• sudneo@lemm.ee
    English
    arrow-up
    4
    ·
    3 months ago

    It’s not “insecure”, it’s simply a supply chain risk. You have the same exact problem with any client software that you might use. There are still jurisdictions, there are still supply chain attacks. The posture is different simply by a small tradeoff: business incentive and size for Proton as pluses vs quicker updates (via JS code) and slower updates vs worse security and dependency on a handful of individuals in case of other tools.

    Any software that makes the crypto operations can do stuff with the keys if compromised or coerced by law enforcement to do so.

    In any case, if this tradeoff doesn’t suit you, the bridge allows you to use your preferred tool, so this is kind of a moot point.

    The main argument for me is that if you rely on mail and gpg not to get caught by those who can coerce Proton, you are already failing.

    • endofline@lemmy.ca
      English
      arrow-up
      1
      ·
      3 months ago

      I used bridge for many years. It was totally unusable - 1) you cannot delete emails with it (deleted emails were coming back), 2) synchronization issues, so it made me move to another “plain and simple” email provider offering pop3 and imap and also gpg integration (but without that e2e hype talk)

      • sudneo@lemm.ee
        English
        arrow-up
        1
        ·
        3 months ago

        I can’t comment on this, since I haven’t used the bridge for a while. But it’s just an IMAP/SMTP server, so not sure why certain features wouldn’t work. What service did you end up using which has gpg integration?

        • endofline@lemmy.ca
          English
          arrow-up
          3
          ·
          3 months ago

          I used protonmail for 3 years - bridge issues have been being ignored by protonmail support in my opinion. “Clean cache and try again”. I stopped using protonmail and switched to mailbox.org. So far so good.

          • sudneo@lemm.ee
            English
            arrow-up
            1
            ·
            3 months ago

            From what I read though, the GPG security model for mailbox.org is the same as it is for Proton webmail (except for the browser plugin, where the difference is not really there). I like mailbox.org, to be clear, but I don’t get how it is an alternative to the bridge.

            • endofline@lemmy.ca
              English
              arrow-up
              1
              ·
              edit-2
              3 months ago

              I don’t use the mailbox gpg service, simple as that. I use mailbox’s perfect imap (k-9) / pop3 (desktop) integration and use gpg natively in case that person uses gpg. Thunderbird (desktop), k-9 with openkeychain on android. I don’t say proton is bad. It’s quite good if you never want to export mails outside our webmail. I do want it so protonmail is not for me. Most of my protonmail issues were with their bridge, which they, until the moment I migrated to mailbox, had not resolved.

              • sudneo@lemm.ee
                English
                arrow-up
                1
                ·
                3 months ago

                Oh that makes sense. Yeah, definitely simple encryption and exported (unencrypted) emails are not going to work together.

                I am all in support for European tech companies, so I think that mailbox.org, tuta, proton etc. are all good options.