STOP Using Proton & Signal? Here’s the TRUTH

  • Published 6 Jun 2024
  • Are Proton privacy and the Signal messaging app still secure? Every year this gets called into question, yet rarely is the full story ever told. In this video, Josh explains what's really happening with these privacy and security apps as well as how it affects YOU directly.
    Watch this video on the 12 privacy and security apps I use EVERY DAY: • 12 Privacy & Security ...
    YES, I still use and recommend Proton & Signal:
    ▶ Try Proton Unlimited: www.allthingssecured.com/yt/p...
    ▶ Get the Signal app: signal.org/
    If you care about your personal security and privacy online, download my free security checklist here:
    ✅ Security Checklist: www.allthingssecured.com/secu...
    🔹🔹What to Watch Next🔹🔹
    We've got a lot of great privacy- and security-related content here on the All Things Secured UA-cam channel (although we admit we're a bit biased). If you're wanting to increase your online cybersecurity, here's what's next:
    ✅ Which is the most SECURE email service? • I Tested 5 Secure Emai...
    ✅ Which is the BEST Password Manager? • I Tested 7 Password Ma...
    ✅ iPhone Mistakes that RUIN your Privacy: • iPhone Mistakes That R...
    🔹Support All Things Secured (Recommended Tools)🔹
    If you enjoy this kind of practical security and privacy content, one of the best ways you can help support this channel is by using these affiliate links to our favorite products and services. When purchasing through these links, you not only get the best available deal, the companies will also pay us a small commission. Thank you for your support!
    ✅ Recommended Password Manager: www.allthingssecured.com/yt/1...
    ✅ Recommended Identity Monitoring: www.allthingssecured.com/try/...
    ✅ Recommended 2FA Security Key: www.allthingssecured.com/yt/y...
    ✅ Recommended Secure Email: www.allthingssecured.com/try/...
    ✅ Recommended VPN: www.allthingssecured.com/try/...
    *********************
    Video Timestamps
    *********************
    0:00 - Are Proton & Signal still secure?
    0:36 - Cybersecurity confirmation bias
    1:20 - Privacy companies & government data requests
    2:15 - Encryption & data requests
    3:41 - Signal accused of having encryption broken
    5:12 - Understanding personal OPSEC with privacy apps
    5:50 - How to Remove Proton Recovery Email address
    6:23 - How to Hide IP address from Proton
    6:36 - Practical privacy in the digital age
    7:21 - Should you stop using Proton & Signal?
    *********************
    It's easy to get swept up in the news that a privacy company has handed over user data to a government intelligence agency. But what are the limitations of companies like @ProtonAG or Signal? Or perhaps more importantly, what is YOUR responsibility when using such apps, considering the fact that no single software or service can guarantee you privacy and anonymity?
    #privacymatters #cybersecurity #onlineprivacy
  • Science & Technology

COMMENTS • 533

  • @AllThingsSecured 21 days ago +35

    What's your take? Do you think I'm letting Proton and Signal off the hook here? Leave your opinion here and let's discuss. Then make sure to watch my video on the 12 Privacy & Security tools I use EVERY DAY: ua-cam.com/video/XNOAOQktG6U/v-deo.html

    • @TrggrWarning 21 days ago +1

      4:48 yeah, a proponent of censorship, looks bad… Not sure what “apparent” intelligence connections means, but paired with supporting censorship, could be really bad.
      “Free service” has tended to mean we, (our data) is the product.

    • @jonathancorbett7882 21 days ago +1

      @TrggrWarning Agreed. Sure, the code is the code, but Signal's leadership were the ones who decided that phone numbers are still required. Signal has a huge trust problem. Also, Durov has a valid point: Signal doesn't have reproducible builds on iOS. Telegram does. And Meredith Whittaker, who worked 10 years for Google before she realized that surveillance capitalism is a problem, lies about this and claims that Apple prevents Signal from having reproducible builds.

    • @DarkLink606 21 days ago

      I agree that criticism from anyone regarding a widely used e2ee protocol ought to be corroborated by evidence. But then again, much of the criticism on Telegram relies on its protocol, mtproto, being "homebrew", or the company founder being Russian, or its creators not being world-famous cryptographers.
      A few minor flaws on Telegram have been proven in the past, they were acknowledged and readily patched by Telegram, and bounties paid. It's not as technically secure or private as Signal, to be sure, but I think Telegram has another paradigm and focuses on a different risk profile. It's much more like Discord, and way better in every respect.

    • @Yug_9y 20 days ago

      What about the tutanota. Is it safe?

    • @Casey2262 20 days ago

      I'm more concerned about the NSA and Clearview AI, since they've collected the data of almost everyone in the world.

  • @donh8833 21 days ago +214

    There have been multiple* court cases where law enforcement agencies submitted a subpoena to Signal. And Signal replied "Sorry, we have no data." If it were a front for the US govt the result SHOULD be different. HOWEVER if enough people were made to believe that Signal was insecure, they might abandon an actual secure platform.

    • @AllThingsSecured 21 days ago +23

      That makes sense.

    • @JohnTurner313 20 days ago +26

      (tinfoil hat on) Or Signal *is* a front and their SOP is to say "Sorry, we have no data" while the 3-letter agency they're fronting for has access to everything already.

    • @donh8833 20 days ago +27

      @JohnTurner313 the fact it is open source says otherwise.

    • @JohnTurner313 20 days ago

      @donh8833 That’s just the code. That is not the company, nor is it certificate, key or infrastructure management. See the recent xz vulnerability as an example of why “oh, it is open source” is not an automatic pass.

    • @beuman0 20 days ago +3

      Only the client unfortunately

  • @student_of_God 21 days ago +121

    I've been using Proton services for a while now and I must say this is the only company which provides both anonymity and convenience at their highest levels.

    • @AllThingsSecured 20 days ago +32

      But there's still need for personal OPSEC!

    • @BillAnt 19 days ago

      @AllThingsSecured - Best to delete the recovery email and store the encryption keys locally on an encrypted storage. imo

    • @coachvalente 4 days ago

      @ForAndroid101 Operational Security = everything you do or don't to maintain your anonymity including physical things besides online. And about paying, there's no other way I imagine. They don't accept crypto as far as I know.

    • @twelvedanunnaki 1 day ago

      yes of course, they accept crypto

  • @placeholder3853 21 days ago +64

    This is what so many people don't seem to understand, a company HAS to hand over data asked of them by law otherwise they will get shut down and possibly get employees jailed. You have to minimise what data you give to ANY service.

    • @AllThingsSecured 21 days ago +9

      Exactly 👏

    • @matejkuka797 17 days ago +3

      one of the things that can end this is, for example, a law that the EU wants to approve, which prohibits encrypted communication, so services like Proton and the like could have a serious problem :/ of course, there are a lot of other options, but every other option takes away "comfort"

    • @DarrylGold 15 days ago +7

      Lavabit shut down their company rather than give out information

    • @everyhandletaken 11 days ago

      @matejkuka797 are you serious? They got USB-C & now they want to HTTP all the things? 💀

  • @LabelsAreMeaningless 21 days ago +37

    I appreciate you talking about the big picture instead of being emotional and reactive like so many tend to be. I'm still going to use Proton. I'd also like to have people ask themselves one thing. If you're abandoning Proton due to fear of security, who exactly are you switching to? Proton is still the best available without making your own email server and making sure everything is encrypted with nothing overlooked in terms of security.
    Instead of freaking out and shooting yourself in the foot, think through what you're going to do, be reasonable and rational and then make your decisions.

  • @henrik2117 21 days ago +8

    Great video! Especially the last part where you state the obvious fact - something that most people in this always online world fail to realise - don't share every damn part of your life with the rest of the world.

    • @AllThingsSecured 20 days ago +1

      ha! I know, right?

    • @henrik2117 20 days ago +4

      @AllThingsSecured I don't remember where I read it but a while back I saw someone posting something like this:
      "the Internet is down at the moment so I went out into the real world. Here I'm shouting to everyone I see how I'm feeling, what I just did, what I got for breakfast and so on. So far it's going great - I've already got three followers, a doctor from a psych ward and two police officers".

    • @nopenotyeti 9 days ago

      @henrik2117 hilarious and so true but I'm concerned that the US wouldn't be able to care for homeless influencers if the Internet ever really did break

  • @hhbadarin 21 days ago +39

    Thank you so much, many people need to hear this and use their minds before making judgements!

    • @AllThingsSecured 21 days ago +2

      Thanks 🙏

    • @henrik2117 21 days ago

      That would require actually thinking for themselves and making a personal opinion - not sure the majority of people are ready for that.

  • @7heMech 21 days ago +45

    Proton yeah, but Signal is open source I've looked at the code myself, your data is 100% safe, because Signal by design is made so that the company (even if it wanted) can't access any of your data except for your number (which the person requesting your data already needs) and account creation date.

    • @testingtesting9046 21 days ago +17

      Github code may be secure but if you take a closer look at 0:18, it says Signal doesn't allow researchers to verify the app deployed in iPhone is the same as the code in Github 😅

    • @AllThingsSecured 20 days ago +7

      Thanks for sharing.

    • @NomadKev 17 days ago +4

      Telegram CEO is referring to Tucker Carlson, TC interviewed Pavel Durov last month, Tucker claims his Signal was compromised

    • @7heMech 17 days ago

      @NomadKev it's a claim based on no evidence, I also say the US bank was compromised. People seem to forget Signal is competition to Telegram, he has everything to win by saying that baseless claim.

    • @7heMech 17 days ago +9

      @NomadKev it's a baseless claim.

  • @gerowen 21 days ago +19

    Given the open source nature of Signal I have a feeling that IF somebody's Signal messages were compromised and used against them in court, it wasn't because of a flaw in Signal, but because they made some other mistake with their OPSEC. Perhaps their device, or the device of the person they were talking to, was infected with some sort of malware that could read the messages after they arrived on the device. End-to-end encryption only means from one end to the other, but the messages have to be decrypted once they arrive on a device or else they couldn't be read, so malware running locally on the device could potentially read them. It's also possible, though less likely that they managed to add a device to somebody's Signal account and they didn't notice it because they don't regularly check which devices are authorized to send/receive messages for that account. With how modern encryption works, it's much easier to trick somebody into installing a piece of malware than it is to break the encryption.

  • @MidianNiles 20 days ago +2

    Thank you for making this video. The message here isn't letting these vendors off the hook; it's a reality check for the digital frontier as a whole. More specifically "due process". It's the only 'real' sense of security we need to focus on, "did an agency use due process?" But also (and more importantly) are software vendors 'only' providing information under circumstances of due process? As a systems administrator, I applaud the message of User responsibilities and as a personal privacy advocate, I salute the message of due process.
    Fear mongering and baseless accusations run rampant over social media outlets as it is. Thank you for providing a voice of reason and a means of laying a basic framework of the legal challenges.

  • @mahirjan1984 21 days ago +3

    Thanks Josh. I’m glad you speak with a voice of reason!

  • @snowingfate6100 21 days ago +33

    Signal is open source and has gone through several lawsuits. Proton is very similar in that the lawsuits it has gone through prove that they will only give over what they keep, which is nothing. This is very similar to Private internet access.

    • @AllThingsSecured 20 days ago +3

      True.

    • @viktoreisfeld9470 17 days ago

      This only applies to VPN. Everything on their web servers, mail servers, and database servers is logged. You can access Proton's website through tor. But, you can no longer create a proton account through tor which means the account is linked to you.
      Personally, the only VPN I trust is Mullvad.

    • @imFruzzy 12 days ago +1

      Maybe, but Proton was funded by the EU and are funding nefarious projects. The company you keep says a lot about you...

    • @Its-Just-Zip 12 days ago +2

      @imFruzzy this argument holds very little water. The Tor project used to get DOD funding but they are very clearly not a Honeypot. There has been plenty of actual court cases that have proved that the US government cannot abuse that Network in fact, the US government uses Tor and I'm pretty certain the same situation exists with the EU and proton. The EU probably pays proton a little bit of money because the EU uses proton.
      Also saying that proton is funded by the EU is a little bit stupid because proton is not a donation-driven company. They are funded by their users. They may have gotten a few EU grants, but that's very different from being funded by the EU

    • @CapitanGreenhat 11 days ago

      PIA was purchased by some mossad bros

  • @mohdasaa 21 days ago +2

    Thank you for thorough clarification.
    Keep up the good work, you just earned a new subscriber for the amazing content!

  • @pmjeterjr 21 days ago +2

    Thank you for this! I was just thinking along those lines, you confirmed them for me!

  • @ThatGuy.75 21 days ago +7

    Personally I still use Proton and have for over a year now. In my case it is because I wanted a service with a good reputation and does not have any notable security issues.
    I also take into account that the level of security of my account is truly on me not Proton. Proton provides the service and Proton is a Swiss owned company.
    If you want something secure, it is YOUR job to make it secure over the provider.

  • @xavhow 21 days ago +25

    Couldn’t agree with you more.
    There is a lot of false information on the internet creating FUD. Be smart, question everything and do the research if you have to!

  • @asiliria 21 days ago +19

    I keep seeing not only news but messages from friends and other acquaintances in Linux and privacy communities that keep propagating a lot of these conspiracies. I agree most of the time that people are not just doing their jobs in the security field right.
    Thanks for going over them in such a manner! 🤩

    • @AllThingsSecured 21 days ago +1

      Thanks for watching and commenting 🙏

    • @steve-yq7sb 18 days ago +1

      People should always be finding sources and verifying. Seems like if people even see something at all that they just share it without validity as a thought at all even afterthought. I mean it's ridiculous. On the other end not everything can be verified so I don't believe only speaking about verified stuff especially with the ACT checkers... People need to look at who would benefit from each thing... Possible motives... Credibility... Then it could be clearly seen when people are being put in a situation to discredit themselves and others in the long term by not considering these things. The long term is more important.

  • @thelonelyman48 21 days ago +2

    Well reported, Josh! I can’t count on my fingers, toes, and other appendages how many people I have to educate that software is not a cure-all. It takes human intervention and understanding for it to work 99.9999% of the time.

  • @breakfastattwilight 21 days ago +35

    Do people not read the TOS and Privacy Policy? I recently read Proton's, and this is not new information to me.

    • @AllThingsSecured 21 days ago +15

      No, most don’t.

    • @MochaZilla 21 days ago +8

      Why even post this comment? Of course, most people don't.

    • @Physis_88 21 days ago +8

      In general, the TOS is full of legal jargon that is difficult for the average user to decipher, and it is also usually as long as the LOTR.

    • @MochaZilla 21 days ago +3

      @Physis_88 exactly the TOS can take literally hours to comb through. Who actually has time to read through it?

    • @BrazenNL 21 days ago

      Ignorance or sarcasm?

  • @OhhMyGiddyAunt 21 days ago +2

    Thank you. will you do a review on TeleGuard by SwissCows?

  • @WaturDzn 21 days ago +3

    One thing that I feel like people never mention is the extensive list of terms and conditions for iOS & Android, considering that’s where proton and signal appear to be used the most. Although signal and proton themselves may never store any information, how are we supposed to feel secure in the fact that the operating system we’re running these apps off of aren’t spying on us equally as bad as people would fear one of these messaging apps would? I’m curious for your take on that

    • @PvtAnonymous 20 days ago

      well, that's exactly the point. If your threat model includes big govt/big tech, using a proprietary mainstream OS already invalidates every action you take further - which was more or less confirmed in 2013 by Ed and hasn't changed since, more or less gotten worse. Everything you do in that OS can and is being recorded, the OS can take and does make screenshots for example. Some people don't realize this, but as long as you don't know what the OS underneath is doing, no E2EE, Signal or Protonmail is gonna help. These solutions only make sense if the threat model is 3rd parties and ad companies.

    • @tonydarcy7475 20 days ago +1

      If you are concerned about that you can always use a privacy-respecting fork of Android like GrapheneOS or CalyxOS.

    • @WaturDzn 20 days ago

      @PvtAnonymous makes sense, but in that case signal shouldn’t make itself seem “encrypted” because if the operating system can and does use the info you type then it may as well not be encrypted, I personally don’t give a damn about ad traffic or anything along those lines, the entire point of using signal is for encrypted messaging, which if that’s undoable via a normal Android/iphone shouldn’t be available on the App Store/play store

  • @PowPowPixie 21 days ago +2

    Well said, and thank you for your rational explanation

  • @Mic-Mak 21 days ago +1

    7:03 Excellent video! I'm glad you included that second part, _don't *send* compromising pictures,_ because people shouldn't be shamed for taking compromising pictures of themselves. Don't get me wrong, I advise my friends and family against it, especially women, but I wouldn't shame them for it. On a related note, I have personally always wanted to journal. I've always wanted to have a place where I could write my most intimate thoughts. Preferably on a secure digital journal, because I've had bad experiences as a kid with the security of physical journals. But most journaling apps don't have end-to-end encryption, which is why I have never done it. I don't want to keep everything in my head because writing can be really cathartic. It can help people heal.

    • @AllThingsSecured 21 days ago +2

      Very interesting thought on the journaling. Thanks for sharing.

    • @Ck87JF 21 days ago +1

      You could just write your journal using a local app on your laptop and make sure the drive is encrypted. Or there are ways to create encrypted "files" which can contain multiple files, folders, etc. You decrypt it, update your journal, and re-encrypt it.

    • @Mic-Mak 21 days ago

      @Ck87JF I hear you, but in terms of UI & UX it's not practical. I want a specific app designed for journaling. And those exist, but they're not end-to-end encrypted (E2EE). I have heard of DayOne, which is a promising E2EE journaling app, but they are not natively E2EE so I have some reservations. That said, the biggest hurdle for this magnificent app is that it's only available for Mac and I use Windows. They said they are working on a Windows app though, but I suspect that will take forever as they seem more dedicated to Mac users.

  • @feylights166 20 days ago +1

    Unless I suddenly need to run from the law, these particular things don't really worry me too much. Yes, if Proton was hacked, they could see my recovery email, but I have a strong password and use security keys to sign in to my account. I am still learning how to become better at cyber security (my anxiety suddenly made me hyper aware of it).
    While I am very concerned about privacy, I would want law enforcement to be able to find a dangerous criminal.

    • @AllThingsSecured 20 days ago +1

      I don't think your privacy has to connect in any way to law enforcement finding a dangerous criminal. It's simply how we handle our own data, not expecting a company to do everything for us.

  • @R_Hoefer 20 days ago +2

    Good job on this video! You eliminated all the diagrams or explanations for HOW these 2 companies encrypt your data, reducing or eliminating unnecessary confusion in order to make your larger points. You made the whole video accessible to a consumer level audience, The exact group who do not know how to evaluate the accusatory assaults made by telegram or by privacy advocates objecting to there being any form of legal compliance with the country you're operating in.
    Good choices, resulting in very easy to understand video about something very important and critical.

  • @TonyCrenshawsLatte 17 days ago +1

    Never have illusions about the tools you use. It's a lesson I've learned (sometimes in hard ways) over the years.

  • @gdrmarmokaite1521 21 days ago

    Does this fact that they give over the data they have also apply for their VPN service? Proton VPN has the encryption keys, would they hand that over too? I have always praised Proton VPN for being the best free VPN

    • @AllThingsSecured 21 days ago

      It’s different because that data isn’t stored.

  • @alessandrotosato4409 16 days ago +1

    The title is a bit clickbait, but I think your videos are still very impartial and informative.

  • @meino6465 20 days ago

    So I have a question: Is there any reason to keep recovery email on if you know you won't lose the password? As in, are there other cases where you could get locked out of your account unless you use a recovery email?

  • @vbostrom 19 days ago

    How do I verify that the Signal application that I downloaded from the apple app store was built from the open source code that is published?

  • @store-manager-deluxe 21 days ago +2

    Can you register without an email or mobile number over tor? If the answer is no they don't care about your privacy.

    • @AllThingsSecured 20 days ago +2

      For some people, I get it - that doesn't fit their threat model. But that doesn't mean there isn't privacy.

    • @horustwohawks 20 days ago

      @AllThingsSecured First time visitor, and I really like your presentation. I wish you had spoken to this aspect a bit more, I think it belongs in the frame of what you were speaking to. Going to check out your channel, and thank you.

  • @bipin_pariyar 14 days ago

    Hi I keep getting this message in my Google authenticator "Syncing will continue when your device is online and you refresh your Authenticator codes"
    I just can't figure out what is the issue. It would be great if you make a video addressing this issue.

  • @Yotanwaxxi 21 days ago +1

    Hi there, first thank you for the amazing content, I learn a lot by watching your content
    I would add that you have to understand the core of the technology you are using.
    You have to know exactly what happens when you send an email. You have to know how does encryption work. And it’s always evolving so you have to update your knowledge as well. Only there it make sense to choose proton or signal or whatever so it would have been cherry on the cake if you link in the description videos where you talk about the technical aspect of it.
    I was wondering though.. is it possible that an open source software has a different code than advertised and nobody realises it ?

    • @AllThingsSecured 20 days ago

      It would be difficult to do that kind of fraud, I believe.

  • @wdm213 21 days ago +1

    Thanks- Good content presented in a reasonable amount of time.

  • @Mindinis1 12 days ago

    Shoot. So what services to use? What VPN service use for anonymity and no logs policy?? Because I am protons user for a while...

  • @sdkjl5984 20 days ago

    How many people review the open source code, and then compile it themselves? If not, how do you know the installed code matches the open source version?

    • @AllThingsSecured 20 days ago

      Most people don't, but you can be sure that it is being reviewed by people who are looking for bug bounties at the very least.

  • @jesse7631 21 days ago

    Great video! Subscribed to your channel.

  • @itsmisterchris 21 days ago +1

    I understand very lil lol but was questioning proton.

    • @AllThingsSecured 21 days ago

      Do you still question them after watching this video?

  • @astrohrs 21 days ago +3

    very well explained.

  • @kleanzed 18 days ago

    Hey Josh, I can't afford a security key, however I have a usb flash drive.
    Is there any way I can turn my usb flash drive into a security key? If you can then please make a video on that.

  • @ZEbwRigG 21 days ago

    @AllThingsSecured Hi there! Have you utilised or noticed Spark, myMail, and Airmail? Are they safe in terms of privacy and what are the best ways to use them?

    • @AllThingsSecured 20 days ago

      Never heard of any of them. Sorry.

    • @ZEbwRigG 20 days ago

      @AllThingsSecured Okay with thx.

  • @janloydsabado 21 days ago

    Do you have personal reco? If signal is not safe anymore.

    • @AllThingsSecured 21 days ago +1

      Personally I use Signal - I said as much in the video. Beyond that, it gets really hard to migrate to a new platform AND get all your contacts to do the same.

    • @MysteriaNota 21 days ago

      Threema is the best of the best! But you need to buy a lifetime Threema license first. Luckily it doesn't cost a lot of money. The license is cheap.

  • @nejiross 20 days ago

    WOW you really hit the nail on this. Things I overlooked myself, especially with legal stuff. Hey, great video sir!

  • @maits18 21 days ago +2

    Looks like some people here in the comments think privacy and anonymity are same banana.
    Unfortunately Josh even with the great clarification you gave there are people that are stubborn with their beliefs where no one can change them

  • @salapolivalenta77 21 days ago +1

    No surprise for me, for privacy I have my own ejabberd server and also a matrix server. Both work like a charm if you know how to properly configure them. Cheers!

    • @AllThingsSecured 21 days ago

      That’s impressive, but beyond the ability of most people to set up.

    • @salapolivalenta77 20 days ago

      @AllThingsSecured I agree, indeed....

  • @iAPX432 19 days ago

    There are 2 major problems, the error 18 aka between keyboard and chair, and the platform used to access websites or run applications. And in case of anything related to messaging, the same problems on the other counterparts of these exchanges.
    Put differently one might be the problem, no end-to-end encryption tools.

  • @Memetaku666 21 days ago

    Nice analogy there❤❤

  • @all3w1s58 19 days ago

    In the video, you brought up the point about being careful of what recovery email you specify. If the recovery email is from iCloud or Microsoft or Google, then I understand the point that the authorities will have to hand any email id to the authorities. What if it was another Proton email account itself?

  • @catinksreal 20 days ago +1

    2 Things:
    1. The people who had their "Private Signal Messages" compromised probably had it all on their phone and either the phone was compromised and swiped or the authorities gained physical access to the phone when they arrested the person in question, none of which are Signal's fault - good OPSEC here would be to not leave Signal logged in on your phone.
    2. FUD is interesting, I treat FUD as a means and reason to look deeper into claims - false or not, and learn more about the issues they have. FUD has such negative connotations, but really is a great means of criticism and a good reason to improve something - yours or not. Ignoring FUD just proves that a person is both Arrogant and Ignorant.

  • @YannMetalhead 21 days ago +1

    Good information!

  • @uncoverdatruth6634
    @uncoverdatruth6634 21 days ago

    Why and How should always be asked. It's just part of critical thinking. Thanks Josh for being a critical thinker!

  • @lincolnlincoln27
    @lincolnlincoln27 21 days ago

    what do you think about telegram?

  • @BorgOvermind
    @BorgOvermind 20 days ago +1

    Well explained. The biggest security vulnerability of all time is the user.

  • @asadon1950
    @asadon1950 21 days ago +3

    The same people complaining about companies legally being required to hand over data they have are here in a UA-cam channel's comment section… a Google app.

    • @AllThingsSecured
      @AllThingsSecured  21 days ago +4

      Feel free to jump over to Odysee for those who don’t want to use a Google app!

    • @bnalive5077
      @bnalive5077 21 days ago

      Odysee and rumble are good alternatives to this.

  • @PyroRob69
    @PyroRob69 21 days ago +1

    The primary message you should be taking away from this is if you have something private to say, do it face to face, in an appropriate place.

  • @blackpurple9163
    @blackpurple9163 20 days ago +2

    Pavel criticising Signal is pretty ironic when he's turning his own platform into a Facebook-like nightmare

    • @APIAlchemist
      @APIAlchemist 16 days ago

      And also not using encryption by default, giving people a false sense of security because they "have" end-to-end encryption... But the so called "Secret Chat" function only works mobile-to-mobile.

    • @blackpurple9163
      @blackpurple9163 15 days ago

      @APIAlchemist and it's not even advertised as much, considering that's the only encrypted chat

    • @APIAlchemist
      @APIAlchemist 15 days ago

      @blackpurple9163 Besides, isn't Telegram closed source? How can we even verify it's end-to-end? If we try to sniff for the packages sent, they will all be encrypted in transit so it would be very hard to decode to try and find out, especially since they use a proprietary encryption algorithm called MTProto that they won't open source even if they do give a detailed description of how it works (and it was analysed by a few people, it has several security flaws too).
      And the same encryption is used to send regular messages and end-to-end to their servers. We should just assume that they don't have the key to decrypt the secret chats too?

  • @letseat3553
    @letseat3553 21 days ago

    Zero metadata messaging, is it possible? I sat down and thought about exactly what is gathered in messages and how to remove it from the equation.
    I believe it is possible but it's a little complex and involves individual and different 'mx' servers for each 'contact pairing' - messages are sent to hashes of unique id pubkeys only known to the users in the contact pairing.
    You would need to independently conduct a key exchange with a contact through some kind of centralized server and assign an external messaging exchange server to each contact - at these individual 'mx' servers only hashes of pubkeys that are not quite so public would be used. I did not develop the idea any further, just a thought experiment. Storing initial id and encryption keys on a blockchain type system would allow initial id keys to be distributed through registered 'services' which could be on Tor for example.
    It's a rabbit hole for sure

    • @AllThingsSecured
      @AllThingsSecured  20 days ago

      Definitely a rabbit hole.

    • @stephanhuebner4931
      @stephanhuebner4931 20 days ago +1

      I wouldn't choose any kind of direct communication/connection between two endpoints. One could do what these ominous radio stations do that still seem to exist. Exchange some encryption-code in some other way beforehand and then blast the message out via radio signals for the world to hear and pray that your encryption is good enough. Or post the message on some publicly accessible forum which looks unimportant for anybody but the recipient.

  • @kchulkacz7082
    @kchulkacz7082 2 days ago +1

    When I saw one of the articles claiming Proton shares info with law enforcement, I was kinda skeptical. Then I read that they only handed out the recovery email. It was the person's stupidity to use Apple ID as recovery.
    Proton can protect contents of your emails with encryption, but they can't protect you from your stupidity...

  • @RAM_845
    @RAM_845 20 days ago

    @AllThingsSecured What are your thoughts on Next DNS? I've been using it for a while and it served me well so far AUD$3/mth worth it.

    • @AllThingsSecured
      @AllThingsSecured  20 days ago +1

      I haven't used it myself, but I've heard good things.

  • @jytou
    @jytou 20 days ago

    About encryption, there are sometimes backdoors built-in, so even if the software itself is open-source the choice of some parameters that are supposed to be random on the site where the software is running can heavily jeopardize the encryption strength. So in here we have to trust that Signal and Proton have not allowed external agents to push them to leave some holes that we may not even know about (Crypto AG being the most iconic example, Tetra is another one).

    • @stephanhuebner4931
      @stephanhuebner4931 20 days ago

      That is correct, but we have to use the tools we are provided, and we have to trust those that are more knowledgeable than us. Simply because building our own secure tools is mostly a braindead idea. No homegrown solution will be as secure and as foolproof as tools created by professionals. I am using both Proton and Signal and I would much rather trust these two companies with minimal (if any) security problems in the past than most other apps that are out there somewhere. And having said that, if there are security problems, they'll most likely stem from my own stupidness or the people I communicate with.

    • @jytou
      @jytou 20 days ago

      @stephanhuebner4931 Indeed, I was just reminding that even with open-source software, when it is hosted somewhere there is always uncertainty and one can never be sure 100% of the full confidentiality of the data.

  • @RodHelms
    @RodHelms 21 days ago

    What protects the phone from hackers Norton?

    • @AllThingsSecured
      @AllThingsSecured  21 days ago

      What do you mean?

    • @a1isrising
      @a1isrising 20 days ago

      I think he means what would prevent your cell from being hacked, using a service like Norton or something like them, I don't think Norton provides a service for your phone to not get hacked but idk, other than being vigilant by not opening links or emails you don't know are secure and or trusted it's kinda up to us to not get phished or download stuff to our phones

  • @t3keen0ob
    @t3keen0ob 17 days ago

    Thank you for sharing and breaking this down for the average users so many misconceptions and myths floating around out there.

  • @bzipoli
    @bzipoli 21 days ago +1

    great take

  • @lukasbruderlin2723
    @lukasbruderlin2723 8 days ago

    There are 2 fundamental points on Proton: (1) Even if you use a VPN or TOR whenever you access Proton's website to configure or read emails ... as soon as you run one of their apps, e.g. ProtonVPN or Proton Drive as local app on your machine ... Proton will automatically get your IP address (unless you additionally use TOR or onion service) Isn't it? (2) Most people think, that Proton or Signal have no possibility to get your private key, which is used for their end-to-end encryption, but it could be easily sent encrypted... and whether this actually is done or not... fully relies on how well their Open Source code is audited in this regard, isn't it?

  • @TheITCornerbyJR
    @TheITCornerbyJR 10 days ago

    Great video. People nowadays react with the first thing they hear without looking at all aspects. It's mind boggling how the truth can be misconstructed these days.

  • @jonathanmgoodman
    @jonathanmgoodman 19 days ago

    Being open source doesn’t mean anything without a guarantee that the code submitted by Signal or Protonmail to the Apple App Store or Google Play Store is the same exact code that they show the source code for.

  • @TheHagamanstube
    @TheHagamanstube 20 days ago +1

    Searching for privacy while using third-party networks, devices, or operating systems is essentially wishful thinking.
    Consider three neighbors living side by side. The first and third neighbors want to have a conversation in their backyards. As they start talking from their respective gardens, the second neighbor, situated in the middle, can always hear their conversation. This analogy illustrates the basic principle: you can build a temporary communication channel (like a pipe) for the neighbors to talk privately, but this pipe must be entirely your own construction, not provided by services like NordVPN or OpenVPN.
    Once people grasp this concept, the issue becomes clearer. As long as you rely on third-party systems, true privacy is unattainable, which is the case for 99% of users. Genuine privacy is nearly impossible in these scenarios.
    If you truly desire privacy, consider having face-to-face conversations, perhaps during a walk in nature or while swimming.

  • @bonkmaykr
    @bonkmaykr 11 days ago

    Best security related advice on UA-cam, period. Nothing is black and white, you should build threat models based on what your concerns are and be aware of what you are sharing and who potentially can see it. All this commotion about "proton bad" "telegram bad" "mullvad bad" only has meaning if you understand the weaknesses of each tool and how they apply to your situation. Thank you and have a sub

  • @MarigoldAW
    @MarigoldAW 13 days ago

    It's absolutely silly that people have this notion that private email services will provide you with total anonymity. In my opinion people fear monger when these companies get subpoenaed for information as if Google would not hand over every bit of data they have when asked. If your goal is complete and total anonymity then a subscription based email service clearly isn't going to be a part of your threat model. Or they fundamentally misunderstand what exactly a service like this is supposed to do for you.
    It's like some of these content creators forget who exactly these products are marketed toward and that's average everyday users who are simply looking for a slightly better alternative to the all seeing eye that is Google and its web of tech. When you look at these services through that lens Protonmail is fantastic. I appreciate your level headed take about this. Too many fear mongers

  • @TheCrealkiller
    @TheCrealkiller 20 days ago +3

    Seems like pigeons will be the secure protocol of the future.

  • @xastronix
    @xastronix 21 days ago +9

    I think there's a difference between privacy and anonymity....you can use these services for privacy and not for anonymity

    • @AllThingsSecured
      @AllThingsSecured  21 days ago +1

      Great point 🫡

    • @MarigoldAW
      @MarigoldAW 13 days ago

      Exactly my take away. If you are using Protonmail for "anonymity" there is a flaw in your threat model long before email services come into play.

  • @MochaZilla
    @MochaZilla 21 days ago +1

    Never create text of any compromising information. Share that info in person without your phones around for maximum privacy.

    • @AllThingsSecured
      @AllThingsSecured  21 days ago

      Agreed, but that's often easier said than done.

    • @man_at_the_end_of_time
      @man_at_the_end_of_time 21 days ago

      I had a phone on by accident and the so-called AI search engine made a relevant comment. I've never trained it to my voice.

    • @stephanhuebner4931
      @stephanhuebner4931 20 days ago

      I highly doubt the "maximum privacy" via sharing something in person. If some state organization wants to listen to what you do or say, there are countless methods to do so, no matter the way of communication. Unless, maybe, you're able to build a bunker without anybody knowing anything about it and then you're also able to get the people you want to talk to there in absolute privacy.

  • @matt79de
    @matt79de 19 days ago

    A frustrating number of times people miss the fact that someone ... nefarious, shall we say, may not *need* to have the encryption key if the endpoint is compromised.

  • @Kirk-oj6qm
    @Kirk-oj6qm 20 days ago

    The reality is this: If you are online, there is no way to be completely secure from online threats.
    Proton and Signal give you better tools to safeguard your privacy than others, by a significant margin. They are still however online.
    It took a multi-national government order with proof of terrorism to just get the recovery email address. If that isn't secure, then what is?
    Well created video, thanks for sharing.

  • @RichardMcCulloch-fq9ks
    @RichardMcCulloch-fq9ks 14 days ago

    And this will always be the case with centralised systems. If there is somebody to call, they can pressure/bully them into giving up the information.

  • @randysavage7351
    @randysavage7351 9 days ago +1

    Enjoyed your take on this matter.

  • @sebastien79a
    @sebastien79a 20 days ago

    You could do a one way encryption or hash on a recovery e-mail address and then only 'check' when supplied rather than have the recovery e-mail in plain text. Could be enumerated obviously so a bit more complex but can be fixed if someone wanted to.
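
The hashed recovery address suggested in the comment above, as an added example that is not part of the comment thread and is not Proton's code. It contrasts a bare hash, which can be enumerated, with a salted tag keyed by a server-side secret; the function names, the `pepper` secret and the sample addresses are assumptions made up for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 600_000  # assumed work factor for this sketch


def normalize(email: str) -> bytes:
    # "User@Example.org " and "user@example.org" must produce the same tag.
    return email.strip().casefold().encode("utf-8")


def plain_digest(email: str) -> str:
    # Bare SHA-256: the same address always gives the same digest, so anyone
    # holding the digest can test guesses at full hash speed.
    return hashlib.sha256(normalize(email)).hexdigest()


def matches_any(digest: str, candidates):
    # What "can be enumerated" means: hash each guess and compare.
    for candidate in candidates:
        if hmac.compare_digest(plain_digest(candidate), digest):
            return candidate
    return None


def tag_for(email: str, salt: bytes, pepper: bytes) -> bytes:
    # Key the address with a secret kept outside the account database, then
    # stretch it with a per-account salt so each guess is slow and tags for
    # the same address differ between accounts.
    keyed = hmac.new(pepper, normalize(email), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, PBKDF2_ROUNDS, dklen=32)


def enroll(email: str, pepper: bytes):
    # Stored per account: (salt, tag). The address itself is not stored.
    salt = os.urandom(16)
    return salt, tag_for(email, salt, pepper)


def verify(supplied: str, salt: bytes, tag: bytes, pepper: bytes) -> bool:
    # At recovery time the user types the address; the service only checks it.
    return hmac.compare_digest(tag_for(supplied, salt, pepper), tag)


if __name__ == "__main__":
    pepper = os.urandom(32)                      # constructed sample secret
    salt, tag = enroll("Alice@Example.org ", pepper)   # constructed address
    print("correct address accepted:", verify("alice@example.org", salt, tag, pepper))
    print("wrong address accepted:  ", verify("bob@example.org", salt, tag, pepper))
    leaked = plain_digest("alice@example.org")
    print("bare hash enumerated to: ", matches_any(leaked, ["bob@example.org", "alice@example.org"]))
```

Because only a tag is stored, the service cannot mail the address until the user supplies it again at recovery time. A party holding both the database and the pepper can still test guessed addresses, only one slow guess at a time.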

  • @zedev444
    @zedev444 4 days ago

    signal is most likely NOT compromised, however the amount of oxymorons and false equivalences you try to pass as arguments is astonishing

  • @Joseph-xt2qg
    @Joseph-xt2qg 14 days ago +1

    Great video and you bring up a lot of good points. FWIW, Tucker Carlson said the US gov found out about his trip to Russia via Signal...

  • @D.von.N
    @D.von.N 21 days ago

    Proton isn't quite transparent in more than one thing. I hoped to get 1GB data on the free plan just by signing up. That I had to fulfil 4 more conditions within 15 days, that wasn't obvious on the sign up website and anywhere. Without that I only have half of it.

    • @AllThingsSecured
      @AllThingsSecured  20 days ago +1

      Oh man, so you're complaining about a company that you didn't pay any money to for not giving you everything you wanted?

    • @D.von.N
      @D.von.N 20 days ago

      @AllThingsSecured no, misleading advertising. Cheeky. I didn't ask for it. They offered it. That is different. Hope you aren't doing a law degree.

    • @AdemNecmi
      @AdemNecmi 13 days ago

      If you check the conditions of the free plan it clearly states “Up to 1 GB Mail storage, start with 500 MB and unlock more storage on the way”.

    • @D.von.N
      @D.von.N 13 days ago

      @AdemNecmi yes, I saw that. Not sufficient to inform a potential user what conditions they have to meet to get the promised 1GB 'on the way'.

  • @jamesredfield555
    @jamesredfield555 20 days ago

    so how do you prove the open source code is the code that is actually being implemented

    • @vikkran401
      @vikkran401 3 days ago

      Most simple way is just by comparing the checksum & signatures from the repository with the actual program. And if it's legit then the source code and program should have the exact same checksum. If it doesn't, then there might be something going on

    • @jamesredfield555
      @jamesredfield555 3 days ago

      @vikkran401 but how would I do that for Proton's web page, not the desktop app, it's not like I can just download the html and checksum that lmfao

  • @Simon-us4bn
    @Simon-us4bn 12 days ago

    It amazes me how many ‘experts’ jump on the lack of metadata encryption when using Proton Mail….email simply doesn’t exist without it.
    If privacy is that important to you, why are you using a method of communication that is - by design - not private?

  • @georgeyoung108
    @georgeyoung108 9 days ago

    Do you have GAPPS or anything FB on your phone with Signal? Then no app is secure.

  • @FreedomIsNotGoingToBeFree
    @FreedomIsNotGoingToBeFree 9 days ago

    Open source won't help for the masses in this case as you can't check if the app from the store is running that code or a slightly modified version. Unless you compile it yourself of course.

  • @Canuck-1976
    @Canuck-1976 19 days ago

    In this case. If the user always used a VPN when signing into Proton and created an account with no identifying "records", as recovery email and name etc. The Proton email account name would exist but if you call it "Gibberish@ proton.. Then nothing would come of it. The IP would just lead to some VPN server. The data is encrypted and Proton say they cannot decrypt it. So it would be Gibberish. This coupled with Proton only has to abide by Swiss government that has good privacy laws. Then there is not much to worry about.

  • @podroznik2214
    @podroznik2214 3 days ago

    One thing to consider, hide in the crowd approach :)

  • @hypothebai4634
    @hypothebai4634 21 days ago +1

    The biggest problem with Signal is that you need a real phone number to register. A phone number is registered to a person.
    Use Session. This gets around this problem.

    • @AllThingsSecured
      @AllThingsSecured  20 days ago +3

      Yea, I get that. But now I have to get all my friends and family to use Session too. Not going to happen.

    • @hypothebai4634
      @hypothebai4634 20 days ago

      @AllThingsSecured Yes, it is a problem. But the point I was trying to make is that Using Signal instead of ProtonMail gains nothing with respect to hiding a person's identity from government.

    • @vpctech
      @vpctech 20 days ago

      @hypothebai4634 : Why compare Signal and Proton? Proton doesn’t offer a standalone messaging app.

    • @stephanhuebner4931
      @stephanhuebner4931 20 days ago +1

      Convincing regular people to use some obscure solution, no matter how secure it is, is absolutely unrealistic. And there's another viewpoint to this: The fact that you are one of potentially very few people who use said obscure solution makes you and those people an easier approachable target, as you stand out from the countless numbers of people using some other, widely more popular solution.

    • @hypothebai4634
      @hypothebai4634 20 days ago

      @stephanhuebner4931 My starting point is that all new solutions initially come from the pool of obscure solutions. And initially convincing regular people to use Solution A rather than solution B is just as hard as convincing them to use solution C rather than solution B.
      I agree that using, for instance, Session over Signal does not allow a user to hide in the long grass. But the thing about systems such as Session is that it is very hard to determine that anybody is using it at all. And Session leaks so little info that who cares if somebody is watching.

  • @readifdumb
    @readifdumb 8 days ago

    Stories like these just let me know what I should avoid, and help me keep in the loop. It also lets me know the lengths authorities have to go if they need your recovery address and a 3rd party to help them get your data. If anything that's ensuring, and just lets me know that recovery email is flawed to begin with, just like email is flawed and I should use E2EE messaging apps instead of email for sensitive data.

  • @OldAlastair
    @OldAlastair 21 days ago

    Proton & Signal. So what email to use?

  • @terramoo6936
    @terramoo6936 21 days ago

    get two proton emails that recover to each other?

    • @AllThingsSecured
      @AllThingsSecured  21 days ago

      At least one would have to be set up before you could create the other.

  • @Dk-qf8dd
    @Dk-qf8dd 21 days ago +1

    This is something so basic that so many fail to understand. Some deliberately so.

  • @t2ken
    @t2ken 16 days ago

    I suggest that the next episode be about the best artificial intelligence services (such as GPT chat and...) that respect user privacy (alternatives to Google Bard)

  • @russellmania5349
    @russellmania5349 4 days ago

    Proton was forced to disclose what their recovery email was. Why would anyone that uses Proton Mail provide a recovery email. Had the person never set up a recovery email address then Proton would have no data to give.

  • @macbitz
    @macbitz 21 days ago +91

    It amuses me how people seem to be worried that Proton provided an email address in response to a court order and yet didn't seem to care about the subsequent apprehension of a terrorist 🤔 I also saw a UA-camr recently bemoaning the fact that Proton do NOT mine and analyse your emails so that they can serve targeted ads 🤦🏻‍♂ Thank you Josh for being a voice of reason in an increasingly crazy world!

    • @AllThingsSecured
      @AllThingsSecured  21 days ago +1

      Thanks 🙏

    • @TrggrWarning
      @TrggrWarning 21 days ago

      So Proton only provides email addresses of terrorists & draws the line on “for targeted ads” scanning. Folks pay for some of their products, which helps everyone bypass ads.
      Also, for a good percentage of users are “free” which tends to mean they, their data, is still the product.
      So, your phrasing leaves a lot to the imagination, providing email addressees, merely addresses? Sure seems pointless.
      If they are scanning, but NOT for ad placement, why? To find email addresses of terrorists? Lol wat?

    • @AllThingsSecured
      @AllThingsSecured  21 days ago +3

      Confusing comment. Please stay on one topic for goodness sake.
      What makes you say that Proton is scanning? Where are you getting this?

    • @robmcewen4621
      @robmcewen4621 21 days ago +17

      @AllThingsSecured read his comment again more carefully. You're misinterpreting what he said about scanning. He's not claiming that proton scans emails. He was referring to how crazy it was... that he saw somebody complaining about Proton not scanning emails.

    • @bnalive5077
      @bnalive5077 21 days ago +26

      One group's “terrorist” is another group's freedom fighter. So yeah, privacy is privacy…….

  • @davidswanson9269
    @davidswanson9269 21 days ago

    If you know you are going into nefarious activities, you must already understand your communications pathways are already compromised to various degrees thus you have to practice opsec, comsec and offline encryption one time pads. Nature of the old school operative game, tradecraft.

  • @idib1739
    @idib1739 21 days ago

    Thanx for the Video, I'm fine with Proton but after what happened with Tucker Carlson i just can't trust Signal anymore...🤷‍♂

  • @janovmi2
    @janovmi2 9 days ago

    I use those not because I need to be absolutely anonymous from the gov, but because I don't want to deal and be spied on by the big tech
    also privacy and security isn't supposed to shield you for doing illegal stuff

  • @Sunrise-d819i2
    @Sunrise-d819i2 21 days ago

    yea, none of this affects the platforms for me. all I care about is my messages being read by companies workers/ad targeting, my IP is public, and etc. all this hysteria over nothing.

  • @steponmeirene
    @steponmeirene 17 days ago

    Naomi Wu did a very good breakdown of why Signal isn't a secure app, before she got vanned by the Chinese government for talking too much. In fact it was probably her discovering and making public those vulnerabilities that led directly to her vanning.

  • @yee-7o7
    @yee-7o7 18 days ago

    thanks for clarifying that, good point.