this post was submitted on 22 Oct 2023
457 points (98.9% liked)
Privacy
31182 readers
1812 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
Chat rooms
-
[Matrix/Element]Dead
much thanks to @gary_host_laptop for the logo design :)
founded 4 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
their clients use the same JS implementation, they are the web version wrapped in electron.
The major problem with these JS implementations (including Proton and any other program that uses JS for encryption) is that it would be trivial for them to grab your private key from your browser and send it to their servers. And yes, we have the code. But it's virtually impossible to verify that the code they are sending to your browser each time is exactly the same one that they publish on github, after JS minimizers and all that.
A third party that found a vulnerability in a browser could also inject their own JS and steal your private keys.
You're obviously right about everything else and email's inherent insecure nature.
I still find it useful because it's the only online communication channel that is widely adopted, that can be self-hosted without depending on third party servers or you can simply choose a provider you trust. I'd love to have that with XMPP or SimpleX or something like that, but currently we're stuck with email.
The point of a fully embodied app, is you don't have to pull the JavaScript from the website. It's distributed via the app system. Fdroid in many cases
yes, the clients should be good in most cases, as long as builds are reproducible or you compile yourself from the public code (which is not most cases).
Still, I'd rather do OpenPGP encryption on my client of choice with my implementation of choice that is provider agnostic.
Fair. Glad you found an email system that works for you, PGP is great.
They are in the f Droid repo, which means fdroid does build them from the source code.
I just don't think tutanota is shitty, they've just made different trade-offs.
I personally don't like Tutanota for a lot of reasons. The other day I recommended Tutanota to someone that needed a new email account and they weren't able to create the Tutanota account using Tor. They tried using a VPN and they weren't able. Tutanota said their IP address was being used for abuse.
What's the point of a private email if you block anonymizers?
Some people might find a use case for it, of course. And their post advocating against anti-encryption laws is good. But I don't think it's a good email provider and I won't be recommending them again.
For people willing to give up their identity, I've had no issues with them. Since I have a domain tied to them and the domains tied to an identity it's fine for me.
So I agree they're not an anonymous email provider.
They are however in encrypted at rest email provider. And and I'm happy to recommend them to anybody who doesn't need anonymity in their email.