Security model parity between web and mobile
When I log in to Proton Mail on my mobile, I'm logged in only in the Proton Mail app. When I log in to the Proton Drive app, same story. I can be logged in to one, the other or both, but even then I have additionally secured the Drive app with PIN/biometrics. This is awesome, because if my unlocked device somehow falls into the wrong hands, the person wouldn't have access to all the files I store in Proton Drive, as it would be either locked or logged out. This is important to me personally because I have a chronic illness and I need to have my medical records on hand at all times. This is a secure cloud drive feature that is to be expected.
Sadly this is not the case in the web version of the Proton apps. When I log in to Proton Mail, "account.proton.me" automatically logs me in to Proton Drive as well, whether I want it or not. This is pretty bad and the reason why I can't use Proton Mail as my day-to-day mail service. Someone could gain access to my logged-in browser session, where I only use mail, and snoop through my drive files as well.
The fix seems trivial: an opt-in user setting to store FQDN cookies instead of domain-wide ones. This way, when I put my email address into the "account.proton.me" login field, the server will check whether I wish to have my cookies separated between Proton services and serve me the desired one (for example only for mail.proton.me), but will require an additional login for the other (drive.proton.me).
Another idea is an inactivity lock for Proton Drive, like in the mobile app. Maybe even a prompt to repeat the encryption key ("mailbox password") if the user has them separated, so the session will be authenticated but not decrypted for Drive.
Either way, a secure cloud drive SHOULD have some kind of additional lockdown ability if the user wishes so, as the way it works now is prone to a variety of social-engineering and session-cookie-stealing attack vectors. It will not prevent them from happening, but it will limit the potential damage scope. You nailed it on mobile, please incorporate this feature into the web version as well!
-
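As an added illustration of the cookie-scoping point in the request above (this is example code written for this page, not Proton's code, and it assumes nothing about how Proton actually implements its cross-service login): under RFC 6265, a cookie set with a `Domain=proton.me` attribute is sent to every subdomain, so one stolen session cookie reaches mail, drive and calendar alike, whereas a cookie set without a `Domain` attribute is "host-only" and goes back only to the host that set it. The hostnames, cookie names and token values below are constructed for the example.

```javascript
// Added example (not Proton's code): RFC 6265 cookie scoping, host-only vs
// domain-wide, and what that means for the blast radius of a stolen cookie.
// All hostnames and cookie values here are constructed for illustration.

// RFC 6265 s5.1.3 domain matching: the request host matches the cookie's
// domain if it is equal to it or is a subdomain of it (IP addresses ignored).
function domainMatches(requestHost, cookieDomain) {
  const h = requestHost.toLowerCase();
  const d = cookieDomain.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Minimal Set-Cookie parser. Returns null when the user agent would reject
// the cookie (Domain attribute that the setting host does not match).
function parseSetCookie(header, originHost) {
  const parts = header.split(';').map(s => s.trim());
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1),
    domain: originHost.toLowerCase(),
    hostOnly: true,          // true until a Domain attribute is seen
    secure: false,
    path: '/',
  };
  for (const attr of parts.slice(1)) {
    const [k, v = ''] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'domain' && v) {
      // A leading dot is ignored (RFC 6265 s5.2.3).
      const dom = v.replace(/^\./, '').toLowerCase();
      if (!domainMatches(originHost, dom)) return null;
      cookie.domain = dom;
      cookie.hostOnly = false;
    } else if (key === 'secure') {
      cookie.secure = true;
    } else if (key === 'path') {
      cookie.path = v || '/';
    }
    // HttpOnly, SameSite, Max-Age etc. do not affect host scoping; ignored here.
  }
  return cookie;
}

// Would the user agent attach this cookie to a request for requestHost?
function cookieSentTo(cookie, requestHost, https = true) {
  if (cookie.secure && !https) return false;
  if (cookie.hostOnly) return requestHost.toLowerCase() === cookie.domain;
  return domainMatches(requestHost, cookie.domain);
}

const AUTH_HOST = 'account.proton.me';
const SERVICES = [
  'mail.proton.me',
  'drive.proton.me',
  'calendar.proton.me',
  'proton.me.attacker.example',   // looks similar, must never match
];

// Which service hosts would receive this cookie, i.e. the damage scope if it leaks.
function reachableServices(cookie) {
  return SERVICES.filter(h => cookieSentTo(cookie, h));
}

// Today's model as the post describes it: one domain-wide session cookie.
const domainWide = parseSetCookie(
  'SESSION=abc123; Domain=proton.me; Path=/; Secure; HttpOnly', AUTH_HOST);

// The post's proposal: a host-only cookie. Note it is not sent to any service
// host at all, only back to account.proton.me itself.
const hostOnly = parseSetCookie(
  'SESSION=abc123; Path=/; Secure; HttpOnly', AUTH_HOST);

// What per-service isolation actually requires: each service host issues its
// own host-only cookie with its own token, so a cookie lifted from the mail
// tab is useless against drive.proton.me.
function perServiceCookies(hosts, tokens) {
  return hosts.map((h, i) =>
    parseSetCookie(`SESSION=${tokens[i]}; Path=/; Secure; HttpOnly`, h));
}

console.log('domain-wide cookie reaches:', reachableServices(domainWide));
console.log('host-only cookie reaches:', reachableServices(hostOnly));
```

One practical caveat the example surfaces: a host-only cookie set by account.proton.me is not delivered to mail.proton.me either, so "FQDN cookies" alone do not give a per-service login. The auth host has to hand each service host a separate session (for example through a redirect that lets mail.proton.me and drive.proton.me each set their own host-only cookie), which is what `perServiceCookies` models. That design is also what limits the damage from a stolen cookie to the one service it was issued for.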
alexarafat commented
I totally agree; it would be great if Proton offered the same security options on the web as it does for mobile. The automatic login across services really limits the secure control we need, especially for sensitive files. Like you, I need to access specific accounts and sites even managing https://cookieclickerunblocked.us/ so having separate logins for Proton Mail and Proton Drive would be ideal. Adding features like inactivity locks or optional re-authentication would make a big difference—hopefully, Proton takes note!