Proton exposing email with Simplelogin if attach public key enabled
iron_angel:
Frustrating that this is the case though, and I didn’t know about the API either, thanks for that. So in that case, even if you were just signing the email vs. attaching the key, it can be matched via that API if you had some emails to try? A lower attack surface, but wild to me that this is a public API.
Yes, if I have some emails to try I can just look up your public key. I believe this is referred to as “Web Key Directory” and is a standard means of looking up public keys by email address. I don’t find it particularly surprising that it is a public API; public keys are meant to be public, and if you don’t want someone to know your public key, presumably you just won’t give them your email (and hope that no one else shares it with them - the key or the email).