Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Proton Drive Encrypted Cloud Storage App Now Available for Mac
- Thread starter MacRumors
- Start date
- Sort by reaction score
You're really overdoing the dumbness here. You do (I really hope so) understand why there's a bridge app, don't you?Nope, you have to run some kind of system where it forwards the emails to a program on your computer and then that program sends the emails to your desired email app.
Proton Mail Bridge Apple Mail setup guide | Proton
How to configure Apple Mail for macOS to use Proton Mail Bridgeproton.me
Proton is all about securing all possible links of the chain. IMAP isn't secure, so if the user wanted to use a heavy desktop client (outlook, mail, thunderbird...) they could either have built a new secure mail protocol from scratch and then waited about a millenia for it to become and RFC and desktop clients to catch up maybe implementing it, or the smarter way, secure the link between the local machine and their servers, and have a local IMAP server running locally to enable compatibility with mail clients. Thus: proton bridge. And to do so, they actually recreated from the ground an ultra optimised IMAP implementation (and opensourced it ifaik)
Read and learn: https://proton.me/blog/bridge-security-model
Why do I have to pay them a monthly subscription for the privilege of having to run a server on my own hardware?
man come on...
It's rather: you pay a subscription to access to the proton service. The protonbridge is a neat addition to allow you the convenience of using a a third party desktop mail client.
Last edited:
I like Proton a lot. But, the prices keep moving higher and higher. I’m already paying for iCloud + and Proton seems to duplicate most of what I get from iCloud and Mullvad VPN. If my main concern is privacy, is Proton offering any advantage over moving my custom domain to iCloud?
Email, contacts and calendar are exactly the iCloud services that are not end-to-end encrypted with "advanced data protection", so if you value that Proton is actually a good complement. If not, iCloud is a better deal for Apple users.
Protonmail is arguably also a more capable email service (e.g. iCloud email allows only 3 addresses under your custom domain while Proton Plus allows up to 10). OTOH, with iCloud+ you can share a custom domain with other iCloud+ subscribers or via family sharing, and iCloud contacts and calendar are far superior to Proton's equivalents at this stage.
Last edited:
Think of how much external storage you could buy over the years for the price of a cloud service subscription.
And I do not like the idea that the end-to-end encryption is done by the same company that manages the servers. Couldn't they build in a back door if they wanted? So I use a third party encryption software that encrypts my most important files and then those files get uploaded to Sync regularly.
My most important files usually are emails, text files and Excel files. Those add up to less than 100 MB. I do not need a paid service for that. And uploading photos to a cloud is just to expensive. You need terabytes of storage for photos and even more for videos. That will costs you hundreds or even thousands of dollars per year.
If you are afraid that your house will burn down, there is a solution: Put a network storage in a friends house and your friend put one in your house. So those files will be safe unless both houses will burn down. And let's be honest: If your house burns down, your photos are your smallest problem.
And I do not like the idea that the end-to-end encryption is done by the same company that manages the servers. Couldn't they build in a back door if they wanted? So I use a third party encryption software that encrypts my most important files and then those files get uploaded to Sync regularly.
My most important files usually are emails, text files and Excel files. Those add up to less than 100 MB. I do not need a paid service for that. And uploading photos to a cloud is just to expensive. You need terabytes of storage for photos and even more for videos. That will costs you hundreds or even thousands of dollars per year.
If you are afraid that your house will burn down, there is a solution: Put a network storage in a friends house and your friend put one in your house. So those files will be safe unless both houses will burn down. And let's be honest: If your house burns down, your photos are your smallest problem.
Yes, any code can be broken if you have enough time. Strong keys take a LONG time to break like billions of years. OK in a few decades, computers will be faster and it will only take millions of years. But then they simply make even longer keys.
Don't think that technology will advance at a constant rate. Technolgy is always limited by physics. we will never invent technology that does physically impossible things. All we can do is approach the limits of what is possible.
Also, if yu are willing to give up the convenience of public key cryptography then we can have absolutely unbreakable codes. (But then we'd all need to become experts is operational security and physical key distribution.)
Running your own email server is a big pain in the a**, since you have to deal with things like your mail server reputation. You also have to spend significant time to stay on top of security updates etc. if you don't want your server to be breached or abused by spammers.
Even if I didn’t enable end-to-end encryption in iCloud, I trust Apple over these other companies. They have much more to lose. Companies get bought out, terms change, systems get hacked. Pick one and live with it.
So, if a US government agency got hold of your data, what could they do with it to harm you?
How likely is this scenario?
Somehow the link isn't working for me. It takes me to this page which says secure connection failed.
Edit, same with the read and learn more link. it takes first takes me to this address: https://go.skimresources.com/?id=73...94a9b2ea&cci=5f7fc780f5712be54e6e7bcb7fe3bc84 and then https://go.getproton.me/aff_c?offer...=https://proton.me/blog/bridge-security-model which takes me to a secure connection failed page.
Same thing happens with the first link in the article with the link to drive, I'm unable to view the announcement and get a secure connection failed page.
Attachments
You've made a good point. Looks like a doomsday scenario where these supercomputers battle each other to create and break each other's encryption algorithms. Probably billions of times per second. You'll have to keep secret data in air-gapped Faraday cages, powered only by onsite batteries. And only view it onsite.
Last edited:
Well, given that none of the major email protocols (SMTP, POP, IMAP) supports 2FA that sort of makes sense. Like I said, they're trying to turn an insecure protocol into a secure one which means all sorts of band-aids and duct tape to make it work.
But. you are correct, different strokes for different folks because I just do filtering on my email client and I own/manage 20+ domains and usually just need a hello@ or admin@ address for each domain. In Proton that would be prohibitively expensive.
Probably 60% of my complains about Proton boil down to this. They're such skeazy business people.
What cracks me up is that prior to their big rebranding, people used to complain how difficult it was to purchase ala carte upgrades.
So Proton made it it even worse and created bundles. LOL.
Proton strikes me as a company that realizes they were never going to make it long-term as an email provider and has since turned their focus on to how to squeeze every last penny out of their customers.
Most of the industries where bundling products happen, like cable TV, only do so because they know you won't ever choose to pay for those services. But they can launch a password manager and give it to you for free and then claim you're getting a $100 a year value for free.
But if I don't want the password manager and would never pay for their password manager (a very happy Bitwarden customer of many years) it's $0 in value.
For most free accounts, I doubt this would be significant.
Plus their free accounts are actually destabilizing the platform but it's the only way they know how to get privacy nerds into the sales funnel.
By that I mean that Proton giving out free email accounts means Proton is a spammer favorite. That means Proton's domains and servers end up on spam block lists from time to time which disrupts delivery.
Likewise, if you watch the Proton subs/forums, more and more websites/companies are beginning to refuse Proton domains as valid email addresses which forces people to use custom domains.
I know where it's stored, I mean that the storage limits include cloud drive storage. Most people have no use for 20GB of email storage. I have an old Gmail account that I was using back since the mid-2000s and I think I'm at 3GB of used storage.
I would much rather not pay for their cloud storage, be offered 5GB of email storage, and if I want more than 5GB I want the option to buy in 1GB - 10GB chunks depending on my needs.
Again, this how they bundle things to make you think you're receiving value when you're actually not getting anything. The vast, vast majority of their users will not hit their limits, even the limits they had pre-Proton Drive, only with email.
They same thing we do with every other technology that no longer serves its intended purpose, replace it.
Email was one of the first internet protocols developed and at the time nobody was thinking about security, spamming, etc.
I agree, it's not an easy problem but you could build an entirely new messaging backbone that allows some backward compatibility to the current email protocols.
There are tons of proposals out there by people who are on the front lines of dealing with running large email infrastructures. We just need to bite the bullet and decide on one.
That said, until then, here's what I do:
I use Signal, WhatsApp, SMS, or LINE for most 1-on-1 communications. I know LINE and WhatsApp are crap but I live overseas and that's what everyone uses.
I rarely correspond with anyone via email anymore. The only purpose email serves for at the moment is it's required to create an account on many websites and people like to broadcast messages to my email accounts.
It's funny you mention banks since most banks don't actually send you messages, they send you a message to tell you they sent you a secure message that you have to login to their website/app to go read.
That's what email is for me nowadays.
Also, I would add, as someone that lives overseas, nobody where I live (Thailand) uses email. It's all messaging apps. Hell, even when I go to immigration to renew my visa, the IO (immigration officer) will usually ask me for my LINE account and they'll send me updates to my LINE account.
Sure, email exists here but if you look at most businesses or government agencies here, you would have difficulty finding an email address for most of them. And forget about asking someone for their email, they would just stare at you.
You email is mostly only used to create an account. Even then, many businesses and government agencies just ask you for your LINE account.
In fact, I own a business and all of our loyalty programs and marketing is done via LINE or SMS. I've never sent an email to a customer.
It's possible to break one's dependence on email as a primary communication platform. In many ways, the US is way behind the rest of the world.
Actually, that's not entirely true.
Emails pass through Proton's servers unencrypted and can be read in transit. It's only when they reach your inbox that they become unreadable. Again, this is why email is an inherently insecure communications protocol.
But messages that pass between two Proton users would be encrypted so Proton is really only secure when it uses its own backend on both sides, which is sort of like Signal and other messaging platforms that don't have to ever deal with processing email protocols. So why not just use Signal in the first place?
Here's an interesting case where Proton competitor Tutanota was forced to turn over unencrypted customer communications.
You've sort of comingled a bunch of issues.
Proton does little to protect you from a data breach as most data breaches are a third-party being compromised and they dump all of the user data to the world.
Unfortunately, many people use the same password on all sites and then the info from the data breach is used to escalate to access to your email account.
So, any email provider that offers 2FA provides the same protection to gaining access to your emails because if an attacker has your proton email address and you used the same password on Proton, someone can log into your Proton account.
Surveillance capitalism is an umbrella term for a lot of things, some of which Proton offers zero protection from. Likewise, many people eventually discover that protecting yourself from surveillance capitalism is a lot of work and costs a lot of money and they usually get lax which is the most likely attack vector.
Almost every major issue you see in the privacy groups starts off with, "I know I should know better but . . . "
This is why I said that privacy and security are not products you buy. They're mindsets.
And if you have the privacy/security mindset, you tend to make much better decisions about what's worth your time protecting and what isn't.
Letting people think they can purchase privacy is worse than than what Gmail does, IMHO. At least with Gmail, I know the game we're playing. With Proton, you think your email is secure while between being readable in transit and the fact that an unencrypted copy of every email exists on the other party's server/computers, it's not secure.
Actually, that's one of the other things that cracks me up with all of the privacy geeks, most of them won't touch Gmail or Facebook or ?? because those companies are evil and try to collect data. But they don't even understand what is collected, how it's collected, and what can be done with it.
I use a Gmail account as a catchall for accounts I don't care about like when I have to create an account to read a news article. I just use my Gmail and I could care less if Google knows I subscribed to a news site that 10 million ohter people are subscribed to. Because, what can they do with that data? Show me more ads? Oh no. They're gonna serve me ads anyway. And I have an ad blocker. I take enough other precautions that Google getting this info is of little concern to me.
In fact, I think I gain security/privacy via this setup.
First off, the news site has no idea I have a Proton (or other secure) account. Any data breach would only expose my Gmail address which I don't care about anyway.
In fact, I keep separate email addresses even on my custom domains specifically to compartmentalize the amount of damage that can be done if I was subjected to a data breach.
For instance, I keep all the crap on Gmail, personal correspondance is on a domain name that is my name (ie me@bobjones.com) so people know they're dealing with me, and for financial institutions I use a completely different domain.
If my bank experiences a data breach, it's compartmentalized to just that email address but even if the entire domain was somehow comprimized, I have options. The nuclear option being that I burn that domain entirely, buy a new one, and switch all of my financial emails over to the new domain and update my account settings on all my financial accounts. I even keep a watch list of vetted domains that I can buy and switch to immediately.
I generally ditch services every few years anyway. For instance, I'll just abandon the Gmail account. I'll create a new one, re-sign up with my new email on the sites I still use, and let the old Gmail just collect dust.
I do the same with a lot of social media accounts. I'll just quit using the platform with one account, create a new one, and now it's that much more difficult to ever tie those two accounts together.
We leak so much data that we are the biggest threat to our own privacy.
Most people gain very little from services like Proton because they're too busy spewing identifiable data on social media.
Do a search for "Proton bridge problems"
It's hardly seamless. It is meant to be, but it's buggy and problematic. But that's to be expected given that IMAP and SMTP were never meant to do the job they're being asked to do.
That's the thing, most people will never be in this scenario.
I often tell people that privacy is a phase young people often go through as part of puberty.
They suddenly wake up one day and discover that Google or Facebook can access their data and they go ballistic and sign up for a bunch of privacy groups and start buying Proton and a ton of "privacy" services they think will make them private.
Eventually, they grow up, need to apply for loans, pass a background check for a job, etc and realize that total privacy isn't attainable by most people without going completely off the grid and living in the mountains.
Almost all privacy (and security) involves inconvenience. Proton would be laughable as a competitor to Gmail if it wasn't for the encrypted inbox. They provide a much worse user experience than Gmail, they're less reliable, you have to use their app (on mobile) which is crap, etc.
Eventually, most people just get to a point in their lives where they're like, "I don't want to take care of my technology like I have a child. I just want it to work" and then they go with iCloud Mail or some other service that is somewhere between not caring about privacy at all (ie Gmail) and ultra-paranoid conspiracy theorist that thinks the government wants to read their emails to their Nana asking for $100 to pay rent this month.
If you are targeted by law enforcement or a nation-state level actor, you would need to become an expert on privacy and security to prevent them from getting your data. They just have too many resources compared to what you can buy to thwart them.
I mean, the Saudis "reportedly" were able to plant spyware on Jeff Bezos' phone. He surely has security experts who monitor his devices to prevent exactly this kind of thing from happening. If they can compromise Bezos' phone, do you really think a Proton Plus subscription is going to keep you safe? LOL
Good to know what you’re getting into:
www.trendmicro.com
www.hackread.com
Lesson Learned from ProtonMail Incident: Do Not Pay Cybercriminals - Wiadomości bezpieczeństwa | Trend Micro (PL)
End-to-end encryption email service ProtonMail learned a costly lesson about cyber ransom tactics: just because hackers demanded a ransom, it doesn’t mean the attacks are going to stop once you pay up.
ProtonMail Code Vulnerabilities Leaked Emails
Twitter @Hackread - Facebook @ /Hackread
www.hackread.com
No idea what this skimresources thing is. Just open a blank browser tab, go and either type in the url to the proton blog article, or go to the proton site and browser until you find it. How spoonfed do you need to be ffs.
so a 1 time mistake 9 years ago, and a vulnerability acknoledged and corrected quickly. Now let's see all the list of Apple, Google and Microsoft vulnerabilities and their level in transparency and reactivity when it comes to dealing with them... (as in: deflect, ignore, attack the messenger, wait another 6 months to correct at best, and maybe now and then aknowledge).Good to know what you’re getting into:
Lesson Learned from ProtonMail Incident: Do Not Pay Cybercriminals - Wiadomości bezpieczeństwa | Trend Micro (PL)
End-to-end encryption email service ProtonMail learned a costly lesson about cyber ransom tactics: just because hackers demanded a ransom, it doesn’t mean the attacks are going to stop once you pay up.
ProtonMail Code Vulnerabilities Leaked Emails
Twitter @Hackread - Facebook @ /Hackread
I would strongly suggest reading up on the benefits of being/hosting in Switzerland rather just guessing top of your mind.
We get it. You don’t like proton. no need to rant the same rant over and over again.
I have and since I actually understand data privacy and security, I find it of questionable value.
I'll even respond to Proton's own explanation:
Why Switzerland? An analysis of Swiss privacy laws | Proton
Switzerland has a strong reputation for privacy, dating back over 100 years, but is this reputation actually backed up by strong laws?
proton.me
So, for normal users, not relevant. If I have DOJ or the EU coming after me, the least of my worries is whether or not they can compel Proton to give them access to my email.
If you are involved in anything that would spark the interest of the US DOJ or any EU law enforcement, I would just assume that my email is compromised. If you don't think the NSA hasn't parked a data funnel in front of Proton's servers and is reading plain text emails going in and out of Proton, you're seriously not understanding the scale of data surveillance.
And, like I said several times before, don't use email for secure communications. It's not secure. No amount of band-aids can make it secure. If it ever travels across a public network unencrypted, it's not secure.
In fact, Proton grabs (and stores) the meta data and the sender and subject line from your emails in order to make them easier to search without heaving to download the entire message from their servers.
Here's a quote from their privacy policy
Privacy Policy - Proton Mail | Proton
Proton Mail is designed to protect people's privacy. Read this privacy policy to learn how it handles your data.
proton.me
Glad they're in Switzerland. LOL.
And let's not forget the whole incident a few years back where they handed over data about a French climate activist.
They literally said that they didn't collect IP addresses and this incident forced them to admit that they did.
Being in Switzerland doesn't make you honest.
Here in a different blog post they respond to the backlash after having given over the data on the French climate activist (bolding is their bolding).
Here's more from the blog post about giving over data to the French gov.
Wait, didn't they say in the reasons they're located in Switzerland that the person has to be notified and can appeal? Oh, that's not true in all cases. Proton selectively quoted Swiss law as a marketing gimmick. Hmmm.