Thoughts on Protonmail?

[Other James]

Hey all!

 

I was hoping to get some feedback from all of you regarding Protonmail. They're an end to end encrypted email service. Just wanted to gather opinions from our community, see if anyone has used it, and do a general temperature check: https://proton.me/mail

 

I know a few years ago there was some questions regarding the encryption, or how much Proton was sharing with authorities. And that's why I come to all of you, to see the overall sentiment.

As always, I appreciate the help.

[YellowJersey]

I use it. I like it.

[Tan3l6]

Strange, I replied to the topic that it's safe but only 500MB for free account.  But the post got lost?

[Radium_Angel]

11 minutes ago, Tan3l6 said:

Strange, I replied to the topic that it's safe but only 500MB for free account.  But the post got lost?

In one of the other threads about a no-name monitor brand

[Tan3l6]

31 minutes ago, Radium_Angel said:

In one of the other threads about a no-name monitor brand

Yes, thanks! I could have sworn I posted the message in question in this topic.

 

Bit off topic, but for some reason in YT some videos show in the description of an older video description that I watched earlier. I was going to make a topic about it, but can't replicate the result for some reason. 

 

 

[flowalex]

I'm a paid visionary user, I don't plan on switching to anything else (I've actually been working on moving away from other email providers) also with the unlimited plan you do get simple login premium

[sodapone]

I use it with a Plus plan. It's nice; this is actually my first time being able to consolidate multiple email addresses under a single account.

 

That aside, it's a solid email client--a good alternative to Gmail if you don't like the idea of Google looking at your inbox. Sometimes I do wish I could access it through other clients, but that would kinda defeat the point of its existence anyhow.

 

I haven't looked too much into how good they are at keeping their word or how much information they give out to authorities, though.

[Crunchy Dragon]

Been using it for a couple years now, I'm quite a fan. It's a very good alternative to Gmail, Yahoo, Outlook, all the other Big Tech email providers.

18 hours ago, sodapone said:

I haven't looked too much into how good they are at keeping their word or how much information they give out to authorities, though.

I just did some digging into this myself since I had heard they bent the knee to subpoenas, but that appears to not have been the case(second link is a bit clickbait):

However, they do now partake in some IP tracking and fingerprinting:
https://arstechnica.com/information-technology/2021/09/privacy-focused-protonmail-provided-a-users-ip-address-to-authorities/

 

ProtonVPN is also quite nice from my experience as well. I've used a few others in the past and Proton is the only one I've actually stuck with longer than a couple months.

[manikyath]

IMO (as a Gmail user..) it's not different to a VPN or similar "hide your data" applications.

 

as long as the ad is uprfont about what it is and isnt.. there is nothing to dislike abut it.

[Quackers101]

if they are transparent on things and you dont make claims it doesnt do? would be fine with it.

just I would dislike sponsoring nord VPN and claiming all the BS, instead of focusing on what it does and what it doesnt.
So long its transparent enough and that the service "works"? I wouldn't have issues with it? but then again never know what could happen.

Edited July 1, 2023 by Quackers101

[Crunchy Dragon]

9 hours ago, Quackers101 said:

if they are transparent on things and you dont make claims it doesnt do? would be fine with it.

just I would dislike sponsoring nord VPN and claiming all the BS, instead of focusing on what it does and what it doesnt.
So long its transparent enough and that the service "works"? I wouldn't have issues with it? but then again never know what could happen.

Do you mean transparent in regards to the sponsor segment, or the company itself?

Proton is probably the most transparent tech company I've ever encountered.

[owwnoooo]

On 6/29/2023 at 10:38 PM, Tan3l6 said:

Strange, I replied to the topic that it's safe but only 500MB for free account.  But the post got lost?

They've changed it . It is 1GB now.

[gjsman]

Works nice, looks nice, but if you think it's safe because it's from Switzerland, look no further than the story of Crypto AG. 

[Polderviking]

I've been using them for years.

 

I don't even REALLY care all that much about things like mailbox encryption as most mail traffic I generate still inevitably traverses the big giant's mail servers and can therefore be perused.
I just like their services generally and their privacy first angle.

They also cater to power users, my data is in Europe and they are a nice full package experience alternative to the big name providers at a reasonable price. Especially with with the recently introduced password manager it's become great value. 

[CWALD]

Love it. I use a paid account with a personal domain. If your looking for alternatives I also use Tutanota and MySudo accounts for things that I want to keep separate but for the regular stuff Proton is the way to go.

[mcsqueazy]

I use proton, p much no downsides of using it (proton mail bridge works on some obscurish mail clients I use for Linux), meaning it works on desktop mail clients, it has a mobile app, no adds, personal domains. Proton from my understanding has been pretty faithful in its privacy first attitude, which isn't something that all these VPN type companies really adhere too (ALA express vpn).

If you are willing to pay, I haven't had a single moment where I really needed my google account so far after a couple of months of use. Id recommend it.

[AAVVIronAlex]

I like it, but I do not really use it.

[SolarNova]

I don't use it personally, but with more and more apps/services like email etc requiring things like your phone number or some other form of effective ID ..and thus info they can share/leak, Proton Mail seems like a solid choice for privacy as they dont require those things for signup.

 

IIRC i have used them in the past to make a temporary email ..for what i cant recall think maybe it was for an alt account in a game ..was a few years back. but i do remember finding them precisely because the usual go to places for an email address changed to requiring some form of ID like another email address and/or phone number.

[wanderingfool2]

There are parts of proton mail that I like, I end up using it a few times a year at least.

 

As a service, I do think I'd trust proton mail over the likes of say Google and wouldn't have too much of an issue with ads on it...at least they are a bit more open than others, still don't like the advertisements of e2ee; while they have created a site that explains what they mean by e2ee I find the general talk of e2ee gives people the wrong impression. [ https://proton.me/support/proton-mail-encryption-explained ]

 

 

A very classical example, sending email to a party which just implements SMTP without having built a TLS connection (they exist).  So the original email submitted to proton would be encrypted, but after that point it's traveling over the internet where it's susceptible via MITM attack.

 

The most common scenario though, sending via SMTP with TLS.  At that stage if authorities wanted to, they could still request the email coming through of an user from Proton (and the emails being received).  The only portion that the e2ee protects is prior emails.

 

The biggest issue I have though is the claim of E2EE with proton to proton users, and they don't really mention mitigating a MITM.  While I no doubt believe they stand by it, and that things are E2EE...my question would be could they still perform a MITM attack if they so chose to.  I haven't really researched into what Proton uses, but a lot of E2EEs are vulnerable to MITM if the user is forced to use Proton servers and Proton servers also act as the CA.

 

Not saying that this is the case, the a classical example of the aforementioned would be the following case

Parties, Alice, Bob, Server

Standard E2EE

Alice - asks Server for Bob's public key (PK) to encrypt

Server - responds with the PK

Alice - encrypts locally with the PK and sends data to Server

Bob - downloads data and decrypts locally with private key

 

Standard E2EE with MITM

Alice - asks Server for Bob's PK to encrypt

Server - responds with fake PK that the server knows the private keys to

Alice - encrypts locally with the fake PK and sends data to the Server

Server - decrypts message with the private keys, re-encrypts with Bob's real PK

Bob - downloads data and decrypts locally with private key

 

For Alice and Bob in both cases they don't know that there has been a MITM attack.  There are of course ways to mitigate it, but Proton from at least what I have seen hasn't mentioned ways they try mitigating it.  They just toss around the term E2EE.

 

To put it in perspective, Eufy's cameras were E2EE...and yet they had a glitch on the server that let others see other people's cameras.  Too many companies I have found just jumped on E2EE as though it means you have additional privacy when in reality it all depends on the implementation.

[Nuzicx]

On 7/6/2023 at 6:33 AM, mcsqueazy said:

proton mail bridge

Absolutely hate it with its constant update notifications, as if it can't be automatically done without requiring user input. FML.

I left protonmail after the data leak to authorities, switched to mailbox.org but considering icloud, both offer catchall and custom domains, icloud seems cheaper.

 

Don't get me wrong protonmail had a wonderful phone app and decent web mailbox.

 

I've found mailbox.org to be very slow on web mailbox however I rarely use

[MG2R]

On 7/8/2023 at 7:57 AM, Nuzicx said:

 

I left protonmail after the data leak to authorities

What story did I miss?

 

Proton is the one provider that convinced me to switch from self-hosting my e-mail. That was a total pain in the ass but the only way I saw to keep my data private, until proton showed up. 
 

been a paying customer for years now, so far no regrets. Only downside is the bridge you need if you want regular imap and smtp. But that shows the encryption is real. 

[Polderviking]

4 hours ago, MG2R said:

What story did I miss?

 

Proton is the one provider that convinced me to switch from self-hosting my e-mail. That was a total pain in the ass but the only way I saw to keep my data private, until proton showed up. 
 

been a paying customer for years now, so far no regrets. Only downside is the bridge you need if you want regular imap and smtp. But that shows the encryption is real. 

Probably referring to this.

I don't think that can be called a leak. Even in Switzerland there are rules they need to follow.
And they've been reasonably transparant about this.

 

Some people have the wrong idea and turned it into a whole thing.
They can't just go ahead and ignore law like some disguntled anachist. That would be how you get your infrastructure confiscated.

[MG2R]

Thanks! I do remember those privacy policy changes around that time. I must’ve missed the commotion surrounding them. 
 

their yearly transparency report is all I need. Reading that they received X requests for some data but were unable to hand it over because they literally did not have it is superb 

[Nuzicx]

6 hours ago, Polderviking said:

Probably referring to this.

I don't think that can be called a leak. Even in Switzerland there are rules they need to follow.
And they've been reasonably transparant about this.

 

Some people have the wrong idea and turned it into a whole thing.
They can't just go ahead and ignore law like some disguntled anachist. That would be how you get your infrastructure confiscated.

Not this, there was a rumour created in 2018 that the FBI had a backdoor that protonmail gave them, which was a false claim. FBI seized the decryption keys and passwords when they took Cohen in custody, poor OPSEC by that man.

 

https://www.nytimes.com/2018/04/09/us/politics/fbi-raids-office-of-trumps-longtime-lawyer-michael-cohen.html

https://twitter.com/HotepSun/status/1040220549782351872

 

[Polderviking]

23 minutes ago, Nuzicx said:

Not this, there was a rumour created in 2018 that the FBI had a backdoor that protonmail gave them, which was a false claim. FBI seized the decryption keys and passwords when they took Cohen in custody, poor OPSEC by that man.

 

https://www.nytimes.com/2018/04/09/us/politics/fbi-raids-office-of-trumps-longtime-lawyer-michael-cohen.html

https://twitter.com/HotepSun/status/1040220549782351872

 

Okay.

So there was no leak, you could've clarified that in the post we are responding to. 

Why did it make you leave?
I remember this, and it was pretty obvious to me this guy on Twitter was blowing hot air, right out of the gate.

Or is it also unrelated to you leaving?