ProtonMail: does anyone use it?

AGX

macrumors regular
Original poster
Oct 12, 2014
180
3
Hi!

Does anyone use this new email service with iCloud?

Your review and experience?
 

iRock1

macrumors 6502a
Apr 23, 2011
987
88
Hi!

Does anyone use this new email service with iCloud?

Your review and experience?
Hi,

I'm all in for anything that helps me to improve my privacy, which is why I created a ProtonMail account as soon as I learned about the project in a TED talk.

However, I don't get your question. What do you mean by using ProtonMail with iCloud?
 

maxsix

Suspended
Jun 28, 2015
3,102
3,683
Western Hemisphere
Hi,

I'm all in for anything that helps me to improve my privacy, which is why I created a ProtonMail account as soon as I learned about the project in a TED talk.

However, I don't get your question. What do you mean by using ProtonMail with iCloud?
How long have you been using it?

Do you use the iOS mobile app on your iPhone?

Thanks in advance :D
 

iRock1

macrumors 6502a
Apr 23, 2011
987
88
How long have you been using it?

Do you use the iOS mobile app on your iPhone?

Thanks in advance :D
I created it like a couple of months ago, maybe. However, I have to be honest and recognize that I've never used it in a real-case scenario, lol. I played a little with the web interface and that's it.
 

aajeevlin

macrumors 6502a
Mar 25, 2010
913
346
I created it like a couple of months ago, maybe. However, I have to be honest and recognize that I've never used it in a real-case scenario, lol. I played a little with the web interface and that's it.
Can you point me to the TED talk? This looks interesting, but I'm not sure what their business model is like.

Secure is good, but free? I don't know.
 

Rigby

macrumors 601
Aug 5, 2008
4,741
3,689
San Jose, CA
Can you point me to the TED talk? This looks interesting, but I'm not sure what their business model is like.

Secure is good, but free? I don't know.
They are planning to introduce paid premium tiers in addition to the free basic accounts in the future.
 

Ulenspiegel

macrumors 68040
Nov 8, 2014
3,070
2,268
Land of Flanders and Elsewhere
I have been using ProtonMail for months with positive experience. Nevertheless, I prefer Tutanota to ProtonMail. Reasons: ProtonMail is on an invitation basis, so the circle of users is limited, the iOS and Android applications are available only if you donate a certain amount of money.
Last but not least, the ProtonMail servers are in Switzerland, but the inventors and owners work in the US on a permanent basis at the moment.
Tutanota servers are in Germany as well as the inventors and owners. The software is available for all, can be upgraded to premium version. The iOS and Android applications are free to download. Both apps work flawlessly on mobiles.
 

Rigby

macrumors 601
Aug 5, 2008
4,741
3,689
San Jose, CA
It may sound trivial, but Tutanota should have chosen an easier to remember domain name. Most people don't speak Latin and will have trouble remembering and spelling tutanota.com addresses. How do native English speakers even pronounce that?
 

KALLT

macrumors 601
Sep 23, 2008
4,922
3,004
I have been using ProtonMail for months with positive experience. Nevertheless, I prefer Tutanota to ProtonMail. Reasons: ProtonMail is on an invitation basis, so the circle of users is limited, the iOS and Android applications are available only if you donate a certain amount of money.
Last but not least, the ProtonMail servers are in Switzerland, but the inventors and owners work in the US on a permanent basis at the moment.
Tutanota servers are in Germany as well as the inventors and owners. The software is available for all, can be upgraded to premium version. The iOS and Android applications are free to download. Both apps work flawlessly on mobiles.
I have been using ProtonMail for about 8 months now and I turned it into my primary Apple ID which I use for iCloud (just without mail). I have to point out several things in response: (1) ProtonMail is still in beta, which explains the lack of invites, features and apps. (2) You will get an invite within a few days now. I know this from friends and family members who signed up recently. (3) The apps are in closed beta and you can’t get them at the moment, unless you donate some money. The apps will be free once they are released before the end of the year.

I don’t think it matters all that much where the developers are located, as long as the software is solid, open-sourced and susceptible to public scrutiny. The servers are still located in Switzerland, which is where the security needs to be put into place. Tutanota has its servers in Germany and I personally cannot really understand why this is held out as a plus these days. Germany is still subject to supranational laws with all their flaws and caveats like elsewhere in the EU. Coincidentally, the German parliament has passed a new federal data retention law this month, even though the EU data retention directive was quashed by the European Court of Justice last year. Germany is thus doing this of their own volition. Admittedly, the Swiss parliament has passed a similar law, but is currently awaiting a potential referendum if 50,000 signatures can be collected before the end of the year.

There are some things that ProtonMail is arguably better at:
  1. They use PGP, whereas Tutanota uses what seems to be their own encryption method (although they claim to use standardised encryption algorithms). This means that it probably hasn’t undergone a lot of scrutiny yet and in practice it means that non-Tutanota users cannot send you encrypted emails as long as this is not supported, making the service unnecessarily complicated. In addition, PGP makes it at least conceivable that ProtonMail can be used with other email clients that support PGP (there is a plugin for OS X Mail for instance). I personally don’t want to be dependent upon client-based encryption with JavaScript for too long (which has lots of security problems still).
  2. They use two separate passwords, one for the account, the other for the private key. Tutanota uses one password that unlocks both. Neither has two-factor authentication, which makes Tutanota’s choice a bit odd.
  3. They have a neater and more powerful web client. From what I’ve seen of the iOS and Android apps, they look impressive too. Although Tutanota has apps already, at least the iOS app is a wrapped web-app and it looks and works a bit shabby. I suspect that it uses the same JavaScript client-side code.
In addition, after Lavabit and more recently Lavaboom, I want something dependable and serious and I feel that ProtonMail has the better prospects at this point. That they have some institutional backing and ties to CERN is definitely increasing my confidence. There are too many weird choices with Tutanota at the moment.
 

Superhai

macrumors 6502
Apr 21, 2010
422
330
I have a ProtonMail account, but as said it is still by invitation, so the user base is slowly expanding. I use paid services for my day-to-day emails from Neomailbox using S/MIME for encryption. It works quite well, but their customer service is insanely slow. I also have a CounterMail account, which, while based in Sweden, claims to toss away all logs and has automatic (delayed) PGP encryption for ordinary email, and claims to not keep the private keys if you decide to delete them from their servers.
 

KALLT

macrumors 601
Sep 23, 2008
4,922
3,004
I have a ProtonMail account, but as said it is still by invitation, so the user base is slowly expanding. I use paid services for my day-to-day emails from Neomailbox using S/MIME for encryption. It works quite well, but their customer service is insanely slow. I also have a CounterMail account, which, while based in Sweden, claims to toss away all logs and has automatic (delayed) PGP encryption for ordinary email, and claims to not keep the private keys if you decide to delete them from their servers.
I used mailbox.org before and also tried posteo.de. Tutanota and ProtonMail aren’t conceptually new, but what really breaks the viability of many of these services, for me at least, is a lack of integration into other platforms beyond web-based clients. It just doesn’t work. What sets these two apart is that they provide their own applications and plugins.
 

Rigby

macrumors 601
Aug 5, 2008
4,741
3,689
San Jose, CA
I don’t think it matters all that much where the developers are located, as long as the software is solid, open-sourced and susceptible to public scrutiny. The servers are still located in Switzerland, which is where the security needs to be put into place.
The theory is that companies that have a presence in the US may be pressured under Patriot Act provisions even if the affected operation is outside the country. For example, Microsoft is currently fighting US government requests to hand over information that is stored in their European data centers.
Tutanota has its servers in Germany and I personally cannot really understand why this is held out as a plus these days. Germany is still subject to supranational laws with all their flaws and caveats like elsewhere in the EU. Coincidentally, the German parliament has passed a new federal data retention law this month, even though the EU data retention directive was quashed by the European Court of Justice last year. Germany is thus doing this of their own volition.
Yes, sad. At least email is excluded though, and the retention period (10 weeks) is relatively short compared to other countries that have data retention laws (or no restrictions at all, like the US).
There are some things that ProtonMail is arguably better at:
1. They use PGP, whereas Tutanota uses what seems to be their own encryption method (although they claim to use standardised encryption algorithms). This means that it probably hasn’t undergone a lot of scrutiny yet
On the other hand, ProtonMail is only partly open source and the closed part cannot be independently scrutinized at all.
and in practice it means that non-Tutanota users cannot send you encrypted emails as long as this is not supported, making the service unnecessarily complicated.
They have a plugin for Outlook though, which is far easier to use than PGP and apparently makes the service quite popular among lawyers. It also encrypts the subject line (while it is sent in the clear with PGP).
They use two separate passwords, one for the account, the other for the private key. Tutanota uses one password that unlocks both. Neither has two-factor authentication, which makes Tutanota’s choice a bit odd.
Tutanota have announced 2-factor authentication for early 2016.
They have a neater and more powerful web client. From what I’ve seen of the iOS and Android apps, they look impressive too. Although Tutanota has apps already, at least the iOS app is a wrapped web-app and it looks and works a bit shabby. I suspect that it uses the same JavaScript client-side code.
I haven't used the mobile client a lot, but it didn't seem "shabby" to me.
 

KALLT

macrumors 601
Sep 23, 2008
4,922
3,004
The theory is that companies that have a presence in the US may be pressured under Patriot Act provisions even if the affected operation is outside the country. For example, Microsoft is currently fighting US government requests to hand over information that is stored in their European data centers.
But it remains at heart a conflict of laws and the data still remains on Swiss soil. To my knowledge, ProtonMail has no (official) presence in the US beyond the domicile of some of the developers and that gives already little leverage to US authorities to enforce compliance.

Yes, sad. At least email is excluded though, and the retention period (10 weeks) is relatively short compared to other countries that have data retention laws (or no restrictions at all, like the US).
What worries me about this is that people hold German privacy law in high regard. This is something that really annoyed me about mailbox.org and posteo.de as well; they take it as self-evident. As someone who is frequently in Germany, I don't want to use a German provider for that exact reason.

On the other hand, ProtonMail is only partly open source and the closed part cannot be independently scrutinised at all.
As of yet, but they are planning to do this once the web client is out of beta. I treat ProtonMail as an unfinished product presently and I give them the benefit of the doubt. I think it will be good to compare both services again at the beginning of next year.

They have a plugin for Outlook though, which is far easier to use than PGP and apparently makes the service quite popular among lawyers. It also encrypts the subject line (while it is sent in the clear with PGP).
Popular among lawyers? You must be joking. I can't imagine any lawyers who would ever use such newer services without respectable security credentials. Encryption or not, but all of these services are not airtight yet (example: https://twitter.com/sweis/status/595051847934672898). The Outlook plugin is the only strong advantage it currently has, but it is a proprietary implementation of their own encryption method and it is quite expensive too (€10 a month for a single account and you don't even get more space or aliases). It's more suitable for teams and companies, I suppose. I also don't see how it is easier than PGP. Within the service, whether you use Tutanota or ProtonMail, the correspondence is seamless. The benefit is that it allows you to access the inbox within Outlook. As soon as it involves another provider though, PGP will have the advantage. The encrypted subject line will only be supported within the service, nowhere else.

Tutanota have announced 2-factor authentication for early 2016.
I read that they are also planning to come up with a scheme to get some PGP support. We'll have to see.

I haven't used the mobile client a lot, but it didn't seem "shabby" to me.
Well, agree to disagree, but I find it bad. I hate wrapped web-apps with a passion. The web client itself uses these awful and slow animations which have tricked me more than once into swiping the whole page away. It also has no multi-select, no search, no draft support, no mark-as-unread option. ProtonMail has all of this in their web app and from what I've seen the mobile apps too.

Considering all this, I personally just find ProtonMail the better horse to bet on and I'm still happy with my choice even though I keep an eye on how the other services are coming along.
 

Rigby

macrumors 601
Aug 5, 2008
4,741
3,689
San Jose, CA
But it remains at heart a conflict of laws and the data still remains on Swiss soil. To my knowledge, ProtonMail has no (official) presence in the US beyond the domicile of some of the developers and that gives already little leverage to US authorities to enforce compliance.
They have a branch in San Francisco.
What worries me about this is that people hold German privacy law in high regard. This is something that really annoyed me about mailbox.org and posteo.de as well; they take it as self-evident. As someone who is frequently in Germany, I don't want to use a German provider for that exact reason.
Well, most of them primarily compare themselves to the situation in the US, and compared to that Germany does have relatively strong protections. There is also a lot more resistance against the surveillance state in the general population, probably in part because many still remember the GDR. Just the politicians don't seem to be listening.
Popular among lawyers? You must be joking. I can't imagine any lawyers who would ever use such newer services without respectable security credentials.
Not joking, just repeating what I read in a law magazine a while ago.
The Outlook plugin is the only strong advantage it currently has, but it is a proprietary implementation of their own encryption method and it is quite expensive too (€10 a month for a single account and you don't even get more space or aliases). It's more suitable for teams and companies, I suppose.
It's how they plan to fund the company. 10 Euros is very cheap for businesses.
I also don't see how it is easier than PGP. Within the service, whether you use Tutanota or ProtonMail, the correspondence is seamless. The benefit is that it allows you to access the inbox within Outlook. As soon as it involves another provider though, PGP will have the advantage. The encrypted subject line will only be supported within the service, nowhere else.
The problem with PGP is that the key exchange is a mess. Most of the existing mail wrappers are also not exactly user friendly.
Well, agree to disagree, but I find it bad. I hate wrapped web-apps with a passion. The web client itself uses these awful and slow animations which have tricked me more than once into swiping the whole page away. It also has no multi-select, no search, no draft support, no mark-as-unread option. ProtonMail has all of this in their web app and from what I've seen the mobile apps too.

Considering all this, I personally just find ProtonMail the better horse to bet on and I'm still happy with my choice even though I keep an eye on how the other services are coming along.
ProtonMail has its own issues (e.g. they currently don't even have PFS in their SSL implementation, not to mention DANE). They are both not quite ready for primetime IMO.
 

iRock1

macrumors 6502a
Apr 23, 2011
987
88
Bottom line? Neither of the two services seems to be ready to be used as a primary account yet.
 

aajeevlin

macrumors 6502a
Mar 25, 2010
913
346
Interesting read, I'm not familiar with the topic at all (interested but never had the chance to look into it). Don't Google Gmail and such come under attack as well? Or are they simply bigger to take down? If it's a matter of size, when they said "unprecedented", I suppose that's a rather relative term based on their own size?
 

Rigby

macrumors 601
Aug 5, 2008
4,741
3,689
San Jose, CA
Interesting read, I'm not familiar with the topic at all (interested but never had the chance to look into it). Don't Google Gmail and such come under attack as well? Or are they simply bigger to take down? If it's a matter of size, when they said "unprecedented", I suppose that's a rather relative term based on their own size?
Companies like Google can afford advanced DDOS mitigations, either on their own or by buying the service from specialized providers or ISPs. Essentially this involves operating a distributed infrastructure of DDOS filtering devices at multiple locations in the Internet and blocking DDOS traffic before it reaches the premises where the actual servers are located.

The most interesting question in this case is IMO: Who could possibly have an interest in attacking a small company like ProtonMail? If you're only after money, there are much juicier targets out there.
 

aajeevlin

macrumors 6502a
Mar 25, 2010
913
346
Companies like Google can afford advanced DDOS mitigations, either on their own or by buying the service from specialized providers or ISPs. Essentially this involves operating a distributed infrastructure of DDOS filtering devices at multiple locations in the Internet and blocking DDOS traffic before it reaches the premises where the actual servers are located.

The most interesting question in this case is IMO: Who could possibly have an interest in attacking a small company like ProtonMail? If you're only after money, there are much juicier targets out there.
Well, as you have stated, bigger could probably be harder? Or even if not harder, simply more resources (police influence, lawyers, or even hiring their own hacker to do a counter attack or find who did it).
 

Rigby

macrumors 601
Aug 5, 2008
4,741
3,689
San Jose, CA
Well, as you have stated, bigger could probably be harder? Or even if not harder, simply more resources (police influence, lawyers, or even hiring their own hacker to do a counter attack or find who did it).
I was more thinking of medium sized enterprises that often don't have a large IT budget and shy away from contacting the authorities because they don't like publicity for incidents like this. ProtonMail is a small startup that hasn't even achieved break-even AFAIK, so they can't pay big ransoms.