this means not having a fat client that does the encryption/decryption for you?
There is no security benefit in their implementation other than to lock you into a walled garden and give you a false sense of security.
Right, because *DAV protocol are so secure. They all support e2ee, right…?
There is a security benefit, and the benefit is trusting the client software more than a server, especially if shared.
You can export data and migrate when you want easily, so it's really a matter of preference.
timewarp@lemmy.world
on 17 Mar 2024 16:12
Proton stores an encrypted blob.
It doesn't matter that your private key is stored on their servers encrypted/hashed or whatever. If you were simply storing it there, that would not be an issue. The problem is that you're also logging in and relying on whatever JS is sent to you to only happen client-side.
Probably we misunderstand what "transparent" means in this context. What I mean is that the average user will not do any PGP operation, in general. Encryption happens transparently for them, which is the whole thing about Proton: make encryption easy and default.
Most users aren't sending emails from their Proton to other Proton users either. Furthermore, the users that want encryption seek it out. They don't need to use Proton for encryption, especially when it would be easy for them to get an unknowing user's decryption password.
Again, as I said before, they control the JS, they can get the decrypted data without getting the password…? You always trust your client tooling. There is always a point where I trust someone, be it the "enigmail" maintainers, Thunderbird maintainers (it has access to messages post-decryption!), the CLI tool of choice etc.
Yes, you have to trust source code somewhere, but with Thunderbird or other mail clients that is open source and their apps are signed or you can reproducibly build from source. However, once that is built it doesn't change. With Proton, every time you visit their site you don't know for sure that it hasn't changed unless you're monitoring the traffic. A government is much more likely to convince Proton to send a single user a custom JS payload, than to modify the source code of Thunderbird in a way that would create an exploit that bypasses firewalls, system sandboxing, etc.
I mean, their clients are open-source and have also been audited?
You mean their PWA/WebView clients that can still send custom JS at anytime, or their bridge?
Care to share any practical example/link, and how exactly this means not having a fat client that does the encryption/decryption for you?
First, explain what you mean by a fat client? GnuPG is not a fat client.
Right, because *DAV protocol are so secure. They all support e2ee, right…? There is a security benefit, and the benefit is trusting the client software more than a server, especially if shared. You can export data and migrate when you want easily, so it's really a matter of preference.
Being able to export things is a lot different than being able to use Thunderbird for Calendars, or a different Contacts app on your phone. DAV is as secure as the server you run it on and the certificate you use for transport.
It doesn't matter that your private key is stored on their servers encrypted/hashed or whatever. If you were simply storing it there, that would not be an issue. The problem is that you're also logging in and relying on whatever JS is sent to you to only happen client-side.
I feel like I covered this point? They make the client tool you are using, there is 0 need for them to steal your password to decrypt your key. Of course you are trusting them, you are seeing your unencrypted email in their webpage, where they can run arbitrary code. They do have their clients opensourced, but this doesn't mean much. You are always exposed to a supply-chain risk for your client software.
Most users aren't sending emails from their Proton to other Proton users either.
So…? The point is, if they do, encryption happens without them having to do anything, hence transparently. That was the point of my argument: my mom can make a proton account and send me an email and benefit from PGP without even knowing what PGP is.
Furthermore, the users that want encryption seek it out.
And that's the whole point of the conversation: these users are techies and a super tiny minority. This way, they made a product that allows mainstream users to have encryption.
Thunderbird or other mail clients that is open source and their apps are signed or you can reproducibly build from source.
And this control is worth zilch if they get compromised. This is a control against a MiTM who intercepts your download, it's not a control if "the maker of Thunderbird" decides to screw you over in the same way that Proton would do by serving malicious JS code.
If the threat actor you are considering is a malicious software supplier, you have exactly the same issue. There can be pressures from government agencies, the vendor might decide to go bananas or might get compromised.
However, once that is built it doesn't change. With Proton, every time you visit their site you don't know for sure that it hasn't changed unless you're monitoring the traffic.
Yes, this is true and it's the real only difference.
I consider it a corner case and something that only affects the time needed to compromise your emails, not the feasibility, but it's true. I am counting on the other hand on a company who has business interests in not letting that happen and a security team to support that work.
A government is much more likely to convince Proton to send a single user a custom JS payload, than to modify the source code of Thunderbird in a way that would create an exploit that bypasses firewalls, system sandboxing, etc.
Maybe…? If government actors are in your threat model, you shouldn't use email in the first place. Metadata are unencrypted and cannot be encrypted, and there are better tools. That said, government agencies have the resources to target the supply chain for individuals and simply "encourage" software distributors to distribute patched versions of the software. This is also a much better strategy because it's likely they can just get access to the whole endpoint and maintain easy persistence (while with JS you are in the browser sandbox and potentially system sandbox), potentially allowing to compromise even other tools (say, Signal). So yeah, the likelihood might be higher with JS-based software, but the impact is smaller. Everyone has their own risk appetite and can decide what they are comfortable with, but again, if you are considering the NSA (or equivalent) as your adversaries, don't use emails.
You mean their PWA/WebView clients that can still send custom JS at anytime, or their bridge?
Yes.
First, explain what you mean by a fat client? GnuPG is not a fat client.
In computer networking, a rich client (also called heavy, fat or thick client) is a computer (a "client" in client–server network architecture) that typically provides rich functionality independent of the central server.
What I mean is this: a client that implements quite some functionality besides what the server would require to work. In this case, the client handles key management, encryption, decryption, signature verification etc. all functionalities that the server doesn't even know they exist.
This is normal, because the encryption is done on top of regular email protocols, so they require a lot of logic in the client side.
Being able to export things is a lot different than being able to use Thunderbird for Calendars, or a different Contacts app on your phone.
For sure it's d
timewarp@lemmy.world
on 17 Mar 2024 16:55
All good points. It seems like we mostly agree on the same concepts. I don't disagree that people using Proton may have better privacy overall than other services, but I do disagree on the way they implemented it and find their design decisions and approach to be questionable. It screams that they are profit-hungry and admire Apple's walled garden.
federatingIsTooHard@lemmy.world
on 16 Mar 2024 22:17
some people want to be swindled.
Stalins_Spoon@lemmygrad.ml
on 16 Mar 2024 13:21
That could very well be the case. I guess I'll only find out if I ever feel like I need the paid version. For now, I'm doing golden with the free one
jjlinux@lemmy.ml
on 16 Mar 2024 13:48
Yeah, Proton is awesome, that's for sure. Now, being a "security and privacy" company, it blows my mind that they put so much effort on making apps for Windows and Mac first, leaving Linux behind, and when they finally get to it, they just dump in a glorified PWA.
This world is really weird 🤣🤣
And that they decided to go with RPM and DEB instead of just doing a Flatpak
QuandaleDingle@lemmy.world
on 16 Mar 2024 15:13
Are you kidding me? Doesn't bother me that much, as I use Thunderbird with Protonmail bridge. I'm still waiting on Proton Drive for linux. Well, I'm gonna end up self hosting at this point. :(
banghida@lemm.ee
on 16 Mar 2024 16:57
I prefer rpm over flatpak. at least I know any os dependency updates are happening regularly, flatpak may not get weekly dependency updates from proton
I'm on OpenSuse which will take a Fedora RPM, and most will take deb, if they don't you can use the alien tool to convert it for your OS…extra steps which sucks
Holzkohlen@feddit.de
on 17 Mar 2024 04:56
"Extra steps for thee, not for me!"
AProfessional@lemmy.world
on 17 Mar 2024 15:30
OpenSUSE does not have Fedora's ABI or package names. The RPMs aren't compatible.
I installed it and it works. i have also installed other Fedora RPMs. RPM can contain repo links to dependencies needed. or just contain all the libraries needed. OpenSUSE will install it and just treat them as Orphaned Packages (in the later case)
ducking_donuts@lemm.ee
on 16 Mar 2024 14:33
Are you confusing security and privacy?
pixelscript@lemmy.ml
on 16 Mar 2024 14:43
They mutually imply one another.
If something was private, but not secure, well, that implies there are ways to breach the privacy, which isn't very private at all.
If it's secure, but not private, that implies it's readable by someone other than the consenting conversational parties, which makes it insecure.
CosmicTurtle@lemmy.world
on 16 Mar 2024 15:10
Privacy: I have blinds on my windows. I control whether they are open or closed, but they aren't secure. You could break a window and look inside if you really wanted to.
Security: my glass storm door has a lock. But privacy is only there when I close the front door.
There is overlap between these two concepts but one does not imply the other.
You999@sh.itjust.works
on 16 Mar 2024 15:19
I'm not, the comment I was replying to literally called proton a "security and privacy" company.
jjlinux@lemmy.ml
on 16 Mar 2024 16:39
That's why I put "security and privacy" between quotes. I have absolutely no way to confirm if they are secure and private or if they're not, other than all the contradicting mentions all over the internet. Also, while security and privacy may not be mutually dependent in the physical world, it stands to reason that something insecure cannot be private, and something not private is inherently insecure, as @pixelscript@lemmy.ml clearly pointed out.
As for controlling my own email infrastructure, I'd love to, as everything else I do self-host, and only with FOSS software. However, email hosting is a seriously complicated animal that requires too much effort and maintenance, and most of us don't have the knowledge and time to invest in that, so compromises need to be made. I am well aware that there's always risk on using something I have no real control over, but the alternative meets the reason for the phrase "the treatment is worse than the disease".
TheAnonymouseJoker@lemmy.ml
on 16 Mar 2024 18:00
If you just did this little thing, you would convey your point very well. Proton is unfit for activist and journalist tier threat models. You could link Moon Of Alabama blog articles. Proton is better than Gmail and Outlook, but it is no saint. It is enough to achieve good basic privacy and security, but not bulletproof in worst cases.
sudneo@lemmy.world
on 16 Mar 2024 18:40
Companies have to comply with law enforcement. If anything, the little amount of data they were able to give after being forced is a good proof of their overall claim. If there is someone to blame here are courts using antiterrorism laws to catch environmental activists.
drascus@sh.itjust.works
on 28 Mar 2024 10:46
exactly if it's a company they have to comply with laws. This is not a service to rely on if you're doing espionage or something. It's for people who want more privacy and choice.
linearchaos@lemmy.world
on 17 Mar 2024 14:53
I mean, if you want secure/private communication, email should not be your go-to. It's a horrible platform by today's standards. It was never designed to have any serious level of security. Once they have an unencrypted email on the target with timestamps and mail headers, all they need to do is see who was communicating with Proton at that point. I don't know if anything has changed since the PRISM days, but back in the 2000s, they definitely had that level of insight into the web.
drascus@sh.itjust.works
on 28 Mar 2024 10:48
Not much has changed. It's really only secure if you are sending emails between addresses within the same local network like gmail to gmail. Thankfully with end to end encryption it can be pretty safe just good luck finding someone that knows how to use it. but thankfully proton makes that pretty seamless.
Molecular0079@lemmy.world
on 16 Mar 2024 15:57
I had no idea. That's good information to have. And my wife doesn't get why I spend so much time in Lemmy. I learn more here than with all the online courses I take regularly put together. I love this community.
privacyn@feddit.it
on 16 Mar 2024 20:01
Capitalism is weird? Ok, but this is what we have.
I had no idea the whole world was capitalist, but I guess I don't know everything. And there's the fact that I mentioned the world, not a form of political economy. But yeah, capitalism is weird.
it blows my mind that they put so much effort on making apps for Windows and Mac first, leaving Linux behind
Because most people use Windows and Mac, including their clients. It's not the world that is weird, it's people who don't understand such basic things. You don't focus on 5% of your users.
federatingIsTooHard@lemmy.world
on 16 Mar 2024 14:35
i quite like disroot's suite of services.
possiblylinux127@lemmy.zip
on 16 Mar 2024 15:07
Gmail requires that you use proprietary software. Anyway just because email is insecure doesn't mean you should jump into the pot
triplenadir@lemmygrad.ml
on 16 Mar 2024 18:03
protonmail is also proprietary.
that said, gmail is surely a terrible recommendation
possiblylinux127@lemmy.zip
on 16 Mar 2024 19:30
I wouldn't use proton mail either
timewarp@lemmy.world
on 16 Mar 2024 18:13
No it doesn't. You can use free Gmail with IMAPS & GPG-encrypt all your messages if you want to. I don't know why you're spreading lies, other than you're just too oblivious to know better.
possiblylinux127@lemmy.zip
on 16 Mar 2024 19:30
It in fact does. You can't sign in with Google without non-free JavaScript
timewarp@lemmy.world
on 16 Mar 2024 19:56
This is the dumbest argument. You can't create a Proton account without non-free JS either. Once you enable IMAP in Gmail, you don't have to sign in using the browser. Are you really going to argue this? I mean, you can just admit you don't know enough about security and that you trust Proton just cause they make you feel warm & fuzzy or whatever.
possiblylinux127@lemmy.zip
on 16 Mar 2024 22:05
I don't use or trust Proton either. My point was that when you use gmail you are giving up additional data and your freedom.
The best answer is to use an email provider that doesn't force you to use non-free software. There are a limited few that work with HTML or properly licensed JavaScript
federatingIsTooHard@lemmy.world
on 16 Mar 2024 14:23
illectrility@sh.itjust.works
on 16 Mar 2024 16:17
Not only is this article three years old, it is also lacking in terms of sources. Additionally, the language and phrasing is quite inappropriate for the purpose of spreading the information. Lots of text is just mean and offensive without any actual purpose.
It also seems to be largely based on speculation rather than actual solid evidence.
I'm not against investigating the legitimacy of established and trusted privacy-first providers. However, this seems a bit lackluster.
Also: Email is inherently insecure, we all know that. Proton services are open source, independently audited and verifiably E2EE, except for Mail, which uses PGP for the emails themselves and E2EE to store them.
federatingIsTooHard@lemmy.world
on 16 Mar 2024 16:33
for what claim do you want a source that isn't provided?
illectrility@sh.itjust.works
on 16 Mar 2024 16:43
All of the hyperbole and speculation? The SSL stuff with TOR for example. That's not proof, that's a hint at best
federatingIsTooHard@lemmy.world
on 16 Mar 2024 22:27
they say plainly what they don't know. what they don't know, you don't know. and if you don't know, you are trusting on faith, not evidence.
FriedRice@lemmy.ml
on 16 Mar 2024 14:25
So what's more privacy friendly, using a browser to check email, or using the official Proton app?
dodgy_bagel@lemmy.blahaj.zone
on 16 Mar 2024 19:26
Make sure to encrypt messages with a Caesar cipher.
timewarp@lemmy.world
on 16 Mar 2024 17:46
Neither. The single app that Proton has done somewhat right with is their VPN and only because they haven't eliminated port forwarding. Everything else they've utilized non-standard protocols and failed to provide source code or API docs. They basically said that users are too stupid to protect themselves, and that you should just trust them to do it for you.
They failed to provide CalDav & CardDav syncing for things like calendars & contacts, IMAPS for mail, and prioritized things like their cloud-only password store. They had no valid reason not to use standardized protocols other than to prevent their users from actively syncing local copies of their data to integrate with privacy-friendly open source software. They act like Apple & a lot of their users prob. are Apple fan bois who will trust a company no questions asked. I have no reason to trust them whatsoever.
Yerbouti@lemmy.ml
on 16 Mar 2024 14:30
So, what is general consensus about Proton, is it safe or not? I don't use it because you need to pay for Bridge to use it in Thunderbird. Maybe I would use if it has a dedicated app.
illectrility@sh.itjust.works
on 16 Mar 2024 16:07
It's pretty great. Especially considering that you get a full ecosystem with Mail, Calendar, Drive, VPN and Pass.
I would also like to take this opportunity to shout out murena.io. They host open source cloud solutions. You get a Nextcloud with OnlyOffice and lots of other goodies and their pricing is pretty good
Grangle1@lemm.ee
on 16 Mar 2024 16:28
The people behind Murena are also the devs of /e/OS, a de-Googled Android OS that they also sell phones they pre-load it on. My one critique of it so far, owning one of the phones, is that I wish they would work on making it compatible with more well-known phone models available outside Europe. They sold this model I'm using, the Murena One (some Chinese OEM they slapped their name on), here in the US through their website, but I had to run around for two days trying to find a carrier whose service would work on it (or who would even try - eventually T-Mobile worked, the European-based carrier, what a surprise…) and I can't get anyone to do repairs on it because it's not one of the well-known brands. The case they gave me for it is essentially purely cosmetic, and only a week or so into owning it, I dropped it at a restaurant and it got a huge area of dead pixels at the bottom of the screen that nobody will fix because they can't get a new screen for it. If I could install /e/OS myself on more than just the Google Pixel (paying Google to not have to use Android, fun…) that would be great and solve my problems.
illectrility@sh.itjust.works
on 16 Mar 2024 16:38
As the mod of !c/e_os, I am so happy you brought this up. I use /e/ on my Fairphone 4, it's great. The Easy Installer has come a long way, you should check it out doc.e.foundation/easy-installer
Edit: You can also check all the supported devices here
I've looked at the list. The only model that could give me what I'm looking for (5G, actually familiar to US-based carriers and repair shops) is the Pixel. I understand it's not all the fault of the /e/OS devs since there's factors like many bootloaders not being unlockable on US phones or other hardware complications, but I do get the feeling that the North American market does tend to be an afterthought. From what I can see, a majority of the list is either only available in Europe or will only work with very few carriers here, with lack of 5G capability being a big setback for carrier compatibility. That 5G requirement for many carriers really does hurt European based phone tech compatibility over here quite a bit.
timewarp@lemmy.world
on 16 Mar 2024 18:03
So how would you sync your Proton Passwords with NextCloud, or with VaultWarden? Or actively sync them locally to be used with an open source app?
Oh, that's right… you can't. Proton will say… "Just trust our payloads bro! There is no way we'd ever deliver a modified payload to get your password. Sorry you can't sync your calendar & contacts, just use our Windows apps."
illectrility@sh.itjust.works
on 17 Mar 2024 13:13
I wouldn't? I suggested Murena as a Proton alternative. I don't know if they have a password manager right now but you can always throw a KeePass database into your Nextcloud.
timewarp@lemmy.world
on 17 Mar 2024 13:47
My sincerest apologies. I misread the thread and thought you were advocating for Proton, which IMO is a questionable company. Thanks for the clarification.
illectrility@sh.itjust.works
on 17 Mar 2024 14:09
I use both. Proton fits most of my needs, Murena does the rest. I'm not attached to any of them though, if I'm given good enough a reason, I'll drop Proton immediately
timewarp@lemmy.world
on 17 Mar 2024 14:24
At least you're open to moving on. I think keeping an open attitude in any scenario is prob the best option. For most people, I'd recommend they keep using whatever works for them. If you're happy with Proton then switching may just cause frustration. However, if you're very much security focused and also care about things like being able to access your calendars/contacts in the apps you want, then I'd prob suggest just using SimpleLogin for email with their GPG feature, vaultwarden for passwords (you can still use the BitWarden phone apps), and Nextcloud for Calendar/Contacts which also supports DAVx for mobile.
illectrility@sh.itjust.works
on 17 Mar 2024 14:32
I do use the SimpleLogin aliases, it's one of my favorite services they offer. Most of my web storage (which I barely use anyway) and calendar and stuff is all Nextcloud
timewarp@lemmy.world
on 16 Mar 2024 17:55
It is about as safe as trusting Apple at their word to protect your privacy.
It depends on what you want.
If you want a solution that makes sure your provider wonât be able to read your data?
It is sure safe for that.
Generally I would distrust any company claiming that our swiss privacy laws are worth a dime - in fact they are shit and among the worst in Europe.
Swiss intelligence laws actually force companies to cooperate in a much broader sense than even the national security laws in the US do.
And of course there is no judge involved and they can basically share the collected data with whoever they want.
testeronious@lemmy.world
on 16 Mar 2024 16:03
nextcollapse
no proton drive??
illectrility@sh.itjust.works
on 16 Mar 2024 16:05
collapse
This came way sooner than expected, be grateful. Itâll arrive soon enough. Patience, young padawan
psycho_driver@lemmy.world
on 16 Mar 2024 16:30
Speaking of mail apps, has anyone used Thunderbird recently? I had used it for a year or two up until . . . a year or two ago (probably two or three, actually) and then switched to kmail to satisfy my masochism. Thunderbird just hadn't been doing it for me with meh functionality and slightly more meh looks.
Fast forward to yesterday when I'm updating my steamdeck desktop to use nix stuff instead of rwfus+pacman and I couldn't get kmail from nix to behave right so I thought I'd give thunderbird another look. I'm several hours into tinkering with it and holy hell has it changed pretty much completely from a few years ago. Looks fantastic and works pretty much exactly how I want/expect it to. Good job mozilla!
Hadriscus@lemm.ee
on 16 Mar 2024 16:50
Yeah I installed it recently on my Windows and it is super sleek.
Pantherina@feddit.de
on 16 Mar 2024 17:49
Thunderbird is fine.
Tbh I have no idea what they are doing though, they have more funding than GNOME but after Supernova I didn't see any updates.
There is an unofficial Thunderbird nightly Flatpak, that will likely reveal what the hell they are doing.
So Supernova is kinda nice, mainly a big overhaul of the underlying stuff, making it easier to maintain.
It lacks a ton of things like Threads (the addon TB Conversation works though). Also their "spaces" bar is useless, as it just opens tabs, so it is redundant. Good idea, but only if it could replace tabs.
Their search and filter stuff is still the same, really bad. Either displaced in the message list column, as the global search still opens a new tab which is kinda bad UI.
Some addons broke too, not a big deal though.
I have the feeling they removed nested filters, which is extremely bad, but filters still work.
Thunderbird works well.
deweydecibel@lemmy.world
on 17 Mar 2024 00:45
I believe I read somewhere they're focusing heavily on the mobile app at the moment (or rather turning K-9 into their mobile app). Once they get that out, we'll see where the desktop goes.
Pantherina@feddit.de
on 17 Mar 2024 09:38
That too but afaik that's a separate Android dev
uncertainty@lemmy.nz
on 17 Mar 2024 10:02
I've never found Thunderbird search bad compared to alternatives, as long as I'm not looking to find content inside attachments. Really fast and responsive and being a desktop client without paginated results makes moving and deleting in bulk so much easier. Would love it to be as powerful as Voidtools Everything to get a bit more granular sometimes but otherwise pretty happy with it.
Pantherina@feddit.de
on 17 Mar 2024 10:07
I mean, I think their global search is not that useful, while their inline mail list search is. So I have a cluttered UI with 2 search bars, to supplement the incomplete inline search.
BananaTrifleViolin@lemmy.world
on 16 Mar 2024 18:36
Yeah I've started using it again the past year. I use Proton Bridge with Thunderbird, and it works well. Much prefer it to webmail interfaces.
PrettyFlyForAFatGuy@feddit.uk
on 16 Mar 2024 19:49
It's not developed by mozilla anymore. They stopped updating it a couple years ago.
explore_broaden@midwest.social
on 16 Mar 2024 21:02
That's not true, the latest release was two weeks ago.
PrettyFlyForAFatGuy@feddit.uk
on 16 Mar 2024 23:33
Not from mozilla, they spun it off a couple years ago
explore_broaden@midwest.social
on 16 Mar 2024 23:38
It's still under the Mozilla foundation though, which is what people who are talking about Mozilla usually mean (they're the ones collecting donations and the parent organization).
TCB13@lemmy.world
on 16 Mar 2024 20:14
Yes Thunderbird is getting really nice nowadays.
Grimpen@lemmy.ca
on 16 Mar 2024 22:38
Just started using Thunderbird again a couple of months ago. Like it! I never really stopped liking it, just stopped using it because all the webmail interfaces and "appification".
Was just trying to get K-9 Mail working on my phone again (after years of using umpteen different apps) and it's not as smooth as I remember.
jwt@programming.dev
on 17 Mar 2024 09:56
I think they're talking Kmail from the KDE app suite. I thought they meant K-9 mail.
Btw If I remember correctly K-9 mail is or is becoming Thunderbird.
turkishdelight@lemmy.ml
on 16 Mar 2024 18:18
Protonmail still does not have an official app in F-Droid. Just because of this reason I ended my paid subscription and moved to Tutanota.
tomatolung@lemmy.world
on 16 Mar 2024 19:07
Not going away from Proton myself, but yes this is damned infuriating. Although I'd deal with a reliable Android app. The Beta Android looks good, but why Proton has struggled so much with Android is beyond my current digging.
version_unsorted@lemm.ee
on 17 Mar 2024 10:52
Tutanota doesn't have a good way to export emails in bulk. Their feature set is getting richer, but once invested, the exit cost is quite high, speaking from experience.
FrankTheHealer@lemmy.world
on 16 Mar 2024 18:18
Cool. Now please do Proton Drive and Calendar. Please and thank you Proton.
They generally require to have data visible on the server and/or handle independently encryption/decryption with related tools and key management (including key discovery).
For some, it might be worth it; for 99% of the population, who wouldn't be able to do this but also don't want their content available to the provider, it's not.
TCB13@lemmy.world
on 16 Mar 2024 20:24
"After years of pushing their proprietary and closed solutions to privacy minded people Proton decided that it was in their best interest to further bury said users into their service as a form of vendor lock-in. To achieve this they made more non-standard desktop clients for their groupware features (contacts and calendars) and the bridge will be discontinued soon."
Only if there wasn't CardDAV, CalDAV, IMAP, SMTP and dozens of other highly standardized protocols to handle e-mailing and groupware.
savvywolf@pawb.social
on 16 Mar 2024 21:56
Is the bridge actually being discontinued? People have been saying that a lot recently but I've not seen any evidence for it, and not in the linked article.
I'm annoyed that they don't support SMTP, but realistically they actually can't unless they have the ability to read your email, which they don't.
No, but from their moves it is very clear it won't live long.
they don't support SMTP, but realistically they actually can't unless they have the ability to read your emai
Technically they do use SMTP… and it's possible for a provider to provide submission and generic SMTP to clients without having to read the email content.
There are lots of ways to do e2e encryption on e-mail (no server access to the contents) over SMTP (OpenPGP, S/MIME etc.). There are also header minimization options to prevent metadata leakage. And Proton decided NOT to use any of those proven solutions (in a standard and open way at least) and go for some obscure implementation instead because it fits their business better and makes development faster.
philpo@feddit.de
on 17 Mar 2024 09:53
Because with proven concepts the Swiss intelligence services would be locked out.
And now people have to trust their claims of "Swiss privacy laws" (which are shit - the worst in Central Europe. Switzerland had multiple scandals, from a system that had intelligence files on a large percentage of their "unreliable" citizens as part of the "Fichenskandal" to them recently admitting that most internet traffic within and all traffic leaving and entering Switzerland is monitored by the Swiss intelligence services - without so much as a judge's permit).
Yeah, I know, they are audited… But since Snowden we all know how much that is worth.
JustARegularNerd@aussie.zone
on 17 Mar 2024 23:01
The minute they discontinue Proton Bridge is the minute I cancel my subscription with them and change mail providers. No one is prying my beloved Thunderbird from me
nobloat@lemmy.ml
on 16 Mar 2024 21:20
"Anyone can download the app, but free users will be given a 14-day trial to test drive it."
So it's only for premium users?
Wispy2891@lemmy.world
on 16 Mar 2024 21:57
Hey it takes effort to make a WebView for mail.proton.com
They need to see how to package the dedicated browser for all the different distros and operating systems, make a nice icon and so on. It takes hours
r1veRRR@feddit.de
on 16 Mar 2024 22:12
Proton seems on the wrong side of the usability - privacy spectrum. Every last feature I'd want from an online provider is impossible or massively neutered by the overly strict security.
I wish there was a similar service in a trustworthy country with a more sane level of safety, like opt-in encryption for example.
version_unsorted@lemm.ee
on 17 Mar 2024 10:47
mailbox.org has pretty good pgp key integration and will encrypt all emails that come in with a public key of your choosing.
SamVergeudetZeit@feddit.de
on 17 Mar 2024 11:07
Idk, got thunderbird set up and feeling pretty happy with it.
Yep. Installed it, started it, saw it is basically the website in an embedded browser, uninstalled it.
Like, come on, you have a web version. Why should I use an extra application to view a website. This seems like a cheap excuse for a desktop app.
xylogx@lemmy.world
on 17 Mar 2024 14:17
Does it support offline access?
calmluck9349@infosec.pub
on 17 Mar 2024 14:28
It does not. Which is the reason I wanted the app…
notepass@feddit.de
on 17 Mar 2024 17:28
How to completely fail on a mail client. Holy hell.
dallen@programming.dev
on 17 Mar 2024 21:51
Are you sure?
This was in the linked article:
Caching for offline use
calmluck9349@infosec.pub
on 17 Mar 2024 23:26
I turned my WiFi off and opened the app; it was just a white screen. I suppose it's beta still. But my dream is to keep a local copy of all my mail just got a cache.
downloading emails and storing them locally for offline reading, categorizing, searching and drafting. "Caching" usually just means if you opened the app with connection, it won't go bonkers and will probably let you finish your immediate task + some basic functionality if you lose it. Can't close the app though.
The only benefit i can see of web app is it is in a controlled browser environment… could be helpful with security?
gibson@sopuli.xyz
on 17 Mar 2024 18:14
The main benefit is since it is locally installed, it is harder for proton's server to access your encrypted data by serving you malicious JS. A malicious desktop app/update could be served too, but that may be trickier.
HopFlop@discuss.tchncs.de
on 18 Mar 2024 20:07
To save myself the hassle of having to rebuild the electron app every once in a while? I'd rather not open my browser, go to their website and log in with 2fa every time I want to read an email.
pathief@lemmy.world
on 17 Mar 2024 18:14
Is the search functionality improved in the desktop app?
Moonrise2473@lemmy.ml
on 17 Mar 2024 21:07
It just opens the web app
737@lemmy.blahaj.zone
on 17 Mar 2024 18:38
no AppImage, no Flatpak, no PPA, and no COPR
gaussian_distro@iusearchlinux.fyi
on 17 Mar 2024 19:23
AUR FTW!
Arthur_Leywin@lemmy.world
on 18 Mar 2024 02:13
If that's the case, then I might have to use distrobox for once.
umbraroze@lemmy.world
on 17 Mar 2024 19:41
(Webmail provider releases a bespoke desktop app)
(me, old fart, bumbles out from behind the cables and servers and muck)
You fools! Have any of you whippersnappers ever heard of IMAP? No? Thought so.
[I'm not that familiar with ProtonMail. Chances are they already support IMAP. In which case: … …why? Why this? Why in this day and age?]
Moonrise2473@lemmy.ml
on 17 Mar 2024 21:06
It's worse than you thought.
The webmail provider released a dedicated browser that can only open the webmail and called it a "desktop" app.
Additionally, they don't support IMAP. There's an app to run on your computer that becomes a bridge. The proprietary protocol is translated to IMAP. You can't use your favorite client if your operating system can't run that bridge and you're not a premium user because for "reasons" only premium users can run that local bridge
Bogasse@lemmy.ml
on 17 Mar 2024 21:33
On a lighter note, the protocol might be proprietary but the bridge still seems to be fully open source : github.com/ProtonMail/proton-bridge
I don't think Proton shows bad will on this one. The only alternative I can think of (as a non expert) would be IMAP + GPG encrypted emails but very few desktop clients support GPG, which would make them less accessible 🤷‍♂️ Having their own protocol also probably makes it much much easier for them to iterate on it, opening up usually makes things much more robust but also slower.
Moonrise2473@lemmy.ml
on 18 Mar 2024 07:57
The bridge is "open" but somehow it works only for premium users.
They don't support IMAP because they want emails to remain end-to-end encrypted, and IMAP doesn't have any way of doing that. The gateway decrypts the emails locally, then serves them as plain text.
We need something better than IMAP, that's designed for modern use cases. Something that's not stateful… Maybe a web service or something like that. JMAP seems promising but barely any providers have implemented it.
Moonrise2473@lemmy.ml
on 18 Mar 2024 08:01
Still, if a user prefers the convenience of using any client instead of e2e, could enable it in a setting. Maybe the user subscribed because they liked the interface and the overall features of the plan, and not because of the encrypted email solution and just wants to add the account on the mobile client instead of a dedicated app
Being closed like this IMHO is just to increase user retention
E2E is their flagship feature and pretty much only selling point. I'm really not surprised they don't allow to just disable it.
HopFlop@discuss.tchncs.de
on 18 Mar 2024 20:03
If they subscribed because of the interface (which is certainly plausible), what would they need IMAP support for? Also, if you really want IMAP, you can have it, you just need their (open source) Proton Bridge for it (that's a software) so that it retains all features. But then I would need my own email client.
Moonrise2473@lemmy.ml
on 20 Mar 2024 06:03
On mobile you're forced to use their "open source" app that is only available on the closed source app stores and not on fdroid because it uses Google push services
HopFlop@discuss.tchncs.de
on 20 Mar 2024 06:39
Not true, it's been available on Fdroid for quite some time now. And it doesn't need play services for the notifications to work either.
Moonrise2473@lemmy.ml
on 21 Mar 2024 11:15
It's available on an unofficial repository that can be optionally added to fdroid, it's not available on fdroid
HopFlop@discuss.tchncs.de
on 21 Mar 2024 12:51
Even so, your statement that it is only available on closed-source app stores is wrong. And it doesn't even matter that it's not provided by "My First F-Droid Repo Demo" (yes, that's the name of the official repo). Many open source apps are on IzzyOnDroid, including Jerboa, what do you use to write on Lemmy?
Either way, your original comment is completely wrong and it doesn't help that it's "only" available in the most popular extra repo.
On a related note?
When my friend on proton sends me (regular imap, openpgp) and several others (gmail, outlook) an email with all of us as recipients, it seems that proton cheats? I get to decrypt the message, whereas the others just read plain, unencrypted text.
At first i thought this smart. But now i kind of realize how much of a nightmare this seems to be.
On the other hand, i am not really sure how they do it? Is it two different mails, with fake headers? Or is it more like: if no encryption is available, show this (identical) text instead?
5opn0o30@lemmy.world
on 18 Mar 2024 02:37
Proton Drive though. The Windows app is so nice, wish we could get that for Linux.
I've set up an Rclone for the time being, not great but it works well enough for basic bisynchronisation.
Oh… I thought they meant Drive is finally out. That sucks. :(
Ugh, they took too darn long. I'm probably going to switch to Nextcloud.
You should do it. Easy to setup using either their official AIO image or the community-driven micro service one. I am using the latter and it's been amazing. It's completely replaced Google Drive, Calendar, and Contacts for me and with the DAVx5 Android App it feels like a drop-in replacement. I am also using the auto upload feature to back up my photos to it.
Working on that right now. Wish me luck. :)
I would too, but after like a week I get bored of maintaining it myself when all the expenses summed together aren't much cheaper than Proton or likewise. This is what I was doing before submitting my independence to Proton.
Furthermore Nextcloud is just too damn sluggish. The web interface makes it seem like my server's idea of a CPU is a kid with a calculator and WebDAV isn't designed for cloud storage. I'll take new features being slow over my whole experience being even slower any day of the week.
I feel that. However, Proton's a non-starter for me as I'm using Linux, so no Proton drive client. Really scratching my head since Linux attracts the security conscious.
Celeste works fine on Linux, or you can use rclone directly.
That's what I've done, using rclone bisync and my crontab. Like I said it works well enough, but far from perfect. Using a beta backend with an experimental operation, according to the rclone website, puts me slightly on-edge. I did try Celeste, but stopped using it for two reasons:
"Finally" really is the key word, waiting for Proton to add features or apps is painful at times.
Glad they've finally made progress with this.
Waiting for Proton to acknowledge and fix critical bugs that can cause data loss was way more painful… took them years with the solution being "just wait for the bridge rewrite it will be (most likely) fixed there".
.
Looks like it, it's available as a zip in the releases along with the compiled app, but isn't yet uploaded fully on GitHub.
Aaaand it's electron garbage.
Out of the loop, what's wrong with electron?
Everything
It's basically Chrome. It's not a real application, it's a website pretending to be one. It uses a metric fuckton of RAM and eats your battery faster than Prince Andrew a minor.
I bought 32gb of RAM cause I was tired and gave up to Electron apps
I bought 64 gigs of ram and still refuse to use it.
But does it sweat though ;-)
If Firefox could allow their engine to be packaged like this I'd use it. The problem I see here is chromium. Everything is a trade off and we need more ways to build maintainable cross platform applications.
Slack, for example, is Electron and it runs great. One of the best apps I've used. And it works better than the browser version…
The hate on Lemmy of electron is a bit of an overreaction if you ask me. Yeah it uses more ram than is necessary but again everything is a trade off. Not everything can be a hard to maintain rust app. Let's try to embrace cross platform solutions, though yes fuck chrome/google, so sure criticize that part of it.
Let me get this right… you're complaining about Chromium, but you use Slack? You do realize Chromium had better Linux support for things like HW-accelerated decoding than Firefox? Also, the Chromium sandbox is superior to Firefox.
Source? Experienced the exact opposite, especially on Wayland.
You can track the bug history here:
bugzilla.mozilla.org/show_bug.cgi?id=1751363
You can see here Chromium had support for this for several years prior:
aur.archlinux.org/cgit/aur.git/log/PKGBUILD?h=chr…
Android being based on Linux prob has something to do with Chromium's strong Linux support, but Mozilla has consistently prioritized Windows/Mac. Despite it still being challenging, building Chromium from source has always been a lot easier IMO than trying to create a custom build of Firefox.
Regardless, when it comes to privacy, Chromium itself is pretty stripped down and has policy-based integrations that put it on par with Firefox in terms of security. Even with Firefox, you'd have to modify quite a few policies to improve security. Tor/Mullvad Browser though do a better job in many ways and there is no equal to those privacy enhancements on Chromium that I know of, unless you're using something like GrapheneOS.
Point being, people like to complain about Chromium a lot & act like Apple fan bois for Firefox, when in reality privacy is nearly the same with both with some minor configurations.
What the heck are you talking about? Chromium is one of the hardest packages to build and it takes forever. Firefox has FAR fewer dependencies. Chromium's privacy enhancements are a joke.
You should go tell that to the maintainers of GrapheneOS, which is known as the most secure mobile OS… which uses a custom Chromium build, because of Chromium's superior sandboxing.
Chromium is not stripped down at all, just use googerteller and see. It contacts Google everywhere, on the password list, on the account list, in some settings pages, and just randomly sometimes.
It is very crazy. And also it is not fingerprint resistant at all.
I am using all flag settings, policies and GUI settings possibly existing and it still is like that. So no, it is not the same privacy-wise.
Oh really, what policies are you using? Cause my Firefox does all the same things you mention regarding calling Mozilla services for all sorts of things, including telemetry. Oh, and it isn't fingerprint resistant either… so please, share what you're doing.
For Firefox I am either using Librewolf or Arkenfox user.js
But as Librewolf has a good CI/CD system I think I will switch to that. Problem is they are not active at all, while the arkenfox guy is very active.
For Chromium I use the secureblue policies in /usr/etc/chromium/policies/managed
I realize Firefox business practices aren't total garbage for humanity and that they are constantly working to improve it on like .1% budget of Google. And that they are the only real competition which keeps us in a situation where we actually have a choice in browsers. So yeah let's only care about the technical aspects, or something
That isn't true. You've got WebKit-based browsers, LadyBird/LibWeb/LibJs, Goanna, and others. Why choose Mozilla to lead the efforts, when another open source community/foundation may be better? You can also participate in the various new web specifications yourself too if you're not happy with the direction they're headed.
They said competition, not alternatives. As things are right now, and knowing people, not just trying to make a technical point, Firefox is the only competition.
What do you think alternatives are exactly? Firefox has what, 3–5% usage across all platforms? What did Mozilla do to fix that other than exploring Pocket, an iOS only Password app, and now reselling a crippled VPN & email/phone relay? At some point, people will have to move on from anything Mozilla-owned. Want a better browser, then find a community you can donate to that is focusing on building a better browser. It's time to take off the rose-colored glasses.
[JavaFX has entered the chat.]
I don't know what javafx is, but java is hell. For me. I'm glad it works for others
en.wikipedia.org/wiki/JavaFX
There is Tauri which packages it with WebKit and uses Rust as backend.
I think tauri uses the OS web view, so it depends
I just checked, and it seems that it indeed only uses WebKitGTK on Linux
Rust is infinitely easier to maintain than mountains of untyped js garbage libraries built upon left pad
The issue is mainly developers using Electron when things like React Native and Flutter exist. I don't know a lot about Flutter, but React Native uses native UI widgets and feels a lot nicer than Electron.
No, one Chrome tab does not eat that much RAM. Yes it is not as good as native, but it is more platform agnostic, and an Electron app does not really go above 300 MB RAM.
It's just the webapp. If we want the webapp we use a browser.
Slack desktop app is built with electron and works much better than the web app in my experience. So no it's not actually always that simple.
It could be that simple. They just hinder their own website to get you to download the app.
You really believe that? It would be easier for them to maintain only the website, so this really doesn't make sense to me.
Both are Chromium apps.
First running on Chromium, second running on modified Chromium.
Dev here.
Yeah that's how it works.
I'm a web developer. I think there's a misunderstanding here. The person I responded to said that slack purposely made the web version worse than the desktop app, which I'm doubting.
Yes, how are you doubting that? Is your company not big enough to want to pull users to a specific platform so you have to cripple the others?
Because I have used both versions of slack and they're almost exactly the same. The desktop version only works better imo because of small factors such as having its own window so it does not get buried in tabs, and the notification options are (or at least were) more robust. Have you not used the two versions?
I don't really understand your comments. Are you implying that there would be an advantage for slack to "cripple" the web version, when they are essentially running probably 99% of the same code in the electron version? They're never going to get rid of the web version, and if you've used slack for ~9 years like I have, you can easily observe they're actually one of the few app makers out there to make mostly positive changes to their app. They aren't suddenly going to make the web app shitty.
Also, obviously yeah when it makes sense to, app makers in general make the web app version shitty on purpose. Reddit mobile for example. But just because that's a thing in the world doesn't mean it is what slack is doing… not sure why you seem to be implying it's a universal practice.
You just admitted the desktop version works better and that there is a 1% code difference
And?
Slack is one of those apps which lags in a week on any hardware, it might be better than web version but it still sucks ass compared to fucking ICQ clients. Source: using it in the company I work for, for about 7 years already.
I don't often have trouble with slack being slow, or buggy. Been using it like 9 years myself. Interesting you're comparing slack to icq. Are you referring to a current version of icq, or the one that existed in the early 2000s?
I am not sure I understand comparing an app designed to do video/audio chat seamlessly, threaded conversations, channels, filesharing, plus has dozens of subtle nice features that make for a rich experience and a… Chat app, that worked fine for sending plaintext messages but didn't really do anything else.
I compare it to qip or similar with voice calling support about 10 years ago. But still, Slack loses to pretty much anything on the market regarding performance, be that Element, Telegram, Skype or even Discord. It literally battles with biggest IDEs lol
Not my experience. Not sure what qip is either
Now that Chromium has persistent File System Access permission support, what benefit does Electron have over a PWA other than "Native-looking" menu bars?
Yeah, I was dissapointed, but at least it is a controlled browser and not reliant on your normal browser which could change or have malicious extensions
This. It's a webapp with more persistent storage maybe. If the Browsers could integrate this, it would be a gamechanger.
I am also very sure that Chrome preloads google.com to make it seem to "load faster". It's all just preloading or persistent storage
Each electron App is actually a full independent chromium browser install running a website. It's easy to code for and works cross platform as a result, but it's essentially just a website, although they can run offline depending on what's been built in to the local app.
Each electron app running on your system is a separate full chromium app running, with no sharing of resources between each instance. So they take up a lot of space each and duplicate all the resource usage, and potentially the security flaws.
oh yikes. that sucks.
Electron runs a core Chromium Browser + NodeJS + a bit more.
Unlike Chromium itself it is not backwards compatible and removes a ton of things like its sandboxing capabilities.
I am not sure how it is less secure, but it may use more RAM (also not always but generally yes of course), doesn't allow hardening (unlike android WebView apps) and breaks LD_PRELOAD-ing another memory allocator.
This is only a big problem in special cases, in general it makes apps strictly dependent on GNU glibc and others, no idea how it works on Alpine or others (that actually try to make a secure system).
If somebody knows more about security concerns about Electron, please add.
There are other options like Tauri that do the same thing as electron, but instead of bundling chromium with the app, it relies on the OS provided web view. It's also built with Rust, which tends to be faster.
As an example, Mac would use Safari, Windows would use Edge (chromium), and Linux would likely use WebKitGTK, which is what safari uses.
By using the default browser, developers save a ton of space, at the risk of compatibility issues, which are very very rare nowadays.
interesting!
WebKitGTK is only native for GTK desktops. On Qt desktops, you'd want QtWebEngine instead.
Ahh thank you.
It's what you deploy to your users if you want to work around ad blockers and browser extensions. It's a great tool to get operating system level access to exfiltrate information about your users and identify them uniquely, even if they would prefer that not to happen.
All that with the help of Google's telemetry engine aka Chrome, which further helps Alphabet to manifest their interpretation of web standards in the world.
We worked to move things onto the web. Now people bring the web back to your desktop with every application bringing its own browser shell. We have come full circle and we're now using 10x the resources.
Electron is the prime example of everything that is wrong in IT.
Wow. That sounds horrible. Do you have a source about the system level access statement? I would like to see people's thoughts on it, if it's as bad as it sounds, I'm surprised I haven't heard about it before
.
Electron apps are native apps with the Chromium browser embedded in their windows, so they can do anything a native app can. It supports Node.js modules for things like filesystem access, and can interop with C++ code by writing an add on (nodejs.org/api/addons.html)
Ah ok gotcha. Thanks.
What source do you need? It's almost literally the mission statement of Electron.
I've never gone to the webpage of electron
Ugh, I was looking forward to replacing Thunderbird/Bridge, but never mind.
No way.
I am actually sort of worried that now that they put this out they will retire bridge. We will have to wait and see. Is having a browser tab open really that bad…?? I suppose but I still like programs over web pages.
How do you know it's not Tauri?
The GitHub repository for the project is here, and the tagline of the repository is:
It says so in the repo
I went here for this info. Thanks.
I sure hope they make a Flatpak like they did for VPN (although it's not working properly at all rn). I don't get why they are still troubling themselves to support two other formats already during beta, when this is probably just an Electron app.
The cli is working fine. They changed a few things for free subscribers but idk if it affects the cli.
Finally? Why does it need an app all of a sudden…
Making email secure and good is very hard and it involves either making it inconvenient or getting rid of interoperability with existing systems. As long as I've been tracking it your choices for client when using Proton were webmail or mobile apps. The news here is that a new option has opened up not that an old option is being taken away
This is just patently false. GPG is not inconvenient & there are a plethora of apps that has made it much more user friendly. The fact that Proton has decided to take away freedom & tell you it is more secure is just bologna. There is no reason to trust Proton at all.
I also prefer gpg but it is not super beginner friendly. I generally recommend people away from proton and tuta unless they really want encrypted email and gpg isnât something they can figure out
GPG isnât beginner friendly if youâre only using the CLI. However, even then there are tons of documentations and even Gemini/ChatGPT would prob be good at helping users create/manage their keys. However, I can provide a list of user-friendly GUI apps to create/manage/encrypt/etc. using GPG if youâd like that make it as easy. I mean, you can pay a company that says theyâll protect your privacy but history has shown paying for privacy is unreliable.
@timewarp @Quill7513 The only real alternative IMHO is hosting your own mail server and *that* is no alternative at all, because big-tech will blacklist your server immediately⌠so Proton/Tuta are the lesser of all evils. If you have a true alternative I am listening.
You can use PGP with just about any email service. I personally just use SimpleLogin, where you can add your public key to have all your messages encrypted. But Thunderbird, KMail, Evolution, FairMail, etc all support email encryption too with IMAP.
@timewarp ok, PGP … remember EFAIL… and all kinds of usability issues which inevitably lead to security issues by "wrong use" at some point. And another *centralized* "web of trust" (benign as it may be) is also not something I look forward to. O well, some genius will emerge at some point and deliver us 🥳 may he/she/it/them be FOSS-minded
It's quite possible that privacy is too hard for you and trash talking open source makes you feel better about the money you're paying to someone else to say they'll do a better job for you.
@timewarp don't know what you're talking about, I love FOSS…
Okay, well it's just the vulnerabilities you mentioned were geared towards email client issues that among other things would automatically load HTML data upon decryption. Furthermore, primary vulnerable targets were 10 year old email clients at the time that hadn't received any security updates. The SE data packet issue had been documented even in the spec since at least 2007 about its security issues and recommended rapid mitigation techniques. All in all, the EFAIL documented issues with mail client failures, not with OpenPGP itself.
Second, OpenPGP web-of-trust, or whatever you want to call it (public keyservers) is entirely optional. In fact, Proton relies heavily on this and from what I can tell actually enforces it in a more insecure way, by opting users into their internal keyserver automatically.
GPG is a huge pain in the ass to manage. Everyone knows this, because it's the case. The web of trust also doesn't scale and has many problems, handling keys securely is hard, making GPG work on all devices is something which is completely impossible for people without solid technical skills.
If you think otherwise, you are just in a bubble.
You're a serial killer. Everyone knows this, because it's the case.
Do you see how that works? You can say whatever you want, but unless you can provide some proof then you're just parroting whatever you've heard. If you want to learn how to use GPG then let me know and I'd be happy to show you several open source tools that make it very easy so you can stop parroting BS. Otherwise, you're entitled to your opinion and I'll continue to believe you're a serial killer.
The bubble you're referring to is your own ignorance.
There are certain things that are known facts, there is no need to prove them every time.
The simple fact that:
You can also see:
A recent talk, I will quote the preamble:
And you can find as many opinion pieces as you want, by just searching (for example: nullprogram.com/blog/2017/03/12/).
However, if you really believe I am wrong, and you disagree that PGP tooling is widely considered bad, complex and almost a meme in the security community, you are welcome to show where I am wrong. Show me a simple PGP setup that non-technical people use.
P.s.
I also found arxiv.org/pdf/1510.08555.pdf, an interesting paper which is a followup of another paper 10 years older about usability of PGP tools.
I never really understood the need for such apps when mail clients such as Thunderbird exist.
Proton mail has some extra (security?) feature, or they just lack smtp support, and you cannot directly use it on thunderbird. They offer a "bridge" app which allows you to do it, I just use that.
You have to be a paying customer to use that app IIRC.
And a paying customer to use the desktop app too. Well, besides a 14 day free trial.
Proton's whole thing is it's meant to be secure, private, encrypted, etc. To achieve that, it requires the Proton app or website as an endpoint, so your email never leaves Proton's environment. As long as you're reading your email in the Proton app/site, they can guarantee its privacy and security.
Once it sends your emails to Thunderbird or another client, it's leaving the Proton environment, and they can no longer control it. You're sacrificing the inherent privacy/security of Proton when you use Thunderbird (they claim).
All of that being said, it's an absolutely bullshit excuse. Tutanota does this same shit, only they don't even provide the bridge like Proton does.
It's true it's technically more secure for those emails to stay in the Proton environment, but they're still your god damn emails, and they should operate like every other email service by giving the user the option to export those emails in whatever way they damn well please, for free.
It's just more platform lock-in garbage. Your emails are trapped on their server, so there'll be no moving away to a different provider easily.
It's more that they claim they cannot decrypt your data, so how do they send it to Thunderbird? The bridge does the decryption. Theoretically Thunderbird could add support for it.
Corps have used that BS excuse for ages. The whole "your phone is more secure when we control it" is a garbage BS line. Make it open source, give developers the tools & they'll make any app more secure than some bureaucracy that is constantly influenced by the national security agencies.
github.com/ProtonMail
glhf
None of those actually document their API nor provide source for the backend server code. Other than building hydroxide from PRs for CalDav, are there even any other open source implementations of CardDav/CalDav for Proton? I can't find a single implementation of Proton Pass that allows you to sync your passwords locally and be used in a different app. There is no shortage of people complaining about this:
…uservoice.com/…/8985673-cardav-caldav-support brainbaking.com/post/2023/01/goodbye-protonmail/ minutestomidnight.co.uk/…/email-migration-from-pr…
Why would anyone be interested in efforts on a platform with a closed-source backend and that is not developer focused? Not to mention, entirely unnecessary why you should have to use a bridge gateway in the first place with IMAPS & PGP/GPG, CalDav & CardDav. Like I said, Proton is engaged in some questionable practices.
Because most people don't care about those particular things. Almost all the world uses completely proprietary tools (Gmail) that also violate your privacy.
It's not unnecessary, it's the result of a technical choice. A winning technical choice actually. PGP has a negligible user-base, while Proton has already 100 million accounts. I would be surprised if there were 10 million people actually using PGP. They sacrificed the flexibility and composability of tools (which results almost always in complexity) and made an opinionated solution that works well enough for the mainstream population, who has no interest in picking their tools and simply expects a Gmail-like experience.
And if you really have stringent requirements, they anyway provided the bridge, so that you can have that flexibility if it's really important for you.
If you use GnuPG or one of the GUI implementations it does.
You do realize e2ee merely means that two users share public keys when they communicate in order to decrypt the messages they receive, right?
You're talking about people paying for cloud services that manage everything for them. Nothing to stop you from hosting your own on an encrypted drive. EteSync does E2E already, and there is already a plethora of apps supporting PGP on Android and Desktop to encrypt/decrypt messages.
No, because it's the server that terminates the TLS connection, not the recipient's client. TLS is purely a security control to protect the transport between you and the server you are talking to. It doesn't have anything to do with e2ee. It's still important, of course, but not for e2ee.
And how does TLS between you and your mail server help with this? Does it give you any guarantee that the public key was not tampered when it reached your server? Or instead you use the fingerprint, generally transmitted through another medium to verify that?
An encrypted drive is useful only when the server is off against physical attacks. While the server is powered on (which is when it gets breached - not considering physical attacks) the data is still in clear.
And… it requires a specialized client anyway. In fact, they built a DAV bridge (github.com/etesync/etesync-dav). Now tell me, if you use this on -say- your phone, can you use other DAV tools without using such bridge? No, because it does something very similar to what Proton does. If proton bridge will get calendar/contacts functionality too (if, because I have no idea how popular of a FR it is), you are in the exact same situation.
The ProtonBridge used to be garbage so people have wanted a dedicated app for awhile now. Over the past year or two, the Bridge finally works fairly reliably so … a little too late.
So the bridge now syncs your calendars, contacts, files & passwords? Their bridge still sucks like it always has.
Proton forces you to pay for a bridge to use Thunderbird.
Tutanota doesn't even provide that.
These "privacy respecting" email services don't respect the user enough to let them use third party email clients easily if the user chooses to.
They cannot decrypt your data while sitting, so IMAP cannot work.
Go ahead and explain what you mean. I don't believe you & think you're just parroting their corpo speak.
It's actually fairly simple: if the server never has access to the keys or the plaintext of messages (or calendar events, etc.), then you need a client tool to handle decryption and encryption operations.
They use PGP, and they have implemented this feature in a way that it's completely transparent to the user to make it mainstream. So they chose building dedicated tools (bridge, web client), rather than letting users use their own tools, because the PGP tooling sucks hard and it's extremely inaccessible for the general population.
This means that you need a fat client, whatever you do, or otherwise the server will have access to the data and there is no e2ee. Instead of using enigmail or other PGP plugins/tools, they built the bridge.
Proton stores your keys, and you have the decryption password. How do you think they handle password-based logins? Only the user should ever generate and store the private key. All they need now is your decryption password & they can read your messages. This is reason #1 not to trust Proton.
It isn't transparent, because most users aren't running their own frontend locally and tracking all the source code changes. They've already violated the first rule of PGP privacy by having your private key. Now you're merely trusting them to not send you a custom JS payload to have your decryption password sent to the server. How many users are actually utilizing their hidden API to ensure that decryption/encryption is only done client-side? If they have your private key, how many users do you think are using long enough passwords to make cracking their password more challenging? This is reason #2 to not trust Proton.
This is just entirely inaccurate and you've failed to provide any "proof" for your generalizations here.
If you actually understood PGP you'd know you can generate and use local-only keys with IMAPS and have support to use any IMAP client. Furthermore, the other apps by Proton like Proton Pass, Calendar, etc… all use undocumented APIs that they have yet to implement in their bridge using standard protocols like CalDav/CardDav/JSON or whatever else in order to be able to integrate with local tools. There is no security benefit in their implementation other than to lock you into a walled garden and give you a false sense of security.
Proton stores an encrypted blob.
"All they need now is your private key". It's literally a secret, they use bcrypt and then encrypt it. Also, "they" are not generally in the threat model. "They" can serve you JS that simply exfiltrates your email, because the emails are displayed in their web-app, they have no need to steal your password to decrypt your key and read your email…
Probably we misunderstand what "transparent" means in this context. What I mean is that the average user will not do any PGP operation, in general. Encryption happens transparently for them, which is the whole thing about Proton: make encryption easy and default.
Again, as I said before, they control the JS, they can get the decrypted data without getting the password…? You always trust your client tooling. There is always a point where I trust someone, be it the "enigmail" maintainers, Thunderbird maintainers (it has access to messages post-decryption!), the CLI tool of choice etc.
I mean, their clients are open-source and have also been audited?
I don't know. But here we are talking about a different risk: someone compromising Proton, getting your encrypted private key, and starting bruteforcing bcrypt-hashed-and-salted passwords. I find that risk acceptable.
See other post.
Care to share any practical example/link, and how exactly this means not having a fat client that does the encryption/decryption for you?
Right, because *DAV protocol are so secure. They all support e2ee, right…? There is a security benefit, and the benefit is trusting the client software more than a server, especially if shared. You can export data and migrate when you want easily, so it's really a matter of preference.
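The arrangement argued over in the comments above (the provider stores only a password-encrypted private key, and a client does the decrypting), shown as an added example that is not part of the thread and not Proton's code. It assumes scrypt in place of the bcrypt step the commenter mentions and AES-256-GCM as the wrapping cipher; the function names and the password list are constructed for illustration.

```javascript
// Added illustration, not Proton's code. Assumptions: scrypt stands in for the
// bcrypt step mentioned in the thread (Node has no built-in bcrypt), AES-256-GCM
// is the wrapping cipher, and all function names are hypothetical.
const crypto = require('node:crypto');

// Constructed KDF cost, kept low so the demo finishes quickly.
const KDF_COST = { N: 2 ** 14, r: 8, p: 1 };

function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32, KDF_COST);
}

// Client side: encrypt the private key under a password-derived key.
// Only the returned blob is uploaded; the password stays on the client.
function wrapPrivateKey(privateKeyPem, password) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(privateKeyPem, 'utf8'), cipher.final()]);
  return {
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
}

// Client side: decrypt the blob. A wrong password or a modified blob fails the
// GCM tag check, so the caller gets null rather than garbage key material.
function unwrapPrivateKey(blob, password) {
  try {
    const key = deriveKey(password, Buffer.from(blob.salt, 'base64'));
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(blob.iv, 'base64'));
    decipher.setAuthTag(Buffer.from(blob.tag, 'base64'));
    const pt = Buffer.concat([decipher.update(Buffer.from(blob.ct, 'base64')), decipher.final()]);
    return pt.toString('utf8');
  } catch (err) {
    return null;
  }
}

// What holding only the stored blob allows: offline guessing, one KDF run per
// candidate. The blob is exactly as strong as the password and the KDF cost.
function firstMatchingPassword(blob, candidates) {
  for (const candidate of candidates) {
    if (unwrapPrivateKey(blob, candidate) !== null) return candidate;
  }
  return null;
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519', {
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const STRONG = 'correct horse battery staple 7141'; // constructed passphrase
  const strong = wrapPrivateKey(privateKey, STRONG);
  const weak = wrapPrivateKey(privateKey, 'summer2024');
  const wordlist = ['password', '123456', 'summer2024', 'letmein']; // constructed

  // The unwrapped key must be usable: sign with it, verify with the public key.
  const unwrapped = unwrapPrivateKey(strong, STRONG);
  const message = Buffer.from('constructed test message');
  const signature = crypto.sign(null, message, unwrapped);

  // Simulate a blob modified in storage by flipping one ciphertext bit.
  const flipped = Buffer.from(strong.ct, 'base64');
  flipped[0] ^= 0x01;
  const tampered = { ...strong, ct: flipped.toString('base64') };

  return {
    roundTrip: unwrapped === privateKey,
    signatureValid: crypto.verify(null, message, publicKey, signature),
    wrongPassword: unwrapPrivateKey(strong, 'not the password'),
    tamperedBlob: unwrapPrivateKey(tampered, STRONG),
    weakRecovered: firstMatchingPassword(weak, wordlist),
    strongRecovered: firstMatchingPassword(strong, wordlist),
  };
}

console.log(demo());
```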
You are awesome!
It doesn't matter that your private key is stored on their servers encrypted/hashed or whatever. If you were simply storing it there, that would not be an issue. The problem is that you're also logging in and relying on whatever JS is sent to you to only happen client-side.
Most users aren't sending emails from their Proton to other Proton users either. Furthermore, the users that want encryption seek it out. They don't need to use Proton for encryption, especially when it would be easy for them to get an unknowing user's decryption password.
Yes, you have to trust source code somewhere, but with Thunderbird or other mail clients that is open source and their apps are signed or you can reproducibly build from source. However, once that is built it doesn't change. With Proton, every time you visit their site you don't know for sure that it hasn't changed unless you're monitoring the traffic. A government is much more likely to convince Proton to send a single user a custom JS payload, than to modify the source code of Thunderbird in a way that would create an exploit that bypasses firewalls, system sandboxing, etc.
You mean their PWA/WebView clients that can still send custom JS at anytime, or their bridge?
First, explain what you mean by a fat client? GnuPG is not a fat client.
Being able to export things is a lot different than being able to use Thunderbird for Calendars, or a different Contacts app on your phone. DAV is as secure as the server you run it on and the certificate you use for transport.
I feel like I covered this point? They make the client tool you are using, there is 0 need for them to steal your password to decrypt your key. Of course you are trusting them, you are seeing your unencrypted email in their webpage, where they can run arbitrary code. They do have their clients opensourced, but this doesn't mean much. You are always exposed to a supply-chain risk for your client software.
So…? The point is, if they do, encryption happens without them having to do anything, hence transparently. That was the point of my argument: my mom can make a proton account and send me an email and benefit from PGP without even knowing what PGP is.
And that's the whole point of the conversation: these users are techies and a super tiny minority. This way, they made a product that allows mainstream users to have encryption.
And this control is worth zilch if they get compromised. This is a control against a MiTM who intercepts your download, it's not a control if "the maker of Thunderbird" decides to screw you over in the same way that Proton would do by serving malicious JS code. If the threat actor you are considering is a malicious software supplier, you have exactly the same issue. There can be pressures from government agencies, the vendor might decide to go bananas or might get compromised.
Yes, this is true and it's the real only difference. I consider it a corner case and something that only affects the time needed to compromise your emails, not the feasibility, but it's true. I am counting on the other hand on a company who has business interests in not letting that happen and a security team to support that work.
Maybe…? If government actors are in your threat model, you shouldn't use email in the first place. Metadata are unencrypted and cannot be encrypted, and there are better tools. That said, government agencies have the resources to target the supply chain for individuals and simply "encourage" software distributors to distribute patched versions of the software. This is also a much better strategy because it's likely they can just get access to the whole endpoint and maintain easy persistence (while with JS you are in the browser sandbox and potentially system sandbox), potentially allowing to compromise even other tools (say, Signal). So yeah, the likelihood might be higher with JS-based software, but the impact is smaller. Everyone has their own risk appetite and can decide what they are comfortable with, but again, if you are considering the NSA (or equivalent) as your adversaries, don't use emails.
Yes.
What I mean is this: a client that implements quite some functionality besides what the server would require to work. In this case, the client handles key management, encryption, decryption, signature verification etc. all functionalities that the server doesn't even know they exist. This is normal, because the encryption is done on top of regular email protocols, so they require a lot of logic in the client side.
For sure it's d
All good points. It seems like we mostly agree on the same concepts. I don't disagree that people using Proton may have better privacy overall than other services, but I do disagree on the way they implemented it and find their design decisions and approach to be questionable. It screams that they are profit-hungry and admire Apple's walled garden.
some people want to be swindled.
Give us IMAP/SMTP support instead of this garbage
Don't quote me on this, as I'm not 100% certain, but I believe they do allow IMAP on paid accounts. Can someone confirm/deny this?
I think it's allowed on paid business accounts
last time I checked, IMAP/SMTP required not only a paid account, but running Protonmailâs proprietary bridge app
That could very well be the case. I guess I'll only find out if I ever feel like I need the paid version. For now, I'm doing golden with the free one
Yeah, Proton is awesome, that's for sure. Now, being a "security and privacy" company, it blows my mind that they put so much effort on making apps for Windows and Mac first, leaving Linux behind, and when they finally get to it, they just dump in a glorified PWA. This world is really weird 🤣🤣
And that they decided to go with RPM and DEB instead of just doing a Flatpak
Are you kidding me? Doesn't bother me that much, as I use Thunderbird with Protonmail bridge. I'm still waiting on Proton Drive for linux. Well, I'm gonna end up self hosting at this point. :(
Tbh it should have simply been a flatpak
I prefer rpm over flatpak. at least I know any os dependency updates are happening regularly, flatpak may not get weekly dependency updates from proton
It's kinda annoying for anyone not on debian or fedora (and derivatives) though.
I'm on OpenSuse which will take a Fedora RPM, and most will take deb, if they don't you can use the alien tool to convert it for your OS… extra steps which sucks
"Extra steps for thee, not for me!"
OpenSUSE does not have Fedora's ABI or package names. The RPMs aren't compatible.
This one might work as it's just Electron.
I installed it and it works. I have also installed other Fedora RPMs. RPM can contain repo links to dependencies needed, or just contain all the libraries needed. OpenSUSE will install it and just treat them as Orphaned Packages (in the latter case)
Are you confusing security and privacy?
They mutually imply one another.
If something was private, but not secure, well, that implies there are ways to breach the privacy, which isn't very private at all.
If it's secure, but not private, that implies it's readable by someone other than the consenting conversational parties, which makes it insecure.
Privacy: I have blinds on my windows. I control whether they are open or closed, but they aren't secure. You could break a window and look inside if you really wanted to.
Security: my glass storm door has a lock. But privacy is only there when I close the front door.
There is overlap between these two concepts but one does not imply the other.
…and proton advertises as both, which as pointed out, isn't true
I'm not, the comment I was replying to literally called proton a "security and privacy" company.
That's why I put "security and privacy" between quotes. I have absolutely no way to confirm if they are secure and private or if they're not, other than all the contradicting mentions all over the internet. Also, while security and privacy may not be mutually dependent in the physical world, it stands to reason that something insecure cannot be private, and something not private is inherently insecure, as @pixelscript@lemmy.ml clearly pointed out. As for controlling my own email infrastructure, I'd love to, as everything else I do self-host, and only with FOSS software. However, email hosting is a seriously complicated animal that requires too much effort and maintenance, and most of us don't have the knowledge and time to invest in that, so compromises need to be made. I am well aware that there's always risk on using something I have no real control over, but the alternative meets the reason for the phrase "the treatment is worse than the disease".
If you just did this little thing, you would convey your point very well. Proton is unfit for activist and journalist tier threat models. You could link Moon Of Alabama blog articles. Proton is better than Gmail and Outlook, but it is no saint. It is enough to achieve good basic privacy and security, but not bulletproof in worst cases.
Companies have to comply with law enforcement. If anything, the little amount of data they were able to give after being forced is a good proof of their overall claim. If there is someone to blame here are courts using antiterrorism laws to catch environmental activists.
Exactly, if it's a company they have to comply with laws. This is not a service to rely on if you're doing espionage or something. It's for people who want more privacy and choice.
I mean, if you want secure/private communication, email should not be your go-to. It's a horrible platform by today's standards. It was never designed to have any serious level of security. Once they have an unencrypted email on the target with timestamps and mail headers, all they need to do is see who was communicating with Proton at that point. I don't know if anything has changed since the PRISM days, but back in the 2000s, they definitely had that level of insight into the web.
Not much has changed. It's really only secure if you are sending emails between addresses within the same local network like gmail to gmail. Thankfully with end to end encryption it can be pretty safe, just good luck finding someone that knows how to use it. But thankfully proton makes that pretty seamless.
It's a native app on Windows and Mac?
I don't use either OS, but the apps are .DMG (Mac) and .exe (Windows), so I believe they are, yes.
PWAs can be packed in .dmg and .exe.
I had no idea. That's good information to have. And my wife doesn't get why I spend so much time in Lemmy. I learn more here than with all the online courses I take regularly put together. I love this community.
Capitalism is weird? Ok, but this is what we have.
I had no idea the whole world was capitalist, but I guess I don't know everything. And there's the fact that I mentioned the world, not a form of political economy. But yeah, capitalism is weird.
Because most people use Windows and Mac, including their clients. It's not the world that is weird, it's people who don't understand such basic things. You don't focus on 5% of your users.
I quite like disroot's suite of services.
Gmail requires that you use proprietary software. Anyway just because email is insecure doesn't mean you should jump into the pot
protonmail is also proprietary.
that said, gmail is surely a terrible recommendation
I wouldn't use proton mail either
No it doesn't. You can use free Gmail with IMAPS & GPG-encrypt all your messages if you want to. I don't know why you're spreading lies, other than you're just too oblivious to know better.
It in fact does. You can't sign in with Google without non-free JavaScript
This is the dumbest argument. You can't create a Proton account without non-free JS either. Once you enable IMAP in Gmail, you don't have to sign in using the browser. Are you really going to argue this? I mean, you can just admit you don't know enough about security and that you trust Proton just cause they make you feel warm & fuzzy or whatever.
I don't use or trust Proton either. My point was that when you use gmail you are giving up additional data and your freedom.
The best answer is to use an email provider that doesn't force you to use non-free software. There are a limited few that work with HTML or properly licensed JavaScript
encryp.ch/…/disturbing-facts-about-protonmail/
I'm begging you, don't buy snake oil.
Not only is this article three years old, it is also lacking in terms of sources. Additionally, the language and phrasing is quite inappropriate for the purpose of spreading the information. Lots of text is just mean and offensive without any actual purpose.
It also seems to be largely based on speculation rather than actual solid evidence.
I'm not against investigating the legitimacy of established and trusted privacy-first providers. However, this seems a bit lackluster.
Also: Email is inherently insecure, we all know that. Proton services are open source, independently audited and verifiably E2EE, except for Mail, which uses PGP for the emails themselves and E2EE to store them.
For what claim do you want a source that isn't provided?
All of the hyperbole and speculation? The SSL stuff with TOR for example. That's not proof, that's a hint at best
They say plainly what they don't know. What they don't know, you don't know. And if you don't know, you are trusting on faith, not evidence.
So what's more privacy friendly, using a browser to check email, or using the official Proton app?
Make sure to encrypt messages with a Caesar cipher.
Neither. The single app that Proton has done somewhat right with is their VPN and only because they haven't eliminated port forwarding. Everything else they've utilized non-standard protocols and failed to provide source code or API docs. They basically said that users are too stupid to protect themselves, and that you should just trust them to do it for you.
They failed to provide CalDav & CardDav syncing for things like calendars & contacts, IMAPS for mail, and prioritized things like their cloud-only password store. They had no valid reason not to use standardized protocols other than to prevent their users from actively syncing local copies of their data to integrate with privacy-friendly open source software. They act like Apple & a lot of their users prob. are Apple fan bois who will trust a company no questions asked. I have no reason to trust them whatsoever.
Thank you for that.
So, what is general consensus about Proton, is it safe or not? I don't use it because you need to pay for Bridge to use it in Thunderbird. Maybe I would use if it has a dedicated app.
It's pretty great. Especially considering that you get a full ecosystem with Mail, Calendar, Drive, VPN and Pass.
I would also like to take this opportunity to shout out murena.io. They host open source cloud solutions. You get a Nextcloud with OnlyOffice and lots of other goodies and their pricing is pretty good
The people behind Murena are also the devs of /e/OS, a de-Googled Android OS that they also sell phones they pre-load it on. My one critique of it so far, owning one of the phones, is that I wish they would work on making it compatible with more well-known phone models available outside Europe. They sold this model I'm using, the Murena One (some Chinese OEM they slapped their name on), here in the US through their website, but I had to run around for two days trying to find a carrier whose service would work on it (or who would even try - eventually T-Mobile worked, the European-based carrier, what a surprise…) and I can't get anyone to do repairs on it because it's not one of the well-known brands. The case they gave me for it is essentially purely cosmetic, and only a week or so into owning it, I dropped it at a restaurant and it got a huge area of dead pixels at the bottom of the screen that nobody will fix because they can't get a new screen for it. If I could install /e/OS myself on more than just the Google Pixel (paying Google to not have to use Android, fun…) that would be great and solve my problems.
As the mod of !c/e_os, I am so happy you brought this up. I use /e/ on my Fairphone 4, it's great. The Easy Installer has come a long way, you should check it out doc.e.foundation/easy-installer
Edit: You can also check all the supported devices here
I've looked at the list. The only model that could give me what I'm looking for (5G, actually familiar to US-based carriers and repair shops) is the Pixel. I understand it's not all the fault of the /e/OS devs since there's factors like many bootloaders not being unlockable on US phones or other hardware complications, but I do get the feeling that the North American market does tend to be an afterthought. From what I can see, a majority of the list is either only available in Europe or will only work with very few carriers here, with lack of 5G capability being a big setback for carrier compatibility. That 5G requirement for many carriers really does hurt European based phone tech compatibility over here quite a bit.
So how would you sync your Proton Passwords with NextCloud, or with VaultWarden? Or actively sync them locally to be used with an open source app?
Oh, thatâs right⌠you canât. Proton will say⌠âJust trust our payloads bro! There is no way weâd ever deliver a modified payload to get your password. Sorry you canât sync your calendar & contacts, just use our Windows apps.â
I wouldn't? I suggested Murena as a Proton alternative. I don't know if they have a password manager right now but you can always throw a KeePass database into your Nextcloud.
My sincerest apologies. I misread the thread and thought you were advocating for Proton, which IMO is a questionable company. Thanks for the clarification.
I use both. Proton fits most of my needs, Murena does the rest. I'm not attached to any of them though, if I'm given good enough a reason, I'll drop Proton immediately
At least you're open to moving on. I think keeping an open attitude in any scenario is prob the best option. For most people, I'd recommend they keep using whatever works for them. If you're happy with Proton then switching may just cause frustration. However, if you're very much security focused and also care about things like being able to access your calendars/contacts in the apps you want, then I'd prob suggest just using SimpleLogin for email with their GPG feature, vaultwarden for passwords (you can still use the BitWarden phone apps), and Nextcloud for Calendar/Contacts which also supports DAVx for mobile.
I do use the SimpleLogin aliases, it's one of my favorite services they offer. Most of my web storage (which I barely use anyway) and calendar and stuff is all Nextcloud
It is about as safe as trusting Apple at their word to protect your privacy.
It depends on what you want. If you want a solution that makes sure your provider won't be able to read your data? It is sure safe for that.
Generally I would distrust any company claiming that our Swiss privacy laws are worth a dime - in fact they are shit and among the worst in Europe. Swiss intelligence laws actually force companies to cooperate in a much broader sense than even the national security laws in the US do. And of course there is no judge involved and they can basically share the collected data with whoever they want.
no proton drive??
This came way sooner than expected, be grateful. It'll arrive soon enough. Patience, young padawan
Speaking of mail apps, has anyone used Thunderbird recently? I had used it for a year or two up until . . . a year or two ago (probably two or three, actually) and then switched to kmail to satisfy my masochism. Thunderbird just hadn't been doing it for me with meh functionality and slightly more meh looks.
Fast forward to yesterday when I'm updating my steamdeck desktop to use nix stuff instead of rwfus+pacman and I couldn't get kmail from nix to behave right so I thought I'd give Thunderbird another look. I'm several hours into tinkering with it and holy hell has it changed pretty much completely from a few years ago. Looks fantastic and works pretty much exactly how I want/expect it to. Good job Mozilla!
Yeah I installed it recently on my Windows and it is super sleek.
Thunderbird is fine.
Tbh I have no idea what they are doing though, they have more funding than GNOME but after Supernova I didn't see any updates.
See my list of flatpak repositories
There is an unofficial Thunderbird nightly Flatpak, that will likely reveal what the hell they are doing.
So Supernova is kinda nice, mainly a big overhaul of the underlying stuff, making it easier to maintain.
It lacks a ton of things like Threads (the addon TB Conversation works though). Also their "spaces" bar is useless, as it just opens tabs, so it is redundant. Good idea, but only if it could replace tabs.
Their search and filter stuff is still the same, really bad. Either displaced in the message list column, as the global search still opens a new tab which is kinda bad UI.
Some addons broke too, not a big deal though.
I have the feeling they removed nested filters, which is extremely bad, but filters still work.
Thunderbird works well.
I believe I read somewhere they're focusing heavily on the mobile app at the moment (or rather turning K-9 into their mobile app). Once they get that out, we'll see where the desktop goes.
That too but afaik that's a separate Android dev
I've never found Thunderbird search bad compared to alternatives, as long as I'm not looking to find content inside attachments. Really fast and responsive and being a desktop client without paginated results makes moving and deleting in bulk so much easier. Would love it to be as powerful as Voidtools Everything to get a bit more granular sometimes but otherwise pretty happy with it.
I mean, I think their global search is not that useful, while their inline mail list search is. So I have a cluttered UI with 2 search bars, to supplement the incomplete inline search.
Yeah I've started using it again the past year. I use Proton Bridge with Thunderbird, and it works well. Much prefer it to webmail interfaces.
It's not developed by mozilla anymore. they stopped updating it a couple years ago.
That's not true, the latest release was two weeks ago.
Not from mozilla, they spun it off a couple years ago
"Thunderbird is completely independent of the Mozilla Corporation, the makers of Firefox."
Edit: from 2012 apparently. time flies blog.thunderbird.net/…/the-future-of-thunderbird-…
It's still under the Mozilla foundation though, which is what people who are talking about Mozilla usually mean (they're the ones collecting donations and the parent organization).
Yes Thunderbird is getting really nice nowadays.
Just started using Thunderbird again a couple of months ago. Like it! I never really stopped liking it, just stopped using it because all the webmail interfaces and "appification".
Was just trying to get K-9 Mail working on my phone again (after years of using umpteen different apps) and it's not as smooth as I remember.
I think they're talking Kmail from the KDE app suite. I thought they meant K-9 mail.
Btw If I remember correctly K-9 mail is or is becoming Thunderbird.
It's taking them quite a while, but that usually means that the end result will be worth it.
If K-9 isn't working well for you, try FairEmail. It's one of my favourite email clients.
K-9 has gotten a LOT better over the past few months though.
If you like Thunderbird, I recommend checking out Betterbird fork as well that adds more features.
Mozilla don't work on Thunderbird any more. It's an independent project now. support.mozilla.org/en-US/kb/thunderbird-faq#w_wh…
Protonmail still does not have an official app in F-Droid. Just because of this reason I ended my paid subscription and moved to Tutanota.
Not going away from Proton myself, but yes this is damned infuriating. Although I'd deal with a reliable Android app. The Beta Android looks good, but why Proton has struggled so much with Android is beyond my current digging.
Tutanota doesn't have a good way to export emails in bulk. Their feature set is getting richer, but once invested, the exit cost is quite high, speaking from experience.
Cool. Now please do Proton Drive and Calendar. Please and thank you Proton.
Calendar is included in the mail app
We need CalDAV through the bridge app for use in Thunderbird and other apps.
What's wrong with IMAP and SMTP?
They generally require to have data visible on the server and/or handle independently encryption/decryption with related tools and key management (including key discovery).
For some, it might be worth it, for 99% of the population who wouldn't be able to do this but also doesn't want their content available to the provider, it's not.
"After years of pushing their proprietary and closed solutions to privacy minded people Proton decided that it was in their best interest to further bury said users into their service as a form of vendor lock-in. To achieve this they made more non-standard desktop clients for their groupware features (contacts and calendars) and the bridge will be discontinued soon."
Only if there wasn't CardDAV, CalDAV, IMAP, SMTP and dozens of other highly standardized protocols to handle e-mailing and groupware.
Is the bridge actually being discontinued? People have been saying that a lot recently but I've not seen any evidence for it, and not in the linked article.
I'm annoyed that they don't support SMTP, but realistically they actually can't unless they have the ability to read your email, which they don't.
No, but from their moves it is very clear it won't live long.
Technically they do use SMTP… and it's possible for a provider to provide submission and generic SMTP to clients without having to read the email content.
There are lots of ways to do e2e encryption on e-mail (no server access to the contents) over SMTP (OpenPGP, S/MIME etc.). There are also header minimization options to prevent metadata leakage. And Proton decided NOT to use any of those proven solutions (in a standard and open way at least) and go for some obscure implementation instead because it fits their business better and makes development faster.
Because with proven concepts the Swiss intelligence services would be locked out. And now people have to trust their claims of "Swiss privacy laws" (which are shit - the worst in Central Europe. Switzerland had multiple scandals, from a system that had intelligence files on a large percentage of their "unreliable" citizens as part of the "Fichenskandal" to them recently admitting that most internet traffic within and all traffic leaving and entering Switzerland is monitored by the Swiss intelligence services - without so much as a judge's permit). Yeah, I know, they are audited… But since Snowden we all know how much that is worth.
The minute they discontinue Proton Bridge is the minute I cancel my subscription with them and change mail providers. No one is prying my beloved Thunderbird from me
"Anyone can download the app, but free users will be given a 14-day trial to test drive it."
So it's only for premium users?
Hey it takes effort to make a WebView for mail.proton.com
They need to see how to package the dedicated browser for all the different distros and operating systems, make a nice icon and so on. It takes hours
They should sell this masterpiece for much more
Baby steps that take Proton from a great service to a toy for the masses in the effort to increase revenue. AI features are next
Sooo… What exactly changed about the service?
Yup
What is the point of email clients? Why not just use the web browser?
More reliable notifications? That's my reason, at least.
More useful if you have several email addresses, you can more easily check all of them in one place
.
My hope, for proton, would be improved search functionality. Currently search only works for email subject, not body. It's really lackluster.
FYI, you can enable a local index for message content searches:
proton.me/support/search-message-content#how-to-e…
Proton seems on the wrong side of the usability - privacy spectrum. Every last feature I'd want from an online provider is impossible or massively neutered by the overly strict security.
I wish there was a similar service in a trustworthy country with a more sane level of safety, like opt-in encryption for example.
mailbox.org has pretty good pgp key integration and will encrypt all emails that come in with a public key of your choosing.
Idk, got thunderbird set up and feeling pretty happy with it.
The proton desktop app was pretty slow when I checked it. I might give Thunderbird a go.
Have to use a student account, gmail and my main protonmail account. Tying everything up in one window is just nice.
It's just a webview app…
Yep. Installed it, started it, saw it is basically the website in an embedded browser, uninstalled it.
Like, come on, you have a web version. Why should I use an extra application to view a website. This seems like a cheap excuse for a desktop app.
Does it support offline access?
It does not. Which is the reason I wanted the app…
How to completely fail on a mail client. Holy hell.
Are you sure?
This was in the linked article:
I turned my WiFi off and opened the app it was just a white screen. I suppose it's beta still. But my dream is to keep a local copy of all my mail just got a cache.
Caching is not the same as actual offline functionality.
What the hell constitutes "actual offline use" for an email client
downloading emails and storing them locally for offline reading, categorizing, searching and drafting. "Caching" usually just means if you opened the app with connection, it won't go bonkers and will probably let you finish your immediate task + some basic functionality if you lose it. Can't close the app though.
The only benefit I can see of web app is it is in a controlled browser environment… could be helpful with security?
The main benefit is since it is locally installed, it is harder for proton's server to access your encrypted data by serving you malicious JS. A malicious desktop app/update could be served too, but that may be trickier.
To save myself the hassle of having to rebuild the electron app every once in a while? I'd rather not open my browser, go to their website and log in with 2fa every time I want to read an email.
Is the search functionality improved in the desktop app?
It just opens the web app
no AppImage, no Flatpak, no PPA, and no COPR
AUR FTW!
If that's the case, then I might have to use distrobox for once.
(Webmail provider releases a bespoke desktop app)
(me, old fart, bumbles out from behind the cables and servers and muck)
You fools! Have any of you whippersnappers ever heard of IMAP? No? Thought so.
[I'm not that familiar with ProtonMail. Chances are they already support IMAP. In which case: … …why? Why this? Why in this day and age?]
It's worse than you thought.
The webmail provider released a dedicated browser that can only open the webmail and called it a "desktop" app.
Additionally, they don't support IMAP. There's an app to run on your computer that becomes a bridge. The proprietary protocol is translated to IMAP. You can't use your favorite client if your operating system can't run that bridge and you're not a premium user because for "reasons" only premium users can run that local bridge
On a lighter note, the protocol might be proprietary but the bridge still seems to be fully open source : github.com/ProtonMail/proton-bridge
I don't think Proton shows bad will on this one. The only alternative I can think of (as a non expert) would be IMAP + GPG encrypted emails but very few desktop clients support GPG, which would make them less accessible 🤷‍♂️ Having their own protocol also probably makes it much much easier for them to iterate on it, opening up usually makes things much more robust but also slower.
The bridge is "open" but somehow it works only for premium users.
They don't support IMAP because they want emails to remain end-to-end encrypted, and IMAP doesn't have any way of doing that. The gateway decrypts the emails locally, then serves them as plain text.
We need something better than IMAP, that's designed for modern use cases. Something that's not stateful… Maybe a web service or something like that. JMAP seems promising but barely any providers have implemented it.
Still, if a user prefers the convenience of using any client instead of e2e, could enable it in a setting. Maybe the user subscribed because they liked the interface and the overall features of the plan, and not because of the encrypted email solution and just wants to add the account on the mobile client instead of a dedicated app
Being closed like this IMHO is just to increase user retention
E2E is their flagship feature and pretty much only selling point. I'm really not surprised they don't allow to just disable it.
If they subscribed because of the interface (which is certainly plausible), what would they need IMAP support for? Also, if you really want IMAP, you can have it, you just need their (open source) Proton Bridge for it (that's a software) so that it retains all features. But then I would need my own email client.
On mobile you're forced to use their "open source" app that is only available on the closed source app stores and not on fdroid because it uses Google push services
Not true, it's been available on Fdroid for quite some time now. And it doesn't need play services for the notifications to work either.
It's available on an unofficial repository that can be optionally added to fdroid, it's not available on fdroid
Even so, your statement that it is only available on closed-source app stores is wrong. And it doesn't even matter that it's not provided by "My First F-Droid Repo Demo" (yes, that's the name of the official repo). Many open source apps are on IzzyOnDroid, including Jerboa, what do you use to write on Lemmy?
Either way, your original comment is completely wrong and it doesn't help that it's "only" available in the most popular extra repo.
On a related note? When my friend on proton sends me (regular imap, openpgp) and several others (gmail, outlook) an email with all of us as recipients, it seems that proton cheats? I get to decrypt the message, whereas the others just read plain, unencrypted text.
At first I thought this smart. But now I kind of realize how much of a nightmare this seems to be.
On the other hand, I am not really sure how they do it? Is it two different mails, with fake headers? Or is it more like: if no encryption is available, show this (identical) text instead?
What are people's thoughts on forwardemail.net/…/best-quantum-safe-encrypted-em…