DataSailor 8 points ago +9 / -1

Help! Are you saying it's not secure? Trying to divorce the G

Jack_Burton 15 points ago +16 / -1

Proton mail is secure. Antifa uses it, and that’s how it relates to the thread

deleted 11 points ago +12 / -1
TheMemeSpiceMustFlow 0 points ago +3 / -3

Because the government isn't interested in prosecuting Antifa. Proton Mail is not secure. It's secure enough for most business applications, but I guarantee if the FBI asks them for data on you they will get it.

Kung_Flu_Fighting 6 points ago +6 / -0

Possibly, but its servers are based in Switzerland.

TheMemeSpiceMustFlow 11 points ago +13 / -2

Any server-based application is not going to be able to give you a guarantee of security. Very easy for them to intercept any encryption key generated at the time of communication if they wanted to. Need something with no server that uses a pre-shared key you set up with the other person ahead of time.

For example, a message app that uses SMS, but you and the other person set up a pre-shared key ahead of time, very long, maybe 64 to 256 character key, to encrypt/decrypt the messages when sent/received. The message looks like gibberish to everyone except the sender and receiver. If the cell carrier tried to read your messages it would just be a bunch of random characters because they would never have had access to the encryption key.

TADD3RS 7 points ago +7 / -0

Pede who sounds like they know what they are talking about:

(1) Signal - Yea or Nay (2) Proton Mail - Yea or Nay

If not, then what?

crimsonfancy 3 points ago +3 / -0

I made a Proton mail account and opted out of the backup email part. I saved my password and did everything correctly and still couldn't get back in. I'll try again to recreate what happened and why but I'm not giving them a backup email address. 🤷🏻‍♂️

TheMemeSpiceMustFlow 2 points ago +3 / -1

For what purpose? For protecting your communications from malicious actors in foreign countries? Maybe. For keeping your communications private from illegal government searches? Nope.

I wouldn't trust any app for the second purpose that I or someone I trust has read through the code to ensure there is no backdoor and no copies of the encryption key sent somewhere and stored.

I'm not really familiar with Signal or Proton Mail, but encryption as a service is kinda oxymoronic. The way to make encryption secure is to not have the service involved in the encryption in the first place. I guarantee that if the FBI went to Proton mail and said "we demand you search all email for certain keywords or phrases or from this address and give us the data" that they would get it.

For real, secure, encryption it doesn't matter what email you use. Use Gmail, who cares. The encryption and decryption would take place on your phone and Gmail sees gibberish random letters. You'd just need an app designed to encrypt and decrypt the messages with a pre-shared key you set up with the other person ahead of time. Since Google doesn't have your encryption key then they can't read your email. The government can come threaten to shut down Google if they don't decrypt your email, but it will be impossible because they don't have the key. The only way to decrypt the email would be to obtain your phone or the other person's phone and open the app. No other way as long as you didn't write the key down and leave it on your desk and they raid your house and find it.

I don't know of such an app, but it probably does exist because it wouldn't be hard to make. Just have to make sure you trust the person who wrote it. Would be easy for them to put in a backdoor that sends the key and your data somewhere.

TADD3RS 1 point ago +1 / -0

Thanks for reply. I know nothing except surface level tech knowledge. I built my PC and have a Steam account -- tech résumé complete.

Shield 1 point ago +1 / -0

My problem is that I don't even trust the hardware itself. How do we know there isn't some kind of spy software installed on all of it? I'm not trying to pretend to be an expert here, I legitimately don't know. But if that's possible, then it won't help you to encrypt your message using software. You would want a separate offline device to encrypt the message and then you would type the already encrypted message in yourself.

But in any event my thought is that sensitive communication should be minimal over the internet and can probably hide in plain sight through regular services (just use coded language in what looks like an ordinary e-mail that's not trying to hide).

Total moron here with tech though so I don't know.

MapleBaconWaffles 1 point ago +1 / -0

Isn't that what a Diffie–Hellman key exchange takes care of?

There's an algorithm so we each generate a public and private key on our own devices. We each send each other our public keys, but our private keys remain a secret. Using the algorithm my public key and your private key generate the same code as your public key and my private key. Then we use that code to encrypt our communications.

If someone intercepts both of our public keys, but doesn't have either of our private keys, then they can't decode the messages.

TheMemeSpiceMustFlow 2 points ago +2 / -0

Yes, you're right. After thinking about it some more it isn't really a problem with key generation, the problem is whether the platform you're using actually uses a secure key generation method without a backdoor. Very easy for them to put in some code to make a copy of the key for recovery in the event that government requested access to your data. If you trust that the app has implemented a secure key exchange without a backdoor that would be fine.

If you want to be absolutely sure the government couldn't decrypt the communication then I still think generating your own key is simpler and easier. I'm definitely not a security expert so maybe I'm wrong, but I still think if people really want to be able to communicate securely then someone just needs to write an open source app that provides an encryption/decryption app that sends the encrypted data over regular channels like SMS and email. Simple, secure, and easy to read through the code and verify no backdoor.

Also, when designing an app you can really only get 2 out of 3 when it comes to ease of use, functionality, and security. If you want to design something that is extremely secure with lots of functionality, then it will likely not be very easy to use. Stick with something simple and secure, easy as possible for non-tech people to use.