Should I be worried about this? Article freely available telling all and sundry how to break Protonmail encryption

Now can I just start by saying I’m not a complete idiot, but I am not “tech savvy”. I have only very recently become aware of just how bad privacy has got on the internet and irl. And I started researching how to improve my online (and offline) privacy (and that’s a whole can of worms that will give anyone sleepless nights!). I am obviously very late to this party!

Anyhow, after lots and lots of research, I had thought I was starting to understand the basics of the direction I needed to go in, and after much deliberation decided to initially go with an everything Proton subscription so I can get off Google et al, sort my passwords etc and have some basic protections in place (after which I could consider not having all my eggs in one basket in the longer term).

No sooner had I done this and signed up than I came across this article which, to the untrained eye, seems to be saying that the Protonmail E2EE is breakable, and here’s the exact instructions to do it. Now the encryption is not the only reason I have Protonmail (I want Google and yahoo to stop scanning my emails for a start), but it is one of them, and the way the article reads is that if you have a bit of know how and equipment, breaking the encryption is fairly straightforward. Which is more than a little alarming.

Now I can’t profess to understand everything in the article. There are many terms I don’t understand and so I don’t know whether I am right to be alarmed. Am I failing to understand some key things here, are there settings I can put on to make these steps impossible, does the new setting on iOS 26 to allow wired connection data transfer to be disabled help prevent this?

Thank you!

First, welcome to the forum!

Second,

Never too late to start learning and improving.

Also, this is a 4 year old article. I would not trust anything more than a year old, especially in the privacy tech realm, as things change, improve, and get better every day.

Rest assured, your encrypted emails are fine with Proton and they do maintain and keep up with their promises.

All that said, someone more technical can clarify this better for you. But this is not alarming or a concern today, that much I know.

But feel free to ask questions to keep learning and understanding. This forum is a great resource and glad you found it! You are new to privacy and security so I encourage this.

2 Likes

This is just a marketing fluff piece for their forensics software. The best mitigation is keeping your devices up to date (to prevent exploits), choosing hardened options such as GrapheneOS or iPhone with lockdown enabled (to prevent advanced exploits), using strong passwords (to prevent bruteforcing), and minimizing any physical access (to prevent dumping).

1 Like

Thank you very much for your kind, reassuring and encouraging response!

1 Like

The article expects full file system access. So someone either needs physical access to your device or to significantly compromise it before they can start with that.

As the device passcode has to be known in order to decrypt data, this does not enhance security in our forensics scenario.

They even expect the device passcode to be known to the attacker.

This is only somewhat worrying if you expect a very targeted attack on you or that your devices get seized.

Generally protecting against an attacker who knows the device passcode is next to impossible.

Thank you, I am on it with keeping devices up to date, strong passwords and trying to avoid physical access where possible, but do I really need to enable lockdown mode? Would I not lose loads of functionality? I thought that was more for people who were being individually targeted? I think my key concerns are Mass Surveillance, Public exposure and Surveillance Capitalism, rather than targeted attacks, and I don’t have much risk of being stopped by police etc at the moment, although I am conscious with the increased surveillance, authoritarianism, global instability, and the growing potential of hard right parties gaining power that these issues are probably more relevant to everyone. I also have zero faith in our justice system, and anyone could be the victim of a miscarriage of justice if they are in the wrong place at the wrong time, plus the more information law enforcement have, the more they can put two and two together and make five, so I’d rather not make that easy for them. I also strongly feel that my information should be private and I don’t want anyone just having access to the details of my life unless they have very, very good grounds to do so. We hold so much on our phones, it feels so invasive that anyone could just access it with minimal grounds and no warrant! There is also the risk of course that my device could be lost or stolen. Sorry, waffling a bit, but I think what I am trying to say is that logically, I am not likely to be arrested or the victim of a targeted attack, but given where things are heading politically, and with increasing tech used in law enforcement etc, it makes me very nervous and uncomfortable and so I’m trying to find a happy medium between move to the highlands and get rid of all electronic devices :laughing: and something more logical and practical.

The way you answer this question depends on what your threat model is. Don’t know what it is? Learn more here: Threat Modeling: The First Step on Your Privacy Journey - Privacy Guides

You appear to be an average person trying to be better with their tech, internet, and digital habits and activities. I don’t think you need it but it doesn’t harm you if you do enable it. You lose little so might as well use it. You can learn about it by looking it up but here is a page to get you started: About Lockdown Mode - Apple Support

I would not say loads, no. But this is subjective.

That is correct.

Seems like you’re learning and understanding things privacy related well. Good. There’s always more you can do to keep bettering your digital habits, activities, etc. but the key is finding the right balance between it all and convenience - like you already alluded to.

Small feedback: reading a large paragraph with no breaks is a little jarring visually. I recommend adding a few breaks like I have. It breaks down each main point so it’s easily read and understood. FYI.

OK thank you. He mentioned in the article “bruteforcing” the Proton 6 digit PIN - can that be done with the device PIN which is also normally 6 digits?

I’m so sorry about the paragraphs, I am usually really good with this as I hate big walls of text myself! The window to reply in is really small and I didn’t notice how long it had got. I’ll try to remember to expand the window so I can keep an eye on this. Nothing worse than a wall of text!

Thank you for your helpful reply, I’ll have a look at the link and think about trying it to see what it’s like. I have looked at threat modelling, and that’s what I meant when I said I think these are what my biggest threats are, but I found it quite hard to nail down; it’s hard to answer the questions when you don’t really understand how everything works, or what the options are.

So I have the threat model in mind, and as I research and get a better understanding (hopefully!) of the options, how the tools work, and from that where the middle ground between privacy and practicality sits for me, the answers to the threat model questions should become apparent.

Thank you so much for taking the time to reply, this is all so helpful. The world of privacy and security is an absolute minefield now I’ve started delving in, and the minute I think I’m starting to get to grips with it (or as much as I need to understand) I read something else and I am completely confused again, so I am really grateful for any help or guidance navigating it.

It does make you wonder how the “average” person, who isn’t minded (or doesn’t have the mindset, the time or the bandwidth) to sit for hours working all this stuff out, would have a hope in hell of improving their online privacy. It is certainly not easy. I can see why most people just accept it rather than try to fight it.