ProtonMail Bridge on Sailfish

As you all know, we can only access the excellent ProtonMail through the browser at present. However, there’s a native way too using their bridge which has been open sourced for quite some time now. I’ve checked that it uses Qt/QML which means it could be built for Sailfish and work there (unless the deprecated Qt poses an obstacle). This way we’d have support for ProtonMail through the built-in application. Please share your thoughts.

P.S.: I know about the approach with the alternative bridge of hydroxide and I’ve tried it. It was so unreliable connecting to ProtonMail and obtaining and loading my e-mail that I even reported a bug. Unless somebody’s faced and fixed this, I see no point in discussing it on this thread.

3 Likes

I’m a bit thick perhaps, but can’t protonmail be used like a ‘normal’ smtp/imap/pop service? An email account? If it’s about sync, then there are many ways to securely sync imap / pop mail stores.

No. Their approach is different because of security: for example, users can specify 2 passwords for their e-mail. The original bridge I’m talking about porting is their own development; they wouldn’t’ve bothered if they could directly support standard protocols.

Mail servers speak with other mail servers to exchange mail. There is no authentication involved in this. So the only security that you may be interested in is encryption. And that is not something unique to proton mail.

2FA is nice for ‘apps’ but has nothing to do with the security of your mail once it actually leaves your machine. My ‘single factor’ auth mail to MY mail server with encrypted headers and gpg content is about as secure as it gets. But even that is only as secure as the crypto you get with gnupg.

If you can only use the service with a special app and still send mail to ‘the rest of us’ you are being had.

If the encryption is not based on public key crypto, then how do others read your mail? Well, of course, they can’t. So, proton is saying they’re doing ‘better’ transport encryption on the way to ‘them’. Well, that’s ‘useless’ ™.

Now I’m only saying that as someone who has managed mail for many tens of thousands of users. I didn’t do it as well as proton, probably :)

As to the bridge itself and Qt. It seems to be written in Go. This, in itself, is ‘a good thing’ ™. I like Go. But compiling this in the Sailfish context is going to be ‘non-trivial’.

The Whisperfish Rust project is a demonstration of just how difficult this is. I haven’t gotten around to that in a really serious way, but that’s also supposed to be a security ‘thing’. However, it’s a massively bloated project which is very probably very insecure. Just look at this:

8.0K /usr/bin/harbour-2048
244.0K /usr/bin/harbour-advanced-camera
8.0K /usr/bin/harbour-audiocut
8.0K /usr/bin/harbour-defender
808.0K /usr/bin/harbour-fahrplan2
336.0K /usr/bin/harbour-file-browser
80.0K /usr/bin/harbour-fishtheke
8.0K /usr/bin/harbour-gameoflife
224.0K /usr/bin/harbour-hafenschau
8.0K /usr/bin/harbour-newsapi
212.0K /usr/bin/harbour-pure-maps
8.0K /usr/bin/harbour-quantofa
24.0K /usr/bin/harbour-sailfishreboot
80.0K /usr/bin/harbour-sailhn
32.0K /usr/bin/harbour-screenshot
8.0K /usr/bin/harbour-scribble
8.0K /usr/bin/harbour-simplecrop
8.0K /usr/bin/harbour-simplemahjong
348.0K /usr/bin/harbour-storeman
544.0K /usr/bin/harbour-taot
244.0K /usr/bin/harbour-tidings
152.0K /usr/bin/harbour-videoPlayer
18.4M /usr/bin/harbour-whisperfish
21.7M total

I won’t delve into the internals of mailing services. You asked why ProtonMail can’t just use IMAP/POP3 and I’ve answered. They don’t know what to do with 2 passwords while ProtonMail doesn’t open with just one: there’s just one example of the bridge.
Now, the remark about Go is worth thinking about. I had assumed C++ because I didn’t bother to check all code thinking the Qt version would be enough of a problem (and it is, they use Qt 5.13). The 18 MB-s you’ve shown are indeed atrocious, I do hope Go fares much better. But I’m not even sure it works on Sailfish. I guess it’s one item I can check tomorrow as it’s very late here.

It’s certainly worth looking at supporting Go and nothing against custom clients for mail services.

I just read: https://protonmail.com/support/knowledge-base/the-difference-between-the-mailbox-password-and-login-password/

They make it clear it’s not 2FA but is actually what I describe. 1 mailbox password and 1 password for gnupg.

I’ll have a look at the bridge implementation when I have a moment.