Thank you.
The paper focuses on the fact that when using webmail the Proton server could serve you a malicious client-side code and steal or misuse your key. But all web apps have that problem.
Since Proton has implemented their "one-password" login, the PGP key is on the server, encrypted using your password salted+hashed. That means Proton could try to bruteforce it. But it also means man in the middle attacks are avoided.
I would call them tradeoffs, but I wouldn't say their implementation is fundamentally flawed or insecure.
waitwaitwait
npub1ps7…2j5c
2024-06-16 11:08:14
in reply to nevent1q…rtza
Author Public Key
npub1ps7hna5ss07mmu4gezzte8mhhwxq8lhek0eefjkxjua8kma76qxq782j5cSeen on
wss://nos.lolPublished at
2024-06-16 11:08:14Event JSON
{
"id": "4af0c6089566fccf98d88ccd7cb6c5db21f577e2ab671e21e5725ea211a87a63",
"pubkey": "0c3d79f69083fdbdf2a8c884bc9f77bb8c03fef9b3f394cac6973a7b6fbed00c",
"created_at": 1718528894,
"kind": 1,
"tags": [
[
"p",
"0c3d79f69083fdbdf2a8c884bc9f77bb8c03fef9b3f394cac6973a7b6fbed00c"
],
[
"p",
"ac3f6afe17593f61810513dac9a1e544e87b9ce91b27d37b88ec58fbaa9014aa"
],
[
"e",
"9c77ce5cb02eb93b16091241a9551df8d264a4485d7e78469147a9702e90fb0a",
"wss://relay.nostr.bg",
"root"
],
[
"e",
"ce48b0039d8030f3696407b3ff43f5e1060efe54d612936c3956355c0f87cca0",
"wss://relay.primal.net",
"reply"
]
],
"content": "Thank you. \n\nThe paper focuses on the fact that when using webmail the Proton server could serve you a malicious client-side code and steal or misuse your key. But all web apps have that problem. \n\nSince Proton has implemented their \"one-password\" login, the PGP key is on the server, encrypted using your password salted+hashed. That means Proton could try to bruteforce it. But it also means man in the middle attacks are avoided.\n\nI would call them tradeoffs, but I wouldn't say their implementation is fundamentally flawed or insecure. ",
"sig": "24ca7c342c3de3eb971302b5754e72de15d6e9101b8e76a758cade0886b7bdcf3a3d48c1ab3b29a27dcadc9b54f2871ec473a165f83084de8b838bfdd6a13656"
}