Proton exposing email with Simplelogin if attach public key enabled

Just wanted to warn everyone. I used to have proton set up to attach my PGP key to the message. However, I didn’t notice that the name of the attachment is username@proton.me and is also sent when you use the alias send-to address :confused: Not sure why they can’t a) remove the name of the email address from the attachment name and/or b) not attach the key when sending via Simplelogin.

Just thought I’d warn anyone about this because I just ran into it. I rarely use the proton alias addresses to send emails, so really no harm done.

9 Likes

Yeah, this has annoyed me for a while; I similarly assume emails you send using aliases will be signed by your private key, and I assume that either explicitly exposes the email, implicitly exposes the email to any party willing to just try a bunch of public keys (which can be obtained at https://api.protonmail.ch/pks/lookup?op=get&search=<EMAIL_ADDRESS>), or at least leads to some confusion for people.

(this is all implied to be in the situation where you have proton sign your emails… which frustratingly only exists as a global toggle)

2 Likes

I’ve turned signing the emails and attaching them off in the meantime until I get more information. While I think it’s cool, realistically I haven’t found anyone who wants to use PGP with me, and those who would already have a proton account, lol.

Frustrating that this is the case though, and I didn’t know about the API either, thanks for that. So in that case, even if you were just signing the email vs attaching the key, it can be matched via that API if you had some emails to try? A lower attack surface, but wild to me that this is a public API.

1 Like

Yes, if I have some emails to try I can just look up your public key. I believe this is referred to as “Web Key Directory” and is a standard means of looking up public keys by email address. I don’t find it particularly surprising that it is a public API; public keys are meant to be public, and if you don’t want someone to know your public key, presumably you just won’t give them your email (and hope that no one else shares it with them - the key or the email).

1 Like
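The two leaks discussed above (a key attachment named after the real mailbox and carrying its User ID, and a signature whose key ID can be matched against a key fetched by address) can be checked for before a message leaves an alias. The following is an added example, not Proton’s or SimpleLogin’s code: a Python audit that parses a MIME message, flags headers and attachment filenames containing the real address, decodes an attached ASCII-armored key far enough to read its User ID packets, and flags any PGP signature part. The real address, the alias, the attachment filename pattern and the OpenPGP key bytes are all constructed placeholders.

```python
"""Pre-send leak audit for mail sent from an alias (added example, not
Proton's or SimpleLogin's code). Every address, filename and key below is
a constructed placeholder."""
import base64
from email.message import EmailMessage

REAL_ADDRESS = "username@proton.me"          # constructed: the mailbox to keep hidden
ALIAS_ADDRESS = "alias.abc123@example.org"   # constructed: the SimpleLogin-style alias


def armor_to_bytes(armored: str) -> bytes:
    """Strip ASCII armor (BEGIN/END lines, armor headers, CRC24 line) and return raw packets."""
    b64, state = [], "pre"
    for line in armored.splitlines():
        s = line.strip()
        if state == "pre":
            if s.startswith("-----BEGIN PGP"):
                state = "headers"
        elif state == "headers":
            if s == "":                      # blank line ends the armor headers
                state = "body"
        else:
            if s.startswith("-----END PGP"):
                break
            if s.startswith("="):            # CRC24 checksum line
                continue
            b64.append(s)
    return base64.b64decode("".join(b64))


def pgp_user_ids(data: bytes) -> list[str]:
    """Walk RFC 4880 packets (old and new header formats) and collect User ID packets (tag 13)."""
    ids, i = [], 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                       # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hlen = first, 2
            elif first < 224:
                length, hlen = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hlen = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            hlen = 1 + (1 << ltype)          # 1-, 2- or 4-byte length field
            length = int.from_bytes(data[i + 1:i + hlen], "big")
        body = data[i + hlen:i + hlen + length]
        if tag == 13:
            ids.append(body.decode("utf-8", "replace"))
        i += hlen + length
    return ids


def build_sample_key(user_id: str) -> str:
    """Constructed, non-functional key: a dummy public-key packet followed by a User ID packet."""
    pub = b"\x04" + bytes(20)                                # placeholder key body, not real key material
    packets = bytes([0x98, len(pub)]) + pub                  # old-format tag 6, 1-byte length
    uid = user_id.encode()
    packets += bytes([0xB4, len(uid)]) + uid                 # old-format tag 13, 1-byte length
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed sample\n\n"
            + base64.b64encode(packets).decode()
            + "\n=AAAA\n"                                    # dummy CRC line, skipped by the parser
            + "-----END PGP PUBLIC KEY BLOCK-----\n")


def build_sample_message(attach_key: bool, sign: bool) -> EmailMessage:
    """Constructed message from the alias, optionally with a key attachment and a signature part."""
    msg = EmailMessage()
    msg["From"] = ALIAS_ADDRESS
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "hello from an alias"
    msg.set_content("Hi, replying from my alias.")
    if attach_key:
        # The thread reports the key attachment is named after the real mailbox address;
        # the exact filename pattern used here is a constructed stand-in.
        msg.add_attachment(build_sample_key(f"Alice <{REAL_ADDRESS}>").encode(),
                           maintype="application", subtype="pgp-keys",
                           filename=f"publickey - {REAL_ADDRESS}.asc")
    if sign:
        # Stand-in for a PGP/MIME signature part (real ones sit inside multipart/signed).
        msg.add_attachment(b"-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n",
                           maintype="application", subtype="pgp-signature", filename="signature.asc")
    return msg


def audit_message(msg: EmailMessage, real_address: str) -> list[str]:
    """Return findings where the real address (or a key bound to it) would reach the recipient."""
    needle, findings = real_address.lower(), []
    for hdr in ("From", "Reply-To", "Sender"):
        if needle in (msg[hdr] or "").lower():
            findings.append(f"{hdr} header contains {real_address}")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        if needle in name.lower():
            findings.append(f"attachment filename {name!r} contains {real_address}")
        if ctype == "application/pgp-keys":
            raw = part.get_content()
            text = raw.decode("utf-8", "replace") if isinstance(raw, bytes) else raw
            for uid in pgp_user_ids(armor_to_bytes(text)):
                if needle in uid.lower():
                    findings.append(f"attached key User ID {uid!r} contains {real_address}")
        if ctype == "application/pgp-signature":
            findings.append("message carries a PGP signature; its key ID can be matched "
                            "to the key an address-based lookup returns for the real mailbox")
    return findings


if __name__ == "__main__":
    for finding in audit_message(build_sample_message(attach_key=True, sign=True), REAL_ADDRESS):
        print("LEAK:", finding)
```

Run against a saved `.eml` of a draft (load it with `email.message_from_binary_file(..., policy=email.policy.default)`) the same `audit_message` call reports the three findings the thread describes: the filename, the User ID inside the key, and the signature. With both Proton settings off, the message from the alias yields no findings.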

Yeah, makes sense, but it breaks down when simplelogin enters the picture. But I know they bought out the company vs building it into Mail and Pass from the beginning, leading to issues like this. Wish the PGP options had some more granularity and were smart about it; for now the only solution is turning everything off if you use any aliases that you reply to.

Which exact settings need to be disabled to avoid this threat? Are they in Proton or Simple Login?

In the “All Settings” menu for ProtonMail:

  1. Navigate to “Encryption and keys”
  2. Look under “External PGP settings”
  3. For signing messages, ensure “Sign external messages” is turned off.
  4. For attaching your public key, ensure “Attach public key” is turned off.

As an additional point, when writing an email, check the lowest triple-dot-menu (there are two; this one is at the same height as the send button, not above it). There is an “Attach public key” option in this menu. If there is a white check mark next to it, click it to turn it off.

3 Likes

This also happens if you try to send a password-protected email through a reverse alias. If someone opens the email content itself (after entering the password), proton will show the real email.

1 Like

Thanks, that’s also good to know. I haven’t used it yet, but that makes sense. Proton should for sure put big warnings and stop all these issues from happening if you’re using simplelogin and you’re using a proton feature which will cause the main email address to be exposed.