[PLUG] Proton Pass

Russell Senior russell at personaltelco.net
Fri Mar 21 04:25:18 UTC 2025


One question I've had for a while is: how does key management work at
Proton? Public key encryption rests on a foundation where your private
key is exclusively known to you, and all reasoning about what is
private is directly tied to "who has access to your private key". One
thing I have been unable to discover, which doesn't seem to be well or
transparently documented, is "where is my private key and how is
access to it managed?" Does anyone know?

My vague understanding is that, supposedly, Proton stores an encrypted
version of your private key and supposedly when you type in your
password into the random JavaScript they send you, you get a copy of the
encrypted key and unlock the key in your browser, but ... and stick
with me here, what if they send you JavaScript that leaks your
password to them? In that case, they have the encrypted key and the
unlocking password and therefore they have possession of your private
key, and all privacy guarantees provided by the math of PK encryption
are lost. Can someone please help me understand why or how that isn't
possible?

Thanks!

-- 
Russell Senior
russell at personaltelco.net
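The scheme the question describes, as an added model that is not part of the original thread and not Proton's own code: the service holds only a password-wrapped blob, so recovering the key needs the blob plus the password, which is why what the served JavaScript does with the password is the crux. The KDF and wrapping construction here are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed model of a password-wrapped private key. Simplified for
# illustration; it is NOT Proton's actual construction.

def derive_kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key derived from the user's password (scrypt, stdlib)."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode to produce a masking stream."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def wrap_private_key(private_key: bytes, password: str) -> dict:
    """What the client would upload: the service sees neither password nor key."""
    salt, nonce = os.urandom(16), os.urandom(16)
    kek = derive_kek(password, salt)
    enc_key, mac_key = kek[:16], kek[16:]
    mask = _keystream(enc_key, nonce, len(private_key))
    ciphertext = bytes(a ^ b for a, b in zip(private_key, mask))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}

def unwrap_private_key(blob: dict, password: str) -> bytes:
    """Client-side unlock. Any party holding the blob AND the password can do this,
    so the privacy guarantee lives entirely at the point where the password is typed."""
    kek = derive_kek(password, blob["salt"])
    enc_key, mac_key = kek[:16], kek[16:]
    expected = hmac.new(mac_key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong password or tampered blob")
    mask = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], mask))

def can_unlock(blob: dict, password: str) -> bool:
    """True iff this password unlocks the stored blob."""
    try:
        unwrap_private_key(blob, password)
        return True
    except ValueError:
        return False
```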

On Thu, Mar 20, 2025 at 8:23 PM King Beowulf
<kingbeowulf at linuxgalaxy.org> wrote:
>
> On 3/20/25 17:41, Michael Ewan wrote:
> > I saw that Proton Pass sponsored a YouTube channel I enjoy (All The
> > Gear is in the UK). It looked good on the surface.  I know some of you
> > use Proton Mail, any experience with Proton Pass?
>
> I've been using Proton Pass on my main Linux box for 2+ years with 90+
> passwords stored (mmm....I should check on some of those sites!).  Works
> well, easy and transparent, with a good feature set.  Only sloth has
> prevented me from migrating it to other devices.
>
> Highly Recommended.
>
> Disclaimer: I am a paying Proton Mail customer
>
> -Ed
>
>
