ProtonMail Complied with 5,957 Data Requests in 2022 – Still Secure and Private? (restoreprivacy.com)
84 points by bluish29 on Aug 18, 2023 | 107 comments



Edit: removed some statements for legal reasons. Bottom line is that too many weird unexpected things are still happening to people’s emails and attachments. ProtonMail isn’t helping themselves when their communication is “just upload your private key to our servers and then everything will work great again because we can sign your emails with your key for you! But don’t worry, we don’t have access to keys. We just use them to sign emails after it’s uploaded to our servers. The key we don’t have access to after it’s uploaded to our servers. That we then use to sign emails with forevermore.”

ProtonMail’s communication needs to be a lot more clear on these issues, they need a dumb docs page or slideshow or YouTube video that address all the concerns in a super concise way that can be linked when these concerns come up.

And especially they need a warrant canary that says “we’ve never handed a government the contents of a private account’s emails or the metadata for when/whom they sent/received emails from”.

—————————-

Definitely not[0].

Black market sellers are often kicked off protonmail for “illegal activity”.

LavaBit was probably the last “secure” email provider, they got an NSL for Edward Snowden and chose to fold up the entire company rather than carry out the orders in the NSL.

CounterMail may deserve an honorable mention, but you’d likely want all parties that you need to communicate securely with to also have a countermail account and it’s invite-only. P.S. I would love an invite if anyone has one: HNrunnerup@protonmail.com

0: https://news.ycombinator.com/item?id=36639530


That isn't really fair. If you read the article, protonmail essentially supplied the FBI the recovery email of the account. This is metadata that protonmail must have that isn't encrypted by the user for obvious reasons.

Regarding the "MITM" for every email sent, this is related to their "bridge" software which allows regular IMAP/SMTP software to use Proton Mail. This software must edit the emails to encrypt them in their scheme.

This software is open source and can be inspected and/or built locally. https://github.com/ProtonMail/proton-bridge


No one can ever know Protonmail is really encrypting mails. Open-sourcing a piece of software doesn't really mean that Protonmail deployed that and also doesn't really mean that you are using their promised encryption.


Surely they could have an audit/attestation by 3rd party?


Yes, but did they?



Worldcom passed audit, I recall. Enron too. FTC gave Bernie approval. How about FTX? Remember once upon a time there was a big 5, with one of them being Arthur Andersen? Did anyone audit Securitum? And oh yeah, did anyone actually verify what is being audited and what is not? When there is so much info about a compromised Protonmail to law enforcers that Proton didn't even actively deny, I give Securitum as much confidence as AA 2 decades ago.


In your logic it seems impossible to be considered secure, since audits do not matter. Which email service do you consider secure and why?


you can also build it yourself


You can read some forums and head over to mastodon or discord. Protonmail isn't secure. Some seems to hint compromised. Use it like what you would with Gmail or Yahoo. As for paying, no thanks. Nothing secure about it. You get more security buying separate VPN and even having qqmail (yes, Xi can read your email, but won't have the authority to send law enforcers to your home in Oslo or NY). NSA and CIA can...but will have zero chance of reading your qqmail.


You're shifting the effort on the others instead of providing convincing arguments. That is not very convincing.


I mean, what are people's expectations here? If you're sensible, you don't sign up for Proton Mail believing that the FBI will never be able to read your email. You sign up with the expectation that Proton Mail will follow the laws of Switzerland and only disclose information when they must do so under Swiss law.

What more do you want from them?


I use it expecting they will not sell my data to third parties or use it for things like AI training. I'd expect Google, Microsoft, etc to do this.


I think Tutanota [0] is also worth mentioning with their transparent reports and warrant canary in place

0: https://tutanota.com/blog/transparency-report/


Do you have any proof that they store all the keys to emails? Because in none of the cited cases did they provide email contents to law enforcement, only data that you know is not encrypted, like recovery email.


Your encryption key is stored encrypted so that we have no access to it. It is decrypted when you enter your password, which we have no access to. The article above confirms that, in fact, and all of these cases are proof that our encryption cannot be bypassed by legal means. All the data stored encrypted on our servers (email content, calendars, attachments, etc.) is inaccessible to us: https://proton.me/blog/zero-access-encryption. All we can provide is the unencrypted metadata which we need to have access to in order for the services to work properly.


> However, after receiving the email, we encrypt it immediately using the Proton Mail account owner’s public encryption key.

Email contents could still be siphoned, copied and shipped before the encryption process starts.

How can you clarify that does not occur between then and that?


For emails between Proton Mail users, it's end-to-end encrypted, meaning the encryption happens client side before the message even reaches the Proton server. If a message is coming from Gmail, then of course that cannot be encrypted until it reaches the server, unless of course the Gmail user is using PGP, which Proton Mail is interoperable with.


How do you suggest they technically not read the email at all? It is delivered unencrypted by Gmail, what do you want protonmail to do with it?


Well they double pinky promise, of course


Hmm? Trusting their client aside (a huge issue with any secure service), I do seem to remember the key being used client-side with password-protection, i.e. not accessible to their server. Am I misremembering something?

The part that is easier to misunderstand is encryption-at-rest, where normal emails are still readable at ingress before they are encrypted with an appropriate public key.

Also, secure and private != willing and capable of hosting illegal activity. They can kick suspicious behavior without having to read your emails.


Yes your encryption key is stored encrypted so that we have no access to it. It is decrypted when you enter your password, which we have no access to. The article above confirms that, in fact, and all of these cases are proof that our encryption cannot be bypassed by legal means. All the data stored encrypted on our servers (email content, calendars, attachments, etc.) is inaccessible to us: https://proton.me/blog/zero-access-encryption. All we can provide is the unencrypted metadata which we need to have access to in order for the services to work properly.


Do you know how Proton Mail actually works? Encryption keys are encrypted client side so Proton never has access to your private key, just an encrypted copy that cannot be decrypted server side.


I might be missing something, but how are the keys decrypted? Isn't it using the password? I assume the passwords are hashed on the server, but how would we know if you are storing the nonhashed password when we log in?


You're asking for a negative proof. How do you want an email provider to demonstrate they are not storing your nonhashed password? I don't see how that's feasible. Audits are a step in that direction, but it's not like mathematical proof.


That is my point. The protonmail person said they never have access to the decrypted key. As far as I can tell they can't prove it.


So we agree you are asking for something impossible to prove? Not sure you got my point.


I agree it is impossible. I don't like their claims that they don't have access to the decrypted keys and we can prove it by looking at the code. They could have access to the keys and looking at the code wouldn't prove they don't.


I understand but I read the statement differently. It's a description of their security model simply. Sure they could be lying like any other company, so a certain amount of trust is required.

Unless you read and compiled the code yourself and run it locally, some level of trust is always required.


Proton Mail is open source, anybody can review the code to see that that clearly is not the case.


I haven't reviewed all the code, but my question would be related to the back end which I can't find the source for. Even if the back end is open source we wouldn't know if that is the same code on the servers.


Ah, I tried to boot up my old account but it looks like it's been deleted from being in the free tier too long. I cancelled my subscription after they had a nearly week long downtime.


Mine has been in the free tier forever, never use it, and it is still fine.


It's a shame because it would seem to be easy to make protonmail but low hanging fruit fixed.

Similarly it seems relatively easy for signal to move away from needing a phone number.

I don't know how good Session and Simplex are.


We've got to get better at securing email, and I've been really impressed with protonmail (not currently using them myself though).

Consider Gmail, they send 20% of outbound email as clear text and 4% inbound is unencrypted[1]. Of the encrypted email, it's unclear how much actually validates DNSSEC/DANE or a trustworthy CA and refuses to send when these are missing.

Encryption on email is generally about as secure as using http:// for 20% of your web browsing and ignoring certificate errors when you use https://. We tolerate it because email clients generally don't warn end users when this happens and there's not much we can do without harming delivery.

Worrying about legally compelled metadata sharing misses the larger context email operates in.

[1] https://transparencyreport.google.com/safer-email/overview?h...


I got into a discussion at IETF with some people over email security a few years ago. The reality is, email was invented in the 70s. It’s missing all the modern messaging related crypto innovations (E2E security, signing, encryption, otr messaging, etc). And there’s very little interest amongst the big email providers in overhauling email to add these features. Even if some niche email providers have good security, if the person you’re communicating with uses gmail or something you’re still screwed.

If you want a communications system that’s safe from government snooping, don’t use email. Stick to signal or maybe WhatsApp. Or if you must, self host. At least then the court order to see your server will come to you.


Protonmail is perfectly safe (for now) as long as you use it through Tor (https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7...) or a VPN so they don't log your IP and don't provide real recovery information.


It's only safe if you're only talking to other people who also use protonmail (ideally also through tor). As soon as your email thread includes people on gmail, the government can just ask them for the email thread.

And if you're restricting your conversation to people on protonmail for security, why bother with email at all? Seems easier to just put the conversation on signal anyway. And then you get all of signal's other security benefits, like E2E encryption, crypto ratcheting, disappearing messages and so on.


Have you tried registering an account on proton via Tor? I get a prompt to verify my phone number or give them a recovery mail (trash mailers are blocked) 99% of the time.


it might have changed recently but i have previously created accounts by providing trash mailer addresses during creation.


It is not possible to sign up over Tor (neither through their .onion nor through proton.me) without providing a non-disposable verification email address or a non-cryptocurrency payment method.

This second restriction is especially damning: They accept cryptocurrency, but only for existing accounts - after you've already doxxed yourself.


so, the question is here how safe tor is.


do they not verify the recovery email before account activation? how do you not provide a real recovery mail?


Get a free domain name, set up a mail server and receive your confirmation email. Then switch to a recovery phrase, get rid of the whole domain name.


You can remove the recovery info after registration.


you can get around by using disposable mail services.


No, those are generally blacklisted by Proton.


Those services require coughing up your phone number to use. And since recovery emails are apparently the weakness used in proton's case, not the encryption of the mailbox, that sounds worse.


You don't have to have a recovery method on your Proton account, it's optional. You can also use a recovery phrase instead of having a recovery email on your account: https://proton.me/support/set-account-recovery-methods.


i self host email now. for the past 3 years. It's been relatively painless experience so i can only sing praises.

The idea that "as the webmaster of the email server, i could get a notice and i can conveniently, confidently say "fuck off" sounds fun".

This isn't about protecting pedos or serious bad people but dmca nonsense or such "legal requests" that you are confident you can say no.


For a very long time I saw articles on self hosting, where people complain that their emails are filtered out by big providers and it is no longer feasible. How do you deal with this part?


yes. i will give you my personal experience from 3 years ago and last month.

3 years ago:

gmail/outlook was an ass. They marked all emails as spam. I had to call recipients to check spam and mark as not spam. this was on-off for the first few months. then things went good on their own. They would mark spam initially all emails, then emails with attachments then once marked as not spam, things got better.

today i have 0 issues in outgoing email. funnily, i have a website that sends me emails and there is some unknown problem on "receiving emails". just one website so haven't had much look into it.

last month: followed the same setup and gmail/outlook made no complaints. this was surprising to me as i deliberately sent attachments but nothing.

one thing to note. i once sent 15-20 mails in bulk (not cc/bcc but separate) at once and that triggered some spam response. marked as not spam fixed it though on recipient side.

both times i used mailinabox and a cheap vps from lowendbox deals. racknerd or something on offer.

takes 1 hour almost from domain/vps purchase to full setup and sending emails. backup on backblaze b2.

takes 5 minutes every 6 odd months to update the software but that's about it.


I recently set up my own self-hosted email solution again and made sure to do all of these things:

    * Proper A and MX record set up in DNS per SMTP standards
    * Proper SPF record in DNS
    * Proper DMARC record in DNS
    * Proper DKIM record in DNS
    * SMTP server (postfix) is not configured as an open relay
    * SMTP server is configured with a DKIM milter to sign outgoing messages

I used basic guides for the DMARC/DKIM stuff since that was new to me and tested with a Gmail account. The first few messages were marked as spam but I was able to unmark them. Once I was able to verify a correct SMTP setup, after two or three unmarkings, all messages were just delivered normally and no longer marked as spam. Google will even email you a report to help debug issues if your DMARC record is set up for it.

As far as I know this is about the best you can do. Everything else is pretty much getting your mail server IP addresses removed from various blacklists which can be easy to impossible depending on the service. The other option would be to forward to another service that allows relaying and has IP addresses with better spam scores but I personally prefer to avoid that.
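An offline lint for the SPF, DMARC and DKIM TXT records named in the checklist above, added here as an example and not part of the original comment. The domain `example.org`, the report address and the key material (zero-byte filler, not real keys) are constructed, and the RSA size check is a length heuristic.

```python
"""Lint SPF, DMARC and DKIM TXT records for a self-hosted mail domain (offline)."""
import base64
import binascii

# Terms that each cost one DNS lookup; RFC 7208 section 4.6.4 caps them at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# Heuristic: a 2048-bit RSA SubjectPublicKeyInfo is about 294 bytes of DER.
MIN_RSA_2048_SPKI = 290


def parse_tags(record):
    """Parse the 'k=v; k=v' tag list used by DKIM and DMARC into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_spf(record):
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["spf: record does not start with v=spf1"]
    findings, lookups, all_term, has_redirect = [], 0, None, False
    for term in terms[1:]:
        bare = term.lstrip("+-~?")
        name = bare.replace("=", ":").replace("/", ":").split(":")[0]
        lookups += name in LOOKUP_TERMS
        has_redirect = has_redirect or name == "redirect"
        if name == "all" and all_term is None:
            all_term = term
    if all_term in ("all", "+all"):
        findings.append("spf: +all authorizes every host to send for the domain")
    elif all_term == "?all" or (all_term is None and not has_redirect):
        findings.append("spf: result for unlisted hosts is neutral, not a fail")
    if lookups > 10:
        findings.append(f"spf: {lookups} DNS-lookup terms exceed the limit of 10")
    return findings


def lint_dmarc(record):
    if not record.strip().lower().startswith("v=dmarc1"):
        return ["dmarc: record does not start with v=DMARC1"]
    tags, findings = parse_tags(record), []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("dmarc: missing or invalid p= policy")
    elif policy == "none":
        findings.append("dmarc: p=none only monitors; failing mail is delivered")
    if "rua" not in tags:
        findings.append("dmarc: no rua= address, so no aggregate reports arrive")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"dmarc: pct={pct} applies the policy to part of the mail")
    return findings


def lint_dkim(record):
    tags, findings = parse_tags(record), []
    key_b64 = "".join(tags.get("p", "").split())
    if not key_b64:
        return ["dkim: empty or missing p= (key absent or revoked)"]
    try:
        key = base64.b64decode(key_b64, validate=True)
    except (binascii.Error, ValueError):
        return ["dkim: p= is not valid base64"]
    if tags.get("k", "rsa").lower() == "rsa" and len(key) < MIN_RSA_2048_SPKI:
        findings.append("dkim: RSA key looks shorter than 2048 bits")
    if "y" in tags.get("t", "").lower().split(":"):
        findings.append("dkim: t=y marks the domain as still testing DKIM")
    return findings


def audit(records):
    """Run all three linters over a dict with 'spf', 'dmarc' and 'dkim' keys."""
    return (lint_spf(records["spf"]) + lint_dmarc(records["dmarc"])
            + lint_dkim(records["dkim"]))


# Constructed sample records for the hypothetical domain example.org.
FILLER_1024 = base64.b64encode(bytes(162)).decode()  # filler, not a real key
FILLER_2048 = base64.b64encode(bytes(294)).decode()  # filler, not a real key

WEAK = {
    "spf": "v=spf1 a mx +all",
    "dmarc": "v=DMARC1; p=none",
    "dkim": "v=DKIM1; k=rsa; t=y; p=" + FILLER_1024,
}
FIXED = {
    "spf": "v=spf1 a mx -all",
    "dmarc": "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.org",
    "dkim": "v=DKIM1; k=rsa; p=" + FILLER_2048,
}

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit(records) or "no findings")
```
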


Choose a host that is not lax on spammers and guard your IP well. Don't use something with a fast moving shared IP pool like a vm. A dedicated server is best.

Do not bring your server up without securing the email setup and setting up essentially useless things like DKIM, SPF (and DMARC). Large providers want to see those.

If you get into a block list, know quickly and fix quickly.

Use a well established domain suffix like .com. The cheap vanity ones are usually blocked more.

If you need software recommendations, there is nothing Postfix+Dovecot cannot do.


The easiest way is to use an SMTP service like smtp2go to send the emails but I am not sure if it invalidates the point (you still host the email server, just not the SMTP side).


this is useful for doing mailing lists delivery and other mass email stuff. for regular office/personal use, self-hosted email works fine


I run my own self-hosted email server for the last 15 years but I had to move to this hybrid system recently because Microsoft (outlook.com, hotmail.com, etc) blocked all the IPs of my hosting company. It is a shame but there's no point appealing (which I tried anyway). So it may or may not work, it depends on luck mostly.


You forgot mixing. Even with E2E encryption, 5 eyes could still capture traffic metadata and identify who is talking to who.


>Stick to signal or maybe WhatsApp

Or Session?


I just googled that to be polite. Looks like signal, except missing all my contacts. What advantage does Session have over signal that might make it worth moving my social network?


I believe session does not require a phone number to create an account, vs signal which (from memory) does which has privacy implications.


No phone number or email to use Session. Session is a fork of Signal. Each communication is decentralised. My biggest concern is they are based in Australia, which has even worse backdoor baying for blood than USA. Some details here. https://optf.ngo/

(typo - wrong link corrected)


Regardless of whether they’re secure or private they have to comply with data requests. They’re not outside of the law.

Edit: of course if they kept minimal logs & user information would help when law enforcement came knocking. Can’t give what you don’t have


That's what I don't understand about these click-bait titles -- some people live in some lawless alternative reality, what do they expect? That a company will hire some warriors resisting a lawful order by the state they operate under?

I'm all for privacy, and indeed, stored data should be kept to a minimum. But if a lawful order against a criminal is complied with, I definitely won't cry murder.


> But if a lawful order against a criminal is complied with, I definitely won't cry murder.

The problem is that Proton markets themselves as "secure, encrypted email" when in reality they have access to all your stuff and say they don't.

What I would expect from a service that kept their word: police knocks at their door, they say "sorry we cannot give you data we don't have, we don't keep records here".

They would probably battle against the authorities in court, but that should be the modus operandi if you care about your users privacy in the first place. Proton doesn't do that.

They say they are under strong Swiss laws but any subpoena or warrant they get, they just comply with it instead of battling it.

cock.li is a provider handled by a single person only and he received several gag orders and never complied to one of them, and he lives in the US. At least the guy is honest and tells people that if you're worried about privacy, you should know that he can read your emails whenever he wants to.

The problem here is that Proton sold itself as a privacy-first service that would protect you from the authorities, but it turns out it's just as normal a service as Gmail or Outlook.


Note that this is a false statement. The cases such as this show that our encryption provides privacy by default: we are not able to provide any of the content stored encrypted on our servers to third-parties, even when presented with a data request we cannot legally contest. All we can provide is the limited data which we need to have anyway for the services to function.

You can learn more in our Privacy Policy (https://proton.me/legal/privacy), Threat model (https://proton.me/blog/protonmail-threat-model, available publicly since the beginning), and in this support article: https://proton.me/support/proton-mail-encryption-explained.

You can also see in the Transparency report that we contest all of the legal requests we have any legal ground to contest. We are also working on improving the Swiss privacy legislation (which is already one of the strictest in the world) further - we won a major court case in 2021: https://proton.me/blog/court-strengthens-email-privacy.


> What I would expect from a service that kept their word: police knocks at their door, they say "sorry we cannot give you data we don't have, we don't keep records here".

I could see the proper legal (IANAL) answer (for a fully E2E encrypted system) would probably be something like:

    Sure, we will gladly comply as legally obligated to, you will find the whole of the requested data we can provide attached.

    <zip file>

The zip file would contain an index.txt with:

    This is all the content we have access to, which is none at all. This is not a bug, and neither is it a refusal to comply. We do not have access to any other data as it is encrypted when it leaves the user premises.

And maybe a csv file with headers matching the requested data fields but zero rows.

The difference being one doesn't say "no we can't" to law enforcement, instead say "yes, but the result is empty"


Thanks for proving my alternative reality point!


Mullvad and CounterMail allegedly do a good job of this (retaining no user data). However, USA authorities occasionally look into what it would take, in a legal sense, to force companies to write and distribute edited code to gain more access to customer data that the company immediately lacks[0]. For now it’s probably a bridge too far for law enforcement agencies, but one can never be sure about the future.

0: https://archive.is/jd7LT


Unfortunately, their model isn't resistant to these requests as it should be.

You either build your model to be resistant to a data request (user controlled keys that never leave the device), or you don't even come to the table.


This is already the case with Proton Mail. Your encryption key is stored encrypted so that we have no access to it. It is decrypted when you enter your password, which we have no access to. The article above confirms that, in fact, and all of these cases are proof that our encryption cannot be bypassed by legal means. All the data stored encrypted on our servers (email content, calendars, attachments, etc.) is inaccessible to us: https://proton.me/blog/zero-access-encryption. All we can provide is the unencrypted metadata which we need to have access to in order for the services to work properly.


This is fundamentally incompatible with software updates. The keys must not just never leave the device, both the key distribution and what the software does with decrypted data must be locked as well. Which means it must be impossible for the software to update, as the government could use force to compel a company to hack its own users.

This means that the cloud model, where code is downloaded through a web browser, is right out. Regardless of where the keys are.


> as the government could use force to compel a company to hack its own users.

Currently, in the USA, the most generally accepted view among legal scholars is that this is not legal for the government to do -- mainly because of a view that it's a particular form of compelled speech / forced labor which is unconstitutional for the government to compel.

It is, however, an avenue that the law enforcement community does occasionally investigate as a possible route to get what they want. There's no clear court ruling as no cases have gone that far.


That's currently the case, isn't it?

All the encryption/decryption happens locally (inside your browser/client).

That's why, if you want to full text search in proton you have to download your complete history into your browser.


Their website advertises they are a Swiss company and "your data is protected by strict Swiss privacy laws and Swiss neutrality".

With that statement, I don't expect they have to be compliant with FBI or US laws. If that's Swiss court, it's fair game... but no way for FBI.


The FBI can request assistance from a Swiss court and the Swiss government may assist in some cases, and that's what happened here. That being said, even in such cases, emails cannot be decrypted, which was proven again in this case.


Have you ever heard about the term "lawyer"?


Why does Proton store IP addresses in the first place? If they didn't have them, they couldn't give them out. Same with the recovery email. They should write a warning next to it, so that you can then decide for yourself whether a recovery email is advantageous or harmful for your own threat model.


Most of this metadata is kept only temporarily, including IP addresses, which you can read more about in our Threat model (https://proton.me/blog/protonmail-threat-model), Privacy Policy (https://proton.me/legal/privacy) and this article (https://proton.me/blog/enhancing-protection-information-for-...). By default, we don't retain IP addresses permanently. Your signup (account creation) IP address is temporarily kept for abuse-prevention purposes, and can be retained indefinitely if your account is found to be engaged in activities that breach our terms and conditions (spamming, DDoS attacks against our infrastructure, brute force attacks, etc). The legal basis of this processing is our legitimate interest to protect our Services against nefarious activities. If your threat model includes anonymity, we recommend that you follow the advice shared at the end of the Restore Privacy article above.

For the majority of users, it's better to have a recovery email on their account, as the risk of losing their password is higher than the risk of being targeted by a legal request. However, even in those cases you can have both, by setting up a new email address which you don't use for anything else as a recovery email.


Why is the recovery email forced? Can't this be an option if the user wants to have one saved when signing up?


For signup it seems a non-disposable recovery email or a phone number is required. After signup you can remove those (and add other ways to recover if you wish).


Recovery email is not forced, it's optional.


True for the IP addresses. They do have a feature for access logs to your account though. Maybe it's because of that?


This feature is off by default, and if you enable authentication logging for your Account or voluntarily participate in Proton's advanced security program, the record of your login IP addresses is kept for as long as the feature is enabled. However, the IP logs from before the feature is turned on and from after it is disabled are not kept.


I've come to the conclusion that email will never be secure. I've settled for keeping my email data out of the hands of banks and advertisers by using Fastmail, and wildcard aliases. If I were doing any kind of journalism, politics or security sensitive work (I'm not), I would rely on solutions that are built on a foundation of end to end encryption like Signal. I try to use Signal as much as possible not because I'm discussing sensitive things, but just because I want more people to use it so that it's mainstream and using it doesn't automatically become a suspicious activity.


To be fair, it's unrealistic to think these services will fight the government. The problem is the law and the out of control governments.


Another member in the long tradition of swiss cryptography? https://en.wikipedia.org/wiki/Crypto_AG


There is no comparison between Crypto AG and us. Our encryption occurs client-side, our crypto code is open source (https://proton.me/blog/openpgpjs-3-release), and our tech can and has been independently verified.

The cases mentioned in the article above actually confirm that our encryption works as advertised and cannot be bypassed by legal means - we are not able to share any content stored encrypted on our servers, because we don't have access to it.


If you refuse to share IP addresses with police or other gov services, you're essentially running a clandestine service, which Protonmail is not.

But they can't share actual data if everything is encrypted.


They also have a few annoying bugs and missing features:

- Does not use the email notification sound on iOS

- Cannot open iCal attachments in the system Calendar on iOS - this is infuriating!

- Proton Calendar itself doesn't support shared calendars, despite being advertised as 'for business'. Almost every business needs a calendar that multiple people can modify.

Aside from that I've been generally satisfied, but the problems mean I can't recommend Proton for a business.


Thank you for your feedback! Note that shared calendars are supported: https://proton.me/support/share-calendar-with-proton-users. Currently, only Proton users can edit the calendars, though. The other two suggestions have been passed to our team internally.


Besides the fact that once you create your account you are automatically subscribed to their newsletter and you have to manually opt out of it once your account is created. I grew tired of receiving marketing emails from them and I didn't remember opting in to receiving those BS emails.


The amount of people commenting here that protonmail's privacy or security is insufficient without even having read up on their security model and/or without the slightest understanding of encryption is staggering. What's happening?

I'm sincerely curious, I'd like to understand why protonmail is getting so much hate on HN, is it they are getting too mainstream?...


Wth! Proton provides privacy not bulletproof email hosting! If the government is investigating a crime, of course proton will comply!

Does the writer of the article even consider who the audience of the "opsec" section are? Unless I am missing something about Swiss law, that section is advising criminals who wish to evade the law.


Any actual privacy must be equally efficacious to lawful and unlawful users, as being able to discern between them inherently indicates leaked data.

I use Proton, and the metadata they do keep unencrypted would only be useful to LE/feds if some other source (ISP, IXP, OS, etc) has given up info, which you certainly can't blame Proton for.

The article is bad for trying to insinuate that responding to warrants indicates failed security, when the reality is that what you respond with is what matters, and in this case it appears to be metadata only.

Warrant canaries are useless in any jurisdiction that partners with foreign police and courts. At that point, you need an "unencrypted content sharing canary".


If you need security or privacy, there's an app for that™, and it ain't email.

Email wasn't designed to be such, and trying to workaround the design to make it, is fragile and error prone, with multiple opsec pitfalls, it's practically impossible long term.



article says that "All businesses must comply with the laws in the countries where they are legally based.", right after listing requests from usa and france that the company accepted and cooperated. what a joke this company is. i can use pgp with any provider. don't need to be sold a piece of hot steaming shit and told it's a chocolate cake.


Countries have agreements between them, and Protonmail only complied to French requests when the French government did the right process in a Swiss court. In other words Protonmail had to comply to respect the Swiss law.

Not sure what happened with the US, but US is a bit special because they have extraterritorial laws (i.e. laws that apply everywhere in the world) and the means to enforce it. Because the USD is used as an international money, and the US position in the world, if the US wants to punish you they'll find a way even if you're based outside US.


The US govt can also come to Swiss courts, which does happen from time to time. But again, there's no way to decrypt emails which are encrypted.


I don't think the Swiss will want to piss off either France or the USA on these issues.

I also see that ProtonMail is headquartered in Geneva, about 2km from the French border... which I suspect means that a fair number of employees commute from France on a daily basis...


> employees commute from France

What does this imply?


Maybe a reference to Hervé Falciani? I find the comment pertinent, no offence to you Frontalier. You can thank guys like Falciani if lots of bank jobs in Switzerland also require residence in Switzerland now.


Another question I have is: "If governments have nothing to hide (apparently we don’t so they shouldn’t, no ? They said to me they are my equal and truthful protectors), shouldn’t they be legally obligated to warn users when their data/info have been requested by any entity ?"


There is indeed an obligation to notify under Swiss law.


A bit of a tangent, but one thing that annoys me is I get at a minimum 3 spam emails a week in my inbox. That hasn't improved for the past 5 years that I had it.


Interesting, after many years, I've gotten none. (I've also never given out my email address...)



