[deleted] It's important to note that Proton is only "zero-access" or "zero-knowledge" so long as they want to be. It's technically possible for them to change their client code (the code loaded into your browser or app and used to decrypt your private key using your password) at any time to make it exfiltrate your key, and then use your stolen key to decrypt any messages in your mailbox which have been encrypted with the corresponding public key. In a typical setup where the user has only generated and used one key pair, this probably means all of them.

An attack like this was recently used on a Tutanota user, where law enforcement compelled Tutanota to modify the client code served to a particular user suspected of being involved in criminal activity, and they were able to retrieve the key and subsequently access the user's messages. Proton claims this type of attack is not permitted under Swiss law, but if you're an at-risk person trying to use strong encryption, you probably shouldn't rely on one company's interpretation of the law to keep you safe.

Proton is not a magical vault for your email like their marketing might suggest; they use PGP under the hood and their implementation suffers from all of the same security drawbacks as using PGP in an ordinary mail client: Subject lines, attachment names, sender, receiver and date metadata are not encrypted, there's no forward secrecy (stolen key = access to all messages), and worse, you can't store and manage the keys offline on a trusted machine. You have to trust the JS code loaded from a Proton server each time you want to access your mailbox.

Posteo does server-side encryption of individual mailboxes, which means the key can be more easily stolen while you're logged in, but data is still protected from passive attack while you're logged out.

Overall, both companies likely do more harm than good: They promote the idea that email can be made secure and private by bolting bad cryptography and cruft onto an ancient system, and this hinders our ability to move away from said system.

    final Sorry, but this is misinformation. Proton uses only PGP to encrypt your messages at rest, there is no additional "standard encryption" other than the same volume encryption used by other mail services. When you create your account you generate a public/private key pair client-side, your password is used to encrypt the private key, and both are stored on a Proton server. Incoming messages are encrypted with the public key and stored on a Proton server in a similar structure to PGP email in a local client. When you log in, your password is used to decrypt the private key so you can access your mail, and the confidentiality of the key depends on the trustworthiness of the decryption code they serve to your browser or app. This means that they can't steal your password and decrypt the contents of your mailbox only if they don't want to or haven't been compelled to.

    End-to-end encryption within ProtonMail also depends on the same trust in their JS code which can be surreptitiously changed by them. In all cases, Proton or an attacker can at any time access various unencrypted data and metadata such as subject lines, sender, receiver and date headers, and attachment names. Only the message body and any attached files are encrypted.

    The fact that so many people hold these misconceptions is evidence that their marketing is working well and giving users a false sense of security, and they should be condemned for that IMO.

      418357 Can't edit the above post anymore, but there is some ambiguity I'd like to correct. Where it reads "When you create your account you generate a public/private key pair client-side, your password is used to encrypt the private key, and both are stored on a Proton server." it should read "When you create your account you generate a public/private key pair client-side, your password is used to encrypt the private key, and both the public key and encrypted private key are stored on a Proton server." My previous post may suggest to readers that the password is stored on a Proton server, but this is not the case. The password is intended to be known only by you, and used for client-side encryption and decryption, never being transmitted to Proton servers.

        418357 Sorry, but this is misinformation. Proton uses only PGP to encrypt your messages at rest, there is no additional "standard encryption" other than the same volume encryption used by other mail services

        I was aware of Proton using encryption for the mailbox, and I was aware of PGP being used for messaging between Proton users, but I did not know that the mailbox was encrypted in the same way. Since Proton's website is mainly advertising with few technical details, it's hard for me to discern - big thanks for this, it was not an intentional error by any means.

        418357 In all cases, Proton or an attacker can at any time access various unencrypted data and metadata such as subject lines, sender, receiver and date headers, and attachment names. Only the message body and any attached files are encrypted.

        I mentioned this in a reply about privacy policies (post #12) although with how Proton phrases and advertises their product, it gives some people the foolish impression that everything isn't accessible when that isn't sadly the case and you have to read the privacy policy just to get the bigger picture.

        As for the previous post 418357 (too long, won't quote) - sadly this just shows true but also sad examples that if you are using something tied to an online service, there will always be a chance you will be given up. When it comes to threat models where you are at risk of a service giving you up like this, IMO the best bet would just be to avoid everything capable of collecting identifiable information, or use something where your information wouldn't be at risk, with preparation to cover up if that service ever became hostile.

        The same can also apply to app developers, as in the case in the second paragraph of that post: one bad update or exploitation of the Proton app and you're toast...

        As for the last parts of the last message, it's agreeable. I've constantly mentioned even in this thread that email is a completely flawed system. It would need to either be redone or replaced with something else entirely. For the most of us, these services are more or less just harm reductive alternatives rather than secure alternatives. I would still rather choose Proton over a standard Email provider and do so in about 95% of my emails. While it is condemnable it's also backed partially by the excuse of the terrible design Email is built onto. Business is business and their advertising is likely what made them successful and able to stay afloat in the first place.

        418357 Edit was seen only after I posted, thanks and noted

        a year later

        For what it's worth, I love Posteo, having tried over 20 other providers. IMAP compatibility is a must for me, which automatically excluded Proton and Tuta. I guess different people value different things in an email provider; Posteo's privacy policy, reliability and feature set work perfectly for my needs.

          AlanZ
          I've also used Posteo in the past. Since I don't need IMAP, I've started using Proton Mail instead.

          Have you tried ForwardEmail?

            wuseman
            No, I am going to stick with Posteo. The list of my past email providers:

            1. Yahoo (Yikes!)
            2. Gmail
            3. Hotmail
            4. Fastmail
            5. Runbox
            6. KolabNow
            7. Novo-ordo (another yikes)
            8. Mailbox.org
            9. Neomailbox
            10. Disroot
            11. Countermail (still using occasionally)
            12. RiseUp (still using, good, not great)
            13. Proton
            14. Tuta
            15. Autistici
            16. YANDEX
            17. Abv.bg (Christ!)
            18. Ctemplar (for about a week)
            19. Comcast (yeah, I know)
            20. Danwin1210
            21. iCloud

            So I am all but exhausted of switching : )

              What about Mailbox.org? They have an option to automatically decrypt the mailbox (including all incoming emails and the sent folder) with your public PGP key, which essentially is the same thing that Protonmail does.

              Protonmail requires you to use their apps on mobile, and their "bridge" on desktop to use it with a normal email client. And their web client uses JavaScript to decrypt the emails in the browser.

              Mailbox.org on the other hand allows you to use any email client that supports PGP (e.g. K-9 Mail + OpenKeychain on Android, Thunderbird or KMail on Desktop) to download the encrypted emails and locally decrypt them on your device, and for the web client they are compatible with the Mailvelope extension to decrypt your emails in the browser.

              I kind of prefer Mailbox.org's approach as it is more "open" with no requirement to use their app. Protonmail on the other hand is all set up out of the box with no thinking and tinkering needed. I think if Proton would offer their bridge for Android, I would prefer them but until then I'm leaning towards Mailbox.org because of their openness.

              AlanZ

              What made you switch away from Mailbox.org, Proton and Tuta?

                Viewpoint0232

                Actually, I kind of liked both Proton and Tuta, but no real IMAP killed them for me. Mailbox.org has no more privacy than Fastmail, meaning pretty much none at all. They have an extensive list of "DON'Ts" and are very cozy with the feds. They don't really take any meaningful steps to minimize data retention. In my opinion Mailbox.org doesn't bring anything to the table.

                  AlanZ They have an extensive list of "DON'Ts" and are very cozy with the feds.

                  Can you elaborate on that please?

                    AlanZ
                    I have used (deep breath):

                    1. Autistici
                    2. Ctemplar
                    3. Criptext (Shut down quite recently without a word)
                    4. Cyberfear (Abandonware)
                    5. Disroot (Still using this one for some websites)
                    6. Gmail
                    7. Hotmail/Outlook (Still using this one for work)
                    8. ISP email
                    9. iCloud
                    10. Murena
                    11. my.com
                    12. Opera Mail
                    13. Posteo
                    14. Privacy Harbor
                    15. Proton Mail (My primary email atm)
                    16. Riseup
                    17. Skiff (I hate this service with a passion)
                    18. Telios (I hate this one too, they went dark for months and then broke the news that they were shutting down... on Discord)
                    19. Tuta
                    20. Yandex

                    I see little to no reason to choose anything but Proton atm.

                      AlanZ RiseUp (still using, good, not great)
                      wuseman Riseup

                      Sorry for being a bit off topic, but would anyone of you share an invitation for RiseUp?

                        sanskk
                        They disabled invites for the moment, when they reenable them I will be sure to send you one.

                        sanskk Why would you want Riseup instead of Disroot or any other email service?

                          wuseman
                          I do use a plethora of mail providers for different purposes, but I'd like to use RiseUp because of their reputation. Especially the things posted here and in the respective link made me want to use them:
                          zzz

                          Viewpoint0232

                          From Mailbox.org's T&C:

                          "When you register on our internet pages, the IP address assigned by your internet service provider (ISP) as well as the date and time of the registration are stored. This data is stored because this is the only way to prevent misuse of our services and, if necessary, to enable us to investigate criminal offences committed. [...] This data will fundamentally not be shared with third parties unless required by law or for the purpose of criminal prosecution."

                          "...or present a judicial warrant that asks for the release of mailbox contents and data logs, or order the surveillance of the user's telecommunications data."

                          the storage or the dispatch of pornographic material as defined in Sections 184-184c of the German Criminal Code (StGB) or of media listed in Section 24 Paragraph 1 of the Youth Protection Act (JuSchG) as being harmful to minors.
                          the storage or the dispatch of image, video, audio, text or other files in contravention of copyrights, trademark rights, name rights, competition rights or personal rights or of files which contain prohibited propaganda material or designators of unconstitutional organisations (Sections 86 and 86a of the German Criminal Code [StGB]).

                            AlanZ the storage or the dispatch of pornographic material as defined in Sections 184-184c of the German Criminal Code (StGB) or of media listed in Section 24 Paragraph 1 of the Youth Protection Act (JuSchG) as being harmful to minors.
                            the storage or the dispatch of image, video, audio, text or other files in contravention of copyrights, trademark rights, name rights, competition rights or personal rights or of files which contain prohibited propaganda material or designators of unconstitutional organisations (Sections 86 and 86a of the German Criminal Code [StGB]).

                            Wow, so they do read your mails in other words.

                            Just be happy that they didn't mention par. 188 StGB yet (Criticism of politicians is verboten, and yes they actually send the police to your house for calling MPs "dumb" or "fat")