Your just focusing on strict technical definitions and completely ignoring the context of things. I described before how TLS is useful in the context of some SMTP e2e encrypted solution.
Yes, mentioning things that have not to do with e2ee.
Anything that is encrypted with TLS is not e2ee in the context of emails. You talked about metadata, but the server has access to those because it terminates the connection, therefore, they are not e2ee. It’s a protection against leakage between you and the server (and between server and other server, and between server and the destination of your email), not between you and the destination, hence, irrelevant in the context of e2ee. Metadata such as destination can obviously never be e2ee, otherwise the server wouldn’t know where to send the email, and since it needs access to it, it’s not e2ee, whether you use TLS or not.
TLS in this context doesn’t contribute at all to end to end encryption.
Your definition is wrong, e2ee is a technical definition, is not an abstract thing: e2ee means that only the two ends of a conversation have access to the data encrypted. TLS is by definition between you and your mail server, hence it doesn’t provide any benefit in the context of e2ee. It is useful, but for other reasons that have nothing to do with e2ee.
never questioned that. With SMTP you can do true e2ee using PGP and friends
Exactly, and this is what Proton does. You simply don’t accept that Proton decided to write another client that is tightly coupled with their mail service, which is absolutely nothing malicious or vendor-locky, compared to using an already made client. Proton is simply PGP + SMTP.
with CalDAV/WebDAV you’ll need to have some kind of middle man doing the encryption and decryption - it’s a fair trade off for a specific problem.
Yes, and this middle-man is proton client, which sits on the client’s side. I am glad you understood how the only way to have e2ee with *DAV automatically technically impedes you to use “whatever server”. If anybody else but the client does the encryption/decryption, you lost the end-to-end part. I am not saying e2ee in this context is absolutely necessary, you might not care and value more the possibility to plug other *DAV servers, good. Proton is not for you in that case.
but about SMTP where you can have true e2ee
Yes, you can using a PGP client, like OpenPGP of Proton webmail, or Proton bridge. You need stuff on top of SMTP.
Your previous comment of “SMTP requires server to access the data” is simply wrong.
Nope, you are simply misinterpreting it. In SMTP the server requires access to the data because it’s the one delivering it. PGP is built so that the data it’s a ciphertext and not plaintext, so that the server can’t see the actual content of the mail, but it needs to have the data and ship it, in contrast for example to a p2p protocol. PGP is however on top of SMTP and requires a client doing it for you. OpenPGP or Proton do exactly this. There is no way to support SMTP “natively” and offer e2ee. You would like Proton not to do e2ee and leave the responsibility of the client to do the PGP part, with the freedom of picking whatever client you want? Well, that’s exactly the opposite of their business model, since what they aimed is to make PGP de-facto transparent to the users so that it’s available even to people who are not advanced users.
Do you have any proof that they use CalDAV/CardDAV?
I sent you already a GIthub search of their clients for SMTP, look for yourself in the code. Do you think that makes any sense at all for them to reinvent the wheel and come up with ad-hoc protocols when all they need is a client?
You can also have a look at the job offers they post: https://boards.eu.greenhouse.io/proton/jobs/4294852101
You can see SMTP mentioned and experience with Postfix in production. It’s very likely that they are running that in the background.
Get over yourself and your purist approaches, when a company provides a service that is standardized in a specific set of protocols and they decide to go ahead and implement their own stuff it is, at least, a subtle, form of vendor lock-in. End of story.
No it’s not. Vendor lock means:
In economics, vendor lock-in, also known as proprietary lock-in or customer lock-in, makes a customer dependent on a vendor for products, unable to use another vendor without substantial switching costs.
Proton uses open standards, and just builds clients that wrap them. This means, emails are in a format that can easily be imported elsewhere, same for Calendar and Contacts.
You are now watering down the definition of vendor lock to try to make your claim less wrong, but it is wrong. I repeat, and you are welcome to prove me wrong:
There is no substantial cost in any form to migrate from Proton to an equivalent service elsewhere:
You can migrate email simply, by changing domain DNS records and exporting/importing the data.
You can export your Calendar in a standard format
You can export your Contacts in a standard format
This means that I can change vendor easily without significant cost, hence I am not locked-in.
What you actually mean is that while using Proton you can’t interoperate easily with other tools, and this is a by-design compromise to have e2ee done in the way they wanted to make it, which is available to mainstream population. You disagree with their approach? Absolutely legitimate, you prefer to use OpenPGP, handle keys and everything yourself? Then for sure, Proton is not worth for you as you can choose the tools you want if that’s important for you.
But there is no vendor-lock, they simply bundled together the email client with the PGP client, so that you don’t have the full flexibility of separating the two.
You disagree with this definition of vendor lock? Awesome, give me your definition and link some source that use that definition. Because if you keep moving the goalpost and redefine what vendor lock means, there is no point to discuss.
Yes, mentioning things that have not to do with e2ee. Anything that is encrypted with TLS is not e2ee in the context of emails. You talked about metadata, but the server has access to those because it terminates the connection, therefore, they are not e2ee. It’s a protection against leakage between you and the server (and between server and other server, and between server and the destination of your email), not between you and the destination, hence, irrelevant in the context of e2ee. Metadata such as destination can obviously never be e2ee, otherwise the server wouldn’t know where to send the email, and since it needs access to it, it’s not e2ee, whether you use TLS or not. TLS in this context doesn’t contribute at all to end to end encryption. Your definition is wrong, e2ee is a technical definition, is not an abstract thing: e2ee means that only the two ends of a conversation have access to the data encrypted. TLS is by definition between you and your mail server, hence it doesn’t provide any benefit in the context of e2ee. It is useful, but for other reasons that have nothing to do with e2ee.
Exactly, and this is what Proton does. You simply don’t accept that Proton decided to write another client that is tightly coupled with their mail service, which is absolutely nothing malicious or vendor-locky, compared to using an already made client. Proton is simply PGP + SMTP.
Yes, and this middle-man is proton client, which sits on the client’s side. I am glad you understood how the only way to have e2ee with *DAV automatically technically impedes you to use “whatever server”. If anybody else but the client does the encryption/decryption, you lost the end-to-end part. I am not saying e2ee in this context is absolutely necessary, you might not care and value more the possibility to plug other *DAV servers, good. Proton is not for you in that case.
Yes, you can using a PGP client, like OpenPGP of Proton webmail, or Proton bridge. You need stuff on top of SMTP.
Nope, you are simply misinterpreting it. In SMTP the server requires access to the data because it’s the one delivering it. PGP is built so that the data it’s a ciphertext and not plaintext, so that the server can’t see the actual content of the mail, but it needs to have the data and ship it, in contrast for example to a p2p protocol. PGP is however on top of SMTP and requires a client doing it for you. OpenPGP or Proton do exactly this. There is no way to support SMTP “natively” and offer e2ee. You would like Proton not to do e2ee and leave the responsibility of the client to do the PGP part, with the freedom of picking whatever client you want? Well, that’s exactly the opposite of their business model, since what they aimed is to make PGP de-facto transparent to the users so that it’s available even to people who are not advanced users.
https://github.com/search?q=org%3AProtonMail+CalDAV&type=code you can dig yourself into the code if you are curious to understand.
I sent you already a GIthub search of their clients for SMTP, look for yourself in the code. Do you think that makes any sense at all for them to reinvent the wheel and come up with ad-hoc protocols when all they need is a client? You can also have a look at the job offers they post: https://boards.eu.greenhouse.io/proton/jobs/4294852101 You can see SMTP mentioned and experience with Postfix in production. It’s very likely that they are running that in the background.
No it’s not. Vendor lock means:
Proton uses open standards, and just builds clients that wrap them. This means, emails are in a format that can easily be imported elsewhere, same for Calendar and Contacts. You are now watering down the definition of vendor lock to try to make your claim less wrong, but it is wrong. I repeat, and you are welcome to prove me wrong:
This means that I can change vendor easily without significant cost, hence I am not locked-in.
What you actually mean is that while using Proton you can’t interoperate easily with other tools, and this is a by-design compromise to have e2ee done in the way they wanted to make it, which is available to mainstream population. You disagree with their approach? Absolutely legitimate, you prefer to use OpenPGP, handle keys and everything yourself? Then for sure, Proton is not worth for you as you can choose the tools you want if that’s important for you. But there is no vendor-lock, they simply bundled together the email client with the PGP client, so that you don’t have the full flexibility of separating the two.
You disagree with this definition of vendor lock? Awesome, give me your definition and link some source that use that definition. Because if you keep moving the goalpost and redefine what vendor lock means, there is no point to discuss.