In no world is it excusable to have your ostensible competitor sign your binaries or certificates. They can make all the excuses they want, but it doesn't dissolve their incompetence, and shows they are unfit for running such a user-critical business.
No third party signed their certificates. Just a contracted employee who worked for Tesonet typed in his company name instead of ProtonVPN. That's just the Android keystore, nothing else. Google supports keystore rotation only starting with Android 9.
It's actually not even a contracted employee. It was a Proton employee who in 2016 was getting payroll through another company before we had our own corporate entity. Keystore rotation is still not yet available in Android, so the old key (which we solely control) can't be changed or modified. Android actually also hashes with the certificate metadata, so even that can't be edited separately.
On principle I am not impressed with what happened and I think it's very sloppy. After the Lavabit fiasco we have to be extra scrupulous about the leadership in privacy-oriented companies. That said, I still have a few accounts with Protonmail and I think the service itself is pretty good.
There are a couple of ways to look at this.
On one hand, there's an anonymous website and hundreds of Twitter bots pushing a story that is demonstrably false (just check public records).
Then, on the other hand, you have Mozilla and the EU (which has access to all European corporate records) vouching for Proton (since they partially fund Proton). We also operate in a highly transparent way, so all information debunking this is actually in public record, details here: https://protonvpn.com/blog/is-protonvpn-trustworthy/
Proton definitely has an office and subsidiary in Vilnius; it's not a secret because it's on Instagram: https://www.instagram.com/p/BxMz62oHb6K/ The office is inside a 30-storey building, so it is not surprising the address is shared with quite a few other companies. But that doesn't mean Proton as a whole is based in Vilnius.
The people spreading the false information are also falsely implying that Proton's subsidiary controls the Swiss parent company, which is never the case as it's always the other way around (the parent controls the subsidiary). And it's super easy to disprove because, unlike most companies in the VPN space, the directors of Proton's Swiss parent company are in the public record, and are all well-known people who have been in the public eye for years (e.g. at TED: https://www.ted.com/talks/andy_yen_think_your_email_s_privat...)
Can you explain how Mozilla entering into a partnership is the same as vouching? Did they do any particular vetting or analysis, or was this just a marketing partnership?
Quoting from the blog post:
"We therefore set out to conduct a thorough evaluation of a long list of market-leading VPN services. Our team looked closely at a wide variety of factors, ranging from the design and implementation of each VPN service and its accompanying software, to the security of the vendor's own network and internal systems. We examined each vendor's privacy and data retention policies to ensure they logged as little user data as possible. And we considered numerous other factors, including local privacy laws, company track record, transparency, and quality of support."
It was quite intensive, with on-site visits to our office in Geneva and discussions with Mozilla technical leadership.