Terence Eden’s Blog
2024-03-11 12:34:41

**Can you trust ProtonApps.com?**
https://shkspr.mobi/blog/2024/03/can-you-trust-protonapps-com/

I've recently signed up to the privacy-preserving service [Proton](https://proton.me/). All the email, calendar, drive, VPN, and other services seem to hang off the proton.**me** domain.

I wanted to download the Android apps to my phone - without using the Google Play Store. The [VPN app is on F-Droid](https://f-droid.org/en/packages/ch.protonvpn.android/) but none of the others are. So, because I'm lazy, I Googled "Download Proton Mail".

I landed on https://protonapps.com/.

It *looks* like a genuine site. But is it? .me is signed by Let's Encrypt, whereas .com is signed by Amazon. There is **no link** from Proton.me to ProtonApps.com. There's nothing I can find that shows it is genuine.

But, let's assume for the moment, that it is legitimate. What happens when you try to download the Android apps from it?

- The [email app page](https://protonapps.com/protonmail-android) links to the [ProtonMail repository on GitHub](https://github.com/ProtonMail/proton-mail-android/releases) - there's no link from the .me site to their GitHub. But I'm reasonably sure that's them.
- The [VPN app page](https://protonapps.com/protonvpn-android) leads to a [*different* GitHub organisation](https://github.com/ProtonVPN/android-app/releases)! I don't know why they're different organisations. It isn't linked to from the .me site, nor from the [https://protonvpn.com/](https://protonvpn.com/) site (yet another domain!)
- The [calendar app page](https://protonapps.com/protoncalendar-android) links to [ProtonMail.**com**](https://protonmail.com/download/CalendarAndroid/ProtonCalendar-Android.apk) - is that them? The .com redirects to the .me, but anyone can set up a redirect.
- The [drive app page](https://protonapps.com/protondrive-android) and the [Pass app page](https://protonapps.com/protonpass-android) do both link to Proton.me!

So there are multiple domains - Proton.me, ProtonApps.com, ProtonMail.com, ProtonVPN.com - and there are at least 2 different GitHub organisations.

How do you tell which ones are legitimate? I signed up and paid on the .me page - so I have high confidence in it.

The [official Proton Mastodon account](https://mastodon.social/@protonmail/112053863641320051) says the ProtonApps.com site is legitimate (and the Mastodon account is verified by the .me site). But you can't expect users to chase through a dozen different pages and enquire on social media just to verify which page is safe.
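The check the post performs by hand (does a page on the domain you already trust link out to the candidate domain?) can be scripted. This is an added example, not code from the post; the HTML below is constructed sample input, and the host names are only illustrative.

```python
"""Added example: offline check of the 'is it linked from the trusted domain?'
heuristic. TRUSTED_PAGE is constructed sample HTML, not a fetched page."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect the href target of every <a> tag in a document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def linked_hosts(html):
    """Return the set of absolute hostnames linked from the HTML (lower-cased).
    Relative links have no host and are ignored."""
    parser = LinkCollector()
    parser.feed(html)
    hosts = set()
    for href in parser.hrefs:
        host = urlparse(href).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def vouched_for(trusted_html, candidate_hosts):
    """Map each candidate host to True if the trusted page links to it."""
    hosts = linked_hosts(trusted_html)
    return {c: c.lower() in hosts for c in candidate_hosts}


# Constructed sample page from the domain the user already trusts.
TRUSTED_PAGE = """
<a href="https://mastodon.social/@protonmail">Mastodon</a>
<a href="/mail/download">Download</a>
<a href="MAILTO:support@example.test">Support</a>
"""
CANDIDATES = ["protonapps.com", "protonvpn.com", "mastodon.social"]

if __name__ == "__main__":
    for host, ok in vouched_for(TRUSTED_PAGE, CANDIDATES).items():
        print(f"{host}: {'linked from trusted domain' if ok else 'NOT linked'}")
```

A host that is not vouched for is not necessarily hostile; the script only reproduces the "no link from Proton.me" signal the post relies on, which is a reason to verify further, not a verdict.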

This is my plea to *all* developers - simplify your customer-facing infrastructure to make your domains consistent & trustworthy.


#OpenSource #privacy #Proton
Author Public Key
npub1y66rre8r3yptrcumrxelkmpr2hd8tpg35rxsx4eqcuejpgj5dgcslreusx