• dan@lemm.ee
    link
    fedilink
    English
    arrow-up
    17
    ·
    1 year ago

    Right, but what the author is trying to implement is what is generally considered best practice for secure email.

    You’re right that what Proton are doing is a compromise that’s reasonable for most people, but the author here is annoyed that there’s no way to turn it off so he can implement best practice E2EE himself.

    Ironically he could probably do that with the vast majority of providers that aren’t Proton, so to me it seems like a totally reasonable ask that a self described privacy focused email provider has some way to allow you to implement best practice email security.

      • dan@lemm.ee
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        I guess they were probably so caught up in making it easy to use they forgot about the best practice use case.

        I agree with you - I don’t think it would take much to adapt their system to support both, even if it’s a manual “I know what I’m doing” power user option hidden away somewhere.

    • slowbyrne@beehaw.org
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      I’m on the fence about this since how would proton verify that “best practices” were followed? They are a privacy focused product and a feature like that could be used to decrease their services privacy. This author would likely implement best practices and many other likely would too, but say a competitor wanted to prove that their product was more secure, a feature like that could enable a competitor to showcase a security “flaw”. And since headlines are all people read these days it would be damaging.

      The feature the author described would be great but ProtonMail would need to make it fool-proof and temper-proof which requires a lot of Dev time and effort. I’m still waiting on proton bridge to work with calendar and contacts. Or contacts birthdays to show up in my calendar.

      Like I said, its a good feature, but its likely a large ask for a niche group of customers.

      • dan@lemm.ee
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Eh, I don’t think it’s be a big deal. Slap a giant warning on it, all good. Super common on all sorts of platforms. Anyone trying to claim their encryption doesn’t work because they have a (scarily labelled) option to disable it can be easily demonstrated to be disingenuous.

        And worst case if someone does disable it but doesn’t implement their own then their email I just falls back to… the same as any other platform.

        They might not want to take the time to build it, but I think what this dude is asking for is a totally reasonable thing.