this post was submitted on 07 May 2024
15 points (89.5% liked)

Proton

5301 readers
8 users here now

Empowering you to choose a better internet where privacy is the default. Protect yourself online with Proton Mail, Proton VPN, Proton Calendar, Proton Drive. Proton Pass and SimpleLogin.

Proton Mail is the world's largest secure email provider. Swiss, end-to-end encrypted, private, and free.

Proton VPN is the world’s only open-source, publicly audited, unlimited and free VPN. Swiss-based, no-ads, and no-logs.

Proton Calendar is the world's first end-to-end encrypted calendar that allows you to keep your life private.

Proton Drive is a free end-to-end encrypted cloud storage that allows you to securely backup and share your files. It's open source, publicly audited, and Swiss-based.

Proton Pass Proton Pass is a free and open-source password manager which brings a higher level of security with rigorous end-to-end encryption of all data (including usernames, URLs, notes, and more) and email alias support.

SimpleLogin lets you send and receive emails anonymously via easily-generated unique email aliases.

founded 1 year ago
MODERATORS
 

AFAIK when you log in to Proton, you send them your password, they do the standard hashing and checking against the hash stored in their database, and if it matches them they let you log in by sending you a token of some sort.

If the your password is your encryption key, and if at some point Proton needs your plaintext password in order for you to log in, then doesn't that mean they still have a way to access your data? They could take the plaintext password and decrypt everything in your account without you knowing, right?

top 3 comments
sorted by: hot top controversial new old
[–] [email protected] 38 points 6 months ago (1 children)

Your Proton password is not the encryption key for your data, not directly. Basically, your password is used to encrypt the actual encryption key inside your browser, and that encrypted encryption key is stored on Proton servers alongside your data. Proton can't access your data because they don't know your password which was used to encrypt the encryption key.

When you want to access your data, Proton servers sends the encrypted encryption key to your browser, and your browser decrypts it using the password you entered. Proton servers then send you your encrypted data, and your browser decrypts it using the decrypted encryption key and shows it to you. There's no point where Proton has enough information to decrypt your data. Your actual plaintext password never leaves your browser.

This is a simplified high-level overview of how it works, of course there's a lot more details to the actual implementation.

[–] asdfasdfasdf 4 points 6 months ago

Awesome, very well explained! Thank you.

[–] Linguist 12 points 6 months ago

"To solve this problem, we have re-engineered our entire login process to never send the login password to our server, which has the added benefit of helping protect against MITM (man-in-the-middle) attacks."

https://proton.me/blog/encrypted-email-authentication