Not PGP (see footnote in article). PGP is actual E2EE. Rather, this is about services such as ProtonMail that don't make the difference clear enough.
Here is a reference from ProtonMail: https://proton.me/support/proton-mail-encryption-explained
> The email is encrypted in transit using TLS. It is then unencrypted and re-encrypted (by us) for storage on our servers using zero-access encryption. Once zero-access encryption has been applied, no-one except you can access emails stored on our servers (including us). It is not end-to-end encrypted, however, and might be accessible to the sender's email service.
This is exactly what this article addresses. ProtonMail does NOT encrypt on the client side unless you use PGP or email other ProtonMail users. Imagine sending an email to a Gmail user. To actually send the email, ProtonMail's servers have to read the full unencrypted contents to post over to Gmail's servers. The Gmail user, and by extension Google, has full access to the email's contents unencrypted.
This is not disputed by ProtonMail, but unfortunately they hide it behind secondary pages on their website. It's not just ProtonMail either, but really all E2EE email services.
I know it seems paradoxical, but the argument is all email is unencrypted anyway! It's only encrypted after being seen by the server, at the provider's word. So just like unencrypted email, a server vulnerability can leak your emails even in a service like ProtonMail (well, unless using PGP or in-platform encryption, which is very rare). To me this is misleading to the everyday user and a really dangerous issue that I want to bring more attention to.
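As an added illustration of the three delivery paths discussed in this thread (same-provider "zero-access" storage, PGP-style end-to-end encryption, and mail to an external provider such as Gmail), here is a small Python model. It is not code from the post, the linked article or Proton; the `toy_cipher` function is a constructed stand-in for TLS, PGP and storage encryption alike, and every key, mailbox and provider name is made up. What it shows is the one thing that matters for the argument above: on which paths the provider's software ever holds the message body in the clear.

```python
import hashlib
from dataclasses import dataclass, field


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Constructed toy stream cipher: XOR with a SHA-256 keystream.

    It is symmetric, so the same call decrypts. It stands in for TLS, PGP
    and storage encryption alike; the example is about who ever holds the
    plaintext, not about cipher strength, and this is NOT a real cipher.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


@dataclass
class Provider:
    """A mail provider (constructed). `handled` records every payload the
    provider's software held after terminating TLS: that is what a server
    compromise or a legal demand against the provider could expose."""
    name: str
    storage_keys: dict = field(default_factory=dict)  # mailbox -> storage key
    mailbox: dict = field(default_factory=dict)       # mailbox -> stored blob
    handled: list = field(default_factory=list)

    def receive(self, tls_key: bytes, wire: bytes) -> bytes:
        # TLS terminates here: the provider must strip the transport layer
        # to route the message at all, whatever is inside.
        payload = toy_cipher(tls_key, wire)
        self.handled.append(payload)
        return payload

    def store_zero_access(self, recipient: str, payload: bytes) -> None:
        # "Zero-access" storage: encrypt to the recipient's key *after* the
        # provider has already seen the payload in the clear.
        self.mailbox[recipient] = toy_cipher(self.storage_keys[recipient], payload)

    def store_opaque(self, recipient: str, payload: bytes) -> None:
        # Payload is already ciphertext under a key the provider lacks.
        self.mailbox[recipient] = payload


def saw_plaintext(provider: Provider, body: bytes) -> bool:
    """Did this provider ever hold the message body unencrypted?"""
    return body in provider.handled


TLS_KEY = b"constructed-tls-session-key"  # constructed; one key per hop in reality


def send_zero_access(body: bytes, provider: Provider, recipient: str) -> bytes:
    """Path 1 (same provider, no PGP): plaintext under TLS, decrypted by the
    provider, then re-encrypted for storage. Returns what the recipient reads."""
    payload = provider.receive(TLS_KEY, toy_cipher(TLS_KEY, body))
    provider.store_zero_access(recipient, payload)
    return toy_cipher(provider.storage_keys[recipient], provider.mailbox[recipient])


def send_e2ee(body: bytes, provider: Provider, recipient: str, recipient_key: bytes) -> bytes:
    """Path 2 (PGP-style E2EE): the sender's client encrypts to the recipient's
    key before TLS, so the provider only relays and stores ciphertext."""
    pgp_blob = toy_cipher(recipient_key, body)
    payload = provider.receive(TLS_KEY, toy_cipher(TLS_KEY, pgp_blob))
    provider.store_opaque(recipient, payload)
    return toy_cipher(recipient_key, provider.mailbox[recipient])


def send_to_external(body: bytes, sender_provider: Provider,
                     external_provider: Provider, recipient: str) -> bytes:
    """Path 3 (the Gmail case): recipient is on another provider. The sending
    provider decrypts the first TLS hop and opens a second hop to the external
    provider; both providers hold the plaintext, and what the external
    provider does with it afterwards is its own choice."""
    payload = sender_provider.receive(TLS_KEY, toy_cipher(TLS_KEY, body))
    hop2_key = b"constructed-tls-hop-2-key"
    delivered = external_provider.receive(hop2_key, toy_cipher(hop2_key, payload))
    external_provider.mailbox[recipient] = delivered
    return delivered


if __name__ == "__main__":
    body = b"constructed sample: meeting moved to Thursday"
    prov_a = Provider("provider-A", storage_keys={"alice": b"alice-storage-key"})
    send_zero_access(body, prov_a, "alice")
    print("zero-access path, provider saw plaintext:", saw_plaintext(prov_a, body))

    prov_a2 = Provider("provider-A", storage_keys={"bob": b"bob-storage-key"})
    send_e2ee(body, prov_a2, "bob", b"bob-pgp-key")
    print("PGP path, provider saw plaintext:", saw_plaintext(prov_a2, body))

    prov_b = Provider("provider-B")
    send_to_external(body, prov_a, prov_b, "carol")
    print("external path, sender/receiver providers saw plaintext:",
          saw_plaintext(prov_a, body), saw_plaintext(prov_b, body))
```

`saw_plaintext` is the check to keep in mind when reading a provider's marketing: on paths 1 and 3 it is true even though the stored copy is encrypted, so a compromise of the provider's running software (as opposed to its storage) exposes mail; only on path 2 does the provider never hold anything it could read.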
But you just posted the following quote from their website, which is clearly misleading. Imagine a non-technical user reading this, and trusting secrets to ProtonMail.