I recently migrated my email hosting away from proton. I paid for unlimited for almost a year, but I just couldn't take the missing features anymore. Maybe some of the missing features can be justified by security reasons, but some is just laughable.
If you want to use a proper email client, you need to host proton bridge in your local computer. You can only host imap and SMTP on localhost. Headless is not really supported, so good luck if you want your server to email you logs. Use VMs or docker containers? Fuck you.
On android, the only option is using their crappy mail client. For example, this client has not functionality to select all Mail from a folder if you want to archive it or mark as read. You have to select every single Mail one at a time.
Proton drive can only be used over the Webinterface or with some windows (gui) client. No automating your backups to be pushed there.
I switched to mailbox.org, which has weird 2fa but besides that makes my happy by just working with the damn standards. Not like email transfer is unencrypted when using STARTLS. Security is important, but for me personally, usuability has to be at least good enough.
Agreed. I switched to tuta, which doesn't depend on google play services on android, and is on fdroid.
I also switched cause protonvpn doesn't have ipv6, and on linux requires networkmanager (i use iwd), and you can't use wireguard without downloading files and configuring wireguard yourself. Mullvad has been much better
For cold storage it makes sense, but I always consider UX - there's not enough solutions that make private key encryption, especially remote, as easy as opening a link or mounting to a directory.
I've used s3ql before, and it's really nice for making the encryption transparent. Not something pre-encrypting before dropbox upload can provide.
More, you wanna share those files via dropbox native tools? The recipient better have your private key or you need to reencrypt specifically for them.
I don't understand why anyone is using gmail as their main mail account. I really don't like the interface and using it with 3rd party apps like thunderbird, K9 mail or any other client just sucks
How? I've never had any issues using gmail with Thunderbird on desktop or FairEmail on Android. By comparison, Proton mail I could get working in Thunderbird with Proton's mail bridge, but on Android I'd be stuck using their app.
Until the entire email protocol changes there are basically just no truly good options.
I just use posteo and that works with every client from everywhere. I was not saying "gmail sucks proton mail good". I don't use proton mail. But using gmail with their weird Folder structure I get notifications about new mail basically 3 times because it is in 3 folders at the same time... It works with their interface (and probably app) but with nothing else...
GPG has a chicken and egg problem. I have mine publicized on Ubuntu’s key server, which is likely one of the bigger ones (but iirc it is of little relevance as it syncs with other keyservers). Out of the emails I am sent only one of my contacts bothers with encryption. Which is sad, but what can you do? The web mail interfaces rarely if ever support GPG, and even if they do sharing your key with them defeats the purpose.
Well, there was a time somewhere in the early 10s when i was preaching to everyone who wanted to listen (and especially to those who doesn't) how important email encryption is. The result? At least half oft my contacts use encryption (but its a pretty nerdy and paranoid bunch anyways)
I think it is important to understand that email never will be very secure because the standard wasn't made with modern threat models in mind, if you want to communicate privately and anonymously, you need modern protocols like signal, i also use proton but only because I hate Google, i don't expect my emails are any more private than they have ever been. I use email only when it is required, I use signal for private communication, overlap is impossible
Your emails are.more private in the same sense that if you have a letter with something on it, turning it over means someone can't read it over your shoulder, but they could have read it before it got to you.
Google has access to the contents of your inbox, Proton mail does not. But the protocols are unchanged and unencrypted email is accessible in transit.
So moving to Proton is a definite improvement, particularly as email remains a basic means of communication. But as you say if you wand secure communication then it is very flawed.
But you can get secure email if you're the sender (you can choose to encrypt) or it's coming from someone else at Proton.
But yeah, there should be a secure alternative, perhaps an amendment to SMTP where only the "to" address is available. If I have the public key of the receiver (negotiation of that could be part of the protocol), I can encrypt everything else and my email could still be routed properly.
Yeah, this is one of the things that I quite like about Proton. It provides a migration path. You start sending and receiving plain-text mail (then encrypted before saving) but now you can use an open standard protocol to start communicating securely and Proton can slowly lose the ability to read much of your email.
IDK if the other "easy encrypted" providers just use standard PGP.
AFAIK, Proton's standard is PGP, they just manage the keys for you (I'm guessing keys are AES encrypted and decrypted on the client) (source):
Proton Mail’s end-to-end encryption is based on an open-source version of PGP.
Tuta doesn't use PGP, but it uses open encryption standards for it. So it's a wash IMO since both are only used for internal emails (within their respective platforms).
For messages to external email addresses, they use pretty much the same thing: password-protected access through their platform (i.e. you click a link to Proton or Tuta and enter the password to decrypt).
I don't know about other email services, but those two both seem pretty good, regardless of whether PGP or GPG is used internally. I haven't reviewed the source code of either, but both have open clients so maybe I'll get around to it at some point.
Yes, agreeing in general, just with some clarifications. I think clarifications are important when talking about a product focused on privacy and security.
I was responding to this part:
IDK if the other “easy encrypted” providers just use standard PGP.
All Proton Mail data at rest and in transit is encrypted. However, subject lines in Proton Mail are not end-to-end encrypted, which means if served with a valid Swiss court order, we do have the ability to turn over the subjects of your messages. Your message content and attachments are end-to-end encrypted.
Depending on your threat model, this may or may not be an issue.
At least one other provider (Tuta in my example) doesn't use PGP internally because using SMTP internally w/ PGP for the body leaks the subject line and other metadata. Neither have released the source to their backend, and I haven't read the client code, so I don't know if there are any other concerns.
That I think Proton is absolutely fantastic, and I used it for a few years with absolutely no issue. I do think it's important to be accurate, though, since others may not like the tradeoffs. Proton has a bunch of other benefits as well over alternatives, such as:
IMAP bridge - you can use whatever email client you want and back up emails yourself - this does decrypt your email though, so you'd need to account for that
automatic forwarding - seems to just work as expected
other bundled services - I've used their VPN, and they have a few other things other providers don't (e.g. encrypted storage)
Proton... standard protocol
Yeah, any email provider will use standard SMTP, otherwise it's not email. The differences are whatever happens after it reaches Proton's servers.
Id like to move to Proton, but goodness are there no good usernames left. I'd have to go the custom domain route which isn't awful but it's just more effort
Some services don't send verification letters to Proton and it's site banned by the address in fucked-up authoritarian countries, both for having less control over what it is and easy registration. I want them to explore some multi-site hydra approach so they can't get put out of the game that easily. Moving your emails here means you can't rely on a hope it would work tomorrow.
Without these records you're a lot more likely to go to spam, or get rejected outright. If you have questions about it, ask here or DM me and I'll be glad to help.
Recently I added a custom domain to my protonmail account and during the procedure it makes you do this steps (adding SPD, DKIM and DMARC) to pass all the steps. They tell you exactly what records you have to add, where to add them and what the content should be. These guys are great
Yep, setup mine about a year ago now, since I'm trying to get rid of Google completely, and it walks you through all of this. It was really well done setup.
Same with Tuta, which I did last weekend. Still evaluating the service for now before telling everyone to switch to my new custom domain (I'm forwarding everything from my old domain for now).
I tried Tuta when it was still called Tutanota, but it was rather cumbersome to use. The mobile and desktop app would work reasonably well, but searching through your emails was a pain.
It also wasn't possible to use any email client on the pc. Proton also doesn't offer IMAP access, but they do have a bridge you can install for that, enabling the use of almost any mail client.
Yeah, searching on Tuta sucks because it has to be done client-side since everything is encrypted on the server. With ProtonMail, the subject line is unencrypted, so it can search that without your key.
And I thought I'd care about email clients, but I honestly really don't. They're just so heavy and I don't use email enough to need power user features.
I used Proton for a couple years and it was good, but decided on Tuta because Proton raised their prices and I honestly don't need the rest of their stuff.
In that case it sounds like Tuta is the right choice for you. I just wanted to make sure you knew about the drawbacks. For me the search thing is what killed it, because I regularly search older emails.
All domains you purchase through cloudflare have a fancy button on the gui to add dmarc and dkim that just say “reject” so people can’t pretend to email from your domain, pretty neat feature imo. (Not actually useful if you are trying to use it as a custom email domain though, lol)
At the end of the day. The main thing people should be aware of is that Cloud Storage is basically you keeping your data on someone else's computer so you must assume as a rule of thumb that that data is vulnerable even if it is allegedly encrypted.
Now Proton has its own share of controversies which make its advertising of Privacy less trustworthy, at least in my eyes. I won't go into details so feel free to do your own research, it will only take a couple web searches.
I personally also use Proton Mail for work but I always try to never communicate anything through it that I feel is risky in the context of my critical personal info.
Self Hosting is not the best solution when it comes to Mail Servers because of the whole domain trust issue yada yada as far as I am aware. (I don't have the resources or the money to self host so I am going through someone else's shared experience.) But it's definitely the most concrete solution for privacy.
You can just use a custom domain at Tuta, Proton, or any of the other email providers until you decide to self-host. Honestly, I don't think self-hosting is worth it, I value the spam filtering and uptime that major providers offer.
The sending mail server will keep trying for a period of time. Eventually though it will give up and return the email to the sender with an error message.
