• [deleted]

final They are able to access it in real time only if I access it via a third party client like K9 with IMAP ?

    [deleted] They are able to access it in real time only if I access it via a third party client like K9 with IMAP ?

    Can be seen in all cases including their webmail, as the decryption for the emails is done on their side rather than on yours. The reason they need to see in real time is because they can only decrypt with a key protected by the user's password, which Posteo do not know. So if an account for whatever reason was being monitored and the user who owned the account logged in, that would be the only way to access the mailbox contents. Posteo can only see such information if they were planned to be monitored beforehand.

    • [deleted]

    I thought this was more secure... The only reason why Proton can not do this is because they use their own app ?
    Why the fuck does posteo do not do an app...

      • [deleted]

      I do not understand well. I find this complicated.
      But posteo has been clear and transparent about all this and they did not lie right ?

        • [deleted]


        It is crazy that there is so few trustworthy secure email providers... Knowing this we only have Protonmail and Tutanota (maybe Startmail/mailbox)...

          [deleted]
          Further context:
          Posteo don't log IP address or user information, but can have their mailbox accessible dependent on settings and if there was a law enforcement order demanding that the mailbox be intercepted to receive this info.

          Posteo during 2022
          User info: 0
          IP addresses: 0
          Mailbox contents: 4
          https://posteo.de/en/site/transparency_report

          According to their privacy policy, ProtonMail can see IP temporarily but will have discretion in choosing to log for law enforcement or to combat abuse from the platform caused by the user's email.

          They mention the limitations of Email protocols and information they can see from it: which is the same I have mentioned before (incoming messages and metadata):

          2.2.2 Account Activity: Due to limitations of the SMTP protocol, we have access to the following email metadata: sender and recipient email addresses, the IP address incoming messages originated from, attachment name, message subject, and message sent and received times. We do NOT have access to encrypted message content, but unencrypted messages sent from external providers to your Account, or from Proton Mail to external unencrypted email services, are scanned for spam and viruses to pursue the legitimate interest of protecting the integrity of our Services and users. Such inbound messages are scanned for spam in memory, and then encrypted and written to disk. We do not possess the technical ability to scan the content of the messages after they have been encrypted. We also have access to the following records of Account activity: number of messages sent, amount of storage space used, total number of messages, last login time. User data is never used for advertising purposes.

          As for the spam and virus protection, Posteo do it too: https://posteo.de/en/site/privacy_policy
          https://proton.me/mail/privacy-policy

          ProtonMail during 2022

          • Number of legal orders: 6,995
          • Contested orders: 1,038
          • Orders complied with: 5,957
            • [deleted]

            After reading your first message carefully I understand better. Thank you so much

            • [deleted]

            final "Orders complied with: 5,957"
            What was this ? Essentially IP addresses right ?

              [deleted] I thought this was more secure... The only reason why Proton can not do this is because they use their own app ?
              Why the fuck does posteo do not do an app...

              Email as a whole isn't a secure protocol. The only real solutions are to bake other software or features into it, like what Proton and Posteo do; it isn't fully possible to have a perfect email service.

              [deleted] I do not understand well. I find this complicated.
              But posteo has been clear and transparent about all this and they did not lie right ?

              Posteo have never lied about their service, in fact I think their service is good, it's just that Proton do some parts better. If Proton had a service that logged less of the other information like Posteo not logging IP address at all, then it would be perfect.

              [deleted] It is crazy that there is so few trustworthy secure email providers... Knowing this we only have Protonmail and Tutanota (maybe Startmail/mailbox)...

              Tutanota is pretty good, Posteo is good but has serious limitations, Proton is too but can be costly. It's a matter of what's better or worse. I use Proton primarily because it supports DMARC and custom domain names, but Posteo's strong privacy policy can be advantageous in some positions.

              [deleted] "Orders complied with: 5,957"
              What was this ? Essentially IP addresses right ?

              They do not specify. Likely they provided all information they had stored in their systems at the time, which is all the information in their privacy policy. Information that is 'encrypted' would not be accessible.

              They specify more information on one case on where they had to surrender user info here: https://proton.me/blog/climate-activist-arrest - this case in particular was important as it reached press attention, but they had no choice in providing this info since it was requested by Swiss courts.


                final
                My favorite quote from that blog post:

                No matter what service you use, unless it is based 15 miles offshore in international waters, the company will have to comply with the law. The Swiss legal system, while not perfect, does provide a number of checks and balances, and it’s worth noting that even in this case, approval from 3 authorities in 2 countries was required, and that’s a fairly high bar which prevents most (but obviously not all) abuse of the system. Under Swiss law, it is also obligatory for the suspect to be notified that their data was requested, which is not the case in most countries.

                Out of curiosity, does Posteo specify which country's jurisdiction they operate under?

                  zzz
                  Yes, it is Germany (hence the .de in Posteo's domain)

                  • [deleted]


                  How does Proton manage to be zero-access, unlike Posteo ? How do they manage to not be able to read the incoming messages in real-time ? Why doesn't Posteo upgrade to be zero-access ?
                  Proton decrypt the emails client-side, unlike Posteo ?
                  You said

                  Posteo isn't transmitting the encrypted mailbox to you, why do you think using any email client works?
                  So this is not the case with Proton ?
                  (Sorry @final I asked too many questions because I did not understand well because I was tired but your answers are insanely great. Thx.)

                    • [deleted]

                    It is because Proton's encryption works like Posteo's encryption on entry with PGP ? Activate it for Posteo provides the same level of privacy/security as Proton right ?

                      [deleted] Why the fuck does posteo do not do an app...

                      Because it's a cheap service.
                      The saying "you get what you pay for" isn't always the case, but when it comes to Posteo vs. Protonmail, in my opinion, it is. Posteo will cost you a lot less money, but will provide you with a clunky third-party web interface that is rarely updated, and no end-to-end encryption. Last time I checked, and correct me if I'm wrong and if this has been improved, you can also bypass Posteo's 2fa simply by connecting it to a third-party client over IMAP.

                      What I don't like about Protonmail is that it requires you to upgrade to the most expensive plan to get more than one custom domain. The Unlimited plan is expensive if you simply want their mail service, and not their VPN etc. in addition.

                      (Apparently I don't have permission to edit my own posts).
                      Edit: If you do go with Posteo, I recommend using it with a third-party app with good spam filtering. This is because their own filter is complete and utter crap: if one of your email addresses gets leaked in a breach or something, expect spam to appear regularly in your inbox. Posteo does not even provide you with a spam folder, so if you suspect a legitimate email has been stopped by their filter, you have to contact customer support to get them to check.

                      I realize this is a lot of ranting about Posteo's negatives. But I do believe that for their price they offer an OK experience. It just doesn't cut it for me personally.

                        • [deleted]

                        Thanks. I never had any problem with spam with Posteo. I just had to block one email address in 2 years.

                          [deleted] How does Proton manage to be zero-access, unlike Posteo ? How do they manage to not be able to read the incoming messages in real-time ? Why doesn't Posteo upgrade to be zero-access ?
                          Proton decrypt the emails client-side, unlike Posteo ?
                          You said

                          Posteo decrypts the mailbox on their servers when they are used and accessed by an authenticated user. When you use ProtonMail the mailbox is sent to you as encrypted and then decrypted on your machine, this means that Proton cannot see the contents of your mailbox at all even when you are authenticated

                          This is also why ProtonMail and Tutanota, which do zero-access, require their own special apps and cannot use a normal mail app. They need their own app to support decrypting the mailbox after downloading it. If you are wondering how it would work for Webmail, ProtonMail decrypts the mailbox via JavaScript run on your browser to my knowledge.

                          Relaks I realize this is a lot of ranting about Posteo's negatives. But I do believe that for their price they offer an OK experience. It just doesn't cut it for me personally.

                          I would love Posteo more if they provided DMARC policy, considering the only limits on Posteo otherwise would be the interception issue, but that is outside of even my own threat model. To fix it they'd have to cut support for third-party clients, which can be useful to some. Their price is very good and the privacy policy is extremely solid (payment information is handled way better than Proton is, imo) but that's what drops it down for me. I find Posteo to work a lot better for a Tor network user not involved in suspicious activities or who wanted an email to register accounts but not communicate through it... but that's about all I can think with it.

                          I mainly use Proton for the custom domain support, better email policies and because I use their VPN.

                          [deleted] It is because Proton's encryption works like Posteo's encryption on entry with PGP ? Activate it for Posteo provides the same level of privacy/security as Proton right ?

                          ProtonMail stores the mailbox with standard encryption (AES??) set-up so that Proton cannot let the contents be decrypted on their systems, nor would they ever know the keys to decrypt said mailbox. Posteo also store the mailbox this way, but decrypt the contents on their systems when accessed by the user (this is the flaw).

                          The PGP in Posteo and ProtonMail is used for end-to-end encryption between emailing one user to another. Using PGP or another end to end encryption method for emails will make Posteo unable to read the contents during an interception, and would make Proton unable to see incoming emails from services that aren't Proton's. Posteo makes you do it manually in all cases, while ProtonMail automates the PGP encryption for you on their service, this is why emailing another ProtonMail user is automatically end-to-end encrypted.

                          Big issue with PGP is it isn't well designed, you have to manually do the key transfers between others before communicating on the Email platform. PGP encryption has to be done with consent of both parties, which is practically impossible for emails from a company, and is less possible since most people just won't spend their time learning how to make a key and do it themselves. This is again going back to where there is a big flaw with email not being end to end encrypted.

                          While ProtonMail mitigates this by automating the PGP encryption/decryption process, it is only just a small patch fix for a variety of issues email has entirely, since not everybody uses ProtonMail or PGP.
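As an added illustration of the distinction final draws in the post above (a mailbox decrypted on the provider's servers during an authenticated session versus a zero-access mailbox decrypted only on the client, and why a PGP layer stays opaque to the provider in either design), here is a constructed Python model. It is not Posteo's or Proton's code. Its assumptions: the cipher is a toy HMAC-SHA256 keystream standing in for AES/PGP, login is a simplified verifier check rather than either provider's real protocol, and the client seals messages before upload instead of the provider encrypting them on entry with the user's public key.

```python
# Constructed model of the two mailbox designs compared in the thread.
# Added example, not Posteo's or Proton's code. The cipher below is a
# demonstration keystream (HMAC-SHA256 in counter mode) so the file runs with
# the standard library only; it is a stand-in for AES/PGP, not a real cipher.
import hashlib
import hmac
import secrets

NONCE_LEN = 16


def derive_key(password: bytes, salt: bytes) -> bytes:
    """Password -> 32-byte key. Whichever party runs this holds the key."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 50_000, dklen=32)


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _keystream_xor(key, nonce, plaintext)


def unseal(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


class ServerSideDecryptProvider:
    """Posteo-style design as the thread describes it: the mailbox is stored
    under a password-derived key the provider does not know, but at login the
    SERVER derives that key and decrypts. `observed` is what an intercept set
    up on the server beforehand would capture during an authenticated session."""

    def __init__(self, salt: bytes):
        self.salt, self.stored, self.observed = salt, [], []

    def store(self, blob: bytes) -> None:
        self.stored.append(blob)

    def read_mailbox(self, password: bytes) -> list:
        key = derive_key(password, self.salt)        # key now lives in server memory
        plaintexts = [unseal(key, b) for b in self.stored]
        self.observed.extend(plaintexts)             # interception point
        return plaintexts


class ZeroAccessProvider:
    """Proton-style design: the server checks a login verifier computed on the
    client (a simplified stand-in for a password-authenticated login; the
    password itself never reaches the server) and returns ciphertext only."""

    def __init__(self, salt: bytes, verifier: bytes):
        self.salt, self.verifier, self.stored, self.observed = salt, verifier, [], []

    def store(self, blob: bytes) -> None:
        self.stored.append(blob)

    def fetch_mailbox(self, auth_token: bytes) -> list:
        if not hmac.compare_digest(hashlib.sha256(auth_token).digest(), self.verifier):
            raise PermissionError("login rejected")
        self.observed.extend(self.stored)            # server sees ciphertext only
        return list(self.stored)


def zero_access_client_read(provider: ZeroAccessProvider, password: bytes, auth_salt: bytes) -> list:
    """The client side of the zero-access design: authenticate, download the
    ciphertext, derive the mailbox key locally (the JavaScript-in-browser step)."""
    auth_token = derive_key(password, auth_salt)
    blobs = provider.fetch_mailbox(auth_token)
    key = derive_key(password, provider.salt)        # key exists only on the client
    return [unseal(key, b) for b in blobs]


def run_scenario() -> dict:
    """Store the same two messages in both designs and report what each server could see."""
    password, salt, auth_salt = b"constructed-password", secrets.token_bytes(16), secrets.token_bytes(16)
    plain = b"plain message: meeting at noon"          # constructed sample content
    e2e_plain = b"PGP-style message body"              # constructed sample content
    peer_key = secrets.token_bytes(32)                 # stands in for a PGP key shared with a correspondent

    # Real providers encrypt incoming mail with the user's public key; this toy
    # seals on the client before upload so no asymmetric crypto is needed.
    mailbox_key = derive_key(password, salt)
    blobs = [seal(mailbox_key, plain), seal(mailbox_key, seal(peer_key, e2e_plain))]

    server_side = ServerSideDecryptProvider(salt)
    zero_access = ZeroAccessProvider(salt, hashlib.sha256(derive_key(password, auth_salt)).digest())
    for b in blobs:
        server_side.store(b)
        zero_access.store(b)

    server_side.read_mailbox(password)                 # user logs in: server decrypts
    client_view = zero_access_client_read(zero_access, password, auth_salt)
    try:
        zero_access_client_read(zero_access, b"wrong-password", auth_salt)
        rejected = False
    except PermissionError:
        rejected = True

    return {
        "server_side_sees_plain": plain in server_side.observed,
        "server_side_sees_e2e_body": e2e_plain in server_side.observed,
        "zero_access_sees_plain": any(plain in b for b in zero_access.observed),
        "zero_access_client_reads": client_view[0] == plain and unseal(peer_key, client_view[1]) == e2e_plain,
        "wrong_password_rejected": rejected,
    }
```

Calling `run_scenario()` shows the shape of the trade-off: in the server-side design the plaintext exists in the server process for the duration of the session, which is why a monitoring order placed beforehand yields contents at the user's next login; in the zero-access design the server's entire view is ciphertext and the client is the only place the contents appear. The message wrapped under the correspondent's key stays opaque to the server in both designs, which is the thread's point about PGP making interception unproductive.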