Aaaand it’s electron garbage.
Out of the loop, what’s wrong with electron?
It’s basically Chrome. It’s not a real application, it’s a website pretending to be one. It uses a metric fuckton of RAM and eats your battery faster than Prince Andrew a minor.
If Firefox could allow their engine to be packaged like this I’d use it. The problem I see here is chromium. Everything is a trade off and we need more ways to build maintainable cross platform applications.
Slack, for example, is Electron and it runs great. One of the best apps I’ve used. And it works better than the browser version…
The hate on Lemmy of electron is a bit of an overreaction if you ask me. Yeah it uses more ram than is necessary but again everything is a trade off. Not everything can be a hard to maintain rust app. Let’s try to embrace cross platform solutions, though yes fuck chrome/google, so sure criticize that part of it.
There is Tauri which packages it with WebKit and uses Rust as backend.
I think tauri uses the OS web view, so it depends
The hate on Lemmy of electron is a bit of an overreaction if you ask me
The issue is mainly developers using Electron when things like React Native and Flutter exist. I don’t know a lot about Flutter, but React Native uses native UI widgets and feels a lot nicer than Electron.
Rust is infinitely easier to maintain than mountains of untyped js garbage libraries built upon left pad
🙄
Let’s try to embrace cross platform solutions,
[JavaFX has entered the chat.]
I don’t know what javafx is, but java is hell. For me. I’m glad it works for others
I don’t know what javafx is
Let me get this right… you’re complaining about Chromium, but you use Slack? You do realize Chromium had better Linux support for things like HW-accelerated decoding than Firefox? Also, the Chromium sandbox is superior to Firefox.
I realize Firefox business practices aren’t total garbage for humanity and that they are constantly working to improve it on like .1% budget of Google. And that they are the only real competition which keeps us in a situation where we actually have a choice in browsers. So yeah let’s only care about the technical aspects, or something
And that they are the only real competition which keeps us in a situation where we actually have a choice in browsers.
That isn’t true. You’ve got WebKit-based browsers, LadyBird/LibWeb/LibJs, Goanna, and others. Why choose Mozilla to lead the efforts, when another open source community/foundation may be better? You can also participate in the various new web specifications yourself too if you’re not happy with the direction they’re headed.
They said competition, not alternatives. As things are right now, and knowing people, not just trying to make a technical point, Firefox is the only competition.
Chromium had better Linux support for things like HW-accelerated decoding than Firefox?
Source? Experienced the exact opposite, especially on Wayland.
You can track the bug history here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1751363
You can see here Chromium had support for this for several years prior:
https://aur.archlinux.org/cgit/aur.git/log/PKGBUILD?h=chromium-vaapi
Android being based on Linux prob has something to do with Chromium’s strong Linux support, but Mozilla has consistently prioritized Windows/Mac. Despite it still be challenging, building Chromium from source has always been a lot easier IMO than trying to create a custom build of Firefox.
Regardless, when it comes to privacy, Chromium itself is pretty stripped down and has policy-based integrations that put it on par with Firefox in terms of security. Even with Firefox, you’d have to modify quite a few policies to improve security. Tor/Mullvad Browser though do a better job in many ways and there is no equal to those privacy enhancements on Chromium that I know of, unless you’re using something like GrapheneOS.
Point being, people like to complain about Chromium a lot & act like Apple fan bois for Firefox, when in reality privacy is nearly the same with both with some minor configurations.
Chromium is not stripped down at all, just use googerteller and see. It contacts Google everywhere, on the password list, on the account list, in some settings pages, and just randomly sometimes.
It is very crazy. And also it is not fingerprint resistant at all.
I am using all flag settings, policies and GUI settings possibly existing and it still is like that. So no, it is not the same privacy-wise.
What the heck are you talking about? Chromium is one of the hardest packages to build and it takes forever. Firefox has FAR fewer dependencies. Chromium’s privacy enhancements are a joke.
No, one Chrome tab does not eat that much RAM. Yes it is not as good as native, but it is more platform agnostic, and an Electron app does not really go above 300 MB RAM.
Each electron App is actually a full independent chromium browser install running a website. It’s easy to code for and works cross platform as a result, but it’s essentially just a website, although they can run offline depending on what’s been built in to the local app.
Each electron app running on your system is a separate full chromium app running, with no sharing of resources between each instance. So they take up a lot of space each and duplicate all the resource usage, and potentially the security flaws.
oh yikes. that sucks.
It’s just the webapp. If we want the webapp we use a browser.
This. Its webapp with more persistent storage maybe. If the Browsers could integrate this, it would be a gamechanger.
I am also very sure that Chrome preloads google. com to make it seem to “load faster”. Its all just preloading or persistent storage
It’s what you deploy to your users if you want to work around ad blockers and browser extensions. It’s a great tool to get operating system level access to exfiltrate information about your users and identify them uniquely, even if they would prefer that not to happen.
All that with the help of Google’s telemetry engine aka Chrome, which further helps Alphabet to manifest their interpretation of web standards in the world.
We worked to move things onto the web. Now people bring the web back to your desktop with every application bringing it’s own browser shell. We have come full circle and we’re now using 10x the resources.
Electron is the prime example of everything that is wrong in IT.
Wow. That sounds horrible. Do you have a source about the system level access statement? I would like to see people’s thoughts on it, if it’s as bad as it sounds, I’m surprised I haven’t heard about it before
deleted by creator
Do you have a source about the system level access statement?
Electron apps are native apps with the Chromium browser embedded in their windows, so they can do anything a native app can. It supports Node.js modules for things like filesystem access, and can interop with C++ code by writing an add on (https://nodejs.org/api/addons.html)
Ah ok gotcha. Thanks.
What source do you need? It’s almost literally the mission statement of Electron.
I’ve never gone to the webpage of electron
Everything
Electron runs a core Chromium Browser + NodeJS + a bit more.
Unlike Chromium itself it is not backwards compatible and removes a ton of things like its sandboxing capabilities.
I am not sure how it is less secure, but it may use more RAM (also not always but generally yes of course), doesnt allow hardening (unlike android WebView apps) and breaks LD_PRELOAD-ing another memory allocator.
This is only a big problem in special cases, in general it makes apps strictly dependend on GNU glibc and others, no idea how it works on Alpine or others (that actually try to make a secure system).
If somebody knows more about security concerns about Electron, please add.
Ugh, I was looking forward to replacing Thunderbird/Bridge, but never mind.
No way.
I went here for this info. Thanks.
Yeah, Proton is awesome, that’s for sure. Now, being a “security and privacy” company, it blows my mind that they put so much effort on making apps for Windows and Mac first, leaving Linux behind, and when they finally get to it, they just dump in a glorified PWA. This world is really weird 🤣🤣
And that they decided to go with RPM and DEB instead of just doing a Flatpak
Are you kidding me? Doesn’t bother me that much, as I use Thunderbird with Protonmail bridge. I’m still waiting on Proton Drive for linux. Well, I’m gonna end up self hosting at this point. :(
Capitalism is weird? Ok, but this is what we have.
I had no idea the whole world was capitalist, but I guess I don’t know everything. And there’s the fact that I mentioned the world, not a form of political economy. But yeah, capitalism is weird.
It’s a native app on Windows and Mac?
I don’t use either OS, but the apps are .DMG (Mac) and .exe (Windows), so I believe they are, yes.
PWAs can be packed in .dmg and .exe.
I had no idea. That’s good information to have. And my wife doesn’t get why I spend so much time in Lemmy. I learn more here than with all the online courses I take regularly put together. I love this community.
“After years of pushing their proprietary and closed solutions to privacy minded people Proton decided that it was in their best interest to further bury said users into their service as a form of vendor lock-in. To achieve this they made more non-standard desktop clients for their groupware features (contacts and calendars) and the bridge will be discontinued soon.”
Only if there wasn’t CardDAV, CalDAV, IMAP, SMTP and dozens of other highly standardized protocols to handle e-mailing and groupware.
“Finally” really is the key word, waiting for Proton to add features or apps is painful at times.
Glad they’ve finally made progress with this.
Its just a webview app…
Yep. Installed it, started it, saw it is basically the website in an embedded browser, uninstalled it.
Like, come on, you have a web version. Why should I use an extra application to view a website. This seems like a cheap excuse for a desktop app.
To save myself the hassle of having to rebuild the electron app every once in a while? I’d rather not open my browser, go to their website and log in with 2fa every time I want to read an email.
The main benefit is since it is locally installed, it is harder for proton’s server to access your encrypted data by serving you malicious JS. A malicious desktop app/update could be served too, but that may be trickier.
Idk, got thunderbird set up and feeling pretty happy with it.
The proton desktop app was pretty slow when i checked it. I might give thunderbird a go.
Have to use a student account, gmail and my main protonmail account. Tying everything up in one window is just nice.
Speaking of mail apps, has anyone used Thunderbird recently? I had used it for a year or two up until . . . a year or two ago (probably two or three, actually) and then switched to kmail to satisfy my masochism. Thunderbird just hadn’t been doing it for me with meh functionality and slightly more meh looks.
Fast forward to yesterday when I’m updating my steamdeck desktop to use nix stuff instead of rwfus+pacman and I couldn’t get kmail from nix to behave right so I thought I’d give thunderbird another look. I’m several hours into tinkering with it and holy hell has it changed pretty much completely from a few years ago. Looks fantastic and works pretty much exactly how I want/expect it to. Good job mozilla!
Yes Thunderbird is getting really nice nowadays.
Good job mozilla!
Mozilla don’t work on Thunderbird any more. It’s an independent project now. https://support.mozilla.org/en-US/kb/thunderbird-faq#w_who-makes-thunderbird
Thunderbird is fine.
Tbh I have no idea what they are doing though, they have more funding than GNOME but after Supernova I didnt see any updates.
See my list of flatpak repositories
There is an unofficial Thunderbird nightly Flatpak, that will likely reveal what the hell they are doing.
So Supernova is kinda nice, mainly a big overhaul of the underlying stuff, making it easier to maintain.
It lacks a ton of things like Threads (the addon TB Conversation works though). Also their “spaces” bar is useless, as it just opens tabs, so it is redundant. Good idea, but only if it could replace tabs.
Their search and filter stuff is still the same, really bad. Either displaced in the message list column, as the global search still opens a new tab which is kinda bad UI.
Some addons broke too, not a big deal though.
I have the feeling they removed nested filters, which is extremely bad, but filters still work.
Thunderbird works well.
I believe I read somewhere they’re focusing heavily on the mobile app at the moment (or rather turning K-9 into their mobile app). Once they get that out, we’ll see where the desktop goes.
That too but afaik thats a separate Android dev
Yeah I’ve started using it again the past year. I use Proton Bridge with Thunderbird, and it works well. Much prefer it to webmail interfaces.
Yeah I installed it recently on my widows and it is super sleek.
It’s not developed by mozilla anymore. they stopped updating it a couple years ago.
That’s not true, the latest release was two weeks ago.
Not from mozilla, they spun it off a couple years ago
“Thunderbird is completely independent of the Mozilla Corporation, the makers of Firefox.”
Edit: from 2012 apparently. time flies https://blog.thunderbird.net/2023/02/the-future-of-thunderbird-why-were-rebuilding-from-the-ground-up/
It’s still under the Mozilla foundation though, which is what people who are talking about Mozilla usually mean (they’re the ones collecting donations and the parent organization).
Proton Drive though 😭. The Windows app is so nice, wish we could get that for Linux.
I’ve set up an Rclone for the time being, not great but it works well enough for basic bisynchronisation.
Oh… I thought they meant Drive is finally out. That sucks. :(
Ugh, they took too darn long. I’m probably going to switch to Nextcloud.
I would too, but after like a week I get bored of maintaining it myself when all the expenses summed together aren’t much cheaper than Proton or likewise. This is what I was doing before submitting my independence to Proton.
Furthermore Nextcloud is just too damn sluggish. The web interface makes it seem like my server’s idea of a CPU is a kid with a calculator and WebDAV isn’t designed for cloud storage. I’ll take new features being slow over my whole experience being even slower any day of the week.
I never really understood the need for such apps when mail clients such as Thunderbird exist.
Proton mail has some extra (security?) feature, or they just lack smtp support, and you cannot directly use it on thunderbird. They offer a “bridge” app which allows you to do it, I just use that.
Proton’s whole thing is it’s meant to be secure, private, encrypted, etc. To achieve that, it requires the Proton app or website as an endpoint, so your email never leaves Proton’s environment. As long as your reading your email in the Proton app/site, they can guarantee its privacy and security.
Once it sends your emails to Thunderbird or another client, it’s leaving the Proton environment, and they can no longer control it. You’re sacrificing the inherent privacy/security of Proton when you use Thunderbird (they claim).
All of that being said, it’s an absolutely bullshit excuse. Tutanota does this same shit, only they don’t even provide the bridge like Proton does.
It’s true it’s technically more secure for those emails to stay in the Proton environment, but they’re still your god damn emails, and they should operate like every other email service by giving the user the option to export those emails in whatever way they damn well please, for free.
It’s just more platform lock-in garbage. Your emails are trapped on their server, so they’ll be no moving away to a different provider easily.
It’s more that they claim they cannot decrypt your data, so how do they send it to Thunderbird? The bridge does the decryption. Theoretically Thunderbird could add support for it.
Corps have used that BS excuse for ages. The whole “your phone is more secure when we control it” is a garbage BS line. Make it open source, give developers the tools & they’ll make any app more secure than some bureaucracy that is constantly influenced by the national security agencies.
None of those actually document their API nor provide source for the backend server code. Other than building hydroxide from PRs for CalDav, are there even any other open source implementations of CardDav/CalDav for Proton? I can’t find a single implementation of Proton Pass that allows you to sync your passwords locally and be used in a different app. There is no shortage of people complaining about this:
https://protonmail.uservoice.com/forums/932842-proton-calendar/suggestions/8985673-cardav-caldav-support https://brainbaking.com/post/2023/01/goodbye-protonmail/ https://minutestomidnight.co.uk/blog/email-migration-from-proton-to-mailbox/
Why would anyone be interested in efforts on a platform with a closed-source backend and that is not developer focused? Not to mention, entirely unnecessary why you should have to use a bridge gateway in the first place with IMAPS & PGP/GPG, CalDav & CardDav. Like I said, Proton is engaged in some questionable practices.
Why would anyone be interested in efforts on a platform with a closed-source backend and that is not developer focused?
Because most people don’t care about those particular things. Almost all the world uses completely proprietary tools (Gmail) that also violate your privacy.
Not to mention, entirely unnecessary why you should have to use a bridge gateway in the first place with IMAPS & PGP/GPG, CalDav & CardDav. Like I said, Proton is engaged in some questionable practices.
It’s not unnecessary, it’s the result of a technical choice. A winning technical choice actually. PGP has a negligible user-base, while Proton has already 100 million accounts. I would be surprised if there were 10 million people actually using PGP. They sacrificed the flexibility and composability of tools (which results almost always in complexity) and made an opinionated solution that works well enough for the mainstream population, who has no interest in picking their tools and simply expects a Gmail-like experience.
And if you really have stringent requirements, they anyway provided the bridge, so that you can have that flexibility if it’s really important for you.
IMAPS & PGP/GPG, CalDav & CardDav
- IMAPs is just IMAP on TLS, so it does not have anything to do with e2ee in this context.
- PGP/GPG is what they use. They just made a tool that is opinionated and just works, rather than one which is more flexible but also more complex. Good choice? Bad choice? It’s a choice.
- *DAV clients expect cleartext data on the server. If you encrypt the data, you need to build all this logic into the clients, and you are not following the standard anymore, which means you will anyway be bound to your client only (and those which implement compatibility). Proton decided that they want to implement e2ee calendar, and they decided to roll their own thing. It’s up to everyone to decide whether e2ee is a more important feature than interoperability with other tools. I don’t care about interoperability, for example, and I’d take e2ee over that.
IMAPs is just IMAP on TLS, so it does not have anything to do with e2ee in this context.
If you use GnuPG or one of the GUI implementations it does.
You do realize e2ee merely means that two users share public keys when they communicate in order to decrypt the messages they receive, right?
*DAV clients expect cleartext data on the server. If you encrypt the data, you need to build all this logic into the clients, and you are not following the standard anymore, which means you will anyway be bound to your client only (and those which implement compatibility).
You’re talking about people paying for cloud services that manage everything for them. Nothing to stop you from hosting your own on an encrypted drive. EteSync does E2E already, and there is already a plethora of apps supporting PGP on Android and Desktop to encrypt/decrypt messages.
Proton forces you to pay for a bridge to use Thunderbird.
Tutanota doesn’t even provide that.
These “privacy respecting” email services don’t respect the user enough to let them use third party email clients easily if the user chooses to.
They cannot decrypt your data while sitting, so IMAP cannot work.
Go ahead and explain what you mean. I don’t believe you & think you’re just parroting their corpo speak.
It’s actually fairly simple: if the server never has access to the keys or the plaintext of messages (or calendar events, etc.), then you need a client tool to handle decryption and encryption operations.
They use PGP, and they have implemented this feature in a way that it’s completely transparent to the user to make it mainstream. So they chose building dedicated tools (bridge, web client), rather than letting users use their own tools, because the PGP tooling sucks hard and it’s extremely inaccessible for the general population.
This means that you need a fat client, whatever you do, or otherwise the server will have access to the data and there is no e2ee. Instead of using enigmail or other PGP plugins/tools, they built the bridge.
if the server never has access to the keys or the plaintext of messages (or calendar events, etc.), then you need a client tool to handle decryption and encryption operations.
Proton stores your keys, and you have the decryption password. How do you think they handle password-based logins? Only the user should ever generate and store the private key. All they need now is your decryption password & they can read your messages. This is reason #1 not to trust Proton.
They use PGP, and they have implemented this feature in a way that it’s completely transparent to the user to make it mainstream.
It isn’t transparent, because most users aren’t running their own frontend locally and tracking all the source code changes. They’ve already violated the first rule of PGP privacy by having your private key. Now you’re merely trusting them to not send you a custom JS payload to have your decryption password sent to the server. How many users are actually utilizing their hidden API to ensure that decryption/encryption is only done client-side? If they have your private key, how many users do you think are using long enough passwords to make cracking their password more challenging? This is reason #2 to not trust Proton.
PGP tooling sucks hard and it’s extremely inaccessible for the general population.
This is just entirely inaccurate and you’ve failed to provide any "proof’ for your generalizations here.
This means that you need a fat client, whatever you do, or otherwise the server will have access to the data and there is no e2ee.
If you actually understood PGP you’d know you can generate and use local-only keys with IMAPS and have support to use any IMAP client. Furthermore, the other apps by Proton like Proton Pass, Calendar, etc… all use undocumented APIs that they have yet to implement in their bridge using standard protocols like CalDav/CardDav/JSON or whatever else in order to be able to integrate with local tools. There is no security benefit in their implementation other than to lock you into a walled garden and give you a false sense of security.
Proton stores your keys
Proton stores an encrypted blob.
All they need now is your decryption password & they can read your messages
“All they need now is your private key”. It’s literally a secret, they use
bcryptand then encrypt it. Also, “they” are not generally in the threat model. “They” can serve you JS that simply exfiltrates your email, because the emails are displayed in their web-app, they have no need to steal your password to decrypt your key and read your email…It isn’t transparent, because most users aren’t running their own frontend locally and tracking all the source code changes.
Probably we misunderstand what “transparent” means in this context. What I mean is that the average user will not do any PGP operation, in general. Encryption happens transparently for them, which is the whole thing about Proton: make encryption easy and default.
Now you’re merely trusting them to not send you a custom JS payload to have your decryption password sent to the server.
Again, as I said before, they control the JS, they can get the decrypted data without getting the password…? You always trust your client tooling. There is always a point where I trust someone, be it the “enigmail” maintainers, Thunderbird maintainers (it has access to messages post-decryption!), the CLI tool of choice etc.
How many users are actually utilizing their hidden API to ensure that decryption/encryption is only done client-side?
I mean, their clients are open-source and have also been audited?
If they have your private key, how many users do you think are using long enough passwords to make cracking their password more challenging?
I don’t know. But here we are talking about a different risk: someone compromising Proton, getting your encrypted private key, and starting bruteforcing
bcrypt-hashed-and-salted passwords. I find that risk acceptable.This is just entirely inaccurate and you’ve failed to provide any "proof’ for your generalizations here.
See other post.
If you actually understood PGP you’d know you can generate and use local-only keys with IMAPS and have support to use any IMAP client.
Care to share any practical example/link, and how exactly this means not having a fat client that does the encryption/decryption for you?
There is no security benefit in their implementation other than to lock you into a walled garden and give you a false sense of security.
Right, because *DAV protocol are so secure. They all support e2ee, right…? There is a security benefit, and the benefit is trusting the client software more than a server, especially if shared. You can export data and migrate when you want easily, so it’s really a matter of preference.
You are awesome!
Proton stores an encrypted blob.
It doesn’t matter that your private key is stored on their servers encrypted/hased or whatever. If you were simply storing it there, that would not be an issue. The problem is that you’re also logging in and relying on whatever JS is sent to you to only happen client-side.
Probably we misunderstand what “transparent” means in this context. What I mean is that the average user will not do any PGP operation, in general. Encryption happens transparently for them, which is the whole thing about Proton: make encryption easy and default.
Most users aren’t sending emails from their Proton to other Proton users either. Furthermore, the users that want encryption seek it out. They don’t need to use Proton for encryption, especially when it would be easy for them to get an unknowing users decryption password.
Again, as I said before, they control the JS, they can get the decrypted data without getting the password…? You always trust your client tooling. There is always a point where I trust someone, be it the “enigmail” maintainers, Thunderbird maintainers (it has access to messages post-decryption!), the CLI tool of choice etc.
Yes, you have to trust source code somewhere, but with Thunderbird or other mail clients that is open source and their apps are signed or you can reproducibily build from source. However, once that is built it doesn’t change. With Proton, everytime you visit their site you don’t know for sure that it hasn’t changed unless you’re monitoring the traffic. A government is much more likely to convince Proton to send a single user a custom JS payload, than to modify the source code of Thunderbird in a way that would create an exploit that bypasses firewalls, system sandboxing, etc.
I mean, their clients are open-source and have also been audited?
You mean their PWA/WebView clients that can still send custom JS at anytime, or their bridge?
Care to share any practical example/link, and how exactly this means not having a fat client that does the encryption/decryption for you?
First, explain what you mean by a fat client? GnuPG is not a fat client.
Right, because *DAV protocol are so secure. They all support e2ee, right…? There is a security benefit, and the benefit is trusting the client software more than a server, especially if shared. You can export data and migrate when you want easily, so it’s really a matter of preference.
Being able to export things is a lot different than being able to use Thunderbird for Calendars, or a different Contacts app on your phone. DAV is as secure as the server you run it on and the certificate you use for transport.
some people want to be swindled.
"Anyone can download the app, but free users will be given a 14-day trial to test drive it.’
So it’s only for premium users ?
Give us IMAP/SMTP support instead of this garbage
Don’t quote me on this, as I’m not 100% certain, but I believe they do allow IMAP on paid accounts. Can someone confirm/deny this?
last time I checked, IMAP/SMTP required not only a paid account, but running Protonmail’s proprietary bridge app
That could very well be the case. I guess I’ll only find out if I ever feel like I need the paid version. For now, I’m doing golden with the free one 😁
I think it’s allowed on paid business accounts
I sure hope they make a Flatpak like they did for VPN (although it’s not working properly at all rn). I don’t get why they are still troubling themselves to support two other formats already during beta, when this is probably just an Electron app.
Protonmail still does not have an official app in F-Droid. Just because of this reason I ended my paid subscription and moved to Tutanota.
On a related note? When my friend on proton send me (regular imap, openpgp) and several others (gmail, outlook) an email with all of us as recipients, it seems that proton cheats? I get to decrypt the message, where’s the others just read plain ø, unincrypted text.
At first i thought this smart. But now i kind of realize how much of a nightmare this seems to be.
On the other hand, i am not really sure how they do it? Is it to different mails, with fake headers? Or is it more like: if no encryption is available, show thisb (dentical) text instead?
So whats more privacy friendly, using a browser to check email, og using the official Proton app?
deleted by creator
Make sure to encrypt messages with a ceasar cypher.
