In technology there is no 100% secure system:
- It may be for the first weeks or months until there is somebody/something smart enough to break it, in the most complicated and smart way or the most stupid simple way that nobody ever think about it.
- Most of the patterns are, they are attacked continuously when they become popular and suddenly all the attacks stop and next is "business as usual", "bad guys" are in, and no matter how many fixes and changes or upgrades, they are well structured and organized to get their access back. Yes proton email is being attacked several times in the past and the successful ones probably are not the ones sitting in a basement or dormitories, they are well funded and organized and they are not into getting popular and being recognized by the world. For them there are many methods to attack infrastructure and sometimes they don't even need to target the end user front end service.
- Proton email and later vpn services have a lot of attention in the last years "for their good security"; good guys "fighting the system and trying to publish the true" are there, bad guys are there, others doing other things (bad or good) are also there, etc... information is power... do you have any data that needs to be kept with the highest security levels and only "you" should access? "welcome to proton email and vpn services " -> lets jump into conspiracy
- Millionaires psychopaths looking for more power, groups of people with money looking for power, governments looking for power and control, government organizations looking for power and control, trying to stay one step ahead, catching secrets... what will stop them to create an email service for anybody "very secure"?, reputation can be created in some way, just have patience in 2 or 3 years, maybe less or more.
- Want to make it more credible?, locate it in a country that is stable, has relatively good laws and outside of the "bad America", .... After all you are just creating a service where people place their information and where in the backend you have control of everything.
- Those kinds of organizations or people don't have any problems hiding behind institutions like CERN or MIT or others. Same approach as creating the correct organization or structure for your new company
- Auditors?, Laws?, PII Data?, Compliance?, Encryption in transit and at rest?, MFA?, you name it!, all these in your new service?, ha!, in IT and with automation you can setup pressing 1 button to enable compliance in all these, and also pressing another button to disable only the necessary and get access. Sometimes you don't even need to get access to all, you just code and setup analytics or ML/AI algorithms and the tools will tell you which accounts have "strange" uncommon things depending on what you are looking for (key words, patterns, strings, image recognition, algorithms for this, algorithms for that).
- They design it, they develop it and they implement it in production. They say a lot of things like maybe they use open source software (the community backs them), maybe they use a recognized enterprise software vendor, is anybody able to get access and prove it? is all just trust <- auditors?, will they review thousands lines of code?, yeah sure.... code quality and code security tools? <- they don't detect malicious application functionality, by the way who is going to find this and then judge that is malicious in your application logic "backend processes"?
- There are very high probabilities that it can be a honeypot trap and with the intention to use the information found in those accounts in benefit of different agendas, or just control, user profiling, secrets,...., and if there are actions to execute they are quietly and without attract too much attention in most cases, if not they will lose reputation and credibility in their precious honeypot trap, because people may realize this if is public.
- Just one more time, information is power -> secure email accounts have information, secure network traffic (vpn's) also have information. <- There is also classification of information, of course there is always somebody or some organization willing to pay for certain classified secret information found, personal or not, to monetize, to control, to get advantage, to track, to hide, to punish....
By the way I also have my email account in proton email to keep my false sense of security and be part of the nerd security cool vibe.
What are your thoughts on TOR?