Proton: “We’re consolidating our social media presence due to limited resources and no longer posting on Mastodon. Follow us on Reddit for the latest updates: Reddit - Dive into anything”. This is unexpected, as they had around 50k subscribers on Mastodon, and mirroring posts is super easy. I find that concerning that they stopped posting on open and decentralized platform, but keep posting on Meta and X.

Proton: “We’re consolidating our social media presence due to limited resources and no longer posting on Mastodon. Follow us on Reddit for the latest updates”

  • DreamlandLividity@lemmy.worldEnglish
    1·
    11 hours ago

    Bridge did not exist back then.

    As for it being sophisticated attack, I think it is relative.

    Regardless, if Proton said it did not matter to most people, I would respectfully disagree and move on. They did not. They claimed it is not at all less secure than a native app, which is BS.

    • loudwhisper@infosec.pubEnglish
      1·
      11 hours ago

      I can see a threat model already from 2014.

      Anyway, I think it’s a tradeoff that it’s hard to assess quantitatively, as risk is always subjective. From where I stand, the average person using native clients and managing their own keys has a much higher chance to be compromised (by far simpler vectors), for example. On the other hand, someone using a clean OS, storing the key on a yubikey and manually vetting the client tool can resist to sophisticated attacks better compared to using web clients.

      I just don’t see this as hill to die on either way. In fact, I also argue in my blog post that for the most part, this technical difference doesn’t impact the security sufficiently to make a difference for the average user.

      I guess you disagree and that’s fine.

      • DreamlandLividity@lemmy.worldEnglish
        1·
        6 hours ago

        doesn’t impact the security sufficiently to make a difference for the average user.

        I think it is borderline. I am not advocating for PGP, I like the Signal model where you trust signal for introductions but have the ability to verify, even in retrospect. Trust but verify. Even a few advanced users verifying Signal keys forces Signal to remain honest or risk getting caught.

        I think the lack of meaningful verification for proton is a significant security weakness, though average user probably has bigger things to worry about.

        • loudwhisper@infosec.pubEnglish
          1·
          6 hours ago

          I think I can agree with that. Unfortunately PGP is the only alternative we have for emails (i.e., the client-side tools would still be doing PGP encryption), which is also the reason why it shouldn’t be used for really delicate communication. The fact that - whatever setup you use - there will always be metadata showing that person X communicated with person Y alone is a nonstarter for certain types of communication.

          Signal would be my recommendation.

          • DreamlandLividity@lemmy.worldEnglish
            1·
            6 hours ago

            Yeah, we should just ditch email for sensitive communications.

            Anyway, my point was that I lost trust in Proton back then over this and went to Tuta that has native clients. It makes no difference to my security since I don’t think I ever sent or received a single mail that was actually e2e encrypted. But Tuta’s more serious approach to e2ee made me slightly more confident in it as a company.

            Now it kinda looks like it was the right choice.