this post was submitted on 26 Feb 2025
534 points (98.0% liked)

Technology

63401 readers
6483 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s
enu
technopagan
L4s
534
Proton will no longer post on Mastodon (discuss.privacyguides.net)
submitted 2 days ago by ForgottenFlux to c/technology
154 comments fedilink hide all child comments
 

Proton: “We’re consolidating our social media presence due to limited resources and no longer posting on Mastodon. Follow us on Reddit for the latest updates”

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 1 points 1 day ago (1 children)

I can see a threat model already from 2014.

Anyway, I think it's a tradeoff that it's hard to assess quantitatively, as risk is always subjective. From where I stand, the average person using native clients and managing their own keys has a much higher chance to be compromised (by far simpler vectors), for example. On the other hand, someone using a clean OS, storing the key on a yubikey and manually vetting the client tool can resist to sophisticated attacks better compared to using web clients.

I just don't see this as hill to die on either way. In fact, I also argue in my blog post that for the most part, this technical difference doesn't impact the security sufficiently to make a difference for the average user.

I guess you disagree and that's fine.

[–] DreamlandLividity 1 points 1 day ago* (last edited 1 day ago) (1 children)

doesn't impact the security sufficiently to make a difference for the average user.

I think it is borderline. I am not advocating for PGP, I like the Signal model where you trust signal for introductions but have the ability to verify, even in retrospect. Trust but verify. Even a few advanced users verifying Signal keys forces Signal to remain honest or risk getting caught.

I think the lack of meaningful verification for proton is a significant security weakness, though average user probably has bigger things to worry about.

[–] [email protected] 1 points 1 day ago (1 children)

I think I can agree with that. Unfortunately PGP is the only alternative we have for emails (i.e., the client-side tools would still be doing PGP encryption), which is also the reason why it shouldn't be used for really delicate communication. The fact that - whatever setup you use - there will always be metadata showing that person X communicated with person Y alone is a nonstarter for certain types of communication.

Signal would be my recommendation.

[–] DreamlandLividity 1 points 1 day ago* (last edited 1 day ago)

Yeah, we should just ditch email for sensitive communications.

Anyway, my point was that I lost trust in Proton back then over this and went to Tuta that has native clients. It makes no difference to my security since I don't think I ever sent or received a single mail that was actually e2e encrypted. But Tuta's more serious approach to e2ee made me slightly more confident in it as a company.

Now it kinda looks like it was the right choice.