Fair enough, I would daresay it is easier for them to respond inside the Proton or Tuta link the recipient was provided than to actually close the link and respond in plain text; I don’t get why people close it and respond in plain text.
Yes, that’s fair enough. I do feel like if you give them a paper letting them know the password you’re gonna set, and they can store it, this can help a lot, or yeah, over a secure channel like an E2EE messenger (RCS, Signal etc.).
Again, yes, fair enough; however, I haven’t heard of anyone actually exposing them. Like, why would you bother copy-pasting it, for what? It’s already a waste of more effort than if you just typed the password and responded.
Unless I’m missing something where they can forward an email and therefore expose it in plain text, but I doubt Proton and Tuta allow that, so that it doesn’t get unencrypted, or they would send it in a password-protected manner.
Unless it’s a file we’re talking about.
This is FUD. Without a clear threat model, such advice is harmful to those who don’t need to secure against third-party email vendors. If you are going to advise such harsh lines, you should provide evidence as to why said lines are needed.
When using password protection, one recipient replied outside the password-protected email handling interface and exposed my entire email plaintext. I don’t know how they achieved this. It seemed like they wanted to use their own email client instead.
When using PGP I have experienced, from people who should know better:
Someone replying to me unencrypted asking for my public key (which I put in the body of my email) and exposing the entire plaintext of my email.
Someone joining an existing PGP-encrypted email conversation by replying to me without encrypting their first email, exposing details of the conversation that were encrypted. I guess they were forwarded my email but failed to ask for my public key or simply forgot to encrypt.
Many email clients place a copy of the email the user is replying to into the reply email body (composer). It’s good for convenience, but this is a key factor in previously-encrypted emails becoming exposed when replies are sent unencrypted.
I didn’t know this, thanks for letting me know. However, I assume it’s still generally unsafe to assume emails are wrapped by TLS, and TLS doesn’t stop the email providers from accessing emails.
In the end it only protects in transit, not when stored.
Mm, I get it, man, people sure can fail spectacularly for some peculiar reason.
I get the PGP part, right, like you sure can fail the opsec there, but password protected? Man, you joined the interface, you read it from there, you have a reply button at your fingertips (and maybe a forward, but I think not, considering how can you forward a password-protected email). Sigh.
Likely has to do with forwarding, yeah.
Although that being said, our email system (like for this forum, and our personal mailboxes) does not send emails to servers that don’t support TLS anymore, and it does not accept emails that are sent to us without TLS.
Hopefully someday big mail servers will follow suit, just like how HTTPS has become ubiquitous on the web.
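The policy just described (refuse to deliver to servers without TLS, refuse to accept cleartext submissions) expressed as Postfix main.cf settings; this is an added illustration, not the forum’s actual server configuration, and the certificate paths and hostname are assumptions.

```ini
# Postfix main.cf fragment (added example; assumes a Postfix MTA with a
# valid certificate and key at the placeholder paths below).

# --- Weak (Postfix default): opportunistic TLS, shown commented out ---
# Outbound: use TLS only if the remote offers STARTTLS, else fall back to cleartext.
#smtp_tls_security_level = may
# Inbound: accept mail whether or not the sending server used STARTTLS.
#smtpd_tls_security_level = may

# --- Hardened: mandatory TLS in both directions ---
# Outbound: require TLS. Mail to servers that do not offer STARTTLS is deferred
# and eventually bounced rather than sent in cleartext.
smtp_tls_security_level = encrypt
# Inbound: require STARTTLS before MAIL FROM; cleartext sessions are rejected.
smtpd_tls_security_level = encrypt
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.org.pem
smtpd_tls_key_file  = /etc/ssl/private/mail.example.org.key

# Log a one-line TLS summary per session so deferred/refused mail is visible.
smtp_tls_loglevel  = 1
smtpd_tls_loglevel = 1
```

Note that `encrypt` only guarantees the session is encrypted, not that the peer is who it claims to be; `dane` (with DNSSEC TLSA records) or a per-destination `secure` policy adds certificate verification. RFC 3207 says a publicly referenced SMTP server must not require STARTTLS on port 25, so this is a deliberate policy choice with a known cost in undeliverable mail, not a default.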
I’d say don’t give financial data to Google at least; bank to Proton Mail is sort of E2EE as Proton is zero-access encryption, and well, the bank knows what it sends and you don’t want to hide from your own bank lol.
True, TLS helps but only if both ends play ball. I still feel like email in general isn’t built for privacy. Tools like Proton are a step forward, but the whole system feels patchwork.
Exactly. Most of my frequent correspondence is with businesses, for which I am happy to use an alias if I’m not going to password protect my emails. Most businesses have their own domains and don’t use commercial addresses, though I have encountered quite a few that use Gmail.
If time is not an issue, I don’t have a problem asking for someone’s phone number. And if they can’t give it, I try to find another way to send the password.