John Richard

deleted by creator

Two people that look alike but aren’t related. That’s what I’m talking about!

I use Hyrpland, and so there are times where I need to use GTK or Qt tools. I generally don’t like KDE-based tools though because they are dependency-heavy.

So does many of the GTK tools though… so, again… why use Qt at all if you want to save memory.

I like some of LXQt tools, but at one point do you decide if you’re going to use Qt… why not just go all out and use KDE?

Why is it that it seems like Gnome seems to be implementing Windows bad practices? The last thing Linux needs is a Windows registry. One of the greatest benefits of Linux IMO is the ability to configure applications in config files… not having to use some custom tool to manage the configuration.

You summed it up better than I ever could. I’d give you lemmy gold if that was a thing.

Great… now if AMD actually cares about virtualization, maybe they can stop limiting virtual GPUs to their enterprise GPUs. Damn monopolies really don’t want to see consumers have full virtualization support for Windows on Linux.

deleted by creator

deleted by creator

Okay, well it’s just the vulnerabilities you mentioned were geared towards email client issues that among other things would automatically load HTML data upon decryption. Furthermore, primary vulnerable targets were 10 year old email clients at the time that hadn’t received any security updates. The SE data packet issue had been documented even in the spec since at least 2007 about its security issues and recommended rapid mitigation techniques. All in all, the EFAIL documented issues with mail client failures, not with OpenPGP itself.

Second, OpenPGP web-of-trust, or whatever you want to call it (public keyservers) is entirely optional. In fact, Proton relies heavily on this in from what I can tell actually enforces it in a more insecure way, but opting users into their internal keyserver automatically.

It’s quite possible that privacy is too hard for you and trash talking open source makes you feel better about the money you’re paying to someone else to say they’ll do a better job for you.

You should go tell that to the maintainers of GrapheneOS, which is known as the most secure mobile OS… which uses a custom Chromium build, because of Chromium’s superior sandboxing.

Oh really, what policies are you using? Cause my Firefox does all the same things you mention regarding calling Mozilla services for all sorts of things, including telemetry. Oh, and it isn’t fingerprint resistant either… so please, share what you’re doing.

All good points. It seems like we mostly agree on the same concepts. I don’t disagree that people using Proton may have better privacy overall than other services, but I do disagree on the way they implemented it and find their design decisions and approach to be questionable. It screams that they are profit-hungry and admire Apple’s walled garden.

You can use PGP with just about any email service. I personally just use SimpleLogin, where you can add your public key to have all your messages encrypted. But Thunderbird, KMail, Evolution, FairMail, etc all support email encryption too with IMAP.

IMAPs is just IMAP on TLS, so it does not have anything to do with e2ee in this context.

If you use GnuPG or one of the GUI implementations it does.

You do realize e2ee merely means that two users share public keys when they communicate in order to decrypt the messages they receive, right?

*DAV clients expect cleartext data on the server. If you encrypt the data, you need to build all this logic into the clients, and you are not following the standard anymore, which means you will anyway be bound to your client only (and those which implement compatibility).

You’re talking about people paying for cloud services that manage everything for them. Nothing to stop you from hosting your own on an encrypted drive. EteSync does E2E already, and there is already a plethora of apps supporting PGP on Android and Desktop to encrypt/decrypt messages.

Proton stores an encrypted blob.

It doesn’t matter that your private key is stored on their servers encrypted/hased or whatever. If you were simply storing it there, that would not be an issue. The problem is that you’re also logging in and relying on whatever JS is sent to you to only happen client-side.

Probably we misunderstand what “transparent” means in this context. What I mean is that the average user will not do any PGP operation, in general. Encryption happens transparently for them, which is the whole thing about Proton: make encryption easy and default.

Most users aren’t sending emails from their Proton to other Proton users either. Furthermore, the users that want encryption seek it out. They don’t need to use Proton for encryption, especially when it would be easy for them to get an unknowing users decryption password.

Again, as I said before, they control the JS, they can get the decrypted data without getting the password…? You always trust your client tooling. There is always a point where I trust someone, be it the “enigmail” maintainers, Thunderbird maintainers (it has access to messages post-decryption!), the CLI tool of choice etc.

Yes, you have to trust source code somewhere, but with Thunderbird or other mail clients that is open source and their apps are signed or you can reproducibily build from source. However, once that is built it doesn’t change. With Proton, everytime you visit their site you don’t know for sure that it hasn’t changed unless you’re monitoring the traffic. A government is much more likely to convince Proton to send a single user a custom JS payload, than to modify the source code of Thunderbird in a way that would create an exploit that bypasses firewalls, system sandboxing, etc.

I mean, their clients are open-source and have also been audited?

You mean their PWA/WebView clients that can still send custom JS at anytime, or their bridge?

Care to share any practical example/link, and how exactly this means not having a fat client that does the encryption/decryption for you?

First, explain what you mean by a fat client? GnuPG is not a fat client.

Right, because *DAV protocol are so secure. They all support e2ee, right…? There is a security benefit, and the benefit is trusting the client software more than a server, especially if shared. You can export data and migrate when you want easily, so it’s really a matter of preference.

Being able to export things is a lot different than being able to use Thunderbird for Calendars, or a different Contacts app on your phone. DAV is as secure as the server you run it on and the certificate you use for transport.

At least you’re open to moving on. I think keeping an open attitude in any scenario is prob the best option. For most people, I’d recommend they keep using whatever works for them. If you’re happy with Proton then switching may just cause frustration. However, if you’re very much security focused and also care about things like being able to access your calendars/contacts in the apps you want, then I’d prob suggest just using SimpleLogin for email with their GPG feature, vaultwarden for passwords (you can still use the BitWarden phone apps), and Nextcloud for Calendar/Contacts which also supports DAVx for mobile.

My sincerest apologies. I misread the thread and thought you were advocating for Proton, which IMO is a questionable company. Thanks for the clarification.