• John Richard@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    33
    ·
    6 months ago

    So sending a company your private key and trusting their servers to do E2E encryption despite them being able to modify their code whenever they feel like it to capture your password without encryption and masked in obfuscated JavaScript is now considered security? Wow, people really are gullible.

    • experbia@lemmy.world
      link
      fedilink
      English
      arrow-up
      19
      arrow-down
      2
      ·
      6 months ago

      I agree with your general sentiment here (that such an arrangement is not trustworthy enough for me to feel completely private) but your delivery of said sentiment is really fucking rude, dude.

      Even if it’s not secure enough for you or I to feel private, it likely exceeds the security necessary to satisfy most people’s threat models so they can not only feel private but objectively be more private than if they just used Google docs.

      incremental or opportunistic privacy improvements are better than none, a fact that has seemed to be lost in elitist privacy circles these days.

      • John Richard@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        21
        ·
        6 months ago

        Incremental in what way? There is an illusion of privacy. If that makes people feel good then sure, you increase your illusion of privacy.

        • nieminen@lemmy.world
          link
          fedilink
          English
          arrow-up
          6
          ·
          6 months ago

          Dude, you’ve made your point on virtually every comment on this thread. We get it, you don’t trust them. The world has given all of us every reason not to blindly trust this sort of thing. But I’ve done enough digging that I’M happy with the security, and the fact they’re not feeding my private content to the AI monster.

          Please, for the love of the flying spaghetti monster, don’t keep spamming EVERYONE with the same 3 points you’ve already made elsewhere.

    • brochard@lemmy.world
      link
      fedilink
      English
      arrow-up
      15
      ·
      edit-2
      6 months ago

      I’m not sure what you’re talking about ? You’re not sending your private key to their server without first encrypting it first locally. Their servers are not doing the E2EE, your client is. The website front and apps are open source.

      Yes they could send you a compromised front if you use it via their website, that’s a compromise you accept, otherwhise you could only use their apps which are open source.

      • John Richard@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        11
        ·
        6 months ago

        Tell me… when you visit a website that gets updated daily, if not hourly. If it served you a different version of JavaScript than what it served someone else… would you know?

        • brochard@lemmy.world
          link
          fedilink
          English
          arrow-up
          6
          arrow-down
          1
          ·
          6 months ago

          I already answered that. Yes you can’t trust a website’s content, that’s why they offer apps. It’s your choice to trust the website which is as secure as they can make it, or you simply use the apps…

          • John Richard@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            2
            ·
            6 months ago

            How does a WebView wrapped app offer much more security than a website? Why do they require a paid subscription to use the desktop apps?

          • John Richard@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            2
            ·
            6 months ago

            Last I checked the apps are mostly just wrappers around WebView, so either way you’re getting served different content randomly without ever knowing. AND, Proton specifically prevents the desktop apps from functioning on unpaid accounts. That would be like Gmail disabling IMAP for unpaid users.

            • brochard@lemmy.world
              link
              fedilink
              English
              arrow-up
              7
              ·
              6 months ago

              That’s not how electron apps works. When you load a website with your web browser you get served the front and execute it. When you have an electron app, the front is in the source code of the app, and you decide when to update it so you don’t get served unexpected compromised updates. As for the paid service : They don’t sell your data and don’t show you ads so they need money, it’s that simple.

        • sunzu@kbin.run
          link
          fedilink
          arrow-up
          2
          ·
          6 months ago

          Ain’t this a website issue? Or is somebody doing it better?

          No JavaScript?