I don't know OSX very well these days. Is that... is that actually installing a new global SSL trust root? Doesn't that mean ProtonMail now can seamlessly MitM all SSL connections on that machine?
Please tell me I'm reading that wrong, because I don't recall doing this for ProtonVPN on linux.
In the instructions they ask the user to "always trust" the cert for all use cases, including SSL. If you do that, any app that uses OS certs can be MITMed. It should be enough to trust the cert for IPSec only.
My knowledge is limited in crypto, but I'm pretty sure you should never trust a root cert (even for "IPSec only") unless it carries responsibility and public scrutiny equal to or greater than a standard CA. (Unless it's the owner of the device [including you] or a close associate you trust.)
Indeed, it is enough to trust the cert just for IPSec, and we have updated the article to reflect that. We also have native applications on macOS, so the manual IKEv2 setup is not the recommended method of usage of ProtonVPN.