• ethicallypulmonary@lemmy.ml · ↑0 · 3 years ago

        What part of Signal is not open source? Both the Signal clients and server-side code are licensed under GPL and AGPL respectively.

        They hadn’t published the server-side code (which we can’t verify they’re running on their AWS/Azure servers anyway) for a long period of time, however, it’s now being released to the public again.

        • DnuOLp0@lemmy.ml · ↑1 · 3 years ago

          The problem with Signal is that you have to trust them instead of choosing a host that you trust or hosting a server yourself.

          • ethicallypulmonary@lemmy.ml · ↑1 · 3 years ago

            I agree. But it’s worse than what you’ve said here; Signal is only accessible on Android/iOS and not on the Pinephone and its myriad OSes, for example. People have to develop their own clients for Signal, but Signal has said that they will deny these clients access to the server. But there’s no way they’re going to develop Signal for these obscure platforms.

            Now, whether they’d actually do that is another thing altogether, but they’ve said they would, and they’ve done it before.

            As I mentioned before, Signal’s servers are hosted on AWS and Azure, which, even if that doesn’t concern you from a personal privacy perspective, Signal is funding these anti-privacy actors, and continued use of Signal increases its popularity, which increases the number of servers it needs to support users, which increases the amount of money it has to pay to these companies. So, by using Signal, you are indirectly financially supporting Amazon.

            That makes me a little uncomfortable.

            While you could make the argument that Signal’s servers can’t access your message content because it’s E2EE, metadata is still accessible, and probably accessible to Amazon and Azure, as they host the servers.

            And Signal is also making weird moves lately with MobileCoin, which seems directly related to withholding their server source code for over a year.

            Worst of all, you need a phone number to get Signal working. You could use a landline, or a free phone number, or a VOIP number, but you still need to do this to use Signal. Thankfully, it’s not limited to mobile numbers, because SIM cards are tied to your identity in some countries, but you need a phone number. This barrier to entry exists for no good reason. It exists for a reason (Signal was meant to replace SMS), but it’s not a good reason. Being given the option to link Signal to your phone is a good idea. Being forced to link Signal to a phone is dumb and annoying.

            Signal might be open source, but they’re doing everything they can to close it off, which really annoys me.

            But Signal isn’t proprietary, like @SudoDnfDashY suggested.

            • Sr Estegosaurio@lemmy.ml · ↑1 · 3 years ago

              Good comment exposing all. I agree with you, what Signal has been doing sucks. But I heard somewhere that there was a Signal-based app that was a bit better (not requiring phone number etc.). I will research a bit about it.

  • Sr Estegosaurio@lemmy.ml · ↑1 · 3 years ago

    That is a big Oof. But yeah, PM is far from being perfect. I use it bc:

    1. Better than Gmail & etc
    2. Unable to selfhost email :c

    But one thing, how secure will it be to selfhost your own email? If I selfhost one, which will be the most secure & private tweaks that I can apply?

    • blank_sl8@lemmy.ml · ↑1 · 3 years ago

      If you selfhost the email on your own hardware, then the IP will be apparent to anyone. If you selfhost it on somebody else’s hardware, they can be legally compelled to log your IP as happened here with Proton. But if you aren’t committing any crimes, selfhosting either way is probably more private than Proton, since you are more confident in what software is running, while with Proton you have to trust that the frontend being served is actually the e2e encrypted one.

    • iortega@lemmy.eus · ↑1 · 3 years ago

      I personally use migadu. Don’t know about how private it is but it is cheap and allows for loads of addresses and domains.

    • blank_sl8@lemmy.ml · ↑1 · edited · 3 years ago

      Even if they were, the Proton company would have been legally required to trace their connection through Proton VPN. Using Tor would have been the better move.

      EDIT: apparently Swiss laws exempt VPNs from these sorts of legal issues.

  • k_o_t@lemmy.ml [M] · ↑0 · 3 years ago

    this sucks, but I also can’t blame them too much

    most people seem to have an unrealistic expectation for protonmail to function as an underground criminal organisation, providing email services to drug dealers, and wiping their asses with subpoenas, which runs contrary to their goal of providing user-friendly private email to as many people as possible, not only the ones that would go to extremes no matter what

  • johnsmith444@lemmy.ml · ↑0 · 3 years ago

    Really, what is the average person supposed to do to have a private email? I heard Edward Snowden say that email is fundamentally flawed and will never be secure. I’ve thought about hosting my own email server, but even then I need to buy a domain name, likely with my own card, and buy a VPS with my own card, and it traces back to me.

    • je_vv@lemmy.ml [OP] · ↑2 · 3 years ago

      Just in case, perhaps one can get away with dynamic DNS sort of pseudo domain, not a full domain, so that you can access services you host at home, without having to know the IP. At any rate, whether pseudo DDNS or full DNS, the IP is fully recognizable.

      The advantage of a VPS might be some protection against home blackouts and internet loss every now and then, depending on where you live. However, self hosting poses several issues: isolating your network (firewalls plus kernel hardening), hardening the servers, protecting against common attacks such as denial of service, as well as infiltration of the services. All that, not to mention dealing with spam and much more.

      However, I’m tending towards the idea that we have to self host nowadays. Trusting providers is not wise. Granted, email is not secure, nor private; however, the same applies to other services. FB is even looking at ways to extract information from WhatsApp without decrypting messages… Signal leaks quite some information about its users, and though they advertise themselves as not able to decrypt messages, they can and probably do share all metadata they grab.

      I’d really like distributed mechanisms, to take over, and become mainstream, not just decentralized, because then there are no servers to depend upon, and the information is just shared among those whom the information was generated for, no trusting in servers, not even your own.

      • LemonWedge@lemmy.ml · ↑1 · 3 years ago

        I like the idea of self hosting email - it just seems to be a total pain however. I’ve done it a few times but the process is so fragmented and I just don’t have the time to dedicate to maintaining it.

    • Ferk@lemmy.ml · ↑0 · edited · 3 years ago

      “Private” and “Anonymous” are different things.

      You can protect privacy with encryption, and I believe ProtonMail does work for that, but trying to protect anonymity is an entirely different beast. I’m not convinced it’s possible at all in any way that’s reliable (not just email but also even simple web browsing) unless there’s a change in how routing works in the internet, or a new layer is developed (like I2P, but even that’s not really a warranty).

        • Ferk@lemmy.ml · ↑1 · edited · 3 years ago

          Sure, someone can have high standard for privacy and at the same time have no desire for anonymity. But what was compromised in this case is the identity of the person who owns the email. The email remains private, just not anonymous.

            • Ferk@lemmy.ml · ↑1 · edited · 3 years ago

              What the email provider snitched is the IP address (which wasn’t “tori-fied”). So it was anonymity that was compromised in this case.

              The email was openly used for activism so the police was already investigating it, they only wanted to know the identity of the physical person behind it, and that’s what ProtonMail helped with, since the activist didn’t use anonymizers. The police didn’t need to decrypt the contents of the account or compromise its privacy (which is what using ProtonMail would have protected against), just its anonymity.

    • Jedrax@lemmy.ml · ↑2 · 3 years ago

      I expect far better quality than Reddit here.

      Yes, but we need people like you to provide that content. In short, don’t expect other people to be that change; that change starts with you. Thanks for the resources and level-headed opinion. People in general who use any service provider for “privacy reasons” should only do so to keep the issuing company from scanning their messages and selling data about you. Email itself, regardless of how it’s set up, will fail you if you’re thinking it will keep you hidden.

    • bluetoucan@lemmy.ml · ↑2 ↓1 · edited · 3 years ago

      This is not a question of ProtonMail vs Gmail.

      What do you mean by this?
      Presumably for a lot of people that is going to be the main, perhaps only, question.