Passkeys are an easy and secure alternative to traditional passwords that can help prevent phishing attacks and make your online experience smoother and safer.

Unfortunately, Big Tech’s rollout of this technology prioritized using passkeys to lock people into their walled gardens over providing universal security for everyone (you have to use their platform, which often does not work across all platforms). And many password managers only support passkeys on specific platforms or provide them with paid plans, meaning you only get to reap passkeys’ security benefits if you can afford them.

They’ve reimagined passkeys, helping them reach their full potential as free, universal, and open-source tech. They have made online privacy and security accessible to everyone, regardless of what device you use or your ability to pay.

I’m still a paying customer of Bitwarden as Proton Pass was up to now still not doing everything, but this may make me re-evaluate using Proton Pass as I’m also a paying customer of Proton Pass. It certainly looks like Proton Pass is advancing at quite a pace, and Proton has already built up a good reputation for private e-mail and an excellent VPN client.

Proton is also the ONLY passkey provider that I’ve seen allowing you to store, share, and export passkeys just like you can with passwords!

See https://proton.me/blog/proton-pass-passkeys

#technology #passkeys #security #ProtonPass #opensource

    • GadgeteerZA@lemmy.ml (OP)
      1 year ago

      The point of the post was that Proton Pass is beating Bitwarden right now to having passkeys for mobile (Bitwarden has still not released that), and Proton Pass can actually export passkeys which Bitwarden does not do, so they are improving. I would not say though they are better all round than Bitwarden. I pay for both but am still evaluating the rest of Proton Pass vs Bitwarden especially around tweaks in options. But Proton is showing some innovation and momentum, while Bitwarden is slowing a bit. For those already using Proton they will likely find Proton Pass good enough to use right now.

        • capital@lemmy.world
          1 year ago

          Why shouldn’t these features require money?

          It’s $10 per YEAR. This is an extremely reasonable price given the importance of the service.

          Bitwarden employees need to eat too.

          • lorkano@lemmy.world
            1 year ago

            It’s not paywalled. It’s not yet implemented in the mobile Bitwarden apps. It probably won’t be paywalled once implemented, because it’s not paywalled in the extension, where it’s already implemented.

          • TheEntity@lemmy.world
            1 year ago

            I’d be perfectly okay with them just charging for Bitwarden, period. Instead they pretend it’s free but charge a premium for all the most effective security features, including 2FA to their own services. Effectively it creates a group of people that use Bitwarden without access to these security features but complacent enough to not seek alternatives that would offer these features at a price acceptable for them (possibly free, like KeePassXC).

            Bottom line: security shouldn’t be a premium feature. It should be either available or not at all. Never as a premium within the service.

            • capital@lemmy.world
              1 year ago

              I disagree.

              Simply adopting the use of their free service (or any password manager, sans 2FA) is an upgrade in terms of personal security. That’s moving in the right direction from memorized (and let’s be honest, that means using the same or a small list of similar passwords) passwords everywhere.

              The existence of alternatives that include 2FA at no cost works against your point IMO. But that also comes at a cost - KeePass requires that you manage your own sync and backup.

            • hedgehog@ttrpg.network
              1 year ago

              For logging in, Bitwarden supports TOTP, email, and FIDO2 WebAuthn on the free plan. It only adds Yubikey OTP and Duo support at the paid tier, and WebAuthn is superior to both of those methods. This is an improvement that they made fairly recently - back in September 2023.

              The other features that the free plan lacks are:

              • the 1 GB of integrated, encrypted file storage. This is a convenience that is nice to have, but not essential to a password manager.
              • the integrated TOTP generator. This is a convenience that many argue is actually a security downgrade (under the “putting all your eggs in one basket” argument).
              • Upgraded vault health reports - free users get username data breach reports but not weak / reused password reports. This is the main area where your criticism is valid, but as far as I know free competitors don’t offer this feature, either. I looked at KeePassXC and didn’t see this mentioned.
              • Emergency access (basically a trusted contact who can access your vault under some circumstances). This isn’t essential, either, and the mechanisms they add to ensure security of it cost money to provide.
              • Priority support - free users get 24/7 support by email, which should be good enough.
  • BaroqueInMind@lemmy.one
    1 year ago

    I really want to like Proton and all their shit, but they seem to heavily advertise everything they have on every software and product they have in a very intrusive and annoying way.

    Simply logging into Proton mail and being bombarded by Proton promotional shit feels like Google all over again.

    The app reminds me constantly that I’m a piece of shit for not supporting them by subscribing to their VPN, etc etc.

    • GadgeteerZA@lemmy.ml (OP)
      1 year ago

      And yet I missed their announcement about their passkeys. In today’s competitive world, I think any company that does not advertise in some way is really not going to survive (as much as I don’t like ads either). Maybe I don’t see that much as I am paying.

      • eskimofry@lemmy.world
        1 year ago

        This is simply not true. If your products are good your customers will do the marketing for you.

      • Sips'@slrpnk.net
        1 year ago

        I was getting these advertisements, even as a paid user, just before Christmas. Multiple other people have complained about it both here and on Reddit too. It seems to have gotten better now, but I know a few people have been quite turned off by this.

      • Confused_Emus@lemmy.world
        1 year ago

        Do you have emails from them disabled? I got an email about the launch, but yeah, I haven’t seen much mention of it elsewhere.

        • GadgeteerZA@lemmy.ml (OP)
          1 year ago

          No, I just have “Proton for Business newsletter” disabled, but I see many of their mails say only once a quarter etc. So it seems they don’t send out every month.

    • circuscritic@lemmy.ca
      1 year ago

      I have both paid and accounts with Proton and I have no idea what you’re talking about.

      Yes, they make it clear they offer a suite of services, and notify you of new services being launched, but my screen isn’t saturated, and my workflow isn’t negatively impacted.

      …and they are nothing like Google in terms of self promotion, to say nothing of Google’s business practices.

    • varsock@programming.dev
      1 year ago

      You’re able to unsubscribe from all those promotions . . . that is in settings. Personally, a once-a-month newsletter of everything that is new is helpful because I don’t need to put in the effort to keep up.

    • CucumberFetish@lemm.ee
      1 year ago

      When I set up my account, they asked during setup if I wanted to get email notifications about their products, and later it is also available and clearly marked in the account settings. I’d assume that if I turned those settings off, I’d stop getting those emails.

      That being said, I have gotten 8 notifications from them over the last 3 months. I have all newsletters and promotional content enabled. This isn’t much imo

    • Dark Arc@social.packetloss.gg
      1 year ago

      I haven’t noticed much beyond emails about general product news.

      That’s compared to Feedly which actively would popup “hey! have you considered paying us like… 2k/yr (or maybe it was 2k/month) for some service you don’t care about that really should be part of our normal RSS product that you’re already paying like 200/yr for? Also there’s no way to turn these notifications off and we’re going to keep sending them periodically. Oh! And we’re not going to work on anything you might find interesting or reasonably priced, so … have fun!”

    • QuantumBamboo@lemmy.dbzer0.com
      1 year ago

      I would rather they make money from advertising their own pretty awesome services than from advertising unsustainable (environmentally, but also unsustainable for the fucking soul!) bullshit via blood sucking multinational tech companies that prey on the masses with whatever data they can automatically dig up on you. The revenue Proton makes from converting free customers to paid allows them to grow a freely available service that is user-friendly and is a technical rival of the surveillance capitalists.

      My take is:

      • If you’re the sort of person that is convinced your requirements need some custom covert ops pagan voodoo self hosted data center in an old cold war era bunker, don’t let me stop you. You crack right on mate and good luck (sounds like you need it!).
      • If you want the sorts of services Proton provides, but don’t want to be fucked, then Proton are a good shout.
      • If you can afford it, pay for it. It makes the experience smoother and keeps a relatively small but decent company going in an ocean of massive cunts.
      • If you can’t afford it and don’t want to use the free version of Proton, I hear Google and Microsoft will happily buy your soul and sell your data.
      • deweydecibel@lemmy.world
        1 year ago

        If you’re the sort of person that is convinced your requirements need some custom covert ops pagan voodoo self hosted data center in an old cold war era bunker, don’t let me stop you. You crack right on mate and good luck

        Can you give an actual example of this or are you just making a broad accusation against anyone that uses something other than Proton?

        The initial point wasn’t against supporting these services or them making money, it’s the aggressiveness of the advertising. It shows a degree of disrespect for the users when they refuse to leave them alone.

        • blind3rdeye@lemm.ee
          1 year ago

          Can you give an actual example of this or are you just making a broad accusation against anyone that uses something other than Proton?

          The quote you are referring to is about people who have such specialised security needs that they choose to self-host. i.e. it’s about people who won’t use Proton because it doesn’t suit their needs. The only ‘accusations’ in the post are against Google & Microsoft, who are accused of buying the souls of their users and selling their data - which I think is a fair accusation. No other company or service is referred to, explicitly or implicitly.

        • QuantumBamboo@lemmy.dbzer0.com
          1 year ago

          No accusations intended. My point is if you’re clued up enough to be comfortable making your own decisions then fill your boots. I’m not here to convince you. The “aggressive” advertising is the only way they are able to generate revenue. And I’m fine with that compared to the alternatives. I find it far more disrespectful to have my data skimmed and monetised by a system of exploitative consumption.

      • Confused_Emus@lemmy.world
        1 year ago

        You’re just going to rub people the wrong way being condescending like that. Find another way to try and bring people to your point of view.

        And no, I’m not a shill for Google or Microsoft, I’m a happily paying user of Proton’s products.

        • QuantumBamboo@lemmy.dbzer0.com
          1 year ago

          People are perfectly within their rights to be rubbed up the wrong way.

          Find another way to try and bring people to your point of view

          Thanks for your great example of condescension for clarity. A little unsolicited feedback though… other people, unaware of your virtuous intent, might view it as a petty attempt to belittle a stranger on the internet. Other than that, a solid comment. B+

          … that’s condescending.

          • RagingSnarkasm@lemmy.world
            1 year ago

            People are perfectly within their rights to be rubbed up the wrong way.

            Except in Florida and Texas. That shit gets you arrested these days.

            Or so I hear.

  • Swarfega@lemm.ee
    1 year ago

    I was considering Proton Unlimited and moving away from separate SimpleLogin and Bitwarden Premium to get my costs down. Has anyone moved from Bitwarden to Proton Pass? How was the experience?

    • capital@lemmy.world
      1 year ago

      I moved FROM Proton when I started looking into using unique addresses for everything via my own domain.

      Fastmail + Bitwarden is way cheaper than Proton + SimpleLogin.

      I found myself wondering why Proton, which I was already paying for, required an additional cost to implement masked email addresses via SimpleLogin when they own the damn thing.

      Fastmail just has all of that baked in for cheaper. Then Bitwarden can create masked addresses from its interface via API when you create logins.

      • Swarfega@lemm.ee
        1 year ago

        I liked the look of Fastmail but I read that it doesn’t work offline which seems to be a massive oversight. I also only really need basic mail but their 2GB limit felt way too low for a paid service.

        • capital@lemmy.world
          1 year ago

          Hm. I guess I’ve never had the need for offline support so I didn’t notice. Though IMAP works so other clients could take care of that.

          Why did you compare the lowest tier with Proton Unlimited?

          • Proton Unlimited: $120/500GB/15 addresses. Add cost for SimpleLogin to manage masked addresses.
          • Fastmail Standard: $50/30GB/600 addresses. Masked addresses built in at no extra cost.

          I don’t know your storage requirements but for me, I never went over the 15GB free limit in Gmail after many years of use so I don’t see 30GB ever being a problem.

          Edit: After more looking, SimpleLogin may be included with Unlimited? Still… Unlimited is expensive. This may have been what caused me to start looking elsewhere. I had been paying for Proton Mail Plus plan for a few years before I started looking at implementing masked email addresses and got frustrated with the price to use SimpleLogin features which weren’t included in Plus.

    • BingBong@sh.itjust.works
      1 year ago

      As a counterpoint, I’m specifically keeping passwords with a separate service out of concern about having a single point of failure for the majority of my online persona. I do pay for Proton Unlimited but mostly for VPN, SimpleLogin, and email.

  • irotsoma@lemmy.world
    1 year ago

    I don’t like passkeys yet because they’re implemented poorly on most platforms, IMHO, because they replace two factors with one. Some don’t let you also turn on two factor auth at all which is dumb, but the ones that do then often only have options that use your device as a factor either through text or email. So if the passkey is your phone and you add text messages as the 2 factor option, that’s still your phone. Or if your passkey is your laptop and you’re logged into your email on the laptop, it’s just one.

    • phoneymouse@lemmy.world
      1 year ago

      I believe passkeys are supposed to replace 2FA and passwords. If you have a passkey, you’re not supposed to need 2FA.

      • Refract@lemm.ee
        1 year ago

        Could either you or @phoneymouse@lemmy.world explain this for me? If all that’s required to log in using a passkey is access to a single device/provider (e.g. Proton Pass in this case) how does it replace 2FA?

        • dustyData@lemmy.world
          1 year ago

          That’s because it’s not 2FA, strictly speaking. The second factor is whatever the device uses to verify you. So, essentially:

          You go to a webpage, then go to sign up. Instead of inputting a password, you just input some ID, like a username or email. The device generates a cryptographic handshake with the webpage and your ID. You don’t (can’t, unless you can memorize a string of thousands of letters and numbers and be really good at math with prime numbers) have to remember it.

          Now, when you go to log in to that page again, the device just remembers and exchanges the keys with the webpage for you. That is NOT 2FA. But, you can configure your device to require another verification (most do). So, when you go to log in, the device asks you to use your fingerprint, or a remembered PIN. Or whatever that confirms that the one handling the device is indeed you before sharing encryption keys with the webpage. This is sorta 2FA, but not really because the webpage is delegating the second factor to the same device actually doing the login. Which might be compromised altogether, but that already happens with most 2FA implementations.

          If you go to a second device, and wish to log in, then your second device will fall back to other 2FA versions, like sending an OTP to the verified email or phone, or asking you to verify on the one device that is already logged in.

        • hedgehog@ttrpg.network
          1 year ago

          For an authentication flow to qualify as two factor authentication, a user must verify at least two factors - and each must be from the following list:

          • something they know, like a password
          • something they have, like a phone or security key
          • something they are - fingerprints, facial recognition (like FaceID), iris scans, etc…

          Passkeys require you to verify a password or authenticate with biometrics. That’s one factor. The second factor is having the passkey itself, as well as the device it’s on.

          If you log in to your password manager on your phone and use your fingerprint to auth, that’s two factors right there.

          • irotsoma@lemmy.world
            1 year ago

            But authentication to access the passkey is on a remote device. So the server doesn’t have any information about if or how authentication was performed for the person to access the key. If they use a 4 digit pin or, worse, the 4 point pattern unlock, it’s easy enough to brute force on most devices.

            This is also why using a password manager is not two factor authentication. It is one factor on your device and one factor on the server. But no one monitors the security logs on the device to detect brute force attacks and invalidate keys. Most don’t even wipe the device if the pin is being brute forced.

            • hedgehog@ttrpg.network
              1 year ago

              None of what you’re saying has anything to do with whether an authentication flow is effectively implementing two-factor authentication.

              The server doesn’t need to know details about which two factors you used. If you auth with a passkey and it knows that passkeys themselves require an additional factor to be used, then it knows that you’re using 2FA.

              If they use a 4 digit pin or, worse, the 4 point pattern unlock, it’s easy enough to brute force on most devices.

              This is true, but that doesn’t mean it doesn’t qualify as an authentication factor. Nobody should use a 4-6 digit PIN for their phone, but this is a matter of individual security preferences and risk tolerance. In a corporate setting, the corporation can set the minimum standard here in accordance with their own risk tolerance.

              My password could be “password123” and it would still be one factor.

              • irotsoma@lemmy.world
                1 year ago

                I’m not saying it doesn’t count as authentication, it just doesn’t count as authentication to the security of the server directly. That’s the device’s security and configured by the user, not the server. And user devices are very prone to exploits to the point that many law enforcement agencies don’t even bother asking for a password anymore to access a device.

                So, let’s move to a physical model as an example. Let’s say you have a door. It has a very simple door handle lock. You keep your key inside a hotel safe. Sure it might be difficult to get the key if they had to enter the hotel room, cut open the safe in place, and get the key while they’re standing in front of the secure door, exposed. But that’s dumb. They could just as easily grab the safe out of the room and open it later where there’s room for proper equipment, use a known exploit for the particular safe, or use other exploits all out of view of the door/server and at any time until the user realizes you know how to open their safe, because the door/server will never find out. Once that safe is open, you have not just the key to the door, but the key to all locks the user uses since now we only have “something you have” factors and the user uses only one device. Just like when we only had “something you know” factors and the user uses the same password everywhere.

                So what does the passkey help with? It makes the lock and thus the key itself more complex. This makes it so that brute force attacks against the server are more difficult. But it doesn’t solve anything that existing TOTP over text messages didn’t solve, other than some complexity, and it eliminated the password (something you know) factor at the server. Something a lot of companies are already doing and we already know from experience is a bad practice. It has changed the hacking target to the device rather than the person. But still just one target, you don’t need both. Sure it’s better than a really bad password that’s reused everywhere. But it’s not better than a really good password unique to a site that’s only stored in a password manager on the user’s device that requires a separate master password to access (outside of MitM attacks that TOTP mitigates).

                Now, what if we have a door with two locks, one that requires a code, and one that requires you to have access to a device. Now in order to attack the door, you need two factors right at the time you’re standing at the door. Also, there’s probably a camera at the door and someone paid to check it periodically when someone tries too many times, which isn’t the case in the user’s safe/device. So even if you get the key from the user, you still need to brute force the second lock efficiently or you need to implement a second exploit to get the second factor ahead of time. This is the idea of two factors at the server and the current state of things before passkeys.

        • Encrypt-Keeper@lemmy.world
          1 year ago

          A passkey that’s generated on any given device is tied to that device, and is never sent to the server you’re authenticating to. What’s sent instead is a time based challenge/response that functions similarly to TOTP except that it’s not based on a shared secret like TOTP is. Since the Passkey is both a file, and is tied to the device you generated it on, it satisfies the something you have factor. Then in order to use a Passkey to authenticate, you need to unlock access to it using either biometrics (something you are) or a PIN (something you know).

          Now storing your passkeys in a password manager does muddy the process of it a bit. The “something you have” part is no longer a device, but the key file itself, which is still arguably “something you have” but it is to a degree less secure than keeping it tied to a device. But you can think of storing passkeys in a password manager similarly to storing your TOTP in your password manager. It’s a tradeoff.

          I know that with 1Password, even if I authenticate to my vault using my master password, when I go to use any particular passkey, it still requires biometrics.

          • irotsoma@lemmy.world
            1 year ago

            Problem is that if the factor is not authenticated by the server, it doesn’t count. Not saying it’s not helpful, but it’s not part of the consideration when designing the security of the system.

            The device can be attacked for an indefinite time and the server knows nothing about that. Or the device can disable that additional security either knowingly or maliciously and the server has no knowledge of that breach. So it’s still a single factor, “something you have” to the perspective of the server when considered security.

            I’ve worked with healthcare data for decades and am currently a software architect, so while it’s not my specialty directly, it is something I’ve had to deal with a lot.

    • GadgeteerZA@lemmy.ml (OP)
      1 year ago

      No, an ad would have come out when it was launched, and an ad would try to sell something?

        • GadgeteerZA@lemmy.ml (OP)
          1 year ago

          Firstly, the point was made that the passkey functionality in Proton Pass is free (no account needed or “selling”) and that is for unlimited logins. Anyone can just use it. I pay for, and am still using Bitwarden. I posted about this because it is interesting that Pass has implemented passkeys for mobile, while I still wait for Bitwarden, so I’m interested in testing this out with Proton Pass. I post about all sorts of things that I find interesting, and sometimes I do switch my services across if I find it can match or better what I already use. That’s the bottom line.

          I was just as interested when I was considering moving from LastPass to Bitwarden, but then I was accused of “selling” free Bitwarden to people. Everyone must make up their own minds as their circumstances are different. But if no-one posted about what they found interesting, we’d have no Lemmy, and we’d all forever just stay stuck on whatever we personally know. Certainly Bitwarden and Proton Pass are not the only good password managers out there, but this week I was interested to see an article about Proton Pass, and I had not even known they’d rolled out passkeys yet. It seems like quite a few others did not either.

          I’m sure others also post about what new stuff 1Password has just rolled out, and I’d be interested to hear about that too. That is how I decide whether I want to try something better.

          If I wanted to try to sell something, I’m sure Proton Pass probably has some loyalty link for paid accounts, but no, you did not see me sharing anything like that. I mentioned the access was free.

  • Victor@lemmy.world
    1 year ago

    How do I create a passkey with Proton Pass then? I don’t see that option when pressing the big Plus button.

    • GadgeteerZA@lemmy.ml (OP)
      1 year ago

      It is the same for Bitwarden. What I noticed is if I go to a site with passkeys, then Bitwarden prompts me with a pop-up to want to add a passkey. It’s not something you manually add, apparently.

    • IdleSheep@lemmy.blahaj.zone
      1 year ago

      If the site you’re using supports passkeys, it should have an option in your account settings somewhere to create one. When you do, Proton Pass (or whatever other password manager) will prompt you to save that passkey. You can’t manually create one in Proton Pass; it has to be the website requesting to save one.

      • Victor@lemmy.world
        1 year ago

        Oh I see! So essentially it’s like creating a separate key pair for each login/site? Or will I be able to reuse the same public key/passkey for many different sites once it’s created?
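Putting Encrypt-Keeper’s challenge/response description and Victor’s per-site key-pair question into code: this is an added example in Go, not code from the thread, from Proton Pass or from any WebAuthn library. The hostnames (`login.example.test`, the lookalike `login-examp1e.test`, `shop.example.test`) are constructed, and `signedDigest` is a simplified stand-in for the data a real authenticator signs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models a passkey provider: one key pair per site, private keys never leave it.
type Authenticator struct {
	creds map[string]*ecdsa.PrivateKey // relying-party ID -> private key
}

// Register mints a fresh P-256 key pair for rpID; the site only ever sees the public key.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // crypto/rand failing is unrecoverable in this demo
	}
	a.creds[rpID] = priv
	return &priv.PublicKey
}

// Assert signs the server's challenge for the origin the browser reports. A lookalike
// origin has no credential, so nothing is signed: that lookup is the phishing resistance.
func (a *Authenticator) Assert(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.creds[origin]
	if !ok {
		return nil, errors.New("no passkey registered for " + origin)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedDigest(origin, challenge))
}

// signedDigest binds the challenge to the relying-party ID. Real WebAuthn signs
// authenticatorData || SHA-256(clientDataJSON); this two-field hash simplifies that.
func signedDigest(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write([]byte{0}) // separator between the two fields
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty is the web site: stored public keys plus one-shot challenges.
type RelyingParty struct {
	id      string
	pubKeys map[string]*ecdsa.PublicKey // user -> public key
	pending map[string][]byte           // user -> outstanding challenge
}

// NewChallenge issues 32 random bytes; fresh randomness per login is what defeats replay.
func (rp *RelyingParty) NewChallenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.pending[user] = c
	return c
}

// Verify checks the signature with the stored key and consumes the challenge (no replay).
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	c, ok := rp.pending[user]
	if !ok {
		return false
	}
	delete(rp.pending, user)
	pub, ok := rp.pubKeys[user]
	return ok && ecdsa.VerifyASN1(pub, signedDigest(rp.id, c), sig)
}

type DemoResult struct {
	GenuineOK, ReplayBlocked, PhishBlocked, DistinctKeys bool
}

// Demo runs registration and login against constructed hostnames.
func Demo() (r DemoResult) {
	auth := &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
	rp := &RelyingParty{id: "login.example.test", // constructed site
		pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
	pub := auth.Register(rp.id)
	rp.pubKeys["alice"] = pub

	// 1. Genuine login: challenge out, signature back, verified once.
	sig, err := auth.Assert(rp.id, rp.NewChallenge("alice"))
	r.GenuineOK = err == nil && rp.Verify("alice", sig)

	// 2. Replaying the captured assertion fails: the challenge was consumed.
	r.ReplayBlocked = !rp.Verify("alice", sig)

	// 3. A phishing page relays a real challenge from a lookalike origin; no credential, no signature.
	_, err = auth.Assert("login-examp1e.test", rp.NewChallenge("alice")) // constructed lookalike
	r.PhishBlocked = err != nil

	// 4. A second site gets an unrelated key pair, so nothing links the two accounts.
	pub2 := auth.Register("shop.example.test") // constructed second site
	r.DistinctKeys = !pub.Equal(pub2)
	return r
}
```

The answer to the question above falls out of step 4: each site gets its own key pair, and only the public half ever leaves the provider.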

  • d3Xt3r@lemmy.nz
    1 year ago

    all devices

    Lies, there’s no Linux app yet. As usual, Proton Inc continues to treat Linux users as third-class citizens, all whilst claiming they care about privacy and security.

    • jelloeater@lemmy.world
      1 year ago

      I tried their mail app, it’s Electron garbage. I love all their other stuff tho.

      TBH KeePassXC + Syncthing is superior in every way.

    • GadgeteerZA@lemmy.mlOP
      1 year ago

      I’m using the browser add-on in Linux across all my browsers. I do have the Bitwarden app for Linux, but to be honest I never open it as it is a pain to have to open a separate app, and then copy and paste. Isn’t it just more seamless to let it replace the browser password manager on Linux? If I want to tidy up my Bitwarden vault, I also do that in the browser.

      • fishpen0@lemmy.world
        1 year ago

        DevOps here. I use the 1Password CLI constantly to feed auth tokens and passwords and identity overrides into other shell commands. I’d lose my shit if I had to keep opening my browser to log in to all my various workflows. The CLI even integrates with biometrics so my hands never leave the keyboard.

          • fishpen0@lemmy.world
            1 year ago

            Yes. My personal vault is Bitwarden and my work vault is 1Password. It’s actually nice they are separate so I have a hard mental context switch. If I want to do something to my personal services, it’s a different set of commands to inject my tokens than my work ones and not something easier to leave on like an env var to target a different profile

      • d3Xt3r@lemmy.nz
        1 year ago

        Passwords are used in more places than just browsers though. If there wasn’t any need for a dedicated app, why did they bother making one for Windows?

        But personally, I dislike Bitwarden as well. I prefer KeePassXC as it works fully offline and I don’t need to depend on a cloud-based provider (or spin up a server). The best part about KeePassXC is that it supports auto-typing credentials, so you don’t need to copy-paste, and it works across a multitude of apps, such as remote desktop / terminal sessions.

        • BassTurd@lemmy.world
          1 year ago

          I have the app and the browser extension. I usually open the extension and copy from there rather than use the app for things outside of the browser. It’s just quicker.

          • SmoothLiquidation@lemmy.world
            1 year ago

            This is what I do as well. I always have Firefox running and can easily search the extension for whatever password I need and it is just as easy to copy from there as opening another tool.

            That being said the iOS app is great for when I am away from my laptop.

    • Ithral@lemmy.blahaj.zone
      1 year ago

      mTLS is for transport layer security, not authentication security. This is closer to those RSA keys where there is an RSA server keeping track of all the fobs that can be queried to figure out what number they are currently showing, acting as a something-you-have factor of authentication, proving you are who you say you are.

    • GadgeteerZA@lemmy.mlOP
      1 year ago

      There is a difference but right now as long as one uses a good password with a 2FA it is probably good enough. Too many services with passkeys are still quickly offering password resets via e-mail or text, so they, as sites, are not secure. And unless you can move your passkeys with you, like you can with passwords, you don’t want to get locked into a single device or OS.

  • NightAuthor@lemmy.world
    1 year ago

    I started using Strongbox on iPhone & Mac for passkey support. Bitwarden is still there too, esp. for PC, but I may move to an all-KeePass setup.

  • FrostKing@lemmy.world
    1 year ago

    Can I get an explanation on what exactly passkeys are? I already use Bitwarden for passwords; is there any good reason to switch to passkeys if that works for me?

    • EarMaster@lemmy.world
      1 year ago

      Passkeys are a form of passwordless authentication. You store them in Bitwarden like regular passwords, but when you want to access a site that supports them (e.g. eBay), instead of asking for your password and autofilling or copy-pasting it from Bitwarden, your Bitwarden pops up and asks you if you want to log in, and it just happens (if you have multiple passkeys associated with a site you can select which you want to use). That’s it. No password fields which get autofilled and no password in your clipboard (history).

        • EarMaster@lemmy.world
          1 year ago

          It is a similar experience, but you don’t need any infrastructure for it. Everything is handled by your device.

      • FrostKing@lemmy.world
        1 year ago

        Thanks for the explanation. From the sound of it I’ll probably stick with passwords. I like being able to copy them, cause I’m often signing in to an application, not a website, etc.

    • GadgeteerZA@lemmy.mlOP
      1 year ago

      Not really, right now as the password resets all undermine passkeys for many sites. One day if/when passwords get replaced then there will be a need, but that is a long way off probably. A good random password along with any 2FA is really good enough for most cases, and Bitwarden already does that very well along with even random e-mail addresses.

  • Defaced@lemmy.world
    1 year ago

    I really really like Proton Pass. I was using Google password manager prior, but I primarily use Firefox and Firefox’s password syncing is just bad. Proton Pass has been a surprisingly reliable password manager.

    • GadgeteerZA@lemmy.mlOP
      1 year ago

      It does seem to have innovated quite quickly. I’m still using Bitwarden as I have the paid access to biometrics etc., and it has a nice tweak also to add unique e-mails for every login, etc. But I’m interested to see where Proton Pass will be in another few months, seeing I’m already paying for their service, and maybe I can consolidate my expenses a bit. I actually got drawn into paid Proton by leaving ExpressVPN, which I needed for Netflix, and then found Proton (with one or two others) were the only ones handling Netflix’s geofencing quite well. Looking at options is always good.

    • GadgeteerZA@lemmy.mlOP
      1 year ago

      Well, at least say WHY? We know we can’t trust Apple (because of the recent backdoor that had to be closed down), Facebook (because of the Cambridge Analytica scandal), Microsoft (because the NSA were given first access to vulnerabilities before patching), the NSA (because of the CLOUD Act), etc., as these are all documented, analysed and reported on. Your comment really adds zero value to the debate. Proton is under Swiss law for a start, which has a way higher barrier to entry for law enforcement to get any access to metadata. In the USA the law enforcement just buys that data from data brokers. Proton is not in the business of advertising.

      • HACKthePRISONS@kolektiva.social
        1 year ago

        I don’t trust them because they don’t use established security practices, their interfaces abstract away the internals, they have complied with law enforcement and admitted they could compromise contents (not just metadata), and they don’t accept anonymous payment.

        • GadgeteerZA@lemmy.mlOP
          1 year ago

          They do accept Tor connections though… But I think you have the facts wrong about that access to data unless you have a credible source you can share: They are legally obligated to comply with lawful requests from Swiss authorities if they meet specific criteria (just like every other country except the USA, where law enforcement [used?] could just request access). In a US case involving threats against immunologist Anthony Fauci, ProtonMail confirmed they received a legal request from Swiss authorities. However, due to end-to-end encryption, they could only provide the date the account was created, not the content of emails.

          • HACKthePRISONS@kolektiva.social
            1 year ago

            They could ship malicious JS to their frontend that would give them access to the unencrypted session. You are going on faith every time you load the interface.

            • GadgeteerZA@lemmy.mlOP
              1 year ago

              Vulnerabilities on the client end are the only way right now for most state actors to gain access to messaging. So yes, various actors are already exploiting that as they have a lot at stake to gain access. But with others already able to exploit that, why would Proton want to do that? Their model is not about advertising or selling data, and they have 100 million paying customers as I understand it. The ones that have been spying and exploiting have been the likes of Meta’s Facebook with their app present on the client device, and then trying to break Snapchat’s encryption (this came out in March 2024). Anyone “can”, but we need to also consider “why” and what business model they have.

      • dukatos@lemm.ee
        1 year ago

        Just be careful with the “Swiss laws” defense. The laws are for Swiss citizens only. The same applies to “German privacy” laws.

        • GadgeteerZA@lemmy.mlOP
          1 year ago

          Well, Germany is EU, whilst Swiss is Swiss. But either way, their requirements are way higher than US law for access to any records or metadata. The other thing is, if you live outside of Switzerland, your own government has to arrange legal access via two countries’ jurisdictions. And of course, unlike the USA, neither the Swiss nor the Germans are allowed to just sell off data to data brokers.