Proton Mail Finally Releases Desktop Apps With a Linux Beta Version

It's basically Chrome. It's not a real application, it's a website pretending to be one. It uses a metric fuckton of RAM and eats your battery faster than Prince Andrew a minor.

Each electron App is actually a full independent chromium browser install running a website. It's easy to code for and works cross platform as a result, but it's essentially just a website, although they can run offline depending on what's been built in to the local app.

Each electron app running on your system is a separate full chromium app running, with no sharing of resources between each instance. So they take up a lot of space each and duplicate all the resource usage, and potentially the security flaws.

It's just the webapp. If we want the webapp we use a browser.

It's what you deploy to your users if you want to work around ad blockers and browser extensions. It's a great tool to get operating system level access to exfiltrate information about your users and identify them uniquely, even if they would prefer that not to happen.

All that with the help of Google's telemetry engine aka Chrome, which further helps Alphabet to manifest their interpretation of web standards in the world.

We worked to move things onto the web. Now people bring the web back to your desktop with every application bringing it's own browser shell. We have come full circle and we're now using 10x the resources.

Electron is the prime example of everything that is wrong in IT.

There are other options like Tauri that do the same thing as electron, but instead of bundling chromium with the app, it relies on the OS provided web view. It’s also built with Rust, which tends to be faster.

As an example, Mac would use Safari, Windows would use Edge (chromium), and Linux would likely use WebKitGTK, which is what safari uses.

By using the default browser, developers save a ton of space—at the risk of compatibility issues, which are very very rare nowadays.

Everything

Electron runs a core Chromium Browser + NodeJS + a bit more.

Unlike Chromium itself it is not backwards compatible and removes a ton of things like its sandboxing capabilities.

I am not sure how it is less secure, but it may use more RAM (also not always but generally yes of course), doesnt allow hardening (unlike android WebView apps) and breaks LD_PRELOAD-ing another memory allocator.

This is only a big problem in special cases, in general it makes apps strictly dependend on GNU glibc and others, no idea how it works on Alpine or others (that actually try to make a secure system).

If somebody knows more about security concerns about Electron, please add.

No way.

Bridge

I am actually sort of worried that now that they put this out they will retire bridge. We will have to wait and see. Is having a browser tab open really that bad... ?? I suppose but I still like programs over web pages.

The GitHub repository for the project is here, and the tagline of the repository is:

Desktop application for Mail and Calendar, made with Electron

It says so in the repo

Are you kidding me? Doesn't bother me that much, as I use Thunderbird with Protonmail bridge. I'm still waiting on Proton Drive for linux. Well, I'm gonna end up self hosting at this point. :(

Tbh it should have simply been a flatpak

I prefer rpm over flatpak. at least I know any os dependency updates are happening regularly, flatpak may not get weekly dependency updates from proton

I had no idea the whole world was capitalist, but I guess I don't know everything. And there's the fact that I mentioned the world, not a form of political economy. But yeah, capitalism is weird.

I don't use either OS, but the apps are .DMG (Mac) and .exe (Windows), so I believe they are, yes.

Does it support offline access?

The only benefit i can see of web app is it is in a controlled browser environment...could be helpful with security?

To save myself the hassle of having to rebuild the electron app every once in a while? I'd rather not open my browser, go to their website and log in with 2fa every time I want to read an email.

The main benefit is since it is locally installed, it is harder for proton's server to access your encrypted data by serving you malicious JS. A malicious desktop app/update could be served too, but that may be trickier.

I believe I read somewhere they're focusing heavily on the mobile app at the moment (or rather turning K-9 into their mobile app). Once they get that out, we'll see where the desktop goes.

I've never found Thunderbird search bad compared to alternatives, as long as I'm not looking to find content inside attachments. Really fast and responsive and being a desktop client without paginated results makes moving and deleting in bulk so much easier. Would love it to be as powerful as Voidtools Everything to get a bit more granular sometimes but otherwise pretty happy with it.

I think they're talking Kmail from the KDE app suite. I thought they meant K-9 mail.
Btw If I remember correctly K-9 mail is or is becoming Thunderbird.

If K-9 isn't working well for you, try FairEmail. It's one of my favourite email clients.

K-9 has gotten a LOT better over the past few months though.

That’s not true, the latest release was two weeks ago.

You should do it. Easy to setup using either their official AIO image or the community-driven micro service one. I am using the latter and it's been amazing. It's completely replaced Google Drive, Calendar, and Contacts for me and with the DAVx5 Android App it feels like a drop-in replacement. I am also using the auto upload feature to back up my photos to it.

I would too, but after like a week I get bored of maintaining it myself when all the expenses summed together aren't much cheaper than Proton or likewise. This is what I was doing before submitting my independence to Proton.

Furthermore Nextcloud is just too damn sluggish. The web interface makes it seem like my server's idea of a CPU is a kid with a calculator and WebDAV isn't designed for cloud storage. I'll take new features being slow over my whole experience being even slower any day of the week.

That's what I've done, using rclone bisync and my crontab. Like I said it works well enough, but far from perfect. Using a beta backend with an experimental operation, according to the rclone website, puts me slightly on-edge.

I did try Celeste, but stopped using it for two reasons:

• I use Budgie, so Libadwaita apps look incredibly out-of-place. Inconsistency like that makes me physically uncomfortable.
• Didn't really work, just too slow.

Baby steps that take Proton from a great service to a toy for the masses in the effort to increase revenue. AI features are next

Is the bridge actually being discontinued?

No, but what from their moves it is very clear it won't live long.

they don’t support SMTP, but realistically they actually can’t unless they have the ability to read your emai

Technically they do use SMTP... and it's possible for a provider and provide submission and generic SMTP do clients without having to read the email content.

There are lots of ways to do e2e encryption on e-mail (no server access to the contents) over SMTP (OpenPGP, S/MIME etc.). There are also header minimization options to prevent metadata leakage. And Proton decided NOT to use any of those proven solutions (in a standard and open way at least) and go for some obscure implementation instead because it fits their business better and makes development faster.

They cannot decrypt your data while sitting, so IMAP cannot work.

You have to be a paying customer to use that app IIRC.

Proton's whole thing is it's meant to be secure, private, encrypted, etc. To achieve that, it requires the Proton app or website as an endpoint, so your email never leaves Proton's environment. As long as your reading your email in the Proton app/site, they can guarantee its privacy and security.

Once it sends your emails to Thunderbird or another client, it's leaving the Proton environment, and they can no longer control it. You're sacrificing the inherent privacy/security of Proton when you use Thunderbird (they claim).

All of that being said, it's an absolutely bullshit excuse. Tutanota does this same shit, only they don't even provide the bridge like Proton does.

It's true it's technically more secure for those emails to stay in the Proton environment, but they're still your god damn emails, and they should operate like every other email service by giving the user the option to export those emails in whatever way they damn well please, for free.

It's just more platform lock-in garbage. Your emails are trapped on their server, so they'll be no moving away to a different provider easily.

So the bridge now syncs your calendars, contacts, files & passwords? 😛 Their bridge still sucks like it always has.

Have to use a student account, gmail and my main protonmail account. Tying everything up in one window is just nice.

they don't support IMAP

They don't support IMAP because they want emails to remain end-to-end encrypted, and IMAP doesn't have any way of doing that. The gateway decrypts the emails locally, then serves them as plain text.

We need something better than IMAP, that's designed for modern use cases. Something that's not stateful... Maybe a web service or something like that. JMAP seems promising but barely any providers have implemented it.

On a lighter note, the protocol might be proprietary but the bridge still seems to be fully open source : https://github.com/ProtonMail/proton-bridge

I don't think think Proton shows bad will on this one. The only alternative I can think of (as a non expert) would be IMAP + GPG encrypted emails but very few desktop clients support GPG, which would make them less accessible 🤷‍♂️ Having their own protocol also probably makes it much much easier for them to iterate on it, opening up usually makes think much robust but also slower.

last time I checked, IMAP/SMTP required not only a paid account, but running Protonmail's proprietary bridge app

I think it’s allowed on paid business accounts

We need caldev through the bridge app for use in thunderbird and other apps.

If that's the case, then I might have to use distrobox for once.

Thank you for that.

The people behind Murena are also the devs of /e/OS, a de-Googled Android OS that they also sell phones they pre-load it on. My one critique of it so far, owning one of the phones, is that I wish they would work on making it compatible with more well-known phone models available outside Europe. They sold this model I'm using, the Murena One (some Chinese OEM they slapped their name on), here in the US through their website, but I had to run around for two days trying to find a carrier whose service would work on it (or who would even try - eventually T-Mobile worked, the European-based carrier, what a surprise...) and I can't get anyone to do repairs on it because it's not one of the well-known brands. The case they gave me for it is essentially purely cosmetic, and only a week or so into owning it, I dropped it at a restaurant and it got a huge area of dead pixels at the bottom of the screen that nobody will fix because they can't get a new screen for it. If I could install /e/OS myself on more than just the Google Pixel (paying Google to not have to use Android, fun...) that would be great and solve my problems.

So how would you sync your Proton Passwords with NextCloud, or with VaultWarden? Or actively sync them locally to be used with an open source app?

Oh, that's right.. you can't. Proton will say... "Just trust our payloads bro! There is no way we'd ever deliver a modified payload to get your password. Sorry you can't sync your calendar & contacts, just use our Windows apps."

FYI, you can enable a local index for message content searches:

https://proton.me/support/search-message-content#how-to-enable-search-message-content

for what claim do you want a source that isn't provided?

This is just patently false. GPG is not inconvenient & there are a plethora of apps that has made it much more user friendly. The fact that Proton has decided to take away freedom & tell you it is more secure is just bologna. There is no reason to trust Proton at all.