webext-signed-pages
ProtonMail Web Client
webext-signed-pages | ProtonMail Web Client | |
---|---|---|
16 | 181 | |
180 | 4,146 | |
- | 2.1% | |
0.0 | 10.0 | |
over 1 year ago | about 1 month ago | |
JavaScript | TypeScript | |
BSD 3-clause "New" or "Revised" License | GNU General Public License v3.0 only |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
webext-signed-pages
-
E2EE on the web: is the web that bad?
There is "Signed Pages" by the debeloper of EteSync. It is a browser extension, that checks webapps based on signatures in the html file. The addon then warns the user if the signature is not correct or - if I remember correctly - the source changed. This allows you to be sure what webapp code was delivered. But it seems like it did not really get used outside of his own projects. https://github.com/tasn/webext-signed-pages
-
Cloudflare and CDNs - call for community opinions
EteSync has implemented something called Signed Pages, this might be worth looking closer at. This uses PGP keys which is preloaded into the browser; but I suspect that will be a barrier too high for most non-tech users.
- Is there any tool to verify client-side website code you get served is the same as the open source version?
-
Truly safe?
There are also projects like signed web pages which can also help increasing the trust level to some degree. But that requires that you can download the source code and regenerate the verification hash locally - or have other trusted methods to verify the hash value hasn't been modified as well. The current concept is reasonably sane, but it requires too much from users currently to make it widely used.
- A browser that verifies Javascript
-
Security experts declare all Proton apps secure after security audit
> The server can at any time start serving malicious payloads
True, and I call this threat model "Beware Each and Every Fetch" (BEEF) in contrast to the more common TOFU model (although if you trust a desktop app to auto-update itself then these two models might not be all that different).
In any case, I think you're being a little quick to dismiss the idea of server-hosted applications. It's true that browsers don't natively have a nice way of pinning specific versions of a web app, but there is the clever hack of SecureBookmarks[0] (if you're prepared to sacrifice the UX), or, more realistically, you can pin the web app version using some sort of browser extension.
Examples of the latter include the Signed Pages extension[1], and Code Verify[2], which is the result of a collaboration between Meta and Cloudflare (for securing the WhatsApp Web code, currently, but should eventually support other sites like Proton's too). Of course, it would be much better if this capability was natively included in browsers themselves, but hopefully adoption of this technology will pressure browsers and standards bodies to take ownership of this.
[0] https://coins.github.io/secure-bookmark/
[1] https://github.com/tasn/webext-signed-pages
[2] https://github.com/facebookincubator/meta-code-verify
-
ProtonMail Is Inherently Insecure, Your Emails Are Likely Compromised
Something like a browser extension for this does already exist, fortunately:
https://github.com/tasn/webext-signed-pages
-
"Were you able to subpoena ProtonMail?"
In regards to untrusted webapp, yes, that is a reasonable attack vector. That said, I've heard from ProtonMail they have been considering to implement Signed Pages to help mitigate (at least some of the) issues with this attack vector.
-
Proton’s priorities
Which is why it is important to get proper E2E encryption on e-mail, where the source is open source and can be audited. And then that there are verify mechanisms to verify that the source code has not been manipulated. For web services there are signed-pages which is quite interesting.
ProtonMail Web Client
-
Proton Mail Discloses User Data Leading to Arrest in Spain
> Is this password-derived key the "account key" which I see in the Proton Mail settings interface?
No, the account key is an OpenPGP key which is encrypted with a key derived from your password. The "key encryption key" is not separately visible. The address keys are in turn encrypted using the account key.
> Please clarify what key derivation function is being used.
We use bcrypt, in addition to the OpenPGP S2K (i.e. the bcrypt output is fed as the "password" to OpenPGP's key encryption).
We are in the process of rolling out OpenPGP.js v6, which supports Argon2 for the OpenPGP S2K step, after which we'll start using that - but we aren't quite yet.
> Are there instructions for verifying that all this is happening? I think a lot of folks on HN won't be convinced otherwise.
Take a look at https://github.com/ProtonMail/WebClients/blob/main/packages/..., for example. Though to be honest, if you want to verify that we aren't sending the password to the server anywhere, in principle you'd have to check the code of the entire web app. It's all open source, but it's a lot of work, of course. But you can also check the latest audit report: https://proton.me/blog/security-audit. They also verified all of this stuff.
> It's just that I'm going to create an OpenPGP identity for things like signing code commits on git, signing packages I publish. (...) So I was really hoping to be able to use Proton Mail with this identity instead of the key pair that's generated for the account.
Yeah, I understand. Though, the typical advice from a cryptographer's perspective would be, it's better to use separate keys for separate purposes; and the simplest way to do that is to generate separate OpenPGP certificates, so that's what we'd generally recommend. But, if you want to generate separate subkeys and sign them all using a common primary key, that's also reasonable enough. And, we can improve the documentation on that, although it's a bit of a niche use case (not for HN of course, but for the general audience it is).
> Thanks for reaching out here on HN. I've been a really happy Proton Mail customer and now I'm even happier.
Thanks, glad to hear! :)
- Has anyone tried to run the Proton Mail UI locally?
-
ProtonDrive encryption key
The source code is here https://github.com/ProtonMail/WebClients
-
Proton Pass – Protecting your passwords and online identity
> Finally, in keeping with our long track record of transparency, Proton Pass is open source so anyone can review and verify our security architecture
They sure do enjoy writing that sentence without including any hyperlinks. This (https://github.com/ProtonMail/WebClients/tree/main/applicati...) appears to be the browser extension and https://github.com/ProtonMail/WebClients/tree/main/packages/... appears to look like the backend referenced in the extension's readme, but that directory's readme is zero bytes so (shrug)
- Where is the source code for Proton Drive?
-
Basic HTML Mode?
Fork the frontend and make your own lightweight option
- Where can I find the source code of the web app?
-
Announcement: SMTP Server in Rust with DMARC, DANE, MTA-STS, Sieve, OTEL support
PS: I hope that we selfhosters will have a modern, efficient, easy to use mail suite one day with modern features like JMAP, good self-learning spam integration, automated checks and validations for SPF/DMARC/DKIM or whether the IP/host suddenly appears in a blocklist and integrated encryption at rest for emails. Something that isn't 30 services in a container image, with 30 different configuration styles. Maybe even with an API integrated that's compatible to the ProtonMail frontend (like the neutron server once intended to be). Anyway, I'm sorry for dreaming. ;)
-
Why is the "Special offer" button still there after I purchased 1 year of Mail Plus through that very button?? Not happy.
And if you want to customize it further you can use Stylus to add custom CSS, Tampermonkey to add JS, or even modify the whole thing yourself from source (if you run it locally it syncs with your actual account).
- Is Proton Drive better than Sync.com?
What are some alternatives?
photos-app - ➡️ Moved to https://github.com/ente-io/ente
SimpleLogin - The SimpleLogin back-end and web app
mailvelope - Browser extension for OpenPGP encryption with Webmail
Roundcube - The Roundcube Webmail suite
frame - System-wide Web3 for macOS, Windows and Linux
RainLoop - Simple, modern & fast web-based email client
pacman-bintrans - Experimental binary transparency for pacman with sigstore and rekor
Tutanota makes encryption easy - Tuta is an email service with a strong focus on security and privacy that lets you encrypt emails, contacts and calendar entries on all your devices.
leCrypt-web-extension - leCrypt is a decentralised password manager which is cross-platform, free and secure.
Mailpile - A free & open modern, fast email client with user-friendly encryption and privacy features
proton-mail - React web application to manage ProtonMail