Started to move off Google (not strictly self-hosted) - eviltoast

Started to move off Google’s services to proton:

  • Atemu@lemmy.ml
    link
    fedilink
    English
    arrow-up
    8
    arrow-down
    1
    ·
    11 months ago

    They’re not doing like proton and close basic stuff like IMAP and SMTP as a way to force you on the official apps

    The reason Proton cannot do IMAP/SMTP is that they cannot read your emails which is required for both. That’s a feature, not a bug.

    PM works with any app as long as the app implements their custom protocol for which there are at least two FOSS implementations as a reference.

    proton is a “fake” open source that is mostly used for marketing: they opened only the UI, which communicates with a proprietary protocol to a proprietary server - useless

    While I’d also prefer their back-end to be OSS, it’s not nearly as critical as the clients.
    As a user, it doesn’t make a difference. I’m paying for an opaque service either way.

    All the interesting stuff (E2EE, zero access storage) happen in the clients anyways. The BE is fairly uninteresting; it’s a mail server + zero-access encryption + Proton account handling. If you really wanted to build a mail service similar to Proton, you could build that yourself and probably would have to anyways.

    • Moonrise2473@feddit.it
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      2
      ·
      edit-2
      11 months ago

      i think instead the opposite. The backend is the real interesting part, and the only way that we can be sure that “they cannot read the emails” (they arrive in clear, saved with reversible encryption and they have a key for it - if you use their services to commit crimes they will collaborate with the law enforcement agencies like everyone else)

      imap/smtp can be toggled with a warning, if that’s really their concern. As of now i have the feeling that’s instead blocked to keep users inside (no IMAP = no easy migration to somewhere else) or to limit usage (no SMTP = no sending mass email)

      • Atemu@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        11 months ago

        The backend is the real interesting part, and the only way that we can be sure that “they cannot read the emails”

        While I’d still prefer it, OSS can’t really help with that because what’s really required here is remote attestation.
        That is an unsolved problem to my knowledge; there is no way to know which software they’re actually running. Even if they published the source code, they could trivially apply a patch in their deployment that stores all incoming email somewhere and you’d be none the wiser.

        Even if they published source code and could somehow prove to you that they’re running a version derived from it, you would still not be safe from surveillance as one could simply MITM all connections. See i.e. https://notes.valdikss.org.ru/jabber.ru-mitm/.

        That’s likely one of the reasons they do everything they can to make PGP accessible to every user.

        imap/smtp can be toggled with a warning, if that’s really their concern

        It’s plain and simply not how their service works. They’d have to build most of their service a second time but unencrypted.

        It’s like asking Signal to build in support for IRC; it does not make sense for them to do that in any way without malicious intent needed.

        no IMAP = no easy migration to somewhere else

        You have IMAP access via the bridge. That’s what it’s for.