This announcement is an example of why I am not using ProtonMail anymore. There are a lot of things they do that sound very good on marketing materials, but upon examination are security theater.
For example, they claim, "We have chosen a particular elliptic curve system known as X25519, which is fast, secure, and particularly resistant to timing attacks. It’s simple to implement".
However, previously they've said that they use Indutny's library [0]. This library is somewhat infamous because its leadership deciding to discard any pretense of defending against timing attacks on the grounds that would make the library "too slow." [1]
There are other options. They could have used something with good timing attack resistance from WebCrypto. Those options exist. Folks with more skill than I have recommended P-256 as an option.
We are aware of the the issues brought up in [0] and [1]. As suggested in [2], we are already considering to switch to an implementation in WebAssembly to mitigate the possibility of timing attacks on the web platform.
In our mobile and desktop apps, where timing attack resistance is easier to achieve, the X25519 implementation is already constant-time.
Once they are generated, keys are controlled by our users and not easily updated, so we wanted to make our choice of default curve as future-proof as we could while balancing speed and interoperability.
NIST curves like P-256 is generally not considered trustworthy, which is why the general consensus is to use Ed25519 for any elliptic curve cryptography.
Using Ed25519 is by popular opinion the right choice.
However, the concern about their use of indutny's library and the comment you link to is entirely separate. Choosing to have timing attacks for performance in a cryptographic library seems absolutely absurd, and if this is still the case (the comment is from 2017), then that library should be avoided at all cost.
That is not at all the case. P-256 is widely used and no cryptographer seriously believes there's anything "untrustworthy" about it. Rather, the problem with P-256 is that it's easy to misuse, like most curves. It's hard to implement in constant time and the NIST P-curves generally lend themselves to invalid curve attacks, which need to be guarded against.
Curve25519 avoids these problems. But then, if you're using a naive Javascript library, you've thrown out one of the main benefits of Curve25519 already, and are left essentially with invalid curve attacks, which are not especially hard to defend against and not always even relevant to a given protocol (who could be bothered to go look at what OpenPGP.js is doing with them, I don't know).
Ed25519 is the signing curve equivalent to Curve25519/X25519. It's what you'd use to generate and verify signature, but not what you'd use for ECDH.
There is general distrust in NIST, not any known issues with those curves. However, it is general consensus to prefer Ed25519 over NIST curves, specifically preferring it over P-256. The benefits of its implementation are a cherry on top. I have yet to see any suggestion or reason to pick P-256 when Ed25519 is available.
And yes, Ed25519 is the defacto standard. Hell, I don't even recall the last time I heard P-256 mentioned. It surprises me every time I stumble upon it. Picking anything other than Ed25519 means deviating from the norm, which would normally cause worry. Granted, P-256 is fine, but there is absolutely no argument for claiming Ed25519 was the wrong choice of algorithm.
And yes, I specifically refer to Ed25519 because it is the one relevant here. We're talking about signing, not key exchanges.
The article itself talks about X25519, which is Curve25519, not Ed25519.
Ed25519 is not in fact the de facto standard for signing on curves; that's clearly P-256 ECDSA. You're saying that Ed25519 is better, and I agree, but P-256 is much more prevalent.
Again, people don't use Ed25519 because they distrust NIST (although many people do distrust NIST). They use it because:
1. It's easier to implement in constant time.
2. It's derived (if that's the word) from a curve that was selected to avoid invalid curve attacks.
3. They want a more modern, Schnorr-based signature construction, and Ed25519 gives you that and a better curve at the same time.
For signatures, as opposed to key exchange, I think the tradeoffs are pretty much the same: by using a goofy JS library, you're giving up the implementation and side-channel advantage. You're left with the superior signing construction, but you can just use Pornin's deterministic DSA and neutralize most of that problem as well.
Seems like they made a mistake. They're referring to your private key (which is used for signing) as "X25519", but X25519 is meant for key exchanges.
Nothing but Ed25519 makes sense in this particular context, unless they've gone out of their way to do something very non-standard.
> Ed25519 is not in fact the de facto standard for signing on curves; that's clearly P-256 ECDSA.
Having never been confronted with anyone having chosen P-256 ECDSA, I question the validity of this statement.
It is important to remember that this also requires use. I have a few times stumbled upon things where only NIST curves where supported, but in those cases, RSA remained the choice of the users.
> Again, people don't use Ed25519 because they distrust NIST (although many people do distrust NIST).
None of these arguments make sense to those not implementing the cryptographic libraries on their own (which, while fun, is not recommended).
For the integrator and the user, it's simply a case of reading the docs and picking.
Actually, Ed25519 is the Edwards curve isomorphic to Curve25519 (which IIRC is a Montgomery curve).
Edwards is faster than Montgomery for signature, but not significantly slower for key agreement.
You can use it for ECDH, and unless I've missed some non-obvious attack (which is of course, entirely possible) you probably should, since that allows you to use (mostly) the same elliptic curve math primitives for key agreement as for signature.
(That is, you should use Edwards form points as shared-secret output. It's possible to implement Curve25519 using Ed25519 internally, but probably not a good idea.)
My understanding is that Ed25519 is birational to Curve25519, not actually isomorphic, but also that the difference between the two ("almost" vs "perfectly" isomorphic) is not really all that interesting. I thought Ed25519 was better for multiple-base operations used in signing, but slower for variable-base operations in ECDH.
> that Ed25519 is birational to Curve25519, not actually isomorphic
That might be the case, I only meant isomorphic in the programming sense of f(x) = h⁻¹(g(h(x))) for relatively trivial h.
> I thought Ed25519 was [...] slower for variable-base operations in ECDH.
My understanding is that Ed25519 requires replacing several of Curve25519's field squarings with general multiplications, but isn't actually any slower if you use a general multiply for everything. I'm not sure how much optimization you can get out of squaring though, so it might be a easy 10% bonus you're passing up there.
I tweeted "They would have been better off with P-256, since that uses WebCrypto" after I inspected OpenPGP.js code because it's already implemented there (since it needs to support decryption from senders that use different curves) and uses WebCrypto API implementation. To me, it's a safer choice than the `elliptic` npm package that they use for X25519.
If WebCrypto supported X25519, their choice would be a no-brainer, as 25519 is a safer curve (https://safecurves.cr.yp.to/). But P-256 is definitely not considered untrustworthy — see tptacek's reply — and at least Chrome implementation (BoringSSL) is good. (Browsers use the same implementation for TLS and P-256 is the most popular curve for TLS right now. In fact, delivery of their JavaScript code to browsers already depends on P-256 due to TLS.)
Regardless of the choice, my main concern is that they advertise X25519 as timing safe, while not having a timing safe implementation. This is a red flag.
Disclaimer: I ported TweetNaCl (which uses 25519) to JavaScript. The port intends to be "algorithmically" constant-time, but doesn't guarantee real-life timing safety due to JS.
I unfortunately implemented and maintained several cryptographic algorithms (block ciphers, UMACs, key exchanges, whatnot, a bunch of it proprietary for extra awfulness) and compression algorithms in JavaScript as part of a previous job. It was awful, and I broke the JIT more times than I could count. JS is not well-suited for this.
I still find the argument to be wrong, in the sense that picking Ed25519 is an entirely correct decision to make. Picking that library is not a correct decision, and that might lead to needing a different algo (I'd argue that WebCrypto needs to pick up its pace for common algorithms, rather than picking picking up whatever dropped fruit is available).
We shouldn't slander them for Ed25519 (although you are right that such claim about timing safety is borked—maybe that got lost in marketing). We should only target the library choice.
Plus, with WASM widely available, we should be able to port a constant-time of Ed25519 with good performance without much work. WebCrypto is just a cherry on top.
I have found no evidence that the author has changed their stance on this issue. You can find other issues that have also been closed with a brief explanation.
If the author wants to show up and say otherwise, I'm happy to take correction.
But, I'd rather have a robust implementation of a speculatively less secure scheme then have the undelivered promise of a more secure scheme papering over an insecure implementation.
>"There are a lot of things they do that sound very good on marketing materials, but upon examination are security theater."
Indeed like still pushing the trope that since their datacenters are located in Switzerland they are able to provide more privacy protections. This is even mentioned on their homepage, and of course this hasn't been true in a few years now.[1]
Does anyone use gmail + PGP ? if the two parties understand how to send encrypted messages over web clients, isn't that still secure ? I haven't heard much about PGP for the past 5+ years. I realize PGP itself isn't a protocol, but there used to be a system where you'd publish your public key (irrespective of what protocol (RSA, ECDSA, etc) you use) somewhere and anyone could send you encrypted messages and paste the base64 text into insecure clients.
I agree that the search in Fastmail is fairly bad - it does have an 'advanced' menu option that isn't immediately obvious, but it's still not super great.
You made me panic when you mentioned Spam false positives, as I've never really bothered checking that folder!
Thankfully I don't appear to have any so far. Better than bloody GMail arbitrarily deciding that subscriptions and emails I've long-since received from various sources being suddenly spam... .
I've been using Tutanota for almost a year now and it's pretty good. I'm no expert on encryption but that part also seems pretty solid [0,1]. NordVPN "leans towards" TN over PM, but only for convenience and not security (that's more or less equal between the two)[2]. However, PM is based in Switzerland (not bound by GDPR), while TN is in Germany (bound by GDPR and other privacy laws that the EU is really progressive in pushing, compared to the rest of the world)[2]. That said, PM is what Cambridge Analytica was using to overthrow governments so I suppose that has to be pretty secure[3].
PM pricing is €48-288/y while TN is €12-60/y[4,5]. Both have freemium options too; I'm paying €12/y for TN just to receive support (more to be able to message them with feedback, really).
My only complaints w/TN is that it's a bit slow; notifications will remain even seconds after I'd read the mail, and sometimes (especially in the beginning) I would hit "Del" twice or more for the same email because it would remain in my inbox, ultimately accidentally deleting the emails after it in my inbox (something I noticed only after refreshing the tab, which -- annoyingly but also securely -- would cause me to have to log in again).
I ultimately went with TN because of one thing, however: I can export emails. Yes, it's a hassle, and yes, I have to generally do it by hand, bundle by bundle, but I love being able to have all my emails archived offline. Plus, with their new (beta) desktop client, this should be even easier[6]. I'm staying with them for now because they're the only ones (that I know of) who encrypt both your emails and your contacts, as well as the subjects, contents, and attachments of all the emails you send[7]. This is HUGE for me. However, the moment a better service comes along who does all this and who is smoother, faster, I won't mind switching ship. Especially because the name is so annoying to tell people, especially over the phone ("Puta? Duda? T like Dom or like Tom?"). Yes, I get it means "secure message" in Latin, but come on now. Just use a simple word already. Or do what PM did and enable a neat shorthand domain (pm.me, how neat is that?[8]). Though they also do offer custom domain names so I suppose this isn't too much of an issue, I just haven't had time to properly look into this yet.
After reading this thread though I'm curious to find out more about FastMail. But Australia, uhhh... Five Eyes, no thank you.
ProtonMail also encrypts emails, contacts, contents, attachments, of all emails you send and receive, with end-to-end encryption.
However, the most important differentiator is the trust model. ProtonMail has Address Verification, which means it is trust on first use, which is significantly more secure than the trust on every use model Tutanota uses for key distribution. Details here: https://www.reddit.com/r/ProtonMail/comments/b84kd3/why_is_p...
My biggest issue with Tutanota is there's no IMAP support. I don't wish to jump through hoops to get my mail out easily and in standard formats if I want to leave a service. That's why I won't use it. Same goes for ProtonMail, which is slightly better but has a tedious IMAP bridge to be installed and used for paid accounts.
I don't know OSX very well these days. Is that... is that actually installing a new global SSL trust root? Doesn't that mean ProtonMail now can seamlessly MitM all SSL connections on that machine?
Please tell me I'm reading that wrong, because I don't recall doing this for ProtonVPN on linux.
In the instructions they ask the user to "always trust" the cert for all use cases, including SSL. If you do that, any app that uses OS certs can be MITMed. It should be enough to trust the cert for IPSec only.
My knowledge is limited in crypto, but I'm pretty sure you should never trust a root cert (even for "IPSec only") unless it carries responsibility and public scrutiny equal to or greater than a standard CA. (Unless it's the owner of the device [including you] or a close associate you trust.)
Indeed, it is enough to trust the cert just for IPSec, and we have updated the article to reflect that. We also have native applications on macOS so the manual IKEv2 setup is not the recommend method of usage of ProtonVPN.
X25519 is great, but it doesn’t make Protonmail (really, OpenPGPjs) a net safe communications mechanism.
It inherits all of the flaws inherent in OpenPGP, including optional authenticators (which lead to EFAIL), kitchen sink bulk protocols complete with negotiation (did you know your public keys specify what algorithms you like?), lack of forward secrecy, repudiability, et cetera.
We should stop using RSA. But RSA isn’t what was keeping OpenPGP from being a great secure communications channel. That’s aside from the question if it’s meaningful to say you control your keys if you use OpenPGPjs served up every time by a third party. (I say that being extremely on the PGP apologia side of the scale compared to some of my peers!)
Shouldn't it be possible to have the library built in to the browser? I can't seem to find any information on attempts to make that happen, either directly by browser developers or as an add-on.
Sure: that’s WebCrypto. The main problem it solves is that you don’t really want your AES implementation to be in JS which is only a small part of the problem. You still have the problem that the site would be telling you to do with all of that good crypto, and you still need to do key management.
You could do all of this well if WebCrypto was good and you had a WebExtension, or an Electron app, or some other way where you weren’t just going to do whatever the website tells you to do.
(That is not a blanket security recommendation in favor of Electron. XSS does not normally get me RCE.)
tl;dr version is one pins all resources on the page with Subresource Integrity hashes and signs the page. The extension verifies the signature matches before rendering anything.
I was silly enough to sign up without looking in to it because it was recommended on HN. Then I realised they need this bridge software to connect. I asked about it stating I'd like to build it my self and confirm it is libre software. They just sent back a generic link to a .deb beta file. I had a look and its got this eula.txt with the standard you-have-no-rights. Messaged them again asking what they intended to do license-wise and they ignored me. Someone else has written their own bridge and put it on github but it's a bit of a joke to have to do that. Not sure what to move to now, mailbox.org was another I saw recommended.
My email history:
- gmail.com > US spying, escape.
- lavabit.com > Shutdown due to US government legal attack.
- Ran my own server > Too much bother, gave up.
- openmailbox.org > Died for months, ran away with my money.
- protonmail.com > Sketchy, cancelling it now.
- Free mailbox.org with custom domain.
I use mailbox.org. On the topic of crypro, they have a fairly neat feature where you can give them a PGP public key and they'll encrypt all plaintext messages you receive to your public key. Not perfect of course, but it means that your long-term message storage is encrypted on the server.
My only complaint with mailbox.org is that their 2FA system is really silly (you append your 2FA token to your passphrase, and there's no equivalent to Google's "app passwords").
I'm actually kind of surprised to see the only reference to lavabit, in all of the comments, is that it was shutdown. It seems to be back and their server is open source: https://github.com/lavabit/magma although you can pay for their hosted version also: https://lavabit.com
Seconded. Anyone know of a good email workflow? Rolling your own server no longer seems practical. From what I have read most email providers now simply blacklist the email address of an email from sent from a non-major email service.
They say it doesn't matter for them as they comply with all lawful requests anyway. Haven't seen any comment regarding the need to build full backdoors, but the insidious part about that dumb law is that they wouldn't be allowed to talk about that anyway.
Love ProtonMail. Over the past few years I've slowly switched more and more of my usage onto it as my confidence in the service grows. Gmail now occupies a similar niche as Facebook in my life, where I keep a vestigial & largely empty account for those few organizations which still insist on proprietary apps (Google groups/docs, Facebook groups/chats) for organization.
I had a proton email created when it was announced & didn't use it. I found out that my mailbox decryption for that email id is not working (not sure how, I use password manager) & I haven't set a recovery email to recover my account.
I saw a HN comment earlier telling, the user had recovered their Proton mail account by answering few questions to customer service.
I attempted the same, the issue is that I used VPN to create the email id & didn't provide any personal details for the account.
They asked questions like,
-Do you remember the exact time and date when your account was created?
-When was the last time you have accessed your account?
-What is your display name?
-Do you remember to which addresses you have sent your last messages?
-Do you remember the email subjects of the last sent messages?
I tried to answer the account creation date by using the date of password creation in my password manager (the login password was working); but the support didn't seem to buy it.
They were insistent on,
-Can you please tell us if you remember from which addresses have you received your last few messages?
-Could you tell us if you have used the ProtonMail account to sign up for some other web services?
I told them, I don't remember receiving email from anyone else & I didn't sign up for any service
-There is a service that the xxxxx@protonmail.com address has been used to sign up for. Can you please tell us what that service is?
I told them again that I didn't sign up for any service using that email id.
- Can you tell us the full address below?
no-xxxxx@drxxxxx.com
Even though I could obviously guess the username of that email id. I told them that I didn't sign up with such service, that it must be a spam mail sent by some service.
They said,
- If you have not signed up for this service, the account probably belongs to someone else.
Then I typed 'no-xxxxx@drxxxxx.com' on Google Search, the instant results gave 'no-reply@dropbox.com' as the first result.
I sent them,
Hey sorry, I remembered the service. I did signed up for Dropbox & used the account for a while.
This would worry me more than drama about one algo choice over another. Encrypting the data at rest (even it's not perfect) is probably better than letting it sit around in plain text.
OTOH account hijacking is a well documented[1][2] threat.
I don't like the idea that if I set up a secure password and 2FA someone could call up Protonmail and go "Uh yeah, I use, uh... Hulu? Reset my password please!"
It's a valid concern, though in my case there's no other means to check the ownership albeit being flawed one; note that me having a valid login password/ or not doesn't seem have any impact on me recovering the password as I contacted them using web form support.
I don't think that would have made any difference, if someone with malicious agenda wanted to gain access to my email account.
It all depends upon how much trust, my initial answer to the question 'When you account was created'; I'm 90% sure I have correct year & 70 % on the month (I gave another month as well).
If that answer really did create some trust, then there's something; if not then I'm quite sure anyone can hijack an account without recovery email if they are able to guess few email ids correctly.
There’s two separate passwords. If you reset your encryption password it’s supposed to make all prior received mail unreadable. Was this the case for you?
Correct, existing emails become inaccessible when the mailbox is reset. Can be recovered though, if there's a backup & the original decryption password is found again.
I agree, access to other accounts is of greater threat.
When I created this account, I wanted to build upon the premise of privacy of proton mail & so I created using VPN, with no personal link whatsoever (hence no recovery email).
Unfortunately when my decryption password failed, I had no means of recovery until I attempted to talk through support successfully.
One major issue with the iOS client is that it cannot handle more than one Inbox. So, if you use two accounts (e.g. home and work), you can only be logged in in one at a time, and have to go through the full sign-in-sign-out process each time you want to switch. And my understanding is that the iOS app doesn't actually cache email offline, so it's not terribly possible to work on an airplane, etc.
Also, understand that due to the encrypted nature, you can't just point an IMAP client at their servers. They offer separate software to serve as a bridge, but it's complicated. So, you are only using their web interface. They don't offer a native app for OS X, even. So again, no offline mail processing.
I recently put serious thought into moving my personal and business presences to PM to support the idea and normalize serious encryption, but ultimately felt like my need of the security it provides doesn't justify the complexity and UX compromises it forces. But ymmv.
I've setup multiple domains on the same Protonmail account. You can create new addresses (@protonmail.ch/protonmail.com/pm.me/domain) with a paid account (iirc up to 5 total addresses with Protonmail Plus).
We use proton for our business mail (small startup < 10 people). The app itself, and web interface are great. However i wish they'd stop dicking around with crypto and actually start working on some features that are outright required for businesses to operate (mail flow rules, signatures using html, group setting/enforcing of signatures, 2fa, password policy, tagging mail as outside of the org/inserting headers, making bridge better).
The idea is great, works well, and we support it as best we can. However they REALLY need to step up their game in terms of making it easy to manage as opposed to just "moar security!". I put in tickets for each of the aforementioned pain points 6 months ago, and heard nothing back really. I doubt the developers ever got to see them. If they want more money and more users, which i'm sure they do, they need to really step up their game in terms of group management and onboarding.
Hey, I work with ProtonMail. Sorry you haven't heard back from support. Would you mind sending the feedback to enterprise@protonmail.com? We're actively working on getting most of the mentioned features out the door, but would love to get some specifics from you.
In case I don't hear from you, HTML Signatures are live.
Will email later thanks for letting me know this. The specifics I was getting at was being able to paste a raw html signature or set a signature for a group of people. You can use html in signatures but you're limited to using you tinymce editor. It does, however, work and save properly if you edit the source of the page and then save it...so I can't see why I can't just paste in my html as is? Anyway, sorry for having a bit of a rant here. I'll forward the specific tickets etc. I sent later today. Cheers
I adopted a mix of both: FM for non-secure and calendar stuff, ProtonMail.ch for stuff that needs to stay private. I do love FastMail -- just wish their iOS app allowed me to sign into and switch between multiple FM accounts like Gmail does. The lack of this feature is the ONLY reason I'm not Gmail-free yet.
I love Protonmail! I use it both on desktop and Android. It's interface is very basic, but that's the way I like it. I pay for it as well as ProtonVPN so they will hopefully stay in business.
Been using it as my main account for over a year, have an old gmail account which I'm giving a bit longer grace period until old clients and contacts stop emailing. Using it on iOS, it's works great but don't expect many features. Same can be said of the webapp. I use a custom domain so I'm not worried about it shutting down, I'll migrate to something else. One issue I've had is emails from new contacts sometimes showing up in junk.
Sorry about the issue with mail from new contacts ending up in junk. We're working on improving inbound spam filtering. For now, make sure you move those messages to the inbox folder, this will add them to your whitelist (which you can adjust within the Settings of your account).
Thanks for getting back to me, I have been moving those messages back into the inbox, I'll take a look at the whitelist. Overall very happy with the service and ProtonVPN too. Keep it up!
I've been using it as my primary email since around May of 2017. I can only speak for the web and Android versions of protonmail, and those work pretty well (comparable to the gmail app and gmail in the browser).
I'm using the paid version of protonmail with a custom domain, giving me the ability to somewhat easily switch to a different provider in the future if they go out of business or end up losing my trust.
I switched to ProtonMail from Gmail (with a custom domain) about 6 months ago. The web app is a bit janky, compared to Gmail, but I use Apple Mail with their desktop bridge app and they work fairly well, together. Their iOS client is comparable to the default mail client, but not to the Gmail app in terms of features.
Would love to get more feedback on what you would like to see in the iOS app. You can add feedback here: https://protonmail.uservoice.com/ or send it to us directly. Next feature coming to the iOS app is multi-user support.
I use a ProtonMail address for online accounts whose content I don't need intermingled with my personal mail.
I also use a ProtonMail "+" alias when signing up for a totally new service (with a filter to place emails from that alias directly in Spam; as all it does is handle account signup/verify). If I can't change my email after signing up for a service I don't continue using that service, as I define that to be user-hostile. If I can't use "+" in an address when signing up I default to GetNada.
The other use case for a PM address is for anonymity (e.g. throwaway/whistleblowing) with a requisite VPN and browser-only login, etc.
As an aside, I use a free Outlook address as my newsletter spam box (good storage size and Android interoperability for consuming content).
You can use catchall addresses for this. Any ol email @ that domain that doesn't have an associated account gets routed to the catchall account. Protonmail supports this if you pay, as do a few others.
I use it as my main email, with a gmail account for throw-away spam, and have the protonmail Android app, I like both the web and android versions quite a bit; could have a few more features, but for everyday usage it is good. No frills but everything normal and easy to use.
I have used it for my main email account for some years now. The web client is fine, the iOS client is fine, and the ProtonMail Bridge allows me to bring it into my Mail.app.
The encryption is great and the anti-spam works well enough. No complaints.
I have very limited experience. The client seems to log you out once in a while, as if it's a banking app. That's been an annoyance for me. On the free tier, you cannot login to more than one account at a time on the app. That's another annoyance. You cannot export your mails from ProtonMail unless you have a paid account and use a computer with their IMAP bridge software installed.
I can't comment on the iOS client, but the Android client is what's primarily holding me back from switching to Protonmail as my default. The problem is that it keeps logging me out, for one reason or another, and to log back in I have to enter the password and TOTP code. That's a pain in the butt, and it makes it impossible for me to rely on for, say, airplane tickets.
Sure, I can do that again. My previous tedious interaction with your support department ended in this conclusion:
>Sometimes, when the ProtonMail app is updated to a new version and that update is bigger and more incremental, that could happen.
That's unsatisfactory. However it does not address the complaint I had at the time that every once in a while a notification appears that tells me I have been logged out, with no explanation. I don't know if that still happens, as I cannot be bothered to keep logging in on my phone. I'll give it a new try now.
Retrieving that quote for you meant I had to browse my Protonmail archive. I could log in via web, but for some reason your TOTP works differently from everywhere else: I have to enter it every time, and there is no way for me to "remember this browser". I could use the Bridge, but for some reason the Bridge, too, logs me out whenever it feels like it. Again, I have to enter both factors with no option to trust permanently.
Do you see how these paper cuts could demotivate me?
I swapped last year around the end of November. I'm a fan of their filter DSL, which has let me keep my inbox pretty clean. I don't use desktop mail clients so the bridge thing doesn't bother me. Their web ui does just what I want it to, but their ios app doesn't seem to group conversations which is annoying.
I've been using ProtonMail for a couple of years. iOS client is usable and works fine. Web interface works fine with any browser I tried, including on Linux.
I had problems with Bridge on MacOS, but after learning that Apple Mail is reporting all e-mail metadata to Apple I stopped using it altogether. Don't know if ProtonMail fixed Bridge since then.
Definitely make sure to use this, or any email service, with a custom domain. You’ll have to get an appropriate subscription, but it pays for itself thousandfold when changing providers without having to reverse update your entire contact list.
Aside from that, yes I use proton, it’s fine. The Mac bridge is a joke but the rest works ok.
I have been using it for more than a year on Android as my primary email in an attempt to leave Gmail. I can recommend. The only issue is when an new email comes in it will group them together and show previously deleted emails in the group.
I use it regularly for both personal and professional use.
I now use the pm.me domain for my professional account, since it is easier to share (e.g. phone calls, SMS).
As a PM customer of almost a year, I'd definitely say they should focus more efforts on the UI/UX as opposed to advancing the crypto for now. What's the point of having the world's most cryptologically advanced, unusable inbox. Specifically conversation threading/nesting. I don't expect everyone to be as streamlined as say a Gmail, but basic "1 conversation - 1 email" in the inbox would be nice for starters.
I really really really like thier conversation threading. Because I get so many recurring transactional emails (eg bank statements, auto pay, etc) it makes it very easy for me to view ALL of these in one thread, and not take up a lot of space in my inbox.
Honestly I wish other providers would give me this sort of 'transactional email' conversation tie up because it's convienent. I can see in the last 12 months for example, I have always paid my gas bill on time, at a glance too!
While I appreciate advances in cryptography, I would rather protonmail work on things like getting their bridge returning properly formatted IMAP responses[1] so we can use whatever clients we want with it.
The mobile experience is fine, but desktop is brutal unless you happen to prefer one of the few clients they support.
I like protonmail and will likely move my domains to it. I don't use it for regular social, dating, or sales emails because it is a privacy brand that creates cognitive friction with people who don't get privacy and security.
If I wanted to grow protonmail, I would emphasize users moving domains to it because while the brand has exceptional trustworthiness, anything security and privacy themed runs into the "tacti-cool," problem, where even if it's the best available and used by real operators, it triggers peoples sense of illegitimacy, and depends with users who identify with a "rebel," e.g. "losing" team who are not attractive to other users.
IMO, the same problem killed Silent Circle, and the rest of the cryptophone market.
When you look at who overcame the tacti-cool problem in security and privacy, the way a brand like arcteryx did it in clothing, Apple's iPhone has done it in hardware, WhatsApp did it for messengers, and protonmail is just on the cusp of it.
There is an opportunity to build a new privacy brand that would be as big as a FAANG, and if I were running it, I'd fold protonmail into it.
To answer everyone here, I've been using ProtonMail for 6 months now (and protonvpn) and I love it. The iOS app is great, the web view could be improved but isn't bad.
Slightly OT, but I didn't see an important question being asked:
What is the motivating threat model of ProtonMail?
If I just want to access my email securely, that's done by HTTPS. If I want an end-to-end encrypted solution, ProtonMail can provide that, though only for emails between ProtonMail users. For e2e outside of ProtonMail, I can use PGP.
From what I understand, ProtonMail makes all the PGP stuff easier by baking it into their UI. Is there anything else it offers other than this convenience? Are they encrypting incoming mail with recipient keys and throwing away the original? If so, who is that protecting, and against whom? Presumably the plaintext was stored by the sender and possibly seen by intermediary servers. Can I get similar security properties by periodically downloading my email and deleting it off the server (assuming the deletion is actually happening)?
These are honest questions. I admit I'm skeptical of PM's utility, but I'd this fits someone's usecase and threat model, I can't argue with that.
I'm using ProtonMail because I'm trying to de-Google-Amazon-Facebook my life somewhat as another user mentions. I'm tired of being the product and am willing to pay for certain things.
Are they encrypting incoming mail with recipient keys and throwing away the original?
Yes we do. This mainly protects against service level requests for data in the future.
Can I get similar security properties by periodically downloading my email and deleting it off the server (assuming the deletion is actually happening)?
Yup, assuming you want to deal with that. ProtonMail is designed to give you a privacy focused option for email.
I quit ProtonMail / ProtonVPN after trying over and over and over again to import mail through their IMAP bridge. They won't provide an open API for interacting with their mail services so someone can write a better bridge, and their bridge is very slow, disconnects repeatedly, and basically makes any migrations impossible. If you're willing to start over with an empty mailbox, maybe ProtonMail is for you. I eventually gave up trying to move my mail account in (many tries, with Thunderbird in chunks, with Lamiral's awesome imapsync tool, you name it), and let them keep the money I paid for a year of ProtonMail Visionary.
I ended up using StartMail from the StartPage people. It's not perfect, but I was actually able to migrate to it and use it effectively.
Unsolicited opinion on ProtonMail: I'm a big fan. It's not as flashy as gmail, but so far my mails haven't been marked as spam, which was happening with zoho. Unfortunately, zoho doesn't provide free email forwarding, so the migration to PM is taking longer than hoped for.
I'll probably soon subscribe to PM for two reasons: to use the @pm.me domain for outgoing (currently only incoming), and for custom domain support. Also subscribing gets IMAP support (I think).
They represent vastly different philosophies. Fastmail is direct alternative to Gmail with good UI and UX but they're based in Australia and against message encryption as it impacts their UX (for example it's not possible to index encrypted messages). Protonmail is an OpenPGP company (they directly invest in OpenPGP.js) but have issues supporting other standards. For example IMAP/SMTP is available only through a bridge.
They’re based in Aus, but their servers are in the US (which is why I decided against switching from GMail to them in the end, and picked someone a little more local).
That means their servers cannot be directly accessed but since they're based in Australia the company can be compelled to install decryption software without notifying anyone.
I've used both for some time and decided to move to Fastmail and so far I am very satisfied.
Fastmail does one thing and does it well, email. There is no PGP support. Protonmail does PGP in the browser via a library that they serve you themselves which I find less than ideal. If you want to do it outside the browser you need to have a subscription and download a bridge software that needs to be running on your machine. With Fastmail if I need PGP in my email I do it via the GPGTools plugin for the Mail app which uses the system gpg installation.
I use both. Fastmail is more compatible with clients and has a good per-client security model. However it is based in Australia, which has increasingly insane digital privacy laws.
Proton mail has more advanced cryptographic features and my understanding is that your email is encrypted so they can't offer it up to third parties without your consent (or at least stealing your password.) The usability is not as good: search often does not work very well (I believe this is due to the encrypted nature of it) and there are only a handful of local clients you can use via their bridge. The mobile app is pretty good, the web app is acceptable but clunky.
I use fastmail for day to day stuff I don't care too much about and protonmail for my more important/personal stuff. Both support custom domains so you can move your email to another provider if you get sick of one.
About this point: "- can't really configure your chosen email client to it..."
Do you have any experience with using the IMAP Bridge? It is a daemon you run locally that translates between Protonmail's internal protocol and IMAP, to let you use your email client of choice. I'm using it and it seems to be working OK in my experience, but I don't use my Protonmail account heavily.
Fastmail is a great host and I liked their iOS app. ProtonMail seems like a good idea but promising secure email and secrecy as an mail provider isn’t really realistic at all.
For example, they claim, "We have chosen a particular elliptic curve system known as X25519, which is fast, secure, and particularly resistant to timing attacks. It’s simple to implement".
However, previously they've said that they use Indutny's library [0]. This library is somewhat infamous because its leadership deciding to discard any pretense of defending against timing attacks on the grounds that would make the library "too slow." [1]
There are other options. They could have used something with good timing attack resistance from WebCrypto. Those options exist. Folks with more skill than I have recommended P-256 as an option.
[0]: https://protonmail.com/blog/openpgpjs-3-release/
[1]: https://github.com/indutny/elliptic/issues/128#issuecomment-...