“Basically then it degrades to a very strong password that can’t easily be phished.”
I’m disagreeing with this, in that you are still (hopefully) using 2FA with your vault. Therefore whatever you’re accessing in that vault, whether it’s a TOTP token or a password, is still protected by MFA and not just a “very strong password”.
Putting a TOTP token inside a vault protected by a strong password and another form of authentication is no less secure than having it be separate from the vault.
This seems more like a user issue than a security issue. If you are avoiding this feature because you have to idiot-proof your security against yourself, you’re probably going to be compromised at some point anyway.
As for your example, this seems easily avoidable by
Why do you think it’s not safe? If you trust Bitwarden to protect your passwords, what exactly do you think is going to happen?
Even if Bitwarden is compromised in some way in the future, all that data is still encrypted and would still be highly unlikely to actually be accessed in any usable form.
The only risk is if you use a bad master password, which is the biggest risk of using a password manager regardless.
You seem to be avoiding the fact component, which is that they have proven through yearly audits that their security is what you would want in a service that holds your data, and have decided to instead rely on one instance (in 10 years of that service being around) that has nothing to do with the issue, plus your own feeling of how companies operate (FUD).
Not every concern is, but ones where the concern is based solely on fear and hypotheticals are. This all-eggs-in-one-basket line of reasoning is FUD and has no real bearing in reality.
Even this email issue really has nothing to do with whether you should trust Proton in terms of OP’s post. If you really believe Proton is going to sell you out, you wouldn’t use them anyway, and Proton following the laws is something every legit business is going to do, not something specific to Proton. If you have the threat model of an activist you need to be careful about your opsec, as I explained in a previous comment.
Proton can see my traffic. I already know that. Any VPN provider you use could. It’s not that I trust Proton implicitly, it’s that I trust them more than my ISP, which would be able to see it if I did not use a VPN. Couple that with their record of audits and I’m not sure what else you could expect from them.
It doesn’t matter what is being discussed; if it’s about Proton, the email incident gets brought up.
Here is the deal. No major company is going to break the law for its users. Had the activist been using Proton VPN to create and access their email, Proton would not have had the info they were forced to give up. The takeaway from the story is that bad opsec is usually what gets people caught, whether it’s activists or hackers.
Whether you use Proton or someone else, you will need to trust that service. If you don’t trust them, don’t use them. It’s that simple, no need for conjured-up FUD excuses.
If all your eggs are encrypted, having those eggs in one basket or five doesn’t matter from a security perspective. It’s the same reason you wouldn’t split up your passwords across multiple password managers.
That being said, the much more likely scenario is that at some point in your lifetime Proton’s values change (either by being purchased or by new leadership) and you have to move on. That’s why, regardless of how good a provider’s security is, it’s good to have backups elsewhere.
“All security is porous” is pure FUD reasoning and completely disregards the security audits Proton does to make sure it’s not anything like LastPass.
Using LastPass as a strawman is not a compelling argument.
OP and you are also assuming that if Proton was breached, all the user encrypted data would somehow be available to the malicious party, which is also extremely unlikely.
This whole line of thinking seems to be based on FUD more than anything else.
There is no evidence or reason to believe some major compromise of Proton will happen.
If you’re that worried about Proton, you probably should just not use the service at all.
Also, using the 3-2-1 backup rule should help mitigate this fear of having everything with one service.
You may want to check out AirVPN - great port forwarding implementation.
Long history of being privacy-respecting and completely FOSS, but they don’t do audits (which is a super big deal to some and a big reason it’s not recommended on PG).
Just make sure to use the WireGuard client, as their own client kind of sucks.
Yeah, disclosure is always good; it’s just odd the way they handled it:
-no official post (yet)
-makes the announcement as a reply to a forum post even though they have a specific forum thread for this exact thing
-all of a sudden has a 7-year wait time in its disclosures policy
-not written very professionally (I tend to assume English is a 2nd language for the staff, but still, as an organization the staff should be a bit more refined).
I’m a user of AirVPN. I like them, but they do odd things like this, or being very obtuse about why they won’t get audited.
That’s what I would say too; need to slim the herd before the 1st round of interviews.