Also automatic PGP Encryption for messaging on orders
- By JankyCoyote
- By HEISENBERG
29 Feb
goatsemnley
Enabling auto-encryption (like ProtonMail does) requires you to share your private key with the server. LE actually prefers this because it gives them a single target to gain access to numerous (anybody who used the auto-encrypt service) private keys and, by extension, access to anything sent or received by, and even ability to pose as, the original owner of the keys. It's a horrible idea and should never be implemented. You should ALWAYS encrypt on your own hardware and avoid anybody who does not.
JankyCoyote
Then what is the point of encryption if the server owner owns all the private and public keys? Who is the data encrypted from?
The question is rhetorical. It is unequivocal that any implementation of text encryption "on the fly" using PGP is not safe for anyone.
HEISENBERG
Precisely! It's the same reason having an email exchange with anyone who uses ProtonMail is so frowned upon. Since they offer auto-encryption, you can't tell if the other party is using proper opsec and encrypting on their own hardware, or if they are using auto-encryption, putting the entire conversation at risk of exposure if LE ever takes an interest in Proton's servers.
And, yes, I'm spelling that out for anyone else who's reading. I can't imagine it would be new information to you.
JankyCoyote
Why would proton be a worse choice regardless of how you use it? I don't understand that type of technology well so I try to listen to those that do. Is it still an issue regardless of how thorough the opsec is on your end?
idlewild
Proton cooperates with law enforcement agencies and makes no secret of the fact that it passes user data to them if they receive such a request. Who decided that this is a safe way to exchange messages?
idlewild
Let's assume you (Agent1) have amazing op-sec on your end. Agent1 encrypts/decrypts using only their own hardware and is the only one who has access to their private key. Agent1 is talking to someone (Agent2) who uses Proton. Agent2 has decided to use the auto-encrypt feature that Proton offers. Agent2 comes to the attention of LE for possible illegal dealings, so LE files a legal request with Proton for any information they have on Agent2. Proton complies and sends them all stored information they have. This includes the private encryption key and any stored emails. Using Agent2's private key they can now read the entire conversation Agent2 had with Agent1. In fact, since LE now has Agent2's private key, they can pose as Agent2 to try and build a case against Agent1.
This gets even worse if LE decides to simply seize Proton's servers, giving them access to anybody's (who used the auto-encrypt feature) private keys and conversations. This has happened with a couple marketplaces already (LE seized the marketplace and continued to run it as an exit scam both to steal money and get as much user information as possible).
Because Proton encourages users to practice poor op-sec (use their auto-encrypt feature) it is simply a good idea to avoid exchanging emails with people who use Proton accounts, even if you don't use it yourself.
It is one more step the l*w e*force*ent has to go thru to get u. I think it is worth it since it is free.