waitwaitwait on Nostr: Thank you. The paper focuses on the fact that when using webmail the Proton server ...
Thank you.
The paper focuses on the fact that when using webmail the Proton server could serve you malicious client-side code and steal or misuse your key. But all web apps have that problem.
Since Proton has implemented their "one-password" login, the PGP key is on the server, encrypted using your salted and hashed password. That means Proton could try to brute-force it. But it also means man-in-the-middle attacks are avoided.
I would call them tradeoffs, but I wouldn't say their implementation is fundamentally flawed or insecure.
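As an added illustration of the arrangement the post describes (a private key stored server-side, wrapped under a key derived from the salted login password), here is example code that is not Proton's implementation: the scrypt parameters, the HMAC-based keystream standing in for a real authenticated cipher, and the sample key are all constructed. It shows that a wrong password yields nothing, and lets you measure how the KDF cost bounds the offline guessing the post mentions.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed scrypt cost settings (not Proton's actual values).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key from the login password and a per-user salt."""
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def _keystream(kek: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a simplified stand-in for the authenticated
    # cipher a real client would use; enough to make the blob opaque without the KEK.
    out = b"".join(hmac.new(kek, i.to_bytes(4, "big"), hashlib.sha256).digest()
                   for i in range((n + 31) // 32))
    return out[:n]


def wrap_private_key(private_key: bytes, password: str) -> dict:
    """Encrypt the key under the password-derived KEK; salt and tag travel with it."""
    salt = os.urandom(16)
    kek = derive_kek(password, salt)
    ct = bytes(a ^ b for a, b in zip(private_key, _keystream(kek, len(private_key))))
    tag = hmac.new(kek, salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}


def unwrap_private_key(blob: dict, password: str) -> Optional[bytes]:
    """Return the key only if the password is right; a wrong password learns nothing."""
    kek = derive_kek(password, blob["salt"])
    expected = hmac.new(kek, blob["salt"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(kek, len(blob["ct"]))))


def offline_guess_cost(password_bits: float, samples: int = 3) -> float:
    """Seconds a party holding the blob would need to exhaust a password space of
    the given entropy, using this machine's measured scrypt time per guess."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for i in range(samples):
        derive_kek(f"guess{i}", salt)  # constructed candidate passwords
    per_guess = (time.perf_counter() - t0) / samples
    return per_guess * 2 ** password_bits
```

Raising the scrypt cost or the password entropy multiplies `offline_guess_cost` directly, which is the lever a user has against the server-side guessing the post describes.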