this post was submitted on 17 Aug 2024
967 points (96.4% liked)

Technology

59347 readers
6293 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
967
Proton is transitioning towards a non-profit structure | Proton (proton.me)
submitted 2 months ago by [email protected] to c/[email protected]
184 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 8 points 2 months ago (20 children)

You upload your private key to the cloud. Encrypted or not, this is a bad idea.

An encrypted key is a useless blob. What matters is the decryption key for that key, which is your password (or a key derived from it, I assume), which is client side.

They can do the signing and encryption with my public key

They can't sign with your public key. Signing is done using your private one, otherwise nobody can verify the signature.

Either way:

and then I’ll do the decryption with my own private key locally without them storing it.

You can do it using the bridge, exactly like you would with any client-side tooling.

[–] [email protected] 3 points 2 months ago (18 children)

It's still insecure. They decryption process is still in the proton company hands and they could add some client specific code to log the password on the fly. Proton is obliged to follow the swiss law and I can imagine situation that police asks proton (+ gag order ) to log certain data for specific clients like passwords and ips. Still private keys are better to be stored separately. You can sync them easily if you with with either rsync or rclone

[–] [email protected] 3 points 2 months ago (10 children)

Exactly. There's no justification for them storing the private key online for "convenience". And key generation happens in the browser with JS. Which means it is possible to send backdoored JS to easily copy the private key.

[–] [email protected] 2 points 2 months ago

endof

Especially with the fact that: 1) deminificafion of the javascript code is not simple 2) you cannot "freeze" the code version you use. Still your computer does allow it ( minus the windows which follows the Microsoft thinking way, kidding about windows updates )

load more comments (9 replies)
load more comments (16 replies)
load more comments (17 replies)