Open ghost opened 3 years ago
Okay, it seems ProtonMail is maintaining their cryptography component OpenPGP.js separately from ProtonMail, so that it can be re-used in other projects. This is good.
@mpfau @bedhub Maybe you are not reading this, so I mention you so you can give a proper answer here.
Yes, you are correct, ProtonMail is by all means a centralized service, but to be fair none of the projects listed in this repository are truly decentralized. Most contain some decentral features but as far as I am aware decentralization is questionable to achieve and impossible to sustain.
What ProtonMail brings to the "decentralized" table is that the service provider themselves has vowed to leave your communications private and not relentlessly datamine all your plaintext emails such as the other actors you mentioned.
They also make it dead simple for you to utilize encryption with those contacts that you have exchanged public-keys with and by using an open standard such as OpenPGP they've ensured your recipients have the freedom to choose their own email-client without lock-ins. At the end of the day you have to make your own choice if you trust ProtonMail to be your personal courier. They're just another service provider with a privacy-focused business model.
If you don't want to trust them, then there is nothing stopping you from setting up your own email server such as postfix. The email protocols are theoretically decentralized as in anyone can run their own node. But that is also the root cause for the unfixable spam problem. (For freedom to exist it must be equally extended to all actors, good and bad) So be aware that if you choose to run your own node, then you're still going to be drifting towards centralization due to dependency on DNS and SSL that are two centralized systems tethered to the world economy.
TL;DR; the world's entire email system has for the past 5 decades been and is continuing to drift towards centralization. The day when there is only one email provider left is the day when it's game over. If you want to avoid that, then it doesn't matter which provider you choose or self host as long as you don't go for the most popular one. Also you can try to sway your friends' opinions, it's not gonna make you popular or rich, but I think it's an interesting subject.
I hope this helps, good luck with mailing! :thumbsup:
@telamon Thanks so much for your detailed response. :-)
@wigy-opensource-developer @telamon
I came across this article (https://seirdy.one/2021/02/23/keeping-platforms-open.html), that explains this situation.
Protonmail and Tutanota are only really secure in the sense that they are encrypted between users of the same service, sent within the service. AKA: from user1@protonmail.com to user2@protonmail.com - this will be encrypted, fully. Same as with tutanota. Though sending from user1@protonmail.com to guy@tutanota.com - this will not be.
Like with cryptocurrency:
"not your keys? not your wallet not your money"
I find this to generally be a good rule of thumb.
> none of the projects listed in this repository are truly decentralized.
Aether is actually P2P, and I'm sure there are others that are too.
@netluxe
> Protonmail and Tutanota are only really secure in the sense that they are encrypted between users of the same service, sent within the service. AKA: from user1@protonmail.com to user2@protonmail.com - this will be encrypted, fully. Same as with tutanota. Though sending from user1@protonmail.com to guy@tutanota.com - this will not be.
I think you confused something there, Protonmail uses the standard OpenPGP, so Protonmail <--> ANYTHING-using-OpenPGP will be encrypted.
I don't know anything about Tutanota but if they are using some kind of proprietary encryption then yikes be careful of what you communicate...
> I think you confused something there, Protonmail uses the standard OpenPGP, so Protonmail <--> ANYTHING-using-OpenPGP will be encrypted.
More like can be, right? Because there has to be a prior knowledge of the public keys, without a key exchange mechanism.
@blacklightpy yes. You have to email/send your public key to the person you wish to talk to. If they reply with their public key then the rest of the conversation can be carried out in private.
Hello Folks!
I have been thinking about this lately. Their client and server components are designed in a custom way to provide the desired features. So their clients can interact with a server only if it's compatible. Since these services chose not to release their server-side code, it is not possible to set up different servers for decentralized communication, using the respective clients. I am very concerned that this scheme is going to steer the email ecosystem towards centralization, along with the current email centralization issues with Google and Microsoft.
Any thoughts?
Regards, RG.