Founders with US affiliation/physicist creating crypto products [1], faulty clai...

nl · 2024-10-11T02:43:32 1728614612

Doing crypto on the client side in JS is absolutely the correct way to do this if you want E2EE with a web client. You need to be careful about supply chain attacks etc.

> To me, this smells like Crypto AG

It's easy to throw around unsubstantiated, impossible to disprove theories.

devman0 · 2024-10-10T23:56:43 1728604603

How else would you do client side crypto for a website if not with JavaScript, isn't that kind of the point of how Proton does E2EE?

stavros · 2024-10-11T01:51:52 1728611512

Crypto for websites is completely broken (because the server can serve you whatever it wants), so doing crypto for websites at all is suspicious.

iknowstuff · 2024-10-11T02:06:36 1728612396

I guess they have this for local email decryption: https://proton.me/mail/bridge

idk if they have anything like that for their other products like calendar or file storage

Presumably if you stick to mobile apps you won't be using JavaScript served by their server? Unless they're just html wrappers

stavros · 2024-10-11T02:09:50 1728612590

Yeah, apps are generally OK, unless they're webviews, as you say.

The bridge looks good, though it seems really shady that it's not open source. I'd expect it to definitely be open.

bsx · 2024-10-11T12:17:34 1728649054

https://github.com/ProtonMail/proton-bridge

ranger_danger · 2024-10-11T14:34:41 1728657281

It's not "broken", please don't spread FUD. It's a whole lot more transparent than doing it on the server side. Client code can be inspected and publicly audited, and many times you can save/cache it so that it doesn't change. Also opens up the possibility for third party standalone apps that don't change often.

akimbostrawman · 2024-10-15T13:19:56 1728998396

this can be mitigated by using a browser addon to calculate and verify the web js content is matching the hash in a public code repo. That is how CTemplar Mail does it.

I'm disappointed they haven't implemented something like this.

ranger_danger · 2024-10-11T14:35:00 1728657300

WASM? I have seen it used a lot for this.

protonprivacy · 2024-10-16T21:32:47 1729114367

We are not affiliated with Crypto AG. Our encryption occurs client-side, our cryptographic code is open source, and our tech can and has been independently verified.

andrewinardeer · 2024-10-10T21:32:27 1728595947

Is the suggestion that founders who have US affiliation are automatically in bed with three letter agencies?

justinclift · 2024-10-10T23:58:53 1728604733

If they're physically located in the US, they have no way to stop (legal) coercion by the TLAs yeah?

willis936 · 2024-10-12T09:19:57 1728724797

How is this different than 90% of other VPN providers out there? The claim shouldn't be "Proton is a honeypot" but that "US VPNs are a honeypot".

bartbutler · 2024-10-18T13:50:26 1729259426

We aren't physically located in the US.

justinclift · 2024-10-22T04:41:28 1729572088

Who's the "we" in this context? :)