this post was submitted on 17 Aug 2024
964 points (96.4% liked)

Technology

59589 readers
2891 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] sudneo@lemm.ee 8 points 3 months ago (20 children)

You upload your private key to the cloud. Encrypted or not, this is a bad idea.

An encrypted key is a useless blob. What matters is the decryption key for that key, which is your password (or a key derived from it, I assume), which is client side.

They can do the signing and encryption with my public key

They can't sign with your public key. Signing is done using your private one, otherwise nobody can verify the signature.

Either way:

and then I’ll do the decryption with my own private key locally without them storing it.

You can do it using the bridge, exactly like you would with any client-side tooling.

[–] endofline@lemmy.ca 3 points 3 months ago (18 children)

It's still insecure. They decryption process is still in the proton company hands and they could add some client specific code to log the password on the fly. Proton is obliged to follow the swiss law and I can imagine situation that police asks proton (+ gag order ) to log certain data for specific clients like passwords and ips. Still private keys are better to be stored separately. You can sync them easily if you with with either rsync or rclone

[–] Asudox@lemmy.world 3 points 3 months ago (10 children)

Exactly. There's no justification for them storing the private key online for "convenience". And key generation happens in the browser with JS. Which means it is possible to send backdoored JS to easily copy the private key.

[–] sudneo@lemm.ee 3 points 3 months ago (1 children)

There is a reason: simplicity. Either you do all the key management yourself, which in practice means 98% of the people won't do it at all, or you implement a solution like they did and increase the risk of a small % (see my other comment) but you cover every customer.

[–] Asudox@lemmy.world 1 points 3 months ago* (last edited 3 months ago) (1 children)

That simplicity introduces security and privacy issues.

[–] sudneo@lemm.ee 4 points 3 months ago (1 children)

Introduces some risks in terms of security. Privacy concerns are extremely minimal, because in any case you don't control the setup of your other interlocutor(s).

Considering that the realistic alternative is not using anything at all and the fact that you have both options with Proton, it's a win-win scenario.

[–] Asudox@lemmy.world 1 points 3 months ago* (last edited 3 months ago) (1 children)

One of the biggest risks is when someone knows your password. Your PGP encrypted emails that you want noone to see will be available to the attacker. Whereas if no such thing happened, the attacker wouldn't be able to decrypt the PGP encrypted emails even if the attacker gained access to your account. Manually encrypting your stuff is better than having some random on the internet do it for you. It's really just a tradeoff. Convenience or security? It's not even hard to manually encrypt emails.

[–] sudneo@lemm.ee 5 points 3 months ago* (last edited 3 months ago) (1 children)

One of the biggest risks is when someone knows your password.

Just a curiosity. How do you think every password for every online service works? The service "has" your password. It is hashed, but if this doesn't matter (similarly for encryption) to you, then you should be panicking about basically everything.

In the case of Proton an attacker has basically these options:

  • Option 1: Attack you, try to compromise your device. If this is the case, your local keys are going to be taken, one way or another, even if you have them locally and encrypted. The only way you might save yourself in this scenario is if you store them on an hardware device (like a yubikey).
  • Option 2: Attack proton. Once the infrastructure is compromised, the JS code that does the crypto operation needs to be backdoored, you need to use the service while the JS is compromised, and the attacker will obtain the keys and the messages.
  • Option 3: Compromise the sender/recipient for the emails (this is in cleartext in any case).

In the case of a manual solution:

  • Option 1 is identical.
  • Option 2: Attack the software you use (let's say, mutt). Once you gain access to the repository, push a backdoored update and wait for you to install the new version. Incidentally, compromising this tool also allows the attacker to compromise your whole machine (unlike what happens with JS code, which runs at least in the browser sandbox).
  • Option 3 is identical.

So the tradeoff is really that:

  • With Proton an update is going to be pushed quicker and without your explicit interaction, but
  • compromising Proton is going to be much, much harder than compromising the laptop/repository for the handful of maintainers that generally have the keys to push updates for the software you are most likely going to use. We are talking company with security department + SOC vs maintainers with whatever security practice and no funding.

It’s not even hard to manually encrypt emails.

Yeah, and this is why 99.9% of the people have never and will never touch GPG with a 10-foot pole. The tradeoff is a complete no-brainer for the vast majority of people, because the reality is that for most, either someone else does the key discovery, management, signing, encryption, decryption, or nobody does. We can sit here and pretend that it's easy, but it's not. Managing keys is hard, it is painful, especially on multiple devices, etc..

EDIT:

The entire threat model for proton is also documented BTW: https://proton.me/blog/protonmail-threat-model

[–] Asudox@lemmy.world -1 points 3 months ago* (last edited 3 months ago) (1 children)

Encrypted or not, the fact that someone else has it stored somewhere in their computers is dangerous. The fact that it can be accessed online is dangerous. The only recommended way to store private keys are offline and encrypted. Why are you so ignorant of this fact, I wonder? I think you trust Proton a bit too much.

[–] sudneo@lemm.ee 4 points 3 months ago (1 children)

Encrypted or not, the fact that someone else has it stored somewhere in their computers is dangerous.

Of course. You are simply over-representing this risk, though. Besides, regular people realistically don't need to worry about Proton being backdoored, because their device is 10-100x more likely to be breached instead. Security is not a binary, it's a shade. Performing a software update is also "dangerous". Do you check every time you update the software its code, to verify no malicious backdoor is there? No, exactly, you trust the maintainers and the package infrastructure.

The only recommended way to store private keys are offline and encrypted.

So you don't store them on your device(s) (encrypted)? I store my GPG keys that I use to sign software on my yubikeys. That said, email is something I check from my phone and multiple computers (as most people). Do you really use a hardware key to do on-the-fly decryption, every time someone sends you a message, from each device?

As a security engineer, I also generally discourage such absolute "recommendations". My threat model is different from a regular Joe threat model, and both are different from Snowden's. There is no such thing as "only recommended way", because this is not a religion, it's a risk decision. Most people use Gmail, where the content of their email is literally available server side. Those same people can gain privacy and security using GPG via Proton, and in their threat model "provider gets compromised and software backdoored" is completely irrelevant. Is it relevant in your threat model? Good, then yes, you should only store keys offline and encrypted. Actually, you shouldn't use email at all, and you should use dedicated tools and protocols that are meant for security, where metadata is not transmitted in clear text, for example. You should also have virtually no session duration and perform a full login with 2FA every time, you should probably access the software that you use to communicate only from a secure machine dedicated for the purpose etc..

I think you trust Proton a bit too much.

I simply have clear in my mind what my threat model is and what risks are acceptable. I perfectly fit in the "Anyone with privacy concerns" category in the threat model they built. What about you?

[–] Asudox@lemmy.world 1 points 3 months ago (1 children)

Indeed. Email is not ideal for such things but it exists and is needed because everyone refuses to make a switch. If XMPP were to replace emails, that would've been great.

Anyway, I still don't trust Proton. Have a great day.

[–] sudneo@lemm.ee 2 points 3 months ago* (last edited 3 months ago)

If XMPP were to replace emails, that would’ve been great

Who knows :) But XMPP also needed all kind of extensions to support even relatively old security measures.

Anyway, I still don’t trust Proton. Have a great day.

That's fine, you can trust who you want, of course. The important thing is to have clear the risk model.

load more comments (8 replies)
load more comments (15 replies)
load more comments (16 replies)