| ▲ | rvnx 3 hours ago |
| Most of the privacy claims (of all type of apps) are essentially garbage anyway because realistically, if a website or an app can be compelled to push an update to a specific user, then they can intercept anything they want. It doesn't even have to be a specific binary, it can be "just turn on this A/B testing / debug flag for that user" or a piece of javascript |
|
| ▲ | illiac786 34 minutes ago | parent | next [-] |
| Privacy and security are not binary. Statements like “because it isn’t 100% secure or private, then it is not worth it” means one has essentially no clue. There is not such thing as 100% privacy or security, for starters. It’s all layers of protection and/or trust and compromises. |
|
| ▲ | The_Goonies1985 3 hours ago | parent | prev | next [-] |
| >Most of the privacy claims (of all type of apps) are essentially garbage... True. Everything has backdoored CPUs as its foundation. Consider, for starters: (Intel's 'Management' Engine); AMD's (PSP); Apple/Arm (black-box hardware). You can layer as much theater as you like on top of the hardware-surveillance-layer in modern computers; it still won't grant you privacy. |
| |
| ▲ | txrx0000 24 minutes ago | parent | next [-] | | Counter-surveillance is not a binary switch. We can win by forcing the government to use increasingly expensive backdoors and exploits (>$10k per capita per year, beyond which mass surveillance is impractical even with a $1T budget). Hardware backdoor capabilities are costlier to maintain and use than something at the app level. Encrypting content and leaving metadata exposed is still better than encrypting nothing because they'll have less info to work with which means more effort. The point of all this is not to make it impossible for the gov and corps to surveil a targeted individual (of course they'd be able to if they expend enough resources). The point is to ensure that they only have enough resources to do targeted operations rather than blanket mass surveillance. The former is fine for a democracy, but the latter destroys it. | |
| ▲ | badgersnake 3 hours ago | parent | prev | next [-] | | Power is open. But nobody wants to build power devices for some reason. | | | |
| ▲ | fsflover 2 hours ago | parent | prev | next [-] | | This is security nihilism, https://news.ycombinator.com/item?id=27897975 | |
| ▲ | 3 hours ago | parent | prev [-] | | [deleted] |
|
|
| ▲ | boramalper 3 hours ago | parent | prev | next [-] |
| > Most of the privacy claims (of all type of apps) are essentially garbage anyway I think that’s a sweeping generalisation. |
| |
|
| ▲ | victorbjorklund 3 hours ago | parent | prev | next [-] |
| I don’t think that is a useful definition even if technically true. With that logic even Linux isn’t privacy because in theory they can push code that will only run for you. |
| |
| ▲ | palata 2 hours ago | parent | next [-] | | I think the argument is that when you load a webpage, you download the code everytime you want to run it, from servers owned by the company building the service. So they can choose to serve you different software (e.g. with a backdoor), just this one time and just for you, and you won't know (not that it would be impossible, but it is generally impossible in practice). When you download a program on Linux through the distro package manager, you download it once and run this, every time. You know very well when it gets updated. You can compare the hash of your program/package with the one distributed by the distro, and the distro is not the developer of the program (so there is another layer there). You can audit that code (if open source), and at the very least you can compare with others to see if they receive the same code. And again, the program is served by the distro, not by the developer. The backdoor situation would require asking the developer to implement a backdoor, and then asking the distro to server you a different executable, and then hoping that you never, ever check the hash of that program that you own offline. It's a lot harder. In a way, for ProtonMail (in your browser) to be "end-to-end encrypted", you have to trust Proton. But that kind of defeats the purpose of end-to-end encryption. Same applies to e.g. WhatsApp Web, which is an interesting example because there exists a browser extension allowing you to "validate" that you run the code Meta expects you to run. Though you still have to trust Meta: the extension only helps making sure that nobody other than Meta is abusing you. The WhatsApp mobile app doesn't have that problem, as it is distributed as an archive by a third party (Play Store). | | |
| ▲ | IAmBroom 41 minutes ago | parent [-] | | > In a way, for ProtonMail (in your browser) to be "end-to-end encrypted", you have to trust Proton. But that kind of defeats the purpose of end-to-end encryption. Yes, and every VPN in the world (that isn't self-hosted) relies on trust that they won't share your info, not even your fingerprint - which defeats the purpose of VPNs. It's very hard to have perfect security. OK, impossible. |
| |
| ▲ | maweaver 3 hours ago | parent | prev | next [-] | | Using what mechanism? Most Linux updates are not pushed but rather pulled at the user request. You can use Linux totally offline. This is fundamentally different than a webapp, where code is sent with every visit | | |
| ▲ | izacus 2 hours ago | parent [-] | | The automatic updates most distros have enabled by default. Signal desktop outright stops working if you don't constantly pull updates from them. | | |
| ▲ | 63stack an hour ago | parent | next [-] | | Debian requires unattended-upgrades to be installed (it's not installed by default), Mint and Fedora has the option of enabling automatic updates (disabled by default), Arch has no mechanism for automatic updates. Which ones are these "most distros"? | |
| ▲ | the8472 an hour ago | parent | prev | next [-] | | Distros have mirrors and they don't know which one you use. The updaters don't send user IDs and downloading the package lists is separate from downloading the packages. So targeted backdoor distrubution is much harder than a company's web UI with user logins targeting a specific user. | |
| ▲ | littlestymaar 2 hours ago | parent | prev [-] | | Signal pushing updates every other day is pretty much a security anti-pattern though. It makes it almost as vulnerable as a web app to this kind of thing, but this isn't the typical Linux software experience by any stretch. |
|
| |
| ▲ | progbits 3 hours ago | parent | prev | next [-] | | How will they push it? | |
| ▲ | 63stack 3 hours ago | parent | prev [-] | | Linux as in the kernel? Who is "they"? Torvalds? |
|
|
| ▲ | kalaksi 3 hours ago | parent | prev | next [-] |
| You'll have to be more specific what kind of "privacy claims" you're talking about. Proton is definitely a lot more private than, say, Google. But, as always, you'll have to trust the party delivering the binaries you run. Also, any company operating legally, have to co-operate with court orders etc., but afaik they try to push back |
|
| ▲ | akimbostrawman an hour ago | parent | prev | next [-] |
| >if a website or an app can be compelled to push an update to a specific user, then they can intercept anything they want yes which is why i hoped they would implement a verification system like with a browser addon that compares the website client code used for encryption and alerts the user if it does not match the one served everyone else. ctemplar mail used to have this many years ago https://web.archive.org/web/20200201012958/https://ctemplar.... |
|
| ▲ | Imustaskforhelp 3 hours ago | parent | prev | next [-] |
| I once did some tinkering with Proton Docs and I was able to find that the comments within Proton Docs when I used it via curl definitely felt like it had something like logs (I feel like I should try doing this again to have more definitive answer) Either way, the response was encrypted but they hold the encryption key atleast within proton-docs. I also want to say that Proton allows the ability to change password through OTP, (Something which I sorta appreciate[0]) but that means that their infrastructure can then have the ability to change password and you can toggle that functionality by sending a request to proton to allow OTP and on which number, so proton themselves can do that too. Unless, I am getting it wrong, by default, Proton still has your encryption keys and even if you change them (which 99% including me might not do), even then I definitely feel like there can be some concern. To be honest, There is nothing like zero trust, that's what I learnt, You are still trusting Proton Aka The swiss laws behind it so that you know that they won't get legally forced to give more data than usual (like US companies for example) but they will still comply with the swiss laws (recent proton incident) Then, secondly, you have to trust Proton themselves, but with something like this incident where Proton Meet might be omitting somethings, it doesn't paste a clear picture of transparency or trust. I don't really know why Proton might create something like Meet especially with its infrastructure relying on the CLOUD Act, and then, try to sell it within the idea of privacy. They both are contradictory. Proton is, creating lots of products, On one hand I can appreciate that, but on the other, as part of community, I feel frustrated/sad because they don't have some core features like proper proton drive rsync support or even some API[1]'s surrounding it. I tried to do the experiment in first place because I wanted to create a commenting engine for static websites which could use proton-drive as its backend. They really could gain a lot from transparency with proper API support and letting the community do things with it, but that's not really the case :/ I am still using Proton but they definitely aren't a bastion recently. I might still recommend Proton, but I sort of hope that companies self host some open source applications themselves, whether self-hosting with hardware or in a proper EU cloud like Hetzner/OVH. But Incidents like these are making me a little more hesitant to recommend Proton nowadays. [0]: as someone who had lost one of my previous accounts after my Keepassxc database got deleted because of me accidentally wiping my archlinux with tinkering with it, Now I use Bitwarden with OTP on proton. [1]: I was able to make something like an API myself by relying on something like puppeteer, even with puppeteer though, it was really hard to make something like that. I couldn't create a public endpoint of it because having puppeteer instances for a commenting engine would be very resource intensive. |
|
| ▲ | henearkr 3 hours ago | parent | prev [-] |
| Is there any evidence that the mechanism to do that is in place? I think that would be widely decried especially on HN if that is one day implemented. |
| |
| ▲ | chrismorgan 3 hours ago | parent | next [-] | | You need mechanisms to avoid the possibility. The mechanisms to do such things exist by default, by both the software provider (e.g. Proton) and the software distributor (e.g. Apple for App Store, Google for Play Store, Cloudflare or AWS for web stuff), and various countries have laws that allow them to secretly compel implementing specific backdoors. In order to block the distributor from going rogue, you need to be able to guarantee that the user device can only install/run code signed by the provider, who must never give those keys to the distributor. My impression is that Android is the only major platform that ever had this, but that Google ruined it a few years ago in the name of lighter bundles by insisting that they hold the keys. (I once had VLC from Google Play Store, but replaced it with a build from F-Droid under the same app ID; Google Play Store shows it has an update for it, but that it can’t install it.) In order to block the provider or distributor sending specific users a different build, you need something more like Certificate Transparency logs: make it so that devices will only run packages that contains proof that they have been publicly shared. (This is necessary, but not sufficient.) And if you’re using web tech, the mechanisms required to preclude such abuse do not at this time exist. If you’re shipping an app by some other channel, it can do a resource integrity check and mandate subresource integrity. But no one does things that way—half the reason for using web tech is specifically to bypass slow update channels and distribute new stuff immediately! | |
| ▲ | Cthulhu_ 3 hours ago | parent | prev [-] | | Yes? A/B testing flags, auto-updates, server-side re-routing, etc are just some mechanisms from the top of my head that can do that. The ways to avoid it is by having locked and cryptographically verified software and connections. | | |
| ▲ | izacus 3 hours ago | parent [-] | | That's not evidence, that's conjecture again. Is there evidence that this kind of client push is actually used to extract data in these projects? | | |
| ▲ | nextaccountic 3 hours ago | parent | next [-] | | That's evidence for the mechanism, as asked The evidence that it's being actively used in the US is in the secret proceedings of a secret court. I kid you not, look up FISA warrant | |
| ▲ | Imustaskforhelp 3 hours ago | parent | prev [-] | | Not sure if that counts as proper evidence, but I have seen some logs[0] albeit with encryption but from my understanding, they control the encryption keys or atleast certainly have the ability to change (if they get hacked themselves for example) Would you like to see a proper evidence of the logging policy? I feel like I can try finding that again if you/HN community would be interested to see that. Edit: also worth pointing out that keeping logs with time might be a form of meta-data, which depending on your threat-vector (journalism etc.) can be very sensitive info. [0]: my another comment here: https://news.ycombinator.com/item?id=47624960 | | |
| ▲ | izacus 2 hours ago | parent [-] | | I'd like to see any kind of evidence that there's any substance of in these accusations of services not actually being private - not just theoretical theorycrafting about mechanisms. And how does that compare to other services we have available and people actually use. |
|
|
|
|
