Switch to something like https://protonmail.com/, it's based in Switzerland, open source and with a focus on privacy/security. Plus it works very well. There are other good alternatives too.
For things like encrypted VOIP/chat software, file sync software, etc..., https://www.privacytools.io/ has a very good list.
This is a good question. Essentially, unless you are located on a ship 100 km offshore, you will have to fall under the jurisdiction of some country and must follow the laws of that country. Almost all countries require companies to assist in some manner in criminal investigations, and Switzerland is no exception.
This is the reason why the choice of Switzerland matters. In Switzerland, we have intentionally picked a jurisdiction where we believe there is a strong cultural and institutional respect for privacy, which extends both to the laws and the behavior of the courts and law enforcement. This means that in the example that you bring up with a journalist or activist, it is rather difficult to get a Swiss court to consider such a person to be a criminal.
In all cases, our legal team also reviews all requests and will also fight certain requests that we believe may be improper. In the event that a court order does get approved, we are also quite limited in what we can provide given our policy of collecting as little user information as possible, and using zero access encryption for all emails stored on our servers. Full details about what we can provide can be found in our privacy policy: https://protonmail.com/privacy-policy
Slightly misleading title. Not provided by CERN, ProtonMail was founded by a group of ex-CERN scientists, now running on their own money, an Indiegogo campaign plus venture capital from CRV and Fongit Seed Invest (a startup/innovation funding tank for the canton of Geneva). The MIT venture people advise them.
Source: https://protonmail.com/about
I'd like to take this chance to say fuck Protonmail. They claimed "we have been strong proponents of open source software" back in 2015. Their mobile app and bridge are still proprietary, so you can't actually check your protonmail account outside of a browser without proprietary tools. I suspect they always will be while Protonmail claims the code is moving too fast to open source. If Protonmail was honest, and simply said "Some of our shit is open, some is proprietary. We will make efforts to open more code in the future." I'd not have an issue with them. But, they outright claim to be an open source company when they're not - they're just vultures using our buzzwords as their dinner bell.
Actually, we have been exempted from the new law, you can find details here: https://protonmail.com/blog/swiss-surveillance-law/
To answer your question, let's say you live in the US. Our traffic would first pass through Swiss networks, then German networks, before going through US networks, and to your home. The German and US networks are being tapped and monitored by the NSA (which is why we encrypt everything before it hits the network). Now, Switzerland's tiny surveillance agency is possibly tapping the traffic between Switzerland and Germany. Is this concerning? Yes, definitely. But in the grand scheme of things, the NSA tapping is the more problematic one, which is why, from this perspective, we are not too concerned about what the Swiss government may be doing.
Google is definitely in bed with the U.S. government.
ProtonMail is an easy-to-use encrypted email service that the U.S. government couldn't hack into.
Read the story below of how ProtonMail was nearly put out of business when they suddenly dropped from Google's search results.
If you are inside Google, and you know of other shameful schemes, LEAK it! Your info. could go from the inside of Google to worldwide news in 24 HOURS!
SecureDrop, ProtonMail and Wikileaks are safe and easy to use.
ProtonMail is safe against the efail PGP vulnerability. The real vulnerability is implementation errors in various PGP clients. PGP (and OpenPGP) is fine. Any service that uses our @openpgpjs library is also safe as long as the default settings aren't changed.
The correct response to the efail vulnerability is not to stop encrypting, but to use clients that are using secure implementations of PGP.
It is not correct to call Efail a new vulnerability in PGP and S/MIME. The root issue has been known since 2001. The real issue is that some clients that support PGP were not aware for 17 years and did not perform the appropriate mitigation.
Werner Koch (GNUPG author) has a good write up about the efail issue. https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html … We agree that the @EFF warning is overblown and disproportionate, and likely issued without fully understanding the issue. It was irresponsible for the researchers to not correct that.
Efail is a prime example of irresponsible disclosure. There is no responsibility in hyping the story to @EFF and mainstream media and getting an irresponsible recommendation published (disable PGP), ignoring the fact that many (Enigmail, etc) are already patched.
While we think that stories claiming "PGP is vulnerable" are inaccurate (since the issue was reported in 2001 and is a client side problem), we do take the Efail bug seriously. The researchers have said ProtonMail is not impacted. We are performing independent confirmation also.
Edit: Blog post with full technical explanation: https://protonmail.com/blog/pgp-vulnerability-efail/
This has been coming up more and more lately. For Facebook, too. But for some reason people dub these stories as "conspiracy theories."
Really? You don't think Google or Facebook would be capable of doing this without really telling us about it or disguising it as some "user experience" feature? The technology is certainly there already.
Anyways, op, I recommend you go to Google My Activity, then "Delete activity by", go back 10 years or so and delete everything Google has on you, until all it shows is an empty page there. Then "pause" all of Google's tracking for various services. This is what you should have paused:
- Web & App Activity
- Voice & Audio Activity
- Device Information
- YouTube Watch History
- YouTube Search History
I also recommend you stop signing in to Chrome. You can still install extensions from the store without being signed-in. For password syncing you can use LastPass (free on mobile, too, now), and maybe find an alternative for bookmark syncing, too, if you need it.
You can also use the "ublock origin" extension to block tracking such as Google Analytics or Facebook Like (on the web). If you want to move away from Gmail, too, ProtonMail is a great alternative, and much more secure/private.
We actually object pretty strongly to this characterization. Like all small companies, we have limited resources, and open sourcing code requires a lot of work, such as proper documentation, code organization, and making it ready to accept pull requests. This is not easy on a code base that is rapidly evolving and changing.
Where have our resources gone you might ask? Well, the answer is to other open source projects. For example, OpenPGPjs, the world's most widely used OpenPGP library which powers dozens of other projects: https://protonmail.com/blog/openpgpjs-3-release/
If this doesn't show a strong commitment to open source, we're not sure what does. As we have always said, building secure encryption libraries and protocols (for example, OpenPGPjs was one of the only PGP implementations not impacted by Efail and already with AEAD support) is extremely important for making privacy ubiquitous.
Our support of these initiatives comes at the cost of the resources we could have used otherwise to prepare some of our applications for open sourcing, but we prioritized in this way because developing secure, open source encryption libraries delivers more benefit to the world.
This does not mean that we are not going to open source our mobile apps or the ProtonMail Bridge, it is just going to take longer as it will have to wait until we shift our limited development resources from core crypto libraries back to clients.
We don't think this means we aren't committed to open source. Quite the contrary actually - we are so committed to open source that we've put community projects ahead of our own projects. And this commitment has allowed us to support a community of users that is well in excess of the millions of people who use ProtonMail and amplify our impact.
Microsoft Office 365 / Outlook email are actually getting really nice and competitively priced with GSuite for many more features. Sure the people that run the company are democrats, but they aren't blood thirsty and they do their best to keep quiet about it.
https://protonmail.com/ also has some pure email paid options that are very secure and high quality.
You should already have a couple of fake Twitter accounts for the upcoming Meme War 2018! Stop lagging behind pede!
Tools you’ll need (and should always use normally anyway):
> Please note that once your account is deleted, there is no way to recover or recreate it. We do not recycle usernames, which means the same username will be not available in the future.
Source: https://protonmail.com/support/knowledge-base/delete-account/
There are a couple things that we have heard people mention.
First, we're a bigger company, more reliable, more likely to be around long term.
Secondly, our webapp and mobile apps are more polished and much easier to use.
Third, we are standards compliant. For example, we are the core developers behind OpenPGPjs and play a big role in driving the future of the OpenPGP standard.
Fourth, Swiss jurisdiction is generally better for privacy
Fifth, we have a strong scientific/research background, and we focus a lot on research, which allows us to do security on the cutting edge. For example, our authentication system and how we improved upon SRP: https://protonmail.com/blog/encrypted_email_authentication/
FYI, ProtonMail is quite nifty for reasons I won't bore you with. Painless, feature-rich and privacy-centric.
What I've done is to create an account there, starting to use it with just close friends, then family, then looser friends, then colleagues, then work. Gradually transitioning isn't as painful or as much work.
You can always go back and see any stragglers of your old address, since they'll be the only ones showing up there.
I did this when I transitioned from Yahoo! mail to Google, then from Google to ProtonMail.
We have full support for the OpenPGP standard, so we are fully interoperable with any email service that supports PGP. We feel strongly that encryption shouldn't be a walled garden, but should instead be part of a federated system. You can actually read more about our thoughts on this here: https://protonmail.com/blog/address-verification-pgp-support/
That's false, their CEO is Andy Yen: https://protonmail.com/about. They're also not Lithuanian ("...registration data of Lithuania"), they're Swiss. They have an excellent reputation with ProtonMail.
New York City, Paterson NJ, and Chicago have large Jordanian communities. It might be worth looking for LGBT communities in these areas. Detroit has a large middle Eastern community as well but the area isn't as economically robust as NYC or Chicago.
Maybe this organization can help point you in the right direction. https://www.ilrc.org/lgbt-immigrant-rights
Lastly might I suggest an email account that's secure in case your parents get ahold of any of your mobile devices or computers. You wouldn't want them reading your emails. Proton mail is quite good because you can encrypt your mailbox. https://protonmail.com
Good luck
I was once a protonmail but they've recently turned to the cuck side of the force. blog posts like this and another on "hate speech" made me drop it. I don't want SJW's anywhere near any of the tools I use.
Or maybe you're not looking hard enough.
Google was quite anti-competitive with Google Shopping because it downgraded its competitors sites in the search results.
Or how about the time it downgraded ProtonMail's site for a year?
And I can give you some examples from the Android world, too. The fact that Google will kick-out OEMs if they dare to build devices with forked versions of Android.
Or how about the fact that Google doesn't allow ad-blockers in its Play Store? It's a conflict of interest because Google makes money from ads, so it uses its power over the Android platform to ban apps that would hurt its profits in any way.
Also Google killed Skyhook, a navigation competitor.
These are just examples that I remember right now, but I could probably give many more with a little bit of research.
The problem with PGP email is that it requires your recipient to have and use PGP software to decrypt the message. 99% of humanity doesn't want to learn how to use another layer of software.
There are "encrypted email" services out there, such as Hushmail. When one user sends email to another on the same service, the email can be encrypted and decrypted without any special action by either user. Sending mail to a recipient outside the service, say to Yahoo Mail, means the mail can not be encrypted by Hushmail.
Protonmail has a workaround for this. When you send mail to someone outside Protonmail it is encrypted and stored in a web page. A one time only link is generated and mailed in plain text to the recipient. When the recipient clicks the link the page is delivered and decrypted in client side javascript.
tl;dr There is no universal solution to web based encrypted email. I'd be thrilled to learn that I'm wrong.
EDIT because my poorly composed comment is not very accurate:
Swiss-based Protonmail or German-based Tutanota. I'd recommend Protonmail but there are plenty of alternatives.
Or how Google accidentally suppressed search results from a privacy-focused gmail competitor for a year
https://protonmail.com/blog/search-risk-google/
The parent comment in this chain says that Google obviously isn't doing anything funny with photo ads because there'd be a shitstorm about it, but Google has learned that they can survive "mistakes" like this pretty much unscathed.
Several. I think someone more crypto-elite will give a better answer, so I'll be brief and check back later:
Your email account is much more difficult for an outside agent to access. They're not going through your email (like Gmail is with keyword searches and hash comparisons), they're not responding to subpoenas (like Yahoo did when China wanted to read the accounts of dissidents), and they're not creating a profile of you based on other behavior and login habits (like everything Google, everything Facebook, and many other websites).
If they wanted to, they couldn't read the email in your account because it's encrypted and they don't have the key.
Despite this, they've got a warrant canary. https://protonmail.com/blog/transparency-report/
That's all pretty good by itself.
Also, if you know you're sending a specific contact using non-Protonmail an email you want specially encrypted, you have that option at the bottom of your screen. You'll just have to tell them the password somehow. If they have PGP capability, that makes it possible to do things remotely, but at this point we exceed my knowledge.
There are a couple other benefits.
First, your entire inbox is stored with end-to-end encryption, so even emails you get from non-ProtonMail contacts are encrypted before they are saved into our database, and we have no way to decrypt those messages.
Furthermore, since we are outside of the US and the EU, we aren't subject to mass surveillance programs like the NSA, GCHQ, etc. We don't have much we can turn over anyways, but we also avoid issues such as what happened with Yahoo: https://protonmail.com/blog/yahoo-us-intelligence/
This is a good question. We wrote up a not too complicated explanation of Gmail vs ProtonMail from a security and privacy standpoint. It also addresses the other benefits of ProtonMail even if you don't have end-to-end encryption with non-ProtonMail users.
If you are going to do this research, you should protect against your search history and email being reviewed by others. ProtonMail can provide encrypted email. A Tor Browser and a VPN can protect against your history being discovered.
It's offshore and encrypts the e-mail, so even if they were lawfully willed into giving up data, it'd just be encrypted blobs.
Edit, also check out Signal messaging app if you haven't already. Signal was founded by an outspoken anarchist, Moxie Marlinspike
Visionary member here: import/export feature was released to all visionary members for testing so I can confirm this feature is coming soon.
https://protonmail.com/support/knowledge-base/how-to-export-emails-from-your-protonmail-account/
No, they did reserve themselves the right to eventually do that, but they don't practice it right now.
So they may close free accounts if they are inactive. But currently they don't do that at all.
Here's the line from their ToS:
> Although it is not the current practice now, we reserve the right to suspend or delete accounts that are inactive for over three months. This does not apply to paid accounts. Paid accounts are never subject to deletion as long as their paid status is active.
Google doesn't do the "Zero Access to user data" AFAIK
EDIT: Another thing they advertise is the Legal environment is an advantage
I like this new trend. Hundreds also protested in Switzerland and now the Swiss are having a nationwide referendum. Photos of the Swiss protest here: https://protonmail.com/blog/swiss-surveillance-law-referendum/
> premium prices
This is why I'm considering possibly not renewing.
I really like ProtonMail, I've been a paying member for 3 years. I also donated bitcoin in the past.
But I'm paying $50 a year for a privacy-enhanced service where I still can't import PGP keys.
I feel like that should be a main priority.
Meanwhile the last big release focused on snooze notifications.
Like I'm sure it's nice to have snooze notifications, but why not focus on PGP first? The whole reason people use protonmail is for privacy.
I get that emails are encrypted at rest, and that's nice, but 90% of my outgoing mail is still in plaintext because I can't import anyone's PGP keys.
The only option is to send an encrypted link, which expires. Seriously, at least make it so that there's no message expiration until you have PGP fixed.
Sorry to rant, I really think they are doing great work, I'm very proud to have been a paying member, just a bit frustrated with the direction it's going.
> We're talking about a company that is not fully open source, logs your mail, and refuses to allow you to use Thunderbird
You can stop spreading fake news.
> The final nail in the coffin for me is this page right here: https://protonmail.com/blog/transparency-report/ Can I draw your attention to this sentence: "After reviewing the relevant evidence forwarded by US authorities, criminal intent was apparent, so Proton Technologies AG decided to comply with the data request"
WTF. Didn't they claim to be a service standing up for activists and journalists around the world? Do these imbeciles think trying to subvert state power is legal anywhere? Or that countries like Turkey or the US will actually tell the truth about a user when they request that user's data? This is outrageous.
> The primary risk is domain name seizure which can occur if the US government bypasses the Swiss court system and directly seizes protonmail.com by serving a court order directly to VeriSign. In this case, ProtonMail could lose control of protonmail.com and the US could gain access to emails sent to protonmail.com after the seizure through directing all email sent to protonmail.com to a different server.
Even if I don’t expect this to happen, I prefer to use .ch
I recommend ProtonMail, I switched over 100% from Gmail to ProtonMail and I love it. Encrypted mailbox, end-to-end encryption to other ProtonMail users and encryption to non-PM users by setting a password (just tell them the password by some other means). It's based in Switzerland so it's secure against NSA requests and just about every other government. They comply with Swiss government orders but those are notoriously few and far in between. But just in case here's their transparency report about what they've received and complied with https://protonmail.com/blog/transparency-report/. IMAP support is in beta right now (ProtonBridge for anyone who hasn't heard) so you'll soon be able to use it with any client
The team also frequents /r/ProtonMail and they (and we) are really helpful there
https://protonmail.com (on mobile otherwise I'd link properly)
"Somewhere" seems to be a stupid place full of bs. Would love to see that source.
Protonmail is extremely well respected and on the forefront of the battle against spam, fraud, and other kinds of abuse. They are extremely cooperative towards law enforcement, even going so far as to help foreign law enforcement to use the right Swiss channels so that they can comply with the requests legally. Last year they received 338 requests from law enforcement, contested only 4, ultimately complying with 336 requests (from their transparency report).
If anything criticism usually comes from the other side, that Protonmail is too friendly to law enforcement or that it's getting harder and harder to register anonymously due to their anti abuse measures.
When some sites block Protonmail it says more about the incompetence or laziness of those sites than about Protonmail, in my opinion.
This exact situation is what you, Proton, warn users about. When digging into the backings of a VPN company, if the user finds things that are "shadowy" and don't add up, then the user should not trust that VPN provider. https://protonmail.com/blog/trusted-vpn/
ALSO: In that exact same blog post, you (Proton) smear PIA by linking them in a blog posting by saying they go through great length to hide where they are located. They have never hidden the fact they are based in the US, and they have postings about them being in the US on their site. FURTHERMORE, on another blog posting, you say you have proof that some other VPN provider is working with an intelligence agency, but REFUSE to say who it is! On the onset that spread FUD about your competitors, and if you have proof and refuse to present it, you are willing and allowing users to be harmed. As a company that talks so much about privacy, I would think it would be your position to protect as many people's privacy as much as possible.
ProtonMail datacenters are entirely in Switzerland. If you do a traceroute, sometimes in the route you will find an IP belonging to Radware.
Radware is our DDoS protection provider, you can find more details here: https://protonmail.com/support/knowledge-base/protonmail-israel-radware/
DDoS protection is on now because we got hit hard this past weekend.
Don't use Gmail/Google Search. And if you need to use YouTube, do it without an account and regularly clear your youtube cookies!
For mail you could use https://protonmail.com/security-details For search, use duckduckgo.
No and Nothing. Because nothing resides on Apple's servers. They'd have to serve YOU the warrant and have YOU unlock the phone. In fact, it's safer to use the app than a browser.
Here's PM's description of their iOS security: https://protonmail.com/blog/ios-security-model/
Here you go mate:
> You further agree to not use ProtonMail to send Spam, junk mail, bulk emails or mailing list emails that contain persons that have not specifically agreed to be included on that list. Any account found to be sending the aforementioned type of emails will be immediately suspended.
Generally because of privacy. Privacy is extremely important for a functioning democracy. https://whyprivacymatters.org/
And here are also some reasons: https://protonmail.com/blog/protonmail-vs-gmail-security/
Proton mail ( https://protonmail.com/ ) does not require any personal information to create, and its storage is encrypted. You can create and access an account from tor too if you need to hide your ip.
Ok so Protonmail has a public keyserver you can see the release note here: https://protonmail.com/blog/address-verification-pgp-support/
Now if you query the server with this url: https://api.protonmail.ch/pks/lookup?op=get&search={username}@{domain}
Replace {username} with actual username and {domain} with the correct domain in your case:
The browser will not provide a renderable website; it should only provide you with the public key file and a download prompt. To download the said public key named pubkey.asc, open it in a text editor and compare it.
Click on the down arrow icon next to the email and click "Trust Public Key"; you can download the public key the sender uses there.
Yeah, they already say in their privacy policy that while they do not permanently store your IP address, they may temporarily store it to combat fraud and abuse, which is what you're trying to do. You should instead be asking them how long IP addresses are stored...
Yes.
The thrust of his argument is that a web app isn't tamper-evident enough. A compromised or coerced employee at ProtonMail could deliver malicious code to specific users, and no one would be the wiser.
Now there's ProtonMail Bridge, and ProtonMail apps.
ProtonMail Bridge ~~is~~ will be Open Source. It handles all the encryption completely on your desktop and creates a local IMAP server so your desktop mail client can connect. Since it's a regular desktop application, it would be more difficult for a coerced ProtonMail employee to deliver a compromised version to you.
ProtonMail's apps for iOS and Android are similar in that respect. They're distributed via iTunes and Google Play, so again, a compromised client would probably be noticed by someone, because everyone has the same client they download and install.
>In August 2017, we received a request for assistance from the government of Turkey that was passed to us through the Swiss Federal Police. We rejected the request on account of the Turkish government’s human rights record and will take the case to Swiss courts if the Turkish government files for an international proceeding.
So it seems you have done something their terms of service to the extent that law enforcement has been involved. Given all of these things are explicitly covered in their ToS, what is surprising to you?
ProtonMail has hourly and daily sending limits. These are intended to stop a new or compromised account from being used to spam. They're based on your account's normal use and subscription, so they vary, but the suggestion for a free account is 50 messages per hour and 150 messages per day. For this purpose one e-mail with 24 recipients is actually counted as 24 separate e-mails, but it sounds like it still shouldn't be a problem.
The Terms and Conditions note:
>Due to their nature, the paid Services provided by the Company are generally non-refundable and any refunds or credits given will be at the sole discretion of the Company.
Eh I guess you can reach out to the support team and ask for advice on your options.
So short version is:
If you are using the webmail client (not the mobile app or a mailclient like thunderbird) a secret key will be stored on the Protonmail server. Thus if the Protonmail servers are compromised and if you are using a weak password that can be realistically brute forced, a possible malicious actor that has access to the protonmail server can decrypt your communications.
The paper does not really say anything new though. That is exactly how it is described by Proton: https://protonmail.com/support/knowledge-base/how-is-the-private-key-stored/
I am no expert though... am I missing something more important?
I pay for priority support as well. When I asked why I wasn't getting it, they told me I should file a support ticket on their website. https://protonmail.com/support-form
While I believe they should provide priority support via email as well, apparently they don't.
u/ProtonMail you need to make that more obvious.
According to WP29 guidelines, right to portability doesn’t give to the user a right to necessarily obtain all their data summarized in a single document for example.
Access with a sufficient way to copy and/or download data should be sufficient, as long as it is exhaustive on personal data.
https://protonmail.com/support/knowledge-base/export-import-emails/
Read "Effective Spam Filtering with Encrypted Email".
> There simply isn’t any foolproof method for defeating spam. Thus, if spammers don’t know how we are blocking their messages, it makes it much more difficult for them to find a workaround. This is why we cannot publish detailed specs of how our spam filters work. It also means we cannot open source our backend server configs which contain our spam filter settings.
Edit:
It should be noted that emails sent from PM to PM are encrypted and ProtonMail service can't analyze the content: plaintext, images and links. This can be a relevant issue, because the most powerful spam filters rely on that data to flag an email as spam or scam, where the last can be potentially more harmful than the first. Possible workarounds*:
1. count how many emails a PM account sent, and how many of his emails were flagged as spam by the PM accounts recipients. If the ratio hits a threshold, the account can be flagged as spammer.
2. by reporting as spam, the user could allow the email to be forwarded to PM database so they can read the content and analyze it. All at the discretion of the user.
Edit: suggestion: read Spam Nation by Brian Krebs.
* - My thoughts; so not saying it works this way.
I think it's in their privacy policy... The mail will be deleted immediately from production servers but it could be that it's still in backups for one or two weeks after that.
Edit:
> #Data Retention
> When a ProtonMail account is closed, data is immediately deleted from production servers. Active accounts will have data retained indefinitely. Deleted emails are also instantly deleted from production servers. Deleted data may be retained in our backups for up to 14 days.
It's a service like gmail/yahoo/hotmail except encrypted end-to-end, and based out of Switzerland
https://protonmail.com/
It's the same type of service as Edward Snowden used to send the NSA dumps to wikileaks
Howdy. The concept of defense in depth is that to prevent any sort of attack you need layers of defense to thwart different types and degrees of attacks. Keep in mind that nothing will secure you completely. ANY security measure you take is only making it harder for someone to spy, crack, infiltrate, etc.
VPN among other uses is preventing someone from reading your traffic in flight, say, at your ISP. You are correct the VPN does nothing for traffic once it leaves the VPN. That doesn't mean a VPN is pointless, in fact the VPN did its job and protected traffic on the tunnel.
If you have sensitive Email you need to look into end-to-end encryption with Email clients. Then an E-mail provider with transport layer security and encrypted storage. Of course even with that you still have weak points.. for example you could have a keylogger on your system logging what you type when you are composing the E-mail on your system. That one weak point doesn't make the rest of the security pointless if those efforts are covering your primary threats.
The point is, determine where the threats are and if you need to address those threats then do what you can. Every bit helps. Think in degrees and stages of defense, not in a binary on/off way. Think CASTLE, with moat, outer wall, inner wall, guards patrolling, etc.
BTW Proton mail (https://protonmail.com/) is an interesting secure (more secure than many) Email provider. Research it and check it out.
I'm going to add one thing that I came up with as my business travel expanded - scan your passport's ID page, drivers license, possibly health records, insurance etc. etc. etc. and keep those scans/pix* in a secure account - Proton Email is still free, is encrypted (you have to enter an encryption key after the password) and based in Switzerland. You can just email this to yourself and let it sit there.
Why do this? If you're in real trouble and have to contact someone, find your way home or if some other calamity happens, you may need to contact a consulate and prove who you are. If your stuff has been stolen, this can get difficult, particularly in this security-conscious day and age.
Good luck - I did something like this one summer when I was 19. Really changes your view of the world and how little you really need to be a content person. It also highlights how changing your location won't change you unless you let it.
*If this information is kept as picture files without descriptive labels (or with misleading ones e.g. "Picture of mom"), it will be more likely to be ignored by hackers' bots looking for data strings with known patterns (social security numbers, credit cards etc) in the unlikely event that the accounts are compromised.
This question is so common it has its own article https://protonmail.com/support/knowledge-base/what-is-the-difference-between-protonmail-com-and-protonmail-ch/
Bookmark this link:
https://protonmail.com/download/current_version_linux.json
It'll have a link to whatever the latest is.
Of all the things people bitch about when it comes to ProtonMail - this is the one that grinds me the most.
It'd be so fucking simple to just make this publicly available or available to users who have a plan that supports Bridge. But they're petulant little dickheads over this issue, and every excuse they've given is shit. Honestly.
I can get onboard with the fact that calendar or drive is taking a long time, or that it took a while to get contacts right.
I can be patient as all hell while they open source aspects of their software piecemeal. Hell - as long as it's truly end-to-end encrypted, I can even be tolerant of them not open sourcing some things like maybe mobile clients or something, so they can maintain a model allowing them to sustain themselves.
But this.. this... just post the fucking URL you fucking dolts. JFC.
Using the @pm.me address is not a separate account, it's just a shortened email address for your account. (You must have a paid account to send using the @pm.me address.) https://protonmail.com/blog/pm-me-short-email-domain/
If Freda sends an email to you at and Ichirou sends one to you at , you'll see them both in your inbox.
There are no 2 accounts to "toggle" between.
I can understand the reasoning here, however this should be communicated much more clearly on the website
https://protonmail.com/blackfriday
there is no statement that this deal applies only to new customers. Then I log into my account and see a pop-up with the exact same layout/details, but the price changed, no explanation, so this was very confusing.
Can you try to do this in a browser without extensions (or use incognito/private browsing mode)? This may be a conflict caused by the plugins you are using.
If you continue to encounter this, we would be interested in digging more into this, so please let us know here: https://protonmail.com/support-form
I use ProtonMail. It sends and receives encrypted mail, blocks 3rd party content from loading in your emails unless you allow it. It's free, but there are tiers for extra storage, etc.
Plus it's open source and based out of Switzerland.
You can find details about this in our transparency report: https://protonmail.com/blog/transparency-report/
First, all emails are PGP encrypted, so we can't hand over decrypted emails.
Second, we will comply with Swiss court orders in criminal cases. Using ProtonMail for illegal purposes is against terms and conditions. However, the first point above holds in all cases.
well if you had implemented DEVNULL you wouldn't have to worry about diskspace any time soon. just about customers who send you angry support tickets. well i suppose you could just devnull those, too... endless possibilities :D
Came here to say that ProtonMail is working on something called Bridge to solve the IMAP/SMTP issue.
> The ProtonMail Bridge is an application that runs on your computer in the background and seamlessly encrypts and decrypts your mail as it enters and leaves your computer. It allows for full integration of your ProtonMail account with any program that supports IMAP and SMTP such as Microsoft Outlook, Mozilla Thunderbird and Apple Mail.
So ProtonMail's addressed this before, it's false. Here's an excerpt
>The statement that ProtonMail traffic is proxied through Israel is also false. When traffic is redirected during a DDoS attack, ProtonMail traffic goes through DE-CIX in Frankfurt, Germany. This can be seen by doing an IP lookup of the last hop of the traceroute. The IP address is at DE-CIX, so traffic passes through Frankfurt (subject to German data privacy laws) and NOT Israel. However, as discussed above, even IF the traffic did pass through Israel, the DDoS protection technology we have selected means there would be no compromise to ProtonMail email privacy.
https://protonmail.com/support/knowledge-base/protonmail-israel-radware/
That company only checks for compliance on a specific page and probably doesn't know much about ProtonMail to offer a better rating. See the ProtonMail GDPR Compliance information for how they achieve it.
Have you tried contacting ProtonMail's support directly?
You can reach them via email () or, according to the sidebar, via their contact form or via Twitter (@ProtonMailHelp / @ProtonMail).
Personally, I would try to contact them first via email if I'm having doubts about if the email is a legit one or a very convincing scam attempt.
They have a blog post about the introduction of it in case you haven't read it: https://protonmail.com/blog/elliptic-curve-cryptography/
The post includes a link to an explanation of how both RSA and ECC work, which you may find useful when deciding which to use. Neither RSA nor ECC is without any flaws, but ECC seems to be the better option for most users since it offers comparable or better security but takes fewer resources to use.
> Protonmail users can't easily read messages sent using actual standards like imap client + gpg encryption
Uhh, yes they can? Just export your public key and share it (possibly via a key server) and people can easily send you encrypted emails to your ProtonMail account, which you can read as usual.
https://protonmail.com/support/knowledge-base/how-to-use-pgp/
ProtonMail's claim is that they have developed a web site which can encrypt secrets in such a way that the site cannot access those secrets:
https://protonmail.com/blog/what-is-end-to-end-encryption/
> When you use E2EE to send an email or a message to someone, no one monitoring the network can see the content of your message — not hackers, not the government, and not even the company (e.g. ProtonMail) that facilitates your communication.
> It keeps your data safe from hacks. E2EE means fewer parties have access to your unencrypted data. Even if hackers compromise the servers where your data is stored (e.g. Yahoo mail hack), they cannot decrypt your data because the does not possess the decryption keys.
A web application cannot provide these properties, because these properties run contrary to the fundamental threat model of a browser.
This is not how web browsers work. Any scripts running on a particular origin have the full authority granted to them by the CSP of that origin.
ProtonMail always has the option of exfiltrating your plaintexts and/or cryptographic keys any time you load any page on the same origin where you read encrypted mail, using an attack which is extremely difficult to detect, can happen at a particular point in time leaving virtually no trace, and makes it very easy to target individual users without any potential for detection by anyone else.
The result is the very thing we don't want out of a secure messaging application: a system which appears secure on the surface, but with vast attack surface that allows for targeted, stealthy attacks on individual users which leave behind little evidence the attack ever occurred.
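The comment above turns on the fact that the origin chooses the code on every page load. As an added illustration (not code from the thread or from ProtonMail), this Python sketch compares the scripts one page load delivered against hashes pinned out-of-band from an audited release, and shows that Subresource Integrity attributes alone do not catch a change when the same origin serves both the HTML and the script. The paths, script bodies and manifest are constructed sample data.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri_sha384(body: bytes) -> str:
    """Subresource Integrity value (sha384, base64) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode("ascii")

class ScriptCollector(HTMLParser):
    """Record (src, integrity) for external scripts and count inline ones."""
    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        if attr.get("src"):
            self.external.append((attr["src"], attr.get("integrity")))
        else:
            self.inline += 1

def audit_page(html: str, served: dict, pinned: dict) -> list:
    """Compare one page load against a manifest obtained out-of-band.
    served maps src -> bytes received on this load; pinned maps src -> SRI
    value from an audited release. Returns sorted (src, finding) tuples."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    if parser.inline:
        findings.append(("<inline>", f"{parser.inline} inline script(s) outside the manifest"))
    for src, integrity in parser.external:
        if src not in served:
            findings.append((src, "body not captured"))
            continue
        actual = sri_sha384(served[src])
        if integrity != actual:
            findings.append((src, "integrity attribute missing or wrong"))
        if pinned.get(src) != actual:
            findings.append((src, "body differs from pinned release"))
    return sorted(findings)

def render(bodies: dict) -> str:
    """Build the page as the origin would, with SRI attributes that match."""
    tags = "".join(f'<script src="{s}" integrity="{sri_sha384(b)}"></script>'
                   for s, b in bodies.items())
    return f"<html><head>{tags}</head><body></body></html>"

# Constructed sample data: script bodies standing in for an audited release.
AUDITED = {
    "/assets/app.js": b"function openMessage(key, msg) { /* decrypt */ }\n",
    "/assets/vendor.js": b"/* vendored OpenPGP library */\n",
}
PINNED = {src: sri_sha384(body) for src, body in AUDITED.items()}

# Load 1: the origin serves exactly the audited release.
CLEAN = audit_page(render(AUDITED), AUDITED, PINNED)

# Load 2: app.js differs and the origin updated the integrity attribute to
# match, so the browser's own SRI check passes; only the pin notices.
CHANGED = dict(AUDITED)
CHANGED["/assets/app.js"] += b"// one extra line\n"
DRIFT = audit_page(render(CHANGED), CHANGED, PINNED)
```

The check only covers the loads it is run against, and it depends on the manifest coming from somewhere other than the origin being audited.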
>Their encryption claims don't apply if you communicate with a non-protonmail address.
Although they still say it's much easier to use their encryption features if both users have protonmail accounts, you can now send PGP emails to non-protonmail accounts: https://protonmail.com/support/knowledge-base/how-to-use-pgp/
Was just checking if the new law in Switzerland since September would change any of that.
One of the providers wrote: https://protonmail.com/blog/swiss-surveillance-law/
that they are exempt from that law. No idea if they are lying or are forced to lie but looks like Switzerland is still safe.
Seriously time to start divesting from Google.
For mail, I'd recommend Proton Mail.
For YouTube, LBRY might be a good decentralized alternative.
There are tons of Blog services.
Depends on who you want to prevent from reading your e-mails.
There are some services which let you encrypt your e-mails with your own key. These are the more secure ones - at least a bit more trustworthy if audited correctly.
ProtonMail is one of the biggest services and worth a look.
Regarding labels and folders, we provide labels because they can do everything folders can do, and more. Labeling a message and archiving it at the same time achieves the same functionality as a folder, and you can even set ProtonMail to automatically archive messages that you label. Filters can also be used to automatically label+archive incoming messages. Labels are more powerful than folders because you can have more than one label on a message.
Regarding pricing, ProtonMail isn't designed to be the lowest cost email service, for that, there is Gmail. Our focus is security and privacy without compromises. Like most high-end Swiss products, ProtonMail paid plans will not be the cheapest option. Our pricing page describes why we tend to be more expensive: https://protonmail.com/pricing
That said, ProtonMail is not expensive, at $4/month. This allows us to deliver a higher quality service that includes key features for usability, security, and reliability:
Usability: Advanced search, conversation view, native/fast mobile apps
Security: Two factor authentication, OpenPGP standard (peer-reviewed), Swiss-based, SRP authentication (authentication, not crypto weaknesses, are the most common email compromise point)
Reliability: Staff of over 20 means all technical positions are redundant and we can operate a 24/7 network operations and emergency response team
Hmm that's not good indeed, thanks for noticing. Considering how important internet privacy is in the past few years, some of the points you mention are pretty shocking such as storing credentials or emails, there are certainly much better ways to handle things.
I'm staying with Airmail on both iOS and macOS for the time being. It's not perfect but does the job and syncs using iCloud, which is secure, plus doesn't store messages on server.
For anyone really concerned with privacy, check out ProtonMail, which has data centres in Switzerland, operating under Swiss law, quite a good alternative.
There are many many things factually incorrect in this post.
The information at cryptome is completely false, the full details regarding our DDoS protection can be found here: https://protonmail.com/support/knowledge-base/protonmail-israel-radware/
Furthermore, the law enforcement requests we do respond to, and what we provide, can be found in the transparency reports that we publish: https://protonmail.com/blog/transparency-report/
Check the team: https://protonmail.com/about
It's run by PhDs in Physics who worked at CERN and stuff.
Amazing how people from those backgrounds can come together to run a free public secure crypto email service.
I see a lot of mis-information here, with people seemingly not understanding how BGP redirection and GRE tunnels work. All traffic that passes through Radware is encrypted. Both encryption layers (SSL and ProtonMail's OpenPGPjs) are intact in this solution. That's why we picked BGP redirection instead of something like Cloudflare. So Radware has access to no new information that your ISP wouldn't already have since they just see the encrypted packets.
More details here: https://protonmail.com/support/knowledge-base/protonmail-israel-radware/
And soon, you will be able to privately save and share documents to the cloud with ProtonDrive. Our mission is to create an Internet that serves you and doesn’t require you to hand over your personal data to governments or corporations.
https://protonmail.com/blog/protoncalendar-beta-announcement/
https://protonmail.com/support/knowledge-base/delete-account/
> Please note that once your account is deleted, there is no way to recover or recreate it. We do not recycle usernames, which means the same username will not be available in the future.
There is actually a direct business support team and a way to contact them, but it is not publicly posted to avoid getting swamped. If you contact https://protonmail.com/support-form, you can receive the direct contact information, as it will get escalated to the business support team.
https://protonmail.com/blog/2018-recap-future-roadmap/
"For ProtonMail, our ambitious goal is to launch version 4.0 (with encrypted search), conversation view and multi-user support on mobile, and an encrypted calendar in 2019."
Contact them via the other way, let me google that.
https://protonmail.com/support-form
Time taken to Google: about 20 seconds, never used any proton product before. (But I am a programmer, my key function is to Google things until I get a program running and copy paste code)
Edit: also let them know the bug report itself is not working, they also want to know that, I'm sure. Perhaps they were praising themselves over doing a good job, due to so few bug reports. I can only imagine the sadness upon finding out that this was not the case, this sadness will grow more pressing every second this situation goes unreported.
Actually, using ProtonMail for White House work doesn't allow FOIA requests to be circumvented. We actually covered this in a blog post when the story first surfaced:
https://protonmail.com/blog/white-house-encryption-protonmail/
As to your other questions, it is of course possible for people to use ProtonMail for unlawful purposes. But in fact, a lot of things can be used for unlawful purposes (airplanes, Twitter, etc), and this does not mean that we should ban them all.
What is important is for society to balance the good versus potential negatives of any service. By providing better security and protecting freedom of speech, I believe that the good that ProtonMail provides does indeed outweigh some of the potential negatives, but things will never be fully black and white.
Unfortunately this is another one of the false conspiracy theories going around about ProtonMail. We have previously discussed this here: https://protonmail.com/support/knowledge-base/protonmail-israel-radware/
The short answer is that we encrypt everything before it hits the network so how our traffic is routed actually is irrelevant. Furthermore, our traffic transits through Frankfurt and not Israel (as some have falsely claimed).
Protonmail is awesome! I've had it for a while now, I highly recommend it to everyone.
Not only do Google and Yahoo etc. mine your email and sell info to marketers, they have backdoors giving access to the Gov't. Shit is no good for you.
What Yahoo’s NSA Surveillance Means for Email Privacy
Edit: ProtonMail is free, but I'd happily pay for it.
The main group that has been claiming responsibility for these attacks are called Apophis Squad, they are a disruptive group of script kiddies who have been DDOSing seemingly random targets that they think they can impact.
ProtonMail made the mistake of engaging them on Twitter after one of the major outings a little while back
this latest round seems to be directed at Proton after one of the group's members got himself caught by authorities
edit: unfortunately defending against DDOS attacks launched from a botnet is extremely hard as the amount of data being tossed at the target is often more than even the largest of internet pipelines can handle, it does not help that PM's upstream mitigation provider has been getting hit extremely hard, and while they have been doing a relatively good job, it just is not enough
GDPR pertains to personal information. ProtonMail's policy on storing personal information:
https://protonmail.com/privacy-policy
"Through the Service, you can directly access, edit, delete or export personal data processed by the Company in your use of the Service.
If your account has been suspended for a breach of our terms and conditions, and you would like to exercise the rights related to your personal data, you can make a request to our support."
Since your emails are not personal information, they are not necessarily obligated to allow you to export it according to GDPR.
That was the intent of PGP, but as eFail more or less proves, when you work with a federated system you need to be worried about every single implementation.
Right now Tutanota is dragging their heels on a PGP implementation, and ProtonMail is beta-testing one but advising people to avoid using it. It's not hard to see why.
Being a non US company definitely makes it more secure. It's protected by Swiss data protection laws. Also the data is encrypted on the client side with a key they don't have access to. If you compare with Gmail, outlook etc I would choose Proton any day. Feel free to run your own mail server, but I would rather trust Proton than any other major mail provider. Also: https://protonmail.com/blog/protonmail-security-contributors/
protonmail user here as well. one of the best features they have are alias addresses, so you can have {primary,gamertag,junk}@protonmail.com and keep your life segmented; if your junk address gets pwn3d in any significant way, just delete it and create another one. all of them go to your account, so you can check all of those emails from one space with one login. beats the hell out of three different gmail accounts.
re: protonmail emails to gmail accounts, privacy is a chain and that's the weakest link. any unencrypted email you send from protonmail to a recipient at a gmail account will be scanned by google, for example.
however, there is a solution for this. protonmail introduced an end-to-end encryption option for use in just such a circumstance. the idea is that you share a decryption password with your target gmail recipient using a separate channel (im, text, phonecall, etc), write your message, then set that message's decryption password with whatever shared key you picked. the email is sent to the user and stored on that user's gmail server still encrypted. it's only decrypted locally, on that user's machine, with the password you set and both share. the target can reply, also encrypted, so that their service never sees the contents of that message.
the user doesn't have to use protonmail for this to work.
more details can be found at that link and online in various forums.
[EDIT: typos.]
ProtonMail's public security roadmap can be found here: https://protonmail.com/blog/secure-email-roadmap/
By the end of this year, when we get most of the way through our 2016 roadmap, most of the issues in the article will have been resolved.
However, we have an even longer list of additional security improvements we are going to make in 2017. We view security as a moving target that requires constant improvement as the threat landscape evolves. We have seen in 2016 that both state actors and cybercriminals are getting more sophisticated, so we are already doing work to defeat the next generation of attacks.
Protonmail is end-to-end encrypted meaning the e-mail is encrypted on your computer and transmitted to their servers already encrypted, so they couldn't provide anything intelligible if they wanted to.
Additionally they're a Swiss company with servers in Switzerland. They're not in the same position as Google which is a U.S. company with servers in the U.S.
I don't use protonmail, BTW, I just have no illusions about Google. Protonmail doesn't provide a huge advantage unless you're communicating via encrypted e-mail or with other protonmail users, but if you actually need/want e-mail privacy it's one of a handful of services that are even trying.
Suggestions for anyone who wants to complain, but in a much more anonymous way:
Precautions to take:
Protonmail because it's encrypted and it tells you the location of the person emailing you.
It's based in Switzerland so all user data and info is protected by Swiss law. As well, only the user has permission to access messages unlike other services like Gmail where a Gmail employee can access your messages and other private info.
From their blog:
ProtonMail does not fall under the jurisdiction of intrusive US laws (such as the Foreign Intelligence Surveillance Act), and cannot be coerced into working for the NSA
Our encryption ensures that our users have complete ownership of their data. We don’t have the ability to read it or sell it, even if we wanted to
On the other hand, Gmail can and does read every single one of your emails. If you are not comfortable giving Google unlimited access to all of your intimate communications, then ProtonMail’s approach to data privacy provides more security