View Single Post
Old 31 May 2014, 02:45 AM   #59
rockman
Senior Member
 
Join Date: Aug 2013
Location: Seattle
Posts: 115
Quote:
Originally Posted by zimmermanfan View Post
It's security theater.

If the decryption happens server-side, then the server has access to the cleartext before sending it over the SSL tunnel. And if the decryption happens client-side, then the server is acting as an application server (probably sending java or javascript), in which case the server can target recipients and send a malicous app (something that sends the key back to the server).

Hushmail and Countermail have a substantially more secure way to send messages to outsiders (using asymmetric encryption and using the recipients [trusted] client software). See my recent thread for the full discussion.
You are comparing apples to oranges. Countermail is designed for more tech savvy folks who understand PGP and Java setups, not "normal" folks for which ProtonMail is designed.

Now, comparing Hushmail to ProtonMail is apples to apples. Hushmail is less secure since they hold the keys to decrypt your mailbox. Yes, ProtonMail serves JS to do the mailbox crypto client-side, but at least the private key is only used client-side for the crypto and is not transmitted to the server by design.

So, no ProtonMail itself is not security theater. The all of this security theater.
rockman is offline   Reply With Quote