
Yeah that’s what sucks about this. But you don’t have to really call for intimate messages. WhatsApp cannot read your message since it’s E2EE but they do store and use the metadata. So a casual message and an intimate message are the same in a WhatsApp server’s eyes.


Funny thing is that a lot of people actually do give pins and shit. I know more than a few people that straight up gave me their card and the pin number to buy shit when I was a kid.

Besides, giving embarrassing information to a faceless billion dollar company does not feel as bad as giving it to someone who judges you if they find that info embarrassing. It’s illogical but that’s how a lot of people think.


That’s cool but I like to have a central client for all my email providers. I’ve decided to go to fastmail which is good enough for my threat model. The thing that really convinced me is their blog post.

The main thing I care about is the security of the text in transit, and the philosophy of the service I’m using. All respectable mail providers use TLS (even gmail and outlook) but I don’t like their advertiser dependent business model. Proton, tutanota, and I think startmail do respect privacy, but I believe it’s dumb to depend on an external server if you’re that paranoid about your communications that you need to have your email using PGP. Just encrypt your own stuff and tell the other party to do the same. Or self host everything.


Do you have to put in your password on every session in protonmail? If not, then that means that either the key is unencrypted and is stored somewhere else as plaintext or the password is stored somewhere also as plaintext, which would defeat the purpose.


You can’t search encrypted emails, period. The way I see the benefit of encrypting emails is to not have them compromised in the cloud servers. But on my own machine, if someone gains access to the files, then it’s all ogre. Maybe that’s just me IDK.


Why Not Store Encrypted Emails in Plaintext Locally?
Clients like Thunderbird are great because you have everything stored locally so you can easily search offline. They also support encrypting and decrypting emails in PGP. However, they seem to have the same limitation as protonmail where you can't search through encrypted emails. I know that protonmail can't just store your key at their server since that would defeat the purpose, so the emails are all ciphertext to them right? But in Thunderbird, you already have the key and decrypt everything all the time. So why can't you skip the middleman in your local machine and store everything locally in plaintext? It's not less secure since if your local machine is compromised, your private key is also compromised. Or at the very least give us the option and have a slightly less secure but much more convenient option.

I said a keepass db but whatever homie


I use it and it’s great, but it’s not immediate a lot of the time.


Kind of a Rant
I love the idea of having privacy in independence from all the tech giants' services. I have a server at home that hosts my storage, media, synchronization, and backups, along with some other random services. Since all these services are basically my life, I sometimes read about better security practices to replace whatever I do. Although sometimes, I feel like I can't figure out what practices are actually bad and really put me in a bad spot, and if they are good enough for me.

For example, I use a Keepass database to store my passwords. I want to sync them across all of my devices immediately. So I saved it in my VPS, and made the Android client fetch it every time I sync. I also made a script that uploads the local database every time it is changed. However, I don't want it to override remote changes that I may have not saved on my local machine. To solve that, I made the script download the remote database and compare it to the local one before uploading. To compare, I made the script read from a PGP encrypted file that has the password to my database, and input that to keepass-diff. However, I read that using PGP is bad from [this](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) article. I can't say I completely understand what the author is saying, but I trust that they know their stuff. However, I feel like this is a bit nitpicky. Would using GPG make me exposed to massive risk as opposed to using any other service? I guess it's not that hard to move over to something like ccrypt or whatever, but why bother? Besides, I can tell GPG to keep my key in the session for a long time so that I don't have to input it every time. I don't know if ccrypt can do that.

Another example is using F-Droid. I came across [this](https://privsec.dev/posts/android/f-droid-security-issues/) article and this one went way over my head since I'm not really well versed on Android. But the gist I got is that F-Droid is not only insecure but is also bad for getting timely updates. I checked and some apps are something like 7 patches behind which is unacceptable for me.

One last example and this one is kinda petty no lie. The fact that RSA is trash. I read here and there that RSA is an old and deprecated encryption algorithm that no one should use. [This](https://blog.trailofbits.com/2019/07/08/fuck-rsa/) is another article that (surprise surprise) also went over my head. But what I could understand is that it is too easy to make mistakes using RSA and it should be in the history books. But I already made many SSH keys without choosing the encryption algorithm, so it's gonna be a bit inconvenient to change all of those.

So my question to y'all is that, how do I find the line between using an acceptable albeit non-optimal practice, and using an unacceptable practice for security? Of course, I also have to put in mind the convenience, so I can't just change up my practices every 8 seconds when I find out that whatever program I'm using is a ticking time bomb.
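For the SSH keys mentioned in the post above, an inventory of which keys are RSA and at what size shows how much there actually is to rotate. This is an added example, not part of the original post: it decodes OpenSSH public key lines (`.pub` format, assumed to carry no `authorized_keys` options prefix) and reports the algorithm and RSA modulus size. The function names are hypothetical and the sample lines are constructed, not real keys.

```python
import base64
import struct

def _read_string(blob, offset):
    """Read one SSH wire-format string: 4-byte big-endian length, then bytes."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end

def describe_public_key(line):
    """Return (algorithm, rsa_bits_or_None, comment) for one public key line."""
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("not a public key line")
    declared, b64 = fields[0], fields[1]
    comment = fields[2].strip() if len(fields) > 2 else ""
    blob = base64.b64decode(b64, validate=True)
    algo, offset = _read_string(blob, 0)
    algo = algo.decode("ascii")
    if algo != declared:
        # The type inside the blob is what the server actually uses.
        raise ValueError("declared type does not match key blob")
    bits = None
    if algo == "ssh-rsa":
        _exponent, offset = _read_string(blob, offset)
        modulus, _ = _read_string(blob, offset)
        bits = int.from_bytes(modulus, "big").bit_length()
    return algo, bits, comment

def audit(text):
    """Describe every key line in the text, skipping blanks and comments."""
    return [describe_public_key(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def _constructed_line(algo, parts, comment):
    """Build a sample line with the right layout (constructed, not a real key)."""
    blob = b"".join(struct.pack(">I", len(p)) + p for p in [algo.encode()] + parts)
    return f"{algo} {base64.b64encode(blob).decode()} {comment}"

# Constructed sample input: correct wire layout, dummy key material.
SAMPLE = "\n".join([
    "# constructed sample, not real keys",
    _constructed_line("ssh-rsa", [b"\x01\x00\x01", b"\x00" + b"\xc3" * 256], "old-laptop"),
    _constructed_line("ssh-ed25519", [b"\x11" * 32], "vps"),
])

if __name__ == "__main__":
    for algo, bits, comment in audit(SAMPLE):
        print(f"{comment}: {algo}" + (f" ({bits} bits)" if bits else ""))
```

To run it against real keys, pass the concatenated contents of the `.pub` files to `audit()` instead of `SAMPLE`.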