they always do client-side auth rather than traditional server-side auth
They must have some server-side auth as well, otherwise I could just emulate requests from the bridge and pull all your PGP-encrypted email from their servers. Even though it would be mostly useless, it would still be a big vulnerability issue.
IMAP/SMTP-based provider to whom you always send your passwords in plaintext
Why do you say that? What led you to believe it?
Most providers are running IMAPS (IMAP over SSL) or IMAP with StartTLS (upgrade to TLS) and the same for submission to make sure there are no passwords in plain-text. Furthermore mail clients and servers also support password hashing and some, like Google, even go further and push people into IMAP/SMTP authentication with XOAUTH2 (OAuth token unique for each e-mail client).
Non-plaintext mechanisms have been designed to be safe to use even without SSL encryption. Because of how they have been designed, they require access to (…) their own special hashed version of it. doc.dovecot.org/…/authentication_mechanisms/#non-…
Going back to Proton, if they do use PGP in a generic way it means all your e-mails are encrypted, and whenever you want to open the website or use the bridge they have to decrypt them. As you described before, they do this client side and that's okay.
Now the next question is: how do they decrypt your mailbox? Their servers hold your private PGP key encrypted with your login password; once a client wants to decrypt your mailbox it has to pull that private key from the server and then use your password to locally decrypt it. That now-plaintext key can then be used to decrypt the e-mails. This is a common security practice to make PGP and other asymmetric encryption schemes work securely without forcing the user to store and manage their own private key - that's okay as well.
For e-mail coming from external providers (and people who don’t use PGP) Proton receives the unencrypted message (over TLS) and then encrypts it with your public PGP key. After this point you are the only person who can decrypt the message because while they also hold your private key it is encrypted thus they can’t use it to decrypt the message. This is reasonable and okay.
Now the thing is, all this can be accomplished via IMAP/SMTP, with the same level of security, if you employ a few rules:
Tell customers who want to use IMAP/SMTP that they’re required to configure PGP manually on their clients otherwise their mailbox will be encrypted / useless and they won’t be able to send e-mail;
Submission (sending e-mail via SMTP) servers configured to refuse any e-mail that isn't PGP encrypted;
Only provide IMAP/SMTP authentication with SSL/TLS;
If they don’t go for XOAUTH2, then force people into creating a specific app password for each e-mail client - like Google also allows for legacy stuff that doesn’t support XOAUTH2.
Note that their current apps/bridge also need to authenticate themselves with some hashed version of your password, otherwise I could just emulate requests from the bridge and pull all your PGP-encrypted messages from their servers. Actually, using XOAUTH2 tokens or unique app passwords would even be safer than what they're doing.
Considering their PGP implementation is standard, doing those tweaks isn't impossible, and they would provide the same level of security their apps provide while also being flexible enough for more advanced users.
"If we were genuinely committed to actualizing the right to shelter in Nova Scotia, the provincial government would regulate the private market in a way that protects renters’ interests. We managed to do this until 1990, before the doctrine of deregulation and market supremacy was adopted, promising to provide for us all.
Gov't needs to BUILD/BUY/CREATE
NON-MARKET HOUSING, NOW!!
For components without major complexity, this is something that works well for me. However, I have also tried to rely entirely on WebC, which, as I understand it, is the intended approach.
For the one closest to me it's too late, but anyway they're partnered with #BoycottCarrefour, so #non. 😖
#SalonÀLaFerme
The #ConfédérationPaysanne is organising its "Salon à la ferme" to exchange views on the farming world and visit farms not represented at the Salon international de l'agriculture. Here is a rundown of the farms in #FrancheComté that will open their doors from 17 to 25 February.
I'm so dazed this morning that I can't decide… whether it's tonight's concert, sandwiched between two (very thick) slices of Femme sans ombre, that is one too many, or whether it's rather Sunday's Femme sans ombre, sandwiched between tonight's concert and the Philharmonie in Paris on Monday? 🤔
(chances are I'll have died under the notes and/or of exhaustion before then; this "little" Tannhäuser Overture and its 6 pages of pseudo-chromatic junk that absolutely have to be practised was definitely exactly what I needed! #non)
One goal of any good bonsai practitioner is to try and make their small pampered trees look like they “have been through some stuff” to signify age and experience.
So an 85’ fir tree fell across our garage and backyard, landing on the spot I had just moved the bulk of my trees to, to protect from the wicked weather we were expecting.
If the initial fall didn’t do the “fir”st damage…the cleanup will complete it. Many trees with absolutely all limbs stripped down their trunks. One of the trees I have been working on the longest lost one of its two primary trunks.
The #éducation minister Amel Oud-Elqass-Attala sent her children to an Islamist #école that promotes #non-mixité (segregation) between women and men, equates #avortement (abortion) with "murder" and condemns #homosexualité.
#Darmanin is calling for her expulsion from 🇫🇷 and demanding that new ministers sign a "republican commitment contract"
Ah, her name is Amélie #OudéaCastéra and it's a fundamentalist Christian school? Well, that's not the same thing, is it!
Polling shows:
•66% of Americans & 80% of Democrats demand ceasefire—yet they aren’t being listened to.
•73% of Palestinians in Gaza demand peaceful resolution contrary to Hamas—yet they aren’t being listened to.
•76% of Israelis demand Netanyahu resign—yet they aren’t being listened to
John Oliver perhaps said it best in his last episode—we need new leadership if we expect peace and Justice to prevail over war and death.
I think I am going to try to make an actual experimental device THAT JOHN STEWART BELL COULD HAVE MADE though of course he was at CERN and could have programmed a computer and so experimented more straightforwardly.
In Millions Like Us Virginia Nicholson tells the story of the women's war, through a host of individual women's experiences. She tells how they loved, suffered, laughed, grieved and dared; how they re-made their world in peacetime. And how they would never be the same again ...
Millions Like Us
We tend to see the Second World War as a man's war, featuring Spitfire crews and brave deeds on the Normandy beaches. But in conditions of "Total War" millions of women -- in the Services and on the Home Front - demonstrated that they were cleverer, more broad-minded and altogether more complex than anyone had ever guessed.
Central Asia: A New History From the Imperial Conquests to the Present
A major history of Central Asia and how it has been shaped by modern world events
Central Asia is often seen as a remote and inaccessible land on the peripheries of modern history. Encompassing Uzbekistan, Tajikistan, Turkmenistan, Kyrgyzstan, Kazakhstan, and the Xinjiang province of China, it in fact stands at the crossroads of world events.
Proton picks up Standard Notes to deepen its pro-privacy portfolio (techcrunch.com)
Gender (lemmy.world)
After a year of anti-LGBTQ+ legislation, a lifeline for trans and nonbinary people faces cuts (www.pbs.org)
The lifeline is facing a $2.5 million shortfall at the end of 2023, and has also paused its microgrants program.