But, where did you get that public key that you're using to verify the signatures? Personally, I got that public key because it was included in an ISO image that I downloaded over TLS from a website. So, if that TLS session was compromised, a fake public key could have been inserted in the ISO. Or, the copy of GnuPG in that ISO could have been modified not to complain when the signature of certain pieces of code did not validate.
Ideally, you should be able to use the WoT (Web of Trust) to validate the public key that comes with the ISO (validating that the copy of GnuPG, glibc, or the Kernel has not been modified to mess with the signature validation is much harder). But, have you ever looked at the signatures on the public keys that most distributions use to validate their software releases? There are usually no signatures at all. The keys have no WoT links at all. They don't even use it. One example of this is RedHat Linux.
> But, where did you get that public key that you're using to verify the signatures? Personally, I got that public key because it was included in an ISO image that I downloaded over TLS from a website.
Which is why I said "There is of course the initial OS image that you need to find some other way to trust (but this is the same in your case)". I explicitly wrote my post to point out that ProtonMail has one additional, independent, vulnerability risk.
You were talking about the GnuPG or browser install, and I said that it would be wrong to claim that this is as vulnerable as getting the library from a web mail service if you're talking about decent OSes. This view is not invalidated by the risk of the initial OS install, since that's a different risk: you run the OS installation once every few years or so, but you check email every day. And if your OS is compromised, then you have lost in any case and could as well use Yahoo/Hotmail/Gmail/Facebook/postcards.
For the OS install you can also take precautions when getting the image (e.g. download or verify image over TOR, compare hash with results from search engines or other people), also in fact Debian does provide PGP signatures for their OS images[1].
> But, have you ever looked at the signatures on the public keys that most distributions use to validate their software releases?
Yes, I'm in fact always doing exactly that. Of course people who don't have a PGP implementation yet can't do it as easily. They can still take different precautions. Chicken and egg is not an absolute dilemma.
Also, Debian creates the above signature with a key that is signed by people I actually have a trust path to:
$ gpg SHA512SUMS.sign
gpg: Signature made Sun Jan 24 18:08:46 2016 GMT using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
$ gpg --list-sigs 6294BE9B | grep ^sig | cut -c14- | sort -u -k 2
C542CD59 2011-01-05 Adam D. Barratt <adam@adam-barratt.org.uk>
6294BE9B 2011-01-05 Debian CD signing key <debian-cd@lists.debian.org>
A40F862E 2011-01-05 Neil McGovern <neil@halon.org.uk>
63C7CC90 2011-01-05 Simon McVittie <smcv@pseudorandom.co.uk>
3442684E 2011-01-05 Steve McIntyre <steve@einval.com>
1B3045CE 2011-01-07 Colin Tuckley <colin@tuckley.org>
95861109 2011-01-23 Ben Hutchings (DOB: 1977-01-11)
30B94B5C 2011-02-08 [User ID not found]
9011A5AE 2011-05-02 [User ID not found]
53CD659C 2011-05-09 [User ID not found]
8143B682 2012-08-26 Neil Williams (Debian) <codehelp@debian.org>
0125D5C0 2012-08-31 Philip Hands <phil@hands.com>
046F070A 2013-04-22 [User ID not found]
5DF05C03 2013-06-11 [User ID not found]
C778A4AB 2013-07-06 [User ID not found]
10038D31 2013-07-23 [User ID not found]
Yes, I'm sure there will be users who won't know or care how to check this and I guess some will still benefit from using ProtonMail. I just don't want the existing difference to be wiped under the table.
Your remaining advantage could be that the Swiss CA that you're using provides more security than the potentially non-Swiss CA used for the website a "normal" user (who doesn't do further checks) is downloading his OS image from. At that point a risk calculation using probabilities would need to be done to see which solution looks more secure.
Ideally, you should be able to use the WoT (Web of Trust) to validate the public key that comes with the ISO (validating that the copy of GnuPG, glibc, or the Kernel has not been modified to mess with the signature validation is much harder). But, have you ever looked at the signatures on the public keys that most distributions use to validate their software releases? There are usually no signatures at all. The keys have no WoT links at all. They don't even use it. One example of this is RedHat Linux.
I actually wrote a document that describes how to do Strong Software Distribution with PGP: https://cryptnet.net/fdp/crypto/strong_distro.html Unfortunately, no one really does it.
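The trust-path check discussed in this thread (looking at who has certified a distribution's signing key) can be scripted. The following is an added example, not code from any poster or from Debian; it assumes the colon-delimited record layout of `gpg --check-sigs --with-colons` as documented in GnuPG's doc/DETAILS, and the sample input, key IDs and function name are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of `gpg --check-sigs --with-colons KEY` output (assumed
# layout per GnuPG doc/DETAILS). All key IDs and names are made up.
SAMPLE = """\
pub:-:4096:1:A1A1A1A1A1A1A1A1:1294185600:::-:::scSC:
uid:-::::1294185600::::Example CD signing key <cd@example.org>:
sig:!::1:A1A1A1A1A1A1A1A1:1294185600::::Example CD signing key <cd@example.org>:13x:
sig:!::1:B2B2B2B2B2B2B2B2:1294185700::::Alice Example <alice@example.org>:10x:
sig:!::1:C3C3C3C3C3C3C3C3:1294185800::::Carol Example <carol@example.org>:10x:
sig:-::1:D4D4D4D4D4D4D4D4:1294185900::::Dave Example <dave@example.org>:10x:
sig:?::1:E5E5E5E5E5E5E5E5:1294186000::::[User ID not found]:10x:
rev:!::1:C3C3C3C3C3C3C3C3:1300000000::::Carol Example <carol@example.org>:30x:
"""

def classify_certifications(colon_output, trusted_ids):
    """Bucket certifications on a key by whether they give a usable trust path.
    trusted_ids: 16-hex-digit IDs of keys you verified yourself (8-digit short IDs collide)."""
    trusted = {k.upper() for k in trusted_ids}
    subject, revoked = None, set()
    buckets = defaultdict(list)
    records = [line.split(":") for line in colon_output.splitlines() if line]
    for f in records:                      # first pass: subject key, revocations
        if f[0] == "pub":
            subject = f[4]
        elif f[0] == "rev" and f[1] == "!":
            revoked.add(f[4])
    for f in records:                      # second pass: certifications
        if f[0] != "sig":
            continue
        validity, signer = f[1], f[4]
        if signer == subject:
            buckets["self"].append(signer)          # says nothing about origin
        elif validity == "?":
            buckets["unverifiable"].append(signer)  # signer key not in keyring
        elif validity != "!":
            buckets["bad"].append(signer)           # signature failed to verify
        elif signer in revoked:
            buckets["revoked"].append(signer)       # certification withdrawn
        elif signer in trusted:
            buckets["trust_path"].append(signer)
        else:
            buckets["valid_but_unknown"].append(signer)
    return dict(buckets)
```

Only the `trust_path` bucket supports the claim "signed by people I have a trust path to"; a key whose certifications all land in `self` or `unverifiable` is in the situation the first poster describes.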