418357 Can't edit the above post anymore, but there is some ambiguity I'd like to correct. Where it reads "When you create your account you generate a public/private key pair client-side, your password is used to encrypt the private key, and both are stored on a Proton server." it should read "When you create your account you generate a public/private key pair client-side, your password is used to encrypt the private key, and both the public key and encrypted private key are stored on a Proton server.". My previous post may suggest to readers that the password is stored on a Proton server, but this is not the case. The password is intended to be known only by you, and used for client-side encryption and decryption, never being transmitted to Proton servers.

    418357 Sorry, but this is misinformation. Proton uses only PGP to encrypt your messages at rest, there is no additional "standard encryption" other than the same volume encryption used by other mail services

    I was aware of Proton using encryption for the mailbox, and I was aware of PGP being used for messaging between other Proton users, but I also did not know that the mailbox was encrypted in the same way. Since Proton's website is mainly advertising with fewer technical details, it's hard for me to discern. Big thanks for this; it was not an intentional error by any means.

    418357 In all cases, Proton or an attacker can at any time access various unencrypted data and metadata such as subject lines, sender, receiver and date headers, and attachment names. Only the message body and any attached files are encrypted.

    I mentioned this in a reply about privacy policies (post #12) although with how Proton phrases and advertises their product, it gives some people the foolish impression that everything isn't accessible when that isn't sadly the case and you have to read the privacy policy just to get the bigger picture.

    As for the previous post 418357 (too long, won't quote) - sadly this just shows true but also sad examples that if you are using something tied to an online service, there will always be a chance you will be given up. When it comes to threat models where you are at risk of any service giving you up like this, IMO the best bet would just be to avoid everything capable of collecting identifiable information, or use something where your information wouldn't be at risk and with preparation to cover up if that service ever became hostile.

    Same also can apply to app developers as for the case in the second paragraph of that post, one bad update or exploitation of the Proton app and you're toast...

    As for the last parts of the last message, it's agreeable. I've constantly mentioned even in this thread that email is a completely flawed system. It would need to either be redone or replaced with something else entirely. For most of us, these services are more or less just harm-reductive alternatives rather than secure alternatives. I would still rather choose Proton over a standard email provider and do so in about 95% of my emails. While it is condemnable, it's also backed partially by the excuse of the terrible design email is built on. Business is business and their advertising is likely what made them successful and able to stay afloat in the first place.

    418357 Edit was seen only after I posted, thanks and noted

    a year later

    For what it's worth, I love Posteo, having tried over 20 other providers. IMAP compatibility is a must for me, which automatically excluded Proton and Tuta. I guess different people value different things in an email provider; Posteo's privacy policy, reliability and feature set work perfectly for my needs.

      AlanZ
      I've also used Posteo in the past. Since I don't need IMAP, I've started using Proton Mail instead.

      Have you tried ForwardEmail?

        wuseman
        No, I am going to stick with Posteo. The list of my past email providers:

        1. Yahoo (Yikes!)
        2. Gmail
        3. Hotmail
        4. Fastmail
        5. Runbox
        6. KolabNow
        7. Novo-ordo (another yikes)
        8. Mailbox.org
        9. Neomailbox
        10. Disroot
        11. Countermail (still using occasionally)
        12. RiseUp (still using, good, not great)
        13. Proton
        14. Tuta
        15. Autistici
        16. YANDEX
        17. Abv.bg (Christ!)
        18. Ctemplar (for about a week)
        19. Comcast (yeah, I know)
        20. Danwin1210
        21. iCloud

        So I am all but exhausted of switching : )

          What about Mailbox.org? They have an option to automatically decrypt the mailbox (including all incoming emails and the sent folder) with your public PGP key, which essentially is the same thing that Protonmail does.

          Protonmail requires you to use their apps on mobile, and their "bridge" on desktop to use it with a normal email client. And their web client uses JavaScript to decrypt the emails in the browser.

          Mailbox.org on the other hand allows you to use any email client that supports PGP (e.g. K-9 Mail + OpenKeychain on Android, Thunderbird or KMail on Desktop) to download the encrypted emails and locally decrypt them on your device, and for the web client they are compatible with the Mailvelope extension to decrypt your emails in the browser.

          I kind of prefer Mailbox.org's approach as it is more "open" with no requirement to use their app. Protonmail on the other hand is all set up out of the box with no thinking and tinkering needed. I think if Proton would offer their bridge for Android, I would prefer them but until then I'm leaning towards Mailbox.org because of their openness.

          AlanZ

          What made you switch away from Mailbox.org, Proton and Tuta?

            Viewpoint0232

            Actually, I kind of liked both Proton and Tuta, but no real IMAP killed them for me. Mailbox.org has no more privacy than Fastmail, meaning pretty much none at all. They have an extensive list of "DON'Ts" and are very cozy with the feds. They don't really take any meaningful steps to minimize data retention. In my opinion Mailbox.org doesn't bring anything to the table.

              AlanZ They have an extensive list of "DON'Ts" and are very cozy with the feds.

              Can you elaborate on that please?

                AlanZ
                I have used (deep breath):

                1. Autistici
                2. Ctemplar
                3. Criptext (Shut down quite recently without a word)
                4. Cyberfear (Abandonware)
                5. Disroot (Still using this one for some websites)
                6. Gmail
                7. Hotmail/Outlook (Still using this one for work)
                8. ISP email
                9. Icloud
                10. Murena
                11. my.com
                12. Opera Mail
                13. Posteo
                14. Privacy Harbor
                15. Proton Mail (My primary email atm)
                16. Riseup
                17. Skiff (I hate this service with a passion)
                18. Telios (I hate this one too, they went dark for months and then broke the news that they were shutting down... on Discord)
                19. Tuta
                20. Yandex

                I see little to no reason to choose anything but Proton atm.

                  AlanZ RiseUp (still using, good, not great)
                  wuseman Riseup

                  Sorry for being a bit off topic, but would anyone of you share an invitation for RiseUp?

                    sanskk
                    They disabled invites for the moment; when they re-enable them I will be sure to send you one.

                    sanskk Why would you want Riseup instead of Disroot or any other email service?

                      wuseman
                      I do use a plethora of mail providers for different purposes, but I'd like to use RiseUp because of their reputation. Especially the things posted here and in the respective link made me want to use them:
                      zzz

                      Viewpoint0232

                      From Mailbox.org's T&C:

                      "When you register on our internet pages, the IP address assigned by your internet service provider (ISP) as well as the date and time of the registration are stored. This data is stored because this is the only way to prevent misuse of our services and, if necessary, to enable us to investigate criminal offences committed. [...] This data will fundamentally not be shared with third parties unless required by law or for the purpose of criminal prosecution."

                      "...or present a judicial warrant that asks for the release of mailbox contents and data logs, or order the surveillance of the user's telecommunications data."

                      the storage or the dispatch of pornographic material as defined in Sections 184-184c of the German Criminal Code (StGB) or of media listed in Section 24 Paragraph 1 of the Youth Protection Act (JuSchG) as being harmful to minors.
                      the storage or the dispatch of image, video, audio, text or other files in contravention of copyrights, trademark rights, name rights, competition rights or personal rights or of files which contain prohibited propaganda material or designators of unconstitutional organisations (Sections 86 and 86a of the German Criminal Code [StGB]).

                        AlanZ the storage or the dispatch of pornographic material as defined in Sections 184-184c of the German Criminal Code (StGB) or of media listed in Section 24 Paragraph 1 of the Youth Protection Act (JuSchG) as being harmful to minors.
                        the storage or the dispatch of image, video, audio, text or other files in contravention of copyrights, trademark rights, name rights, competition rights or personal rights or of files which contain prohibited propaganda material or designators of unconstitutional organisations (Sections 86 and 86a of the German Criminal Code [StGB]).

                        Wow, so they do read your mails in other words.

                        Just be happy that they didn't mention par. 188 StGB yet (Criticism of politicians is verboten, and yes they actually send the police to your house for calling MPs "dumb" or "fat")