• [deleted]

I am a Posteo client currently. It pisses me off that the service is not as good as ProtonMail

  • [deleted]

final you said "The service posteo provides isn't secured by zero-knowledge/zero-access methodologies."
Even with the crypto storage activated (no pgp) ???

    [deleted] If crypto storage is activated, they cannot see the mailbox. However they would be able to intercept the connection of the mailbox and grab the contents of the mailbox in real-time as they are being accessed to see them. This is unlikely and they said in transparency this would only matter in a Law Enforcement situation, and they would have to be actively intercepting the user waiting for evidence continuously.

    ProtonMail provides no access to the inbox at all, but may be able to reveal other data such as the user's IP address, which can be changed by a VPN or other solution.

    Both email services (email as a whole) have the issue of being able to see emails that come in from other email servers, because email is not end-to-end encrypted. If an email is encrypted with PGP or other end-to-end encryption solution this would not matter, but there is still metadata that transits through emails anyway.

      • [deleted]

      final They are able to access it in real time only if I access it via a third party client like K9 with IMAP ?

        [deleted] They are able to access it in real time only if I access it via a third party client like K9 with IMAP ?

        Can be seen in all cases including their webmail, as the decryption for the emails is done on their side rather than on yours. The reason they need to see in real time is because they can only decrypt with a key protected by the user's password, which Posteo do not know. So if an account for whatever reason was being monitored and the user who owned the account logged in, that would be the only way to access the mailbox contents. Posteo can only see such information if they were planned to be monitored beforehand.
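Added example, not part of the thread and not Posteo's or Proton's code: a simplified Python model of the distinction described above between a mailbox the provider decrypts at login with a password-protected key and one that only the client decrypts. The `Server` class, its `seen_plaintext` list and the HMAC-based stand-in cipher are assumptions made for illustration.

```python
import hashlib, hmac, os

def kdf(password: str, salt: bytes) -> bytes:
    # Key derived from the user's password; the provider never stores it.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher for the model (HMAC-SHA256 keystream); real systems use an AEAD.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

class Server:
    """Hypothetical provider: keeps ciphertext at rest, logs any plaintext it handles."""
    def __init__(self):
        self.at_rest = {}
        self.seen_plaintext = []  # what monitoring on the provider's side could capture

    def store(self, user, salt, nonce, ciphertext):
        self.at_rest[user] = (salt, nonce, ciphertext)

    def login_and_read(self, user, password):
        # Provider-side decryption: password and plaintext exist in server memory.
        salt, nonce, ct = self.at_rest[user]
        plaintext = stream_xor(kdf(password, salt), nonce, ct)
        self.seen_plaintext.append(plaintext)
        return plaintext

    def fetch_ciphertext(self, user):
        # Client-side decryption: the server only ever hands out ciphertext.
        return self.at_rest[user]

def create_mailbox(server, user, password, mail: bytes):
    salt, nonce = os.urandom(16), os.urandom(16)
    server.store(user, salt, nonce, stream_xor(kdf(password, salt), nonce, mail))

def read_client_side(server, user, password):
    salt, nonce, ct = server.fetch_ciphertext(user)
    return stream_xor(kdf(password, salt), nonce, ct)

if __name__ == "__main__":
    srv, mail = Server(), b"constructed sample message"
    create_mailbox(srv, "alice", "correct horse", mail)
    print(read_client_side(srv, "alice", "correct horse"), srv.seen_plaintext)
    print(srv.login_and_read("alice", "correct horse"), srv.seen_plaintext)
```

In both cases the data at rest is ciphertext; the difference is whether the plaintext ever exists on the provider's machine while the user is logged in.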

        • [deleted]

        I thought this was more secure... The only reason why Proton can not do this is because they use their own app ?
        Why the fuck does Posteo not do an app...

          • [deleted]

          I do not understand well. I find this complicated.
          But posteo has been clear and transparent about all this and they did not lie right ?

            • [deleted]

            • Edited

            It is crazy that there are so few trustworthy secure email providers... Knowing this we only have Protonmail and Tutanota (maybe Startmail/mailbox)...

              [deleted]
              Further context:
              Posteo don't log IP address or user information, but can have their mailbox accessible dependent on settings and if there was a law enforcement order demanding that the mailbox be intercepted to receive this info.

              Posteo during 2022
              User info: 0
              IP addresses: 0
              Mailbox contents: 4
              https://posteo.de/en/site/transparency_report

              According to privacy ProtonMail can see IP temporarily but will have discretion in choosing to log for law enforcement or to combat abuse from the platform caused by the user's email.

              They mention the limitations of Email protocols and information they can see from it: which is the same I have mentioned before (incoming messages and metadata):

              2.2.2 Account Activity: Due to limitations of the SMTP protocol, we have access to the following email metadata: sender and recipient email addresses, the IP address incoming messages originated from, attachment name, message subject, and message sent and received times. We do NOT have access to encrypted message content, but unencrypted messages sent from external providers to your Account, or from Proton Mail to external unencrypted email services, are scanned for spam and viruses to pursue the legitimate interest of protecting the integrity of our Services and users. Such inbound messages are scanned for spam in memory, and then encrypted and written to disk. We do not possess the technical ability to scan the content of the messages after they have been encrypted. We also have access to the following records of Account activity: number of messages sent, amount of storage space used, total number of messages, last login time. User data is never used for advertising purposes.

              As for the spam and virus protection, Posteo do it too: https://posteo.de/en/site/privacy_policy
              https://proton.me/mail/privacy-policy

              ProtonMail during 2022

              • Number of legal orders: 6,995
              • Contested orders: 1,038
              • Orders complied with: 5,957
                • [deleted]

                After reading your first message carefully I understand better. Thank you so much

                • [deleted]

                final "Orders complied with: 5,957"
                What was this ? Essentially IP addresses right ?

                  [deleted] I thought this was more secure... The only reason why Proton can not do this is because they use their own app ?
                  Why the fuck does Posteo not do an app...

                  Email as a whole isn't a secure protocol, the only real solutions are to bake other software or features into it, like what Proton and Posteo do, it isn't fully possible to have a perfect email service.

                  [deleted] I do not understand well. I find this complicated.
                  But posteo has been clear and transparent about all this and they did not lie right ?

                  Posteo have never lied about their service, in fact I think their service is good, it's just that Proton do some parts better. If Proton had a service that logged less of the other information like Posteo not logging IP address at all, then it would be perfect.

                  [deleted] It is crazy that there are so few trustworthy secure email providers... Knowing this we only have Protonmail and Tutanota (maybe Startmail/mailbox)...

                  Tutanota is pretty good, Posteo is good but has serious limitations, Proton is but can be costly. It's a matter of what's better or worse, I use Proton primarily because it supports DMARC and custom domain names, but Posteo's strong privacy policy can be advantageous in some positions.

                  [deleted] "Orders complied with: 5,957"
                  What was this ? Essentially IP addresses right ?

                  They do not specify. Likely they provided all information they had stored in their systems at the time, which is all the information in their privacy policy. Information that is 'encrypted' would not be accessible.

                  They specify more information on one case where they had to surrender user info here: https://proton.me/blog/climate-activist-arrest - this case in particular was important as it reached press attention, but they had no choice in providing this info since it was requested by Swiss courts.


                    final
                    My favorite quote from that blog post:

                    No matter what service you use, unless it is based 15 miles offshore in international waters, the company will have to comply with the law. The Swiss legal system, while not perfect, does provide a number of checks and balances, and it’s worth noting that even in this case, approval from 3 authorities in 2 countries was required, and that’s a fairly high bar which prevents most (but obviously not all) abuse of the system. Under Swiss law, it is also obligatory for the suspect to be notified that their data was requested, which is not the case in most countries.

                    Out of curiosity, does Posteo specify which country's jurisdiction they operate under?

                      zzz
                      Yes, it is Germany (hence the .de in Posteo's domain)

                      • [deleted]

                      • Edited

                      How does Proton manage to be zero-access, unlike Posteo ? How do they manage to not be able to read the incoming messages in real-time ? Why doesn't Posteo upgrade to be zero-access ?
                      Proton decrypt the emails client-side, unlike Posteo ?
                      You said

                      Posteo isn't transmitting the encrypted mailbox to you, why do you think using any email client works?
                      So this is not the case with Proton ?
                      (Sorry @final I asked too many questions because I did not understand well because I was tired but your answers are insanely great. Thx.)

                        • [deleted]

                        Is it because Proton's encryption works like Posteo's encryption on entry with PGP ? Activating it for Posteo provides the same level of privacy/security as Proton right ?

                          [deleted] Why the fuck does Posteo not do an app...

                          Because it's a cheap service.
                          The saying "you get what you pay for" isn't always the case, but when it comes to Posteo vs. Protonmail, in my opinion, it is. Posteo will cost you a lot less money, but will provide you with a clunky third-party web interface that is rarely updated, and no end-to-end encryption. Last time I checked, and correct me if I'm wrong and if this has been improved, you can also bypass Posteo's 2FA simply by connecting it to a third-party client over IMAP.

                          What I don't like about Protonmail is that it requires you to upgrade to the most expensive plan to get more than one custom domain. The Unlimited plan is expensive if you simply want their mail service, and not their VPN etc. in addition.

                          (Apparently I don't have permission to edit my own posts).
                          Edit: If you do go with Posteo, I recommend using it with a third-party app with good spam filtering. This is because their own filter is complete and utter crap: if one of your email addresses gets leaked in a breach or something, expect spam to appear regularly in your inbox. Posteo does not even provide you with a spam folder, so if you suspect a legitimate email has been stopped by their filter, you have to contact customer support to get them to check.

                          I realize this is a lot of ranting about Posteo's negatives. But I do believe that for their price they offer an OK experience. It just doesn't cut it for me personally.

                            • [deleted]

                            Thanks. I never had any problem with spam with Posteo. I just had to block one email address in 2 years