This title is the definition of sensationalism and only by reading the article do you find the truth: "Their tests uncovered no major issues or security vulnerabilities". This is a bad look for them and I'm wary of their company now...
Using openssh as an example, would you say it's secure when you're using public keys for the authentication? Their track record seems pretty good over the last few years, but there might still be uncovered vulnerabilities; could it still claim to be secure?
The security auditors themselves would never actually word it like that in their reports, because the statement implies a degree of certainty that cannot really exist.
Here's an example of what the auditors actually said:
"Auditors identified two low-severity vulnerabilities. Additionally, five general recommendations were reported. At the same time, we confirm that no important security issues were identified during the pentest."
There's a reason that audit reports will never say outright that something is "secure". They may say something like "strong and effective security measures are in place", but that's a very different kind of statement.
I think the article itself is great but the headline just falls on the wrong side of being a bit hyperbolic and seems to be optimised for marketing impact over accuracy.
Nothing at all; it's a broken model. The server can at any time start serving malicious payloads [0]. The server hosts your mail, but they also serve the webapp. The client side decrypts the mail, but the server hosts the client code...
It's a fundamentally flawed idea, trying to retrofit encryption into email in this way, when the server essentially has to hold all of your mail. In this case, the only thing that would make me feel secure in using it is a third-party OSS client that downloads the mail without using the webapp, using only client-side code. And even then, of course, the mail can simply not be encrypted when being ingested by Proton. So even then I wouldn't really trust it without external encryption like PGP. In which case, why bother?
To be clear I do use private email services (protonmail, tutanota) but I am simply not going to fall for the illusion of guaranteed privacy; I just trust that they are what they say they are. They are still a better option IMO than something like Gmail, but I don't think they're a silver bullet.
[0]: If you think this is unlikely, see this: https://news.ycombinator.com/item?id=25337507
Typically: don't do that.
Nevertheless, if you insist: you can claim a certain abstraction of a system guarantees certain mathematically expressed requirements cannot be violated by a certain attacker model once you've formally proved that.
Of course, all implementations have implementation details which violate the abstraction, your mathematically expressed requirements may not fully capture your intentions, and in practice, an attacker may have additional options that your model doesn't consider. But hey, now you can truthfully claim that "the system" is "secure" - for some values of "system" and "secure".
https://en.wikipedia.org/wiki/Evaluation_Assurance_Level
Proton is claiming something similar to EAL4, which is not "secure"; there is an assurance that not all trained reviewers can find a vulnerability. Openssh is a little less secure than that formally, but has more trained reviewers informally, which probably cover some parts extremely well and other parts sparsely.
You can write all of the tests, you can get all of the audits, but there's nothing that's going to stop a 13-year-old Polish kid from mucking about in the guts of your tech. Security isn't a promise you can make in absolutes; at some point you have to ship and you hope that you did everything well enough that there's no low-hanging fruit.
There’s no such thing as a secure system, only systems which are more expensive to compromise.
It does build confidence in the security to perform security audits.
Here's a maybe wild take, uh, never?
Have they proved the non-existence of bugs? Nope. But the title is also not the complete opposite of reality, which is what their competition seems to be doing.
If you cover your ass in a headline, which ultimately ends as legalese, the average person will completely ignore it due to wordiness or they will become suspicious and assume the worst.
The body and attachments do not mislead at all and that should be commended.
All this pedantry is counterproductive unless you truly know and trust your audience. Proton should be for the masses, not just for the technically adept.
Yes, they support multi-factor authentication, but only via phishable methods (TOTP)[1]. They have been "trying" for years[2] to implement U2F but for some reason haven't been able to figure it out yet /shrug
[1] https://protonmail.com/support/knowledge-base/two-factor-aut...
[2] https://twitter.com/protonmail/status/1300758061255217153?la...
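The comment above turns on why TOTP counts as phishable while U2F does not. As an added example (mine, not code from the commenter, ProtonMail, or any U2F library), the script below implements RFC 6238 TOTP with the standard library and then simulates a real-time phishing relay: the victim is on an attacker-controlled look-alike origin, and the attacker forwards whatever the victim produces to the real login endpoint. A TOTP code carries no notion of where it was typed, so the relayed code is accepted. A U2F-style assertion includes a hash of the origin the browser actually saw (the application parameter), so the same relay fails. Assumptions: the origins, secrets and challenge are constructed values, and an HMAC over the U2F message layout stands in for the authenticator's per-origin ECDSA signature.

```python
"""Why TOTP is phishable and an origin-bound (U2F/WebAuthn-style) assertion is not.

Added example; not from ProtonMail or the thread. Models a real-time phishing
relay: the victim is on a look-alike origin run by the attacker, who forwards
whatever the victim produces to the real login endpoint.
"""
import hashlib
import hmac
import struct
import time

# --- TOTP (RFC 6238: HMAC-SHA1, 6 digits, 30 s step) --------------------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30) -> str:
    """The code the victim's authenticator app shows at Unix time `now`."""
    return hotp(secret, now // step)

def verify_totp(secret: bytes, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check; accepts adjacent time steps, as most servers do."""
    return any(hmac.compare_digest(hotp(secret, now // step + d), code)
               for d in range(-skew, skew + 1))

# --- Origin-bound assertion (U2F-style application parameter) -----------------
# A real authenticator signs with a per-origin ECDSA key. Here an HMAC over the
# same message layout stands in for that signature (assumption, for brevity).

def sign_assertion(device_key: bytes, origin: str, challenge: bytes) -> bytes:
    """What the victim's browser asks the token to sign; the browser supplies `origin`."""
    app_param = hashlib.sha256(origin.encode()).digest()
    return hmac.new(device_key, app_param + challenge, hashlib.sha256).digest()

def verify_assertion(device_key: bytes, expected_origin: str, challenge: bytes, sig: bytes) -> bool:
    """Relying party recomputes over ITS OWN origin, never one supplied by the client."""
    app_param = hashlib.sha256(expected_origin.encode()).digest()
    expected = hmac.new(device_key, app_param + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

# --- Phishing relay simulation ------------------------------------------------

REAL_ORIGIN = "https://mail.example"    # constructed; stands in for the real site
PHISH_ORIGIN = "https://mail.examp1e"   # constructed look-alike origin

def relay_totp(secret: bytes, now: int) -> bool:
    """Victim types the code into the phishing page; attacker submits it to the real site."""
    victim_code = totp(secret, now)            # generated on the victim's phone
    # The code carries no origin; it is valid wherever it is presented in time.
    return verify_totp(secret, victim_code, now + 5)   # a few seconds later

def relay_u2f(device_key: bytes, challenge: bytes) -> bool:
    """Attacker fetches a real challenge and feeds it to the victim on the phishing origin."""
    # The victim's browser signs for the origin it is actually on: the phishing one.
    victim_sig = sign_assertion(device_key, PHISH_ORIGIN, challenge)
    # The real site checks against its own origin and rejects the relayed assertion.
    return verify_assertion(device_key, REAL_ORIGIN, challenge, victim_sig)

if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    now = int(time.time())
    print("TOTP relayed by phisher accepted:", relay_totp(secret, now))         # True
    print("U2F relayed by phisher accepted:", relay_u2f(b"device", b"chall"))   # False
```

The TOTP half can be checked against the RFC 6238 test vectors (ASCII secret "12345678901234567890", time 59 gives "287082" at six digits). The U2F half only holds if the relying party hard-codes its own origin in `verify_assertion`; a server that trusted an origin string sent by the client would be just as relayable as TOTP.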
When someone makes a stronger claim you're left wondering if it's the original source or the messenger that's after oversimplifying the situation and it looks bad for one or the other.
https://www.engadget.com/protonmail-climate-activist-ip-swis...
I know that ProtonMail doesn’t claim to protect your IP address, but I don’t expect the average user to make that distinction.
This is another dumb article. Getting your service tested for vulnerabilities is good hygiene but it shouldn’t be used as marketing material to make users think your service is Fort Knox.
Well, conflating "security" with "following the law" seems odd. Does anyone realistically expect a legally incorporated company to not follow laws? They have to respond to lawful requests, otherwise there will be no business at all.
As long as they fight against unlawful requests, they are what they make out to be. If they're found to be spying on their users when it's not lawfully requested, then you have some bite in your argument. But otherwise, I'm not sure what you expect them to do.
By the way, they seem to be pretty upfront about how they collaborate with law enforcement, at least according to https://protonmail.com/law-enforcement Maybe it wasn't like that in 2021 when the article you linked was published?
In the end, if you rely on any single company for both your security and privacy, you're playing a losing game. Not hiding your IP when signing up for something when you're planning to do illegal activities? Maybe time to reconsider your opsec strategy.
I’m talking about privacy, not security. And again, this has nothing to do with their official policies listed on their website, but rather their tendency to market themselves as “a super private e-mail provider built by CERN scientists.”
I think for many use cases (e.g., political activism) most people's intuitive idea of privacy does not align at all with what ProtonMail actually provides.
> In the end, if you rely on any single company for both your security and privacy, you're playing a losing game. Not hiding your IP when signing up for something when you're planning to do illegal activities? Maybe time to reconsider your opsec strategy.
Totally agree. But again, this is less about getting the average individual to rethink their opsec strategies, and more or less about ProtonMail's proclivity to market themselves as an organization that solves these opsec problems for you.
This article is yet another example.
Joking aside - making good privacy laws is not an easy task. “privacy” is not even easy to define, much less create fair laws around what will likely be an imperfect definition.
Moreover: "Tests have been carried out in September 2021 in accordance with generally accepted methodologies, including OWASP Top 10 and SANS Top Issues".
It's hard to believe that one can call apps secure after pen testing, especially when the two highlights are such low-hanging fruit as the OWASP Top 10 and SANS Top Issues.
It doesn't really give any confidence in Proton, but then again, I am not an expert, and have seen such useless reports at different clients.