ProtonMail keeps the encrypted private keys of all their users on their servers. The mailbox password, which is known only to the user, decrypts the private key of that user.
Would it not actually be better if each user had control of their own private keys?
Important facts to consider:
Users are trusting ProtonMail to keep their encrypted private keys safe. In a pure form of public-key cryptography, this would not be the case. Each user would be responsible to keep their private key safe or secure (for example in an encrypted USB key).
In a traditional PKI infrastructure, there will never be a place where all private keys are stored in a single database (even if they were encrypted).
An offline dictionary attack can be launched against any encrypted private key, so a mailbox password = a private key. Keep in mind that most people do not choose strong passwords, therefore it creates a false sense of security for many.
User doesn’t have control over their private key: they cannot extract it, save it separately, nor can they decide to remove it from ProtonMail’s servers if they wish.
User can place their private key on an encrypted USB key, making it “something they have”. Passwords are something “they know”, and as such could result in weaker security.
How can having to enter two passwords in a row (login + mailbox password) be labeled or considered to represent a public key cryptography scheme? Would not protecting a PKI with a password be considered in a way to be counter-productive?
This question is not about AES encryption for a simple reason: The password is as strong as itself, not as strong as the encryption used behind it. The classic example of a password of 1234
is just as weak if AES256 was used or DES.