Vendor asks me to use "protonmail's encryption"

I've DDed with this vendor one time so far and everything went super smooth. Got my product quick and had great stealth. We used PGP back and forth to set up the first DD in every bit of communication we had. Now I emailed again about a week later to get another DD going "using PGP" and I get this reply: "Hmm, are you okay with using protonmail's encryption? I just sent you an email that's password protected. Once you click it, all further correspondence in that thread is encrypted." I'm not really sure what to think about this or even how safe it is. Any suggestions, guys?


Comments


[9 Points] throwahooawayyfoe:

Never trust on-site auto-encrypt features or any other 3rd party encryption service to keep you safe. If they are compromised or a honeypot, there is nothing stopping them from saving everything you type in cleartext before it gets encrypted and sent. Always do your own encryption using software running on your own local machine - this is the only way to guarantee the security and integrity of a message.


[5 Points] stabBarbie:

If protonmail was malicious and wanted to, they could steal your messages by logging them as you type, before they become encrypted. No reason to believe they are, but encrypting with PGP prevents that.


[3 Points] Gimmethatcandy:

I’m the vendor he is referring to. I use PGP daily, as I actively vend on other, “less bright” markets hehe. The amount of people on Reddit who use, or even understand, PGP is insanely low. Same goes for VPN, unfortunately, which has become a large issue for this line of work due to insecurely checking tracking information, as previous vendor/customer busts have shown.

The reason I sent him the follow up email in clear text (which was already assumed by another user) is that I get, and I’m just estimating here, at least 150-200 emails a day. It’s normally around 250 and up.

Keep in mind that I’m a very small time vendor. Half of the time, I’m discussing things that are already laid out on my pastebin such as pricing, products offered, how to contact (yeah...) etc.

Of course I don’t mind answering questions, and I actually enjoy it at times, but the hours in each day are finite, so this takes a lot of time out from working on the product, obtaining supplies, ensuring customer details are correct and in order, ensuring the product is dosed properly and stealth/OPSEC is maintained throughout all of this without exception.

So, I don’t disagree with you guys, and I assure you that everything on my end is very secure, but if you can make something, you can also take it apart, I suppose ;-).

To the OP, if you want to continue using PGP only, I have no problem at all complying with that. I’m used to it. I just have been getting MANY complaints about me being slow to complete orders, and this is sort of an attempt to put out some fires... but it seems that now I’ve made another one with this.

I don’t take any of this lightly I promise. I might say “haha” a lot or use too many smileys, but I’m still aware that you are trusting a random stranger with your personal information and I respect that fully my friend.

-TT =)


[2 Points] Whiteoak789:

Don't do it. I like Protonmail, but not for stuff like this. If you do it, use PGP and send that in the encrypted Protonmail email, lol. But I doubt that is what he is wanting. Just tell the vendor you don't feel comfortable doing that and would prefer to use PGP. Any legit vendor that has half a brain should know: if you want to sell on the DNM, learn PGP. It's that simple, really.


[2 Points] MDMangle:

Don't make illegal transactions without PGP or OTR. That's just dumb. You shouldn't need to trust protonmail, which your vendor is apparently asking you to do. I'd refuse that offer 100%.


[1 Point] fourace:

if a vendor asks you to do something stupid, don't do it.


[1 Point] murderfluffybunnies:

I like protonmail. But don't trust anyone but yourself and your own pgp keys to encrypt anything to anyone for any reason.


[1 Point] None:

What reason did the vendor give for not using PGP encryption?? Is he claiming it's a PITA or something? First thing that crossed my mind is the vendor is compromised and doesn't have access to the private key. Don't know any vendor who would discourage PGP encryption on any platform except for scammers and LE. The exception is of course not encrypting non-sensitive things. But anything sensitive must be encrypted. Of course, this protects the buyer more than the vendor in many cases, so it's up to you to be proactive about your own security lest your asshole get mangled and chewed up.


[1 Point] Bocajj19:

Was this humboldt?


[1 Point] HempLover420:

Was he even able to decrypt and read your encrypted message? Maybe it isn't even him anymore...


[1 Point] Gimmethatcandy:

ProtonMail offers full end-to-end email encryption, from start to destination. The encryption happens at the user’s level, making it impossible for ProtonMail to have ever seen the original content.

The email is already encrypted when it reaches their Switzerland servers and the recipient’s email password is the only key to that email.

ProtonMail does not have the keys to decrypt any of the emails sent across their network, unlike services like Gmail, who do have the power to decrypt email messages. If authorities would request keys, they would not even have that possibility, only retaining encrypted data on the servers.

Strategically based in Switzerland, ProtonMail will decline any third party requests from overseas organizations or governments. Local government values privacy and has a very low wiretapping and data seizure track record, used explicitly to prevent crime.

Proton's security details


[0 Points] None:

A mangled asshole is one that relies on third parties for encryption. With that said, I have seen proton mail talk about end to end encryption. How does it work? Doesn’t that mean that the email service has to have the keys to decrypt since you don’t need to do anything to decrypt it? Is it just encrypted with your password somehow? I can’t see how you can rely on proton mail for encryption without trusting the service itself. I have no clue how proton mail encryption works though.


[0 Points] throwawayagainbiatch:

Protonmail works well and is easy, and proton cannot decrypt your messages. I would send him a message with pgp first and let him respond why he wants to use proton. If it makes sense, it is easier, especially with DD, to use proton. I use proton but also pgp in proton.