Thoughts on Proton Mail (and their cloud) - How reliable are they?

Hi all, I was just reading through this thread https://forum.level1techs.com/t/best-email-service/ and started shifting some of my core addresses to Proton Mail and I like that everything is encrypted through GPG.

It’s a shame there are only 3 domains that one can add on the higher plan, but it’s cheaper than $4/month for each account on Workmail - I’m running a few and basically doing redirection.

The reason I’m going for a paid solution is because they all automatically set up:

  • SPF
  • DKIM
  • DMARC
  • another fancy email related tech (pat-pending)…

…and it’s that last part. With more domains to support into the future, I don’t want to have to spend my time supporting “yet-another-service” of my own. I have enough CI/CD to manage as it is.

So, how “secure” and reliable is the Proton cloud vs say Google/AWS? Is Proton fully run by CERN?

Oh, if you want to send me some fun GPG signed messages you can do so by sending electrons to [email protected] - hehe, see what I did there? Yeah :man_facepalming:

Thanks,
Mike.

1 Like
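As an added example (not part of the thread, and not Proton’s code), the check a domain owner would run on the SPF and DMARC records a provider publishes: it parses the records and flags the weak settings (`+all`, `p=none`, no `rua`, partial `pct`). The domains and records below are constructed; in practice you fetch the TXT records at `<domain>` and `_dmarc.<domain>` with a DNS resolver and pass the strings in.

```python
# Constructed sample records for hypothetical domains, not real DNS data.
SAMPLE_RECORDS = {  # domain -> (SPF TXT at <domain>, DMARC TXT at _dmarc.<domain>)
    "example-good.test": ("v=spf1 include:_spf.provider.example -all",
                          "v=DMARC1; p=reject; rua=mailto:dmarc@example-good.test"),
    "example-weak.test": ("v=spf1 include:_spf.provider.example all",
                          "v=DMARC1; p=none; pct=50"),
}

def parse_dmarc(record):
    """Split a DMARC TXT record into a dict of lower-cased tag -> value."""
    tags = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags

def spf_findings(record):
    """Return weaknesses in an SPF record; the 'all' qualifier decides policy."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["missing or unrecognised SPF version tag"]
    qualifier = None
    for term in terms[1:]:
        if term.lstrip("+-~?").lower() == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"  # bare 'all' = pass
    weak = {None: "no 'all' mechanism: unlisted senders are not rejected",
            "+": "'+all' lets any host send as this domain",
            "?": "'?all' is neutral: unlisted senders neither pass nor fail"}
    return [weak[qualifier]] if qualifier in weak else []  # '-all' / '~all' constrain

def dmarc_findings(record):
    """Return weaknesses in a DMARC record (empty list means OK)."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]
    if tags.get("v") != "DMARC1":
        return ["missing or unrecognised DMARC version tag"]
    findings = []
    if "p" not in tags:
        findings.append("no 'p' tag: record is invalid")
    elif tags["p"] == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no 'rua' tag: you will not receive aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail")
    return findings
```

Run `spf_findings` and `dmarc_findings` on each domain in `SAMPLE_RECORDS`: the good domain returns two empty lists, the weak one three DMARC findings and one SPF finding.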

Hi, I’ve been using protonmail for a few years, and they have been reliable for me.

Not encountered emails being blocked or anything.

I am sure it is not run by CERN though, just started by ex-CERN guys.

The guys seem fine, and have even been on podcasts over what they relinquish to police.

They will give stuff to police upon a warrant, but anything you encrypt, IIRC they don’t have keys to.

They can see who mailed in, or to whom outgoing mails went, and IPs used and such.

Their bridge also allows for integration with Thunderbird too, which is super cool.

4 Likes

I’ve used Protonmail since 2018 and they seem to be fine so far.

They’re caught up with some issues involving lawful court warrants, but there is no avoiding that because a business is going to be bound by a jurisdiction somewhere and it has to follow a country’s laws somehow.

There is this minor issue with Proton Wallets but I am not directly affected by this.

Just a minor caveat with their E2EE: it only applies to sending (and receiving) mail to other Proton accounts exclusively. Proton <== ==> Gmail (or other mail providers) isn’t encrypted.

1 Like

Ohh that’s lovely, thanks for the Thunderbird tip

1 Like

Yup, that’s fine. I’ve included my public key as an attachment in outgoing mail for anyone wanting to use GPG.

Lost interest in GPG since the ol’ trade ban of PGP. Have you encountered people in the flesh who actually use it for email?

In one of my past roles, I set up GPG and signed everything via Thunderbird; doesn’t hurt to have an extra layer to keep emails private, since it’s work stuff.

Old habits die hard hehe.

4 Likes

I’ve been using Protonmail (and their other products since conception) for years and with custom domains too.
Very reliable and no dark patterns in the user interface.
They have passed security audits and their privacy is tested in court.

My only complaint is that you can only do SMTP with a Business Account or through their Bridge - but that’s not much of a problem for me personally.

2 Likes

I have used Proton services for a number of years now and I have yet to be disappointed. Now, do understand that while their goal is to eventually be a direct competitor with Google, they aren’t there yet and will openly admit it. And the path to get there is a multiyear plan with the philosophy of not releasing products or services until they are ready.

1 Like

@bsodmike My understanding of Proton Mail email encryption is that only emails between Proton Mail members are encrypted; for example, emails between Gmail and Proton Mail are not encrypted. I could be wrong.

2 Likes

That is for sure the way I understand it.

Then, like you said, GPG for contacting anyone via email, unless they have Proton / compatible.

It also means incoming mail can be read in the clear, like normal email.

2 Likes

I assume email isn’t a secure form of communication. But that’s just me; I probably overreact when it comes to security. I just think government agencies are always spying on me, and there isn’t anything I can do about it, except not be online.

2 Likes

I also count email and a bunch of stuff, as open.

Same with SMS and voice calls

1 Like

Yes, SMS and voice calls are definitely open. It is the nature of the protocol used.

1 Like

IIRC, SMS is technically encrypted, but with a very weak algo.

2 Likes

very weak algo = open communication.

1 Like

Email in its simplest form is completely insecure. But with numerous encryption schemes it becomes much more secure (PGP to name one). As for how that applies to Proton, the general comments are correct in stating that external emails aren’t E2E encrypted, but all the contents on their server are encrypted and inaccessible to them. Thus if LE does get it via legal means, all they get is encrypted data. But that isn’t to say LE can obtain the same content on the other end.

Right, so as long as:

  1. Proton AG encrypts data at rest and in transit… (if!)
  2. Emails are encrypted via GPG (as per their platform and tools)…
  3. …and the other recipient is also a Proton email…
  4. OR a 3rd party email BUT they also sign via PGP

…then we can assume it’s E2E encrypted and cannot be accessed by any LE/Govt actor? :man_shrugging:

P.S. transit means not only internal to Proton but from our local clients, so MITM SSL attacks etc etc can be a factor but still we assume that GPG/PGP will guard against that. Right?

OT: I’m debating moving 3x AWS Workmail accounts to a Proton Unlimited account.

$9.99 vs $4 x3 = savings of $24/year. All this will do is redirect mail to other mailboxes though, security isn’t as paramount for these, but they cannot throw up errors or drop mail.

Workmail offers 50MB/account, with Proton Unlimited 500GB shared, so this looks like a good option. And I get “catch all” as well.

Thoughts?

No, I would say Proton-to-Proton may be encrypted transparently, but… if going outside, I would manually encrypt it… But… easy enough to test.

Whenever I send to a non-Proton mail, it is in the clear. I don’t have access to any other encrypted platform.

As in, expect compromise, and double up, just in case…

1 Like