Good security. https://proton.me/mail/security
Started a couple years back.
I kept a couple of Gmail accounts for junk stuff. All else has been migrated.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
ProtonMail Unifies Encrypted Mail, Calendar, VPN, and Storage Services Under New 'Proton' Brand
- Thread starter MacRumors
- Start date
- Sort by reaction score
Started a couple years back.
I kept a couple of Gmail accounts for junk stuff. All else has been migrated.
The new update and unified design is good. Their VPN also might be good.
I think that it’s important to keep everything in context.
For the most part, and for most people, encrypted email only serves the purpose of making you feel all Edward Snowdeny.
Very few people actually use PGP and it’s a 30 year old standard. It’s great at encryption but has never really caught on for person to person communications.
Proton makes sending PGP messages to others easier. But that’s only useful if you know people that use PGP. Most don’t.
Yes, they have the ability to send someone who doesn’t have PGP an encrypted message and then someone gets a notification that they have to go to a website and read it.
First off, that’s impractical for most people for more than one or two emails and second, there are already pastebin websites that allow you to do the same thing.
The other glaring problem with “encrypted email” is that a copy of it exists somewhere, probably unencrypted.
If you send an email from Proton to a Gmail user (Gmail has 43% of the email market so you probably will be sending emails to Gmail), the email is sitting in his Gmail account in plain text. Same in reverse. If someone sends you an email, the received copy may be in an encrypted inbox but there’s another copy unencrypted sitting in someone’s sent folder.
So basically, the police don’t have to go to Switzerland to get your emails. They simply subpoena the sender or recipient.
Additionally, because your inbox is encrypted, you can’t use third party email clients to access it without using their bridge software (which some users complain about being buggy).
And, because your mailbox is encrypted, it can’t be indexed for searching. So, it’s sort of a pain in the butt to find an old email.
Despite all of that, it’s not a bad idea to use alternatives to companies like Google and Microsoft and Apple for your email and companies like Proton, Tutanota, Mailbox dot org, etc offer a way to break away from the big companies.
But, companies like Proton and Tutanota sort of sell fantasy to people concerned about their privacy. They try to paint a picture that email can be secure because they encrypt your inbox or allow you to use PGP when, in reality, it’s not designed to be secure.
If you don’t have a lot of friends using PGP now, it’s not like you’re suddenly going to find new PGP friends to send emails to securely.
Pick a privacy friendly company and worry less about all the encryption bells and whistles. Use messaging apps that are truly end to end encrypted and allow you to expire messages if you want actual privacy.
And, BTW, it’s funny that some people are mentioning the one or two cases where Proton turned over data about a user under a court order.
Unless your email provider is basically a rogue actor they have to turn over the data. The fact that Proton has only had to do it twice while the big email providers are so willing to hand over your data that Apple was handing over data based on fake court orders, is a plus.
There is no email provider on the planet outside of self hosting that is going to defy a court over a $3 a month customer. The police will just go to the data center and seize all of the hardware and then they’re out of business.
In motorcycling there’s a saying that there are only two types of riders, those that have dropped a bike and those who will. The same applies here. There are only two types of email providers, those that have turned over data under court order and those that will.
Personally, I don’t use Proton as my main email. I have an account on a privacy-centric email provider based in Germany.
Up until this announcement they had better pricing and I want to use my Mac Mail app on my desktop (without the bridge because the bridge is only for paid Proton subscribers) and iOS Mail on my phone and you can’t do that with Proton.
But I do have a free account with Proton and I have what I consider to be “sensitive” emails (correspondence with my attorney, my accountant, crypto exchanges, brokerage accounts, etc) sent to Proton.
And I didn’t pick Proton because of the inbox encryption. I picked them because they have a free plan for people with modest emails needs which fit the bill for the previously mentioned way I use it.
For the most part, and for most people, encrypted email only serves the purpose of making you feel all Edward Snowdeny.
Very few people actually use PGP and it’s a 30 year old standard. It’s great at encryption but has never really caught on for person to person communications.
Proton makes sending PGP messages to others easier. But that’s only useful if you know people that use PGP. Most don’t.
Yes, they have the ability to send someone who doesn’t have PGP an encrypted message and then someone gets a notification that they have to go to a website and read it.
First off, that’s impractical for most people for more than one or two emails and second, there are already pastebin websites that allow you to do the same thing.
The other glaring problem with “encrypted email” is that a copy of it exists somewhere, probably unencrypted.
If you send an email from Proton to a Gmail user (Gmail has 43% of the email market so you probably will be sending emails to Gmail), the email is sitting in his Gmail account in plain text. Same in reverse. If someone sends you an email, the received copy may be in an encrypted inbox but there’s another copy unencrypted sitting in someone’s sent folder.
So basically, the police don’t have to go to Switzerland to get your emails. They simply subpoena the sender or recipient.
Additionally, because your inbox is encrypted, you can’t use third party email clients to access it without using their bridge software (which some users complain about being buggy).
And, because your mailbox is encrypted, it can’t be indexed for searching. So, it’s sort of a pain in the butt to find an old email.
Despite all of that, it’s not a bad idea to use alternatives to companies like Google and Microsoft and Apple for your email and companies like Proton, Tutanota, Mailbox dot org, etc offer a way to break away from the big companies.
But, companies like Proton and Tutanota sort of sell fantasy to people concerned about their privacy. They try to paint a picture that email can be secure because they encrypt your inbox or allow you to use PGP when, in reality, it’s not designed to be secure.
If you don’t have a lot of friends using PGP now, it’s not like you’re suddenly going to find new PGP friends to send emails to securely.
Pick a privacy friendly company and worry less about all the encryption bells and whistles. Use messaging apps that are truly end to end encrypted and allow you to expire messages if you want actual privacy.
And, BTW, it’s funny that some people are mentioning the one or two cases where Proton turned over data about a user under a court order.
Unless your email provider is basically a rogue actor they have to turn over the data. The fact that Proton has only had to do it twice while the big email providers are so willing to hand over your data that Apple was handing over data based on fake court orders, is a plus.
There is no email provider on the planet outside of self hosting that is going to defy a court over a $3 a month customer. The police will just go to the data center and seize all of the hardware and then they’re out of business.
In motorcycling there’s a saying that there are only two types of riders, those that have dropped a bike and those who will. The same applies here. There are only two types of email providers, those that have turned over data under court order and those that will.
Personally, I don’t use Proton as my main email. I have an account on a privacy-centric email provider based in Germany.
Up until this announcement they had better pricing and I want to use my Mac Mail app on my desktop (without the bridge because the bridge is only for paid Proton subscribers) and iOS Mail on my phone and you can’t do that with Proton.
But I do have a free account with Proton and I have what I consider to be “sensitive” emails (correspondence with my attorney, my accountant, crypto exchanges, brokerage accounts, etc) sent to Proton.
And I didn’t pick Proton because of the inbox encryption. I picked them because they have a free plan for people with modest emails needs which fit the bill for the previously mentioned way I use it.
I think you're talking about Valve Proton. I really would appreciate a reference if you believe your comment applies to the Proton company discussed in this thread.
ProtonMail Compares Apple to Mafia, Says App Was Forced Into In-App Purchases in 2018
Apple's dispute with "HEY" wasn't the first time the Cupertino company tried to force an email app into adding in-app purchases,...
www.macrumors.com
Why we support app store antitrust investigations | Proton
Proton has joined the Coalition for App Fairness to support regulatory efforts that favor an open, free, and private internet for all.
proton.me
Members - Coalition for App Fairness
The Coalition represents all innovators — from startups to small developers and indie studios to popular apps— all over the world. Have your voice heard and join the fight today!
appfairness.org
This was front-page news here at MacRumors when it happened; it didn't put me off of Proton then and it still doesn't, but Engie absolutely is correct. If you don't trust my links, run "proton coalition app fairness" through your favorite search engine.
I use GMX email for all my commercial email (buying stuff off the web, newsletters, subscriptions, etc.). I don't care whether that stuff is safe from a subpoena or not. "Oh, look, he ordered a ream of paper from Staples!!" Hell, The Man would find that in my credit card records anyway lol.
Among my close friends, we all have protonmail addresses. Who knows what kind of skullduggery could come up in those discussions haha.
Family and friends in general have my mac.com email addy.
So my Proton address doesn't get massive traffic, and for that, the web interface works fine.
Among my close friends, we all have protonmail addresses. Who knows what kind of skullduggery could come up in those discussions haha.
Family and friends in general have my mac.com email addy.
So my Proton address doesn't get massive traffic, and for that, the web interface works fine.
Those emails are not interesting to law enforcement, but they are highly sought after by big tech to profile your interests and habits.
Personally I'm not concerned about subpoenas, but more about what Shoshana Zuboff called "surveillance capitalism". That alone is worth migrating from data collectors like Google to a more privacy-oriented email provider.
Nonetheless an zero-knowledge encrypted mailbox also protects against data breaches, insider risks, and abuse of your data by the email provider, e.g. after an acquisition by some billionaire in his midlife crisis. Today I read an article where someone said "Elon Musk now owns my Twitter DMs".
It used to be in the early days, but works pretty reliably these days. I use it with Thunderbird and you don't really notice it's there.
They support full-text search now by creating the index on the client side. If you use a mail client via the bridge it isn't a problem anyway.
Well, Protonmail itself (which is effectively user-friendly packaging of PGP) has increased the number of PGP users by orders of magnitude. Reportedly they now have around 70 million users ...
I see that you touched on data breaches in your next comment, but I think it's really worth emphasizing: systems are compromised every single day. Your data may be encrypted at rest, but it's only as secure as the key that encrypts it. An insider attack or a data breach could still result in your entire inbox getting sold on the dark web. Even if you trust your email provider to not sell your data or read your emails, can you trust that they will always be able to protect them?
There are several email providers that will store your email with zero-knowledge encryption as soon as it arrives; Proton and Tutanota do this automatically as soon as it arrives, and other providers - Posteo, Mailbox.org, StartMail, and Fastmail (I think - I have never used the latter two) allow you to upload your own public key which will be used to encrypt all incoming email as it hits your inbox.
A lot of folks have said, and will continue to say, some variant of "I don't care if the government knows that I bought flowers for my wife" and that's fair, but do you want your entire inbox in a pastebin some day? There's a non-zero chance that it will happen with Gmail, Yahoo, Outlook.com, etc. It's inexpensive - often "free" - to protect yourself.
How so? The provider doesn't have access to the key in the case of Protonmail. So even if their infrastructure is breached, the content of your emails remains secure.
Right (although I don't believe Fastmail has zero-knowledge encryption). But with providers other than Proton and Tutanota, you can't access your encrypted mail in the web interface without giving your private key to their server (thus making it no longer zero-knowledge), since they don't have web clients that can handle the encryption on the client side. You have to use email clients and configure PGP on them, and particularly on mobile there aren't many good clients with PGP support.
Indeed.
Exactly, it's not Proton, it's the Swiss law. What is stupid is that the activist didn't use a VPN, where Proton as a 0 log policy (laws are strange sometimes).
Important clarifications regarding arrest of climate activist | Proton
We would like to provide important clarifications regarding the case of the climate activist who was arrested by French police.protonmail.com
Yea as far as I remember they gave out his IP's - he was not using VPN at all. I would be more worried if they would have to provide VPN logs.
You and I are in agreement, I was just expanding a bit on what you'd written. I want other readers to understand that ProtonMail, Tutanota, and any other provider that encrypts with your public key but doesn't have your private key is reasonably safe from insider attacks, and that this is a good way to keep your inbox out of a pastebin. Google, Yahoo, and most other providers do encrypt data at rest, but it's still readable to privileged users (administrators or those that have assumed their permissions).
That is very true and worth emphasizing. On PC (macOS/Windows/Linux), Thunderbird has come a long way and their baked-in PGP support is pretty solid now. I use Thunderbird every day, both with ProtonMail and with my other accounts. For mobile, I like CanaryMail on iOS and iPadOS and K9Mail on Android - neither are perfect, but CanaryMail is pretty dang solid. But outside of ProtonMail, Tutanota, and maybe a couple others: if you want a zero-knowledge encrypted inbox, you will need to use email client software.
Canary makes me nervous because of this (from their privacy policy):
"The only scenario in which we will temporarily store this data is if users of Canary Mail for iOS or Android choose to enable Push notifications when they receive email. In that case, Canary will temporarily store your email address, credentials, sender, subject line, and first line of the message on our server."
Uploading credentials (password or OAuth token) for my mailbox to their server is a blinking red light as far as I'm concerned. I wish there was a good open source client with PGP support like K9 for iOS ...
I'm one of the sickos that just checks email manually and doesn't get push notifications, but good of you to point that out - I had forgotten about it. That was one of the reasons I was uncomfortable with Spark and I think it's reasonable to be wary. I check manually every hour or two but for those that need instant notifications and still want privacy, a service that rolls their own app - ProtonMail or Tutanota, for example - is probably most appropriate.