For some reason I have it in the back of my mind that they were at one point accused of being a honeypot for US intelligence because of their association with MIT. Probably complete BS, but maybe not. Are they as open source as they claim to be? Looks like they’re on github. F-Droid seems to think they have some Google libraries or whatever that they use.

ProtonMail users, how do you like/dislike it?

  • hedge@beehaw.orgOP
    4 months ago

    On the open/closed source issue: how do they stack up against things like Tuta and Signal? The latter I heard was not actually completely open source.

    • thegreekgeek@midwest.social
      4 months ago

      If you want open source encrypted messaging, try delta chat. It’s an email client that’s styled like a messaging app, and it works with most email providers.

      Edit: a word

    • Handles@leminal.space
      4 months ago

      AFAIK Signal are pretty much FLOSS, they’re just keeping their cards extremely close, to the point of turning into a data silo.

      • Moxie Marlinspike famously nixed the LibreSignal app and demanded they stop using Signal servers.
      • And last I heard Signal can but refuses to federate with other servers, so their available server code might as well be closed source. That is, you can set up your own Signal server but you can’t connect to the network that others use…
      • Zworf@beehaw.org
        4 months ago

        Federation no longer works, no. They did have it at first but Moxie hated it because it was harder to push new features.

        But you can use other clients. It’s not expressly allowed and LibreSignal stopped their development, but they’ve never actually banned anyone for doing it. I use the Matrix bridge to Signal and I’ve never seen issues with it.

        Also, Moxie doesn’t work there anymore so their attitude might be changing. I hope so, as having an official option to use third-party clients and bots (for the latter see Telegram where they add a LOT of value to group chats like live transcription or translation) would really make the platform a lot more viable for me. As it is now I hardly use it and I never recommend it because I don’t see the point of replacing one walled garden with a slightly nicer looking one that is still nonetheless a walled garden.

        I really like Matrix but normies tend not to grok it because they need a username and password. Weird, because Discord and other services do too and they manage to use them fine. But whatever. I’ll just bridge all their shit.

  • onlinepersona@programming.dev
    4 months ago

    Only thing would be the closed source server and no third party apps. They do have an API, but I haven’t found anything written on top of that.

    I’m not entirely sure why expected a user-owned private key 🤔 How do they ensure zero knowledge if you send them the username and password?

    CC BY-NC-SA 4.0

  • MangoKangaroo@beehaw.org
    4 months ago

    My experience has been fine. If you go into Proton Mail with the understanding that you’re doing it to stop Google from data mining your email, and not for the sake of truly private/anonymous email, you’ll have a good time. The aliasing feature is super nice as well.

  • gortbrown@lemmy.sdf.org
    4 months ago

    My only major complaint is their free-tier is a bit lacking compared to what Skiff had (or I guess has, but not for much longer.) I think their platform is great, and definitely worth paying for, but given I’m a broke college student that’s not much of an option. Also their support for third party clients (or lack thereof) isn’t great, though I don’t use those as much. Otherwise I like it quite a bit!

  • CaptObvious@literature.cafe
    4 months ago

    Proton fell into the black hole when they pitched to replace Gmail on Huawei phones. Being eager to do business with the CCP was a dealbreaker.

    That said, I have a Tuta account. I don’t use it for everything, but I have no complaints.

  • freedomPusher@sopuli.xyz
    3 months ago

    I’m on the edge of quitting protonmail. The issues:

    • #CAPTCHA hell. At least for Tor users.
    • no app in f-droid
    • API shenanigans and/or CAPTCHA breaks hydroxide (the foss bridge)
    • protonvpn: you can no longer fetch all the configs in one download. You have to click “download” >120 times now to get all the configs
    • account locks if you do not login frequently enough (I think every 6 months)
    • if you supply your login creds but get a CAPTCHA and say fuck this, and walk, it does not count as a full login needed to reset the expiration clock
    • the CAPTCHAs are graphical which forces you to enable images in your browser; but when you do that you get images that junk up your screen and waste bandwidth
    • no public keyring. Hushmail was better in this regard. An advanced user could upload their PGP public key to Hushtools and then encryption just worked for hushmail users contacting that person. After Hushmail started charging, I would tell the normies who need comms w/me to get a gratis Protonmail account. But then I have to send them my public key and they have to figure out how to attach it to my profile in their phonebook. It’s a show-stopper in many situations.
      • freedomPusher@sopuli.xyz
        3 months ago

        Protonmail failed to satisfy F-Droid’s inclusion criteria because it requires gms (playstore framework) and because it uses Firebase messaging.

        Since I’ve disabled gms in my device I’m not sure how Protonmail would work for me. Someone tells me I might simply lose push notifications capability. But I am confused because Snikket pushes notifications just fine on my device.

  • helenslunch@feddit.nl
    4 months ago

    If you’re looking exclusively for reasons not to use them:

    • They advertise to pro users
    • They complied with a Swiss warrant to give the IP of a climate activist (but probably anyone would)
    • Their customer service is atrocious but so is everyone else’s
    • They don’t pay attention to their own service for feature requests
    • Lots of fragmentation of features on different platforms
    • Linux is a bit of a second class citizen

    But overall they’re pretty great.

        • hedge@beehaw.orgOP
          3 months ago

          As far as I can tell, the Linux desktop client doesn’t have it yet, but has been promised.

          EDIT: Ok, duh, on Linux Mint under System Settings>Themes>Settings>Miscellaneous Options, Dark Mode I selected “Prefer Dark” and voila: Dark. Proton’s the only app I have that that setting seems to have any effect on . . .

            • hedge@beehaw.orgOP
              3 months ago

              Could you tell me where the setting is? I haven’t been able to find it.

              • helenslunch@feddit.nl
                3 months ago

                It seems to be missing from the official app. But I believe it is an account-wide setting. So log into your web interface and change it from there and it should reflect on the app.

  • jarfil@beehaw.org
    4 months ago

    General rule of thumb:

    1. Web: can change at any moment, can serve a highly secure mail web app… except to those it might decide to target, giving them zero notice, leaving close to zero trace.
    2. Electron based “app”: if it can run random JS from the web, see first point.
    3. Compiled app: to change its way of working, the user needs to update/download a different version. An explicit user action is required, people can notice malicious changes and warn others about them.
    4. Compiled open source app: same as a compiled app, except people can also notice malicious changes before running the code, fork it to remove them, compile it themselves, and warn others.

    ProtonMail touts itself as a “secure web app”, which is a contradiction.

    If you use an open source app to access ProtonMail’s service, the security lies in whatever app you use. At that point, might as well send E2E encrypted mail via GMail.

    TL;DR: the way most people use it, is just security theatre.

    • Atemu@lemmy.ml
      4 months ago

      At that point, might as well send E2E encrypted mail via GMail.

      From a security stand-point: Yes. From a privacy standpoint: Absolutely not.

      • jarfil@beehaw.org
        3 months ago

        Both privacy and security are the same in either case:

        • Both servers know who’s connecting
        • Both servers see the connecting IP
        • Both servers know the source and target mail addresses
        • Neither server knows the message’s content
        • Neither server controls the client’s app

        The moment you go off-VPN, or use a webapp, security goes out the window.

        Privacy, as in social network/contacts, goes out the window the moment you use a fixed email address; more so if it’s associated to your IRL identity.

        • Atemu@lemmy.ml
          3 months ago

          There’s a large difference between surrendering massive amounts of highly critical metadata as well as some data* to a known abuser vs. an entity that prides itself in not abusing your data and which even takes specific technological measures to make it as hard for them as possible (zero access encryption at rest, automatic key discovery).

          (* Partial social graph, interaction timestamps, political interests, health, hobby interests and much of that usually even in plain text data form when receiving email; stored in plain text forever.)

          • jarfil@beehaw.org
            3 months ago

            known abuser vs. an entity that prides itself in not abusing your data

            Right, “don’t be evil” 🙄. Corporations are corporations.

            zero access encryption at rest, automatic key discovery

            Also called “encryption”. Just so we’re on the same page:

            • 1991: initial release of PGP
            • 2016: initial proposal and implementation of WKD

            Enigmail for Thunderbird supports both since 2018. The mail service, be it ProtonMail, GMail, Outlook, etc., is irrelevant regarding security or privacy.

            • brisk@aussie.zone
              3 months ago

              FYI Thunderbird now natively supports PGP (and possibly WKD?) without the need for Enigmail.

    • helenslunch@feddit.nl
      4 months ago

      no one can ignore a court order.

      They don’t have to ignore it, just go to court to fight it. Apple has done this. To be clear I have no idea if they did or did not do that or what their chances of winning would be.

    • smeg@feddit.uk
      4 months ago

      Doesn’t Proton specifically provide instructions for how to use proton mail via proton vpn (and/or tor, discussed in the article) to provide extra privacy against IP-demanding court orders?

      • Atemu@lemmy.ml
        4 months ago

        Doesn’t Proton specifically provide instructions for how to use proton mail via proton vpn (and/or tor, discussed in the article) to provide extra privacy against IP-demanding court orders?

        That would be rather short-sighted or disingenuous as they would then simply be forced to log their proxy too.

        • smeg@feddit.uk
          3 months ago

          Not according to the article at the top of this thread:

          Proton does also offer a VPN service of its own — and Yen has claimed that Swiss law does not allow it to log its VPN users’ IP addresses. So it’s interesting to speculate whether the activists might have been able to evade the IP logging if they had been using both Proton’s end-to-end encrypted email and its VPN service.

          “If they were using Tor or ProtonVPN, we would have been able to provide an IP, but it would be the IP of the VPN server, or the IP of the Tor exit node,” Yen told TechCrunch when we asked about this.