That's not a bad idea, I'll see what people think. Note that clicking on the unsubscribe link will unsubscribe you to whatever comms preference was specified in the sending and tell you what it was.
Hey, Proton CTO here. There was a bug, and we fucked up. Support should have reported it up the chain and acknowledged this. Things happen, especially at scale, but we take comms consent seriously and will fix it.
We (Proton) have had our own CAPTCHA for a year or more now.
We aren't physically located in the US.
We do support automatic forwarding, have since last fall.
The author mentioned WKD but was mistaken. The culprit was keys.openpgp.org, not WKD.
Proton does this.
There aren't any links between Proton and Crypto AG, none at all.
This is Bart, Proton CTO here. For clarity, the issue mentioned here only impacts Proton Mail Bridge, our desktop IMAP/SMTP gateway to Proton Mail encrypted email. The fact that Bridge and its client can become…
As of a month or two ago, it does not redirect to the cleartext site and stays on .onion.
UI refresh, SSO/persistent sessions, and because this crowd might care, the whole app was rewritten from scratch to transition from Angular v1 to React, which simply had to be done and retired an enormous amount of…
We are aware of the the issues brought up in [0] and [1]. As suggested in [2], we are already considering to switch to an implementation in WebAssembly to mitigate the possibility of timing attacks on the web platform.…
Hi there, I'll ask someone to reach out. In the future, please file a support ticket at: protonmail.com/support-form
It's not a small use case for corporate users where the internal mail is all encrypted. We also have full PGP support and the bridge is fully integrated with this, so we hope the garden aspect will decrease with time,…
We (ProtonMail) don't provide a server-side IMAP/SMTP interface because we don't want to see your cleartext mail. And if you are doing the encryption and key management yourself locally, then you can literally use any…
We sent out an update about security features.
It is something we'd like to do, but it's still a little experimental and it hasn't gotten to the top of our priority list yet.
1. ProtonMail implements the OpenPGP standard and is fully interoperable with other OpenPGP email systems. 2. The web app is a single page application so it does not reload on every request. That said, you are correct…
I also think exploiting it would be extremely difficult. IIRC, it was NIST ECC curves which are hard to make constant time and do not have WebCrypto primitives. We are still going to see what we can do to address this.
You are confusing crypto primitives with a high-level spec like OpenPGP. OpenPGPjs used WebCrypto and node crypto libraries when available for primitives. You still need a library for the OpenPGP stuff.
Import/export tool is in beta now and will be available for all users on launch. Export is available now via the web interface but it's a little clunky. The reason this stuff is complex and taking a while is not…
These are good points, though at this point I think it does make sense to wait a bit to clean up the deprecated stuff, given that a lot was waiting on this release and we'll probably drop the old stuff in a month or so.…
1. Mobile apps are native, not web views 2. That's not what the TLS key was subpoenaed for--it was a very different system with a set of vulnerabilities we don't have, including a server-side encrypt mode and non-PFS…
> You're expecting us to believe nobody on your team would take a payout from or be coerced by US LEO's or spooks. That's crazy. No, we're saying that we don't store the data partly so that such a scenario isn't…
That's not a bad idea, I'll see what people think. Note that clicking on the unsubscribe link will unsubscribe you to whatever comms preference was specified in the sending and tell you what it was.
Hey, Proton CTO here. There was a bug, and we fucked up. Support should have reported it up the chain and acknowledged this. Things happen, especially at scale, but we take comms consent seriously and will fix it.
We (Proton) have had our own CAPTCHA for a year or more now.
We aren't physically located in the US.
We do support automatic forwarding, have since last fall.
The author mentioned WKD but was mistaken. The culprit was keys.openpgp.org, not WKD.
Proton does this.
There aren't any links between Proton and Crypto AG, none at all.
This is Bart, Proton CTO here. For clarity, the issue mentioned here only impacts Proton Mail Bridge, our desktop IMAP/SMTP gateway to Proton Mail encrypted email. The fact that Bridge and its client can become…
As of a month or two ago, it does not redirect to the cleartext site and stays on .onion.
UI refresh, SSO/persistent sessions, and because this crowd might care, the whole app was rewritten from scratch to transition from Angular v1 to React, which simply had to be done and retired an enormous amount of…
We are aware of the the issues brought up in [0] and [1]. As suggested in [2], we are already considering to switch to an implementation in WebAssembly to mitigate the possibility of timing attacks on the web platform.…
Hi there, I'll ask someone to reach out. In the future, please file a support ticket at: protonmail.com/support-form
It's not a small use case for corporate users where the internal mail is all encrypted. We also have full PGP support and the bridge is fully integrated with this, so we hope the garden aspect will decrease with time,…
We (ProtonMail) don't provide a server-side IMAP/SMTP interface because we don't want to see your cleartext mail. And if you are doing the encryption and key management yourself locally, then you can literally use any…
We sent out an update about security features.
It is something we'd like to do, but it's still a little experimental and it hasn't gotten to the top of our priority list yet.
1. ProtonMail implements the OpenPGP standard and is fully interoperable with other OpenPGP email systems. 2. The web app is a single page application so it does not reload on every request. That said, you are correct…
I also think exploiting it would be extremely difficult. IIRC, it was NIST ECC curves which are hard to make constant time and do not have WebCrypto primitives. We are still going to see what we can do to address this.
You are confusing crypto primitives with a high-level spec like OpenPGP. OpenPGPjs used WebCrypto and node crypto libraries when available for primitives. You still need a library for the OpenPGP stuff.
You are confusing crypto primitives with a high-level spec like OpenPGP. OpenPGPjs used WebCrypto and node crypto libraries when available for primitives. You still need a library for the OpenPGP stuff.
Import/export tool is in beta now and will be available for all users on launch. Export is available now via the web interface but it's a little clunky. The reason this stuff is complex and taking a while is not…
These are good points, though at this point I think it does make sense to wait a bit to clean up the deprecated stuff, given that a lot was waiting on this release and we'll probably drop the old stuff in a month or so.…
1. Mobile apps are native, not web views 2. That's not what the TLS key was subpoenaed for--it was a very different system with a set of vulnerabilities we don't have, including a server-side encrypt mode and non-PFS…
> You're expecting us to believe nobody on your team would take a payout from or be coerced by US LEO's or spooks. That's crazy. No, we're saying that we don't store the data partly so that such a scenario isn't…