I use both, but Proton is more feature rich. Never mind the fact that this is the first company I’ve seen that lowers its prices because they are making good money. That alone is worth a shot.
I really like Proton.
I’m a proton unlimited subscriber and it’s great. I love the email aliasing from simplelogin, protonvpn, drive storage, calendar, etc. well worth it imo. I love the company.
I am using Proton Mail, paid account, after having moved from Gmail.
I like it; it’s private and secure, and I like the web interface and the new Android app. To use mail clients like Thunderbird you have to install an app called Proton Bridge - it’s basically a dedicated VPN to ensure your email communication is kept secure when communicating between their servers and your client. I’ve had no problems when I tried it on Windows, but I did have issues on Linux with the app forgetting my credentials and forcing me to start from scratch; each time it starts from scratch it downloads your whole mailbox, which is frustrating. I’m on KDE and I think it’s to do with the Kwallet and PGP. It seems to be working now but tbh I use the web interface mainly in Linux, and the Android app on my phone.
I have no regrets using Proton Mail, and I would recommend it. I didn’t have problems with the old Android app, but the new one is good and seems to address other people’s experiences of slowness previously.
I was using Protonmail, and their other services, and was a paying customer for over a year. But I stopped because of their poor Linux support, and not being able to receive email notifications on my de-googled phone. I made a shift to mailbox.org and am liking it. Yes, I have to manage my own PGP keys, but the experience is much better, in my opinion. Their storage even supports WebDAV. I can encrypt the whole inbox and the files stored in their drive with my own key.
Be careful with mailbox.org and their “your contract period ends soon” email. It actually means “pay us or your data will be irrevocably deleted under 60 days”. The mail sounds inconspicuous enough, is rather verbose, and even contains the phrasing “you may silently ignore this email”. And you will not be getting a single warning before your data is entirely, irremediably deleted.
And even if you only wait 30 days, not 60, your account gets deleted (but not your emails), so you lose any and all ways of contacting their support (rescuing your emails after that gets much trickier). Speaking of which, make sure you use a widespread browser on a computer to use their support platform: otherwise you will get a visual confirmation that a ticket was created, but none will ever be.
TL;DR: mailbox.org good, but (A) make absolutely sure you always have up to date local backups, and (B) beware of the unexpected caveats and the clumsy, confusing wording.
I tried both. Proton email client on Android at least was awful. Super sluggish to navigate. In fact I have a chunk of credit with them because I cancelled too late to get a refund. No idea what I’m going to do with that. I already have a VPN and a Pwd manager…
Fastmail has been snappy and I like that the app has a notes section for quick jotting of ideas. I also like that Rclone can attach directly to Fastmail files. They just recently added Proton Drive support too though.
Give the new Android app a shot. It’s been flawless so far.
It does seem snappier. But damn, I’ve come to love Fastmail’s all-in-one app. Having calendar, notes, contacts and files all in the email app is something I didn’t realize I’d care about but not sure I can do without now.
Yeah, I kind of miss the convenience of that, but all I need those for is email, everything else I self-host, so I’m used to the opposite, lol. In any case, both are great options, and e2ee for Proton only really works with other Proton users, so it’s not like you’re missing much by using Fastmail instead. As long as we stay away from the mainstream providers, we’re golden.
That and not being shown ads in my damn inbox is what led me to the hunt for a better provider than Gmail. Another I just remembered about Proton that I didn’t care for (and there may be a way to opt out) is the amount of promotional notifications/emails I’d get for their other services. Not as bad as NordVPN, but then again I don’t think anyone is as bad as them regarding self-promotion. I’m happy to pay for a service if it means retaining some more privacy but mostly get rid of ads but the constant need to upsell was getting to me.
FYI, that was one of the things I disliked the most about Proton (email client slow). They finally released the newly rewritten app a few weeks ago, and it’s working great.
I did hear about that. But haven’t tried it yet. I’ll check it out, thanks!
I’ve used both and have had good experiences with both. One benefit of Proton is that emails sent to other Proton users are encrypted, but if you mostly just email people who have @gmail.com addresses, then Gmail’s going to store a copy of your emails to that person on their servers anyway.
Both Proton and Fastmail allow you to have a custom domain with a wildcard catch-all address, but the process for replying from that random wildcard address is much more seamless on Fastmail. Proton requires some extra setup and workarounds. But then again Proton is more secure.
It really depends how you use email and what’s important to you (security, convenience, features). I mainly just get junk mail and newsletters. For more private communication I use Signal.
Proton Mail with a custom domain. The only reason why is that I had it before I knew Fastmail existed and it would be a pain in the ass to move my entire family to it. However, I was VERY tempted when 1Password put Fastmail temporary email support into their product.
Fortunately, Proton Mail just released their own temporary email product based on SimpleLogin.
Fastmail is great but it’s a totally different market/use case, you wouldn’t go with them if you’re privacy oriented. They’re better than Google in that sense but you’d go with Proton if you’re looking for privacy features.
Also keep in mind Fastmail is based in Australia and their government tends to be anti-privacy with the laws that get passed there.
AU laws are worse than US laws, in fact, the US gets AU to do things for them that would otherwise be illegal if performed by US agents.
I’m happy with fastmail. I haven’t used Protonmail and have had some doubts about them overclaiming about end to end encryption and stuff like that, but they sound good too. The concept of privacy in email is problematic since a) if the person you are emailing uses gmail, then Google has a copy of your email’s plain text no matter how much encryption your own provider uses. b) Even if the email content is encrypted, having the metadata intercepted can be just as invasive, c) even if encrypted, having an archived and authenticated copy of a message can be a big problem due to e.g. rubber hose cryptanalysis, d) for secure communication to exist at all, both people have to be quite security conscious, which isn’t easy. Technical features like cryptography are of very little help with that.
There’s a good movie “Citizenfour” about Edward Snowden, and I remember reading that when the producers needed to have a private conversation while working on the film, they would go outside and talk, leaving their phones in the office. A real privacy approach has to go well beyond using the right email provider.
I like that Fastmail has humans answering support tickets. That’s already light years beyond anything like gmail. I don’t know how Proton is about that. Maybe they can do it for paid plans. I don’t see how they can do it sustainably for free plans but who knows. The main drawback of fastmail is that it is on the expensive side, but I use it so much that it doesn’t sting as much.
If you just want cheap non-megacorp email for your own domains, I like mxroute.com. Their sticker prices can be kind of high, but they frequently have sales with super cheap plans.
I looked at both, and went with Fastmail because at the time it had a shared calendar you could use, which I do with my family to track events and do scheduling. Fastmail is standard commercial privacy though. Good enough for me, but nowhere near Proton Mail from what I understand.
Note that ProtonMail and Fastmail have quite different feature sets.
ProtonMail does not store your email in plain text for instance; they cannot read them or be ordered to read them. This comes with some drawbacks such as that standard protocols such as IMAP do not work without a bridge because they necessitate that the server can read all the emails.
Though the bridge works really well
What vendor lock-in are you talking about?
I can take my domain, customize DNS records and in a couple of minutes I am using a new provider. They also allow to export email content, which means I obviously don’t lose anything.
With a free email account, you are anyway locked-in as with every provider, because you are using their domain. You can set automatic forwarding in that case.
Vendor lock exists when you invest substantial amount of work to build tools around a specific platform (say, AWS), or where you have no way to easily take the data from one platform out and use something else to do the same thing (say, Meta).
The fact that you can’t use SMTP, which is a protocol that requires data on the server is not a vendor lock-in in any sense of the word. It’s a decision that depends on having that content e2e encrypted, because the two things are simply incompatible.
Also the code for all Proton clients and the bridge is open source, and the bridge is essentially a client that emulates being a server so that you can use your preferred tools to access the emails. Even in this scenario, there is no vendor lock and all it takes is changing the configuration of your tool from the local bridge address to whatever SMTP server you want to use elsewhere.
Can you please describe in which way you are actually locked-in, to show that you have a clue about what the word means?
Yes, and that requires using a client. The JS code of the webclient and the bridge are clients for PGP.
TLS is completely pointless in this conversation. TLS is a point-to-point protocol and it’s not e2e where the definition of the “ends” are message recipient and sender (i.e., their client applications), it only protects the transport from your client to the server, then the server terminates the connection and has access to the plaintext data. Proton also uses TLS, but again, it has no use whatsoever for e2ee.
They didn’t do anything obscure, they have opensource clients that do PGP encryption similar to how your web client would do. Doing encryption on the client is the only way to ensure the server can’t have access to the content of the emails. It just happens that the client is called “proton bridge” or “proton web” instead of OpenPGP.
It’s their official product, and anyway it’s not a blocker for anything. They stop giving you the bridge? You move in less than 1h to another provider.
Do you know that there are, or are we arguing on hypotheticals?
True. You can still get the data out, whether they don’t do in a “best practice” way or not. It’s not vendor lock.
https://github.com/ProtonMail. All the mail clients are opensource.
Also, WebDAV, CardDAV, CalDAV do not support e2ee. You need once again a client that extends it, which is what Proton also does!
So the question is very simple: do you prefer e2ee or you prefer native plain caldav/webdav/carddav? If the answer for you is the latter, Proton is simply a product that is not for you. If you prefer the former, then Proton does it. Either way, this is not again vendor-lock. They allow you to export contacts and calendar in a standard format, and you can move to a new provider.
SMTP does not allow e2ee by definition. I am not sure whether you don’t understand SMTP or how e2ee works, but SMTP is a protocol based on the server having access to the content. The only way you can do e2ee is using a client that encrypts the content, like PGP (which is what Proton uses), before sending it to the server. This is exactly what happens with Proton, the webclients use SMTP to talk to proton server but before that they do client-side encryption (using PGP), exactly like you would do with any other client (see https://github.com/search?q=repo%3AProtonMail%2FWebClients+smtp&type=code).
Now, you made a claim, which is that Proton vendor locks you:
So your claim that you are vendor locked is simply false, deal with it.
You made some additional claims about Proton not using plain standard protocols. That’s true. None of those protocols support e2ee, so they wrote clients that extend those protocols. All clients are opensourced, including the bridge. This has anyway nothing to do with being vendor locked, which in fact you completely did not explain. You talked about interoperability at most, which is not related to vendor lock.
You also made additional uninformed or false claims:
How is this relevant? I don’t know and I don’t care why they picked this technical solution.
It is, and you have been proven wrong. Either that, or you completely misuse or worse misunderstand what vendor lock is.
It’s not if. You can.
Yes, you explained interoperability that has nothing to do with vendor lock. They are two. different. things.
False. Again. Interoperability is a property that has to do with using the application. Interoperable applications potentially can totally vendor lock. Lemmy interoperates with Mastodon, but vendor locks you because you can not export everything and port all your content away. Your definition is wrong. Just admit you misused the term and move on, there is no need to double down.
They use TLS. TLS is useful for transport security. Proton uses TLS. TLS doesn’t have anything to do with e2ee in the context of emails because TLS is always terminated by the server. Therefore it is by definition not an e2ee protocol in this context. It is in the context of web, because there the two “ends” are your browser and the web server. It’s not in the context of messaging where the other “end” is another client.
This has nothing to do with perfection, you are simply misunderstanding fundamentally what e2ee is in this context.
And in fact Proton doesn’t do that.
I am not ashamed because I understand TLS, and I understand that it’s useless in the context of email e2ee. You simply don’t understand the topic but feel brave enough to evangelize on the internet about something you don’t fully understand.
JFC. Proton uses TLS for transit connections. E2EE means that the server does not have access to the data. If the server has the key, in whatever form, and can perform a decryption, it’s not e2ee. The only way to have e2ee for these protocols is that the client(s) and only the clients do the encryption/decryption operations. This is exactly what Proton clients do. They use DAV protocols but they extend them with implementing encryption on the client side. Therefore, naturally, by design, they are not compatible with servers which -instead- expect data unencrypted to serve it, unencrypted (only via TLS, which again, it’s a transport protocol, has nothing to do with application data) to other clients.
Ironically, when saying what “decent companies” do, you have described what Proton does: they use your client key to encrypt data on client side. Then they transfer this data via a secure channel (TLS). The server has no keys and sees only encrypted data, and serves such data to other clients (Proton web, android etc.) that do the decryption/encryption operation back. Underlying it’s still CalDAV/WebDAV.
I don’t need to buy propaganda, I am a security professional and do this stuff for a living. I also understand what vendor lock is because all the companies I ever worked with had forms of vendor lock, and I am aware of Proton features instead.
Maybe you should really stop, reflect and evaluate if you really have the competence to make certain claims on the internet. I understand nobody is there keeping score and there are no consequences, but you are honestly embarrassing yourself and spreading false information due to the clear lack of understanding about concepts such as e2ee, transport security, vendor locking, etc.
Yes, mentioning things that have not to do with e2ee. Anything that is encrypted with TLS is not e2ee in the context of emails. You talked about metadata, but the server has access to those because it terminates the connection, therefore, they are not e2ee. It’s a protection against leakage between you and the server (and between server and other server, and between server and the destination of your email), not between you and the destination, hence, irrelevant in the context of e2ee. Metadata such as destination can obviously never be e2ee, otherwise the server wouldn’t know where to send the email, and since it needs access to it, it’s not e2ee, whether you use TLS or not. TLS in this context doesn’t contribute at all to end to end encryption. Your definition is wrong, e2ee is a technical definition, is not an abstract thing: e2ee means that only the two ends of a conversation have access to the data encrypted. TLS is by definition between you and your mail server, hence it doesn’t provide any benefit in the context of e2ee. It is useful, but for other reasons that have nothing to do with e2ee.
Exactly, and this is what Proton does. You simply don’t accept that Proton decided to write another client that is tightly coupled with their mail service, which is absolutely nothing malicious or vendor-locky, compared to using an already made client. Proton is simply PGP + SMTP.
Yes, and this middle-man is proton client, which sits on the client’s side. I am glad you understood how the only way to have e2ee with *DAV automatically technically impedes you to use “whatever server”. If anybody else but the client does the encryption/decryption, you lost the end-to-end part. I am not saying e2ee in this context is absolutely necessary, you might not care and value more the possibility to plug other *DAV servers, good. Proton is not for you in that case.
Yes, you can using a PGP client, like OpenPGP of Proton webmail, or Proton bridge. You need stuff on top of SMTP.
Nope, you are simply misinterpreting it. In SMTP the server requires access to the data because it’s the one delivering it. PGP is built so that the data is a ciphertext and not plaintext, so that the server can’t see the actual content of the mail, but it needs to have the data and ship it, in contrast for example to a p2p protocol. PGP is however on top of SMTP and requires a client doing it for you. OpenPGP or Proton do exactly this. There is no way to support SMTP “natively” and offer e2ee. You would like Proton not to do e2ee and leave the responsibility of the client to do the PGP part, with the freedom of picking whatever client you want? Well, that’s exactly the opposite of their business model, since what they aimed is to make PGP de-facto transparent to the users so that it’s available even to people who are not advanced users.
https://github.com/search?q=org%3AProtonMail+CalDAV&type=code you can dig yourself into the code if you are curious to understand.
I sent you already a GitHub search of their clients for SMTP, look for yourself in the code. Do you think that makes any sense at all for them to reinvent the wheel and come up with ad-hoc protocols when all they need is a client? You can also have a look at the job offers they post: https://boards.eu.greenhouse.io/proton/jobs/4294852101 You can see SMTP mentioned and experience with Postfix in production. It’s very likely that they are running that in the background.
No it’s not. Vendor lock means:
Proton uses open standards, and just builds clients that wrap them. This means, emails are in a format that can easily be imported elsewhere, same for Calendar and Contacts. You are now watering down the definition of vendor lock to try to make your claim less wrong, but it is wrong. I repeat, and you are welcome to prove me wrong:
This means that I can change vendor easily without significant cost, hence I am not locked-in.
What you actually mean is that while using Proton you can’t interoperate easily with other tools, and this is a by-design compromise to have e2ee done in the way they wanted to make it, which is available to mainstream population. You disagree with their approach? Absolutely legitimate, you prefer to use OpenPGP, handle keys and everything yourself? Then for sure, Proton is not worth for you as you can choose the tools you want if that’s important for you. But there is no vendor-lock, they simply bundled together the email client with the PGP client, so that you don’t have the full flexibility of separating the two.
You disagree with this definition of vendor lock? Awesome, give me your definition and link some source that use that definition. Because if you keep moving the goalpost and redefine what vendor lock means, there is no point to discuss.
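The distinction argued in the comments above (TLS ends at the mail server, client-side encryption does not), as an added example that is not part of the original thread and is not Proton's code. Assumptions: the addresses and message are constructed, and a small HMAC-based cipher with a shared key stands in for OpenPGP, which in reality encrypts to the recipient's public key.

```python
# Added illustration: what a mail server holds once it has terminated TLS,
# for a plain message and for one whose body was encrypted on the client.
import hashlib
import hmac
import secrets
from email import message_from_bytes, policy
from email.message import EmailMessage


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for encryption and authentication.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def client_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the OpenPGP step a client performs (assumption, not PGP)."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def client_decrypt(key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("ciphertext was modified")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


def build_message(sender, rcpt, subject, body, key=None) -> bytes:
    """Bytes handed to SMTP. With a key, the body is encrypted before sending."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, rcpt, subject
    if key is None:
        msg.set_content(body)
    else:
        msg.set_content(client_encrypt(key, body.encode()),
                        maintype="application", subtype="octet-stream")
    return msg.as_bytes()


def server_view(wire: bytes) -> dict:
    """TLS is already stripped here: the server parses exactly these bytes."""
    msg = message_from_bytes(wire, policy=policy.default)
    body = msg.get_content()
    if isinstance(body, str):
        body = body.encode()
    # Routing headers are readable in both cases; the server needs them.
    return {"from": str(msg["From"]), "to": str(msg["To"]),
            "subject": str(msg["Subject"]), "body": body}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held only by the two clients (constructed)
    args = ("alice@example.org", "bob@example.net", "lunch", "Meet at noon")
    for label, k in (("TLS only", None), ("client-side encrypted", key)):
        seen = server_view(build_message(*args, key=k))
        print(label, "->", seen["to"], seen["subject"], seen["body"][:24])
```
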
I’ve never used Fastmail, so I cannot comment on that but I just closed my Proton account because of their donation to Bellingcat. It might not be a problem for some but it was for me.
https://propagandainfocus.com/proton-mail-imperialist-stooge/
I have had a Tuta (Tutanota) account for years and they’ve always been good (I just have a free account and it’s always been fine for my needs) https://tuta.com/
But it looks like Proton does not choose the beneficiaries. From their statement:
While in theory it is nice that an organisation would give over so much power to its customers in terms of where donations go, it does come with the risk of problematic decisions being made. Then later, when they’ve boxed themselves into a corner, quite unnecessarily, all they can do is go along with what their customers decide and then pass on the morality of that decision to those customers. But that’s not really good enough to say “My customers made me do it!” No, you gave your customers too much power in the first place. It’s a privacy organisation so surely better to give some money to a group that supports and complements your aims. Bellingcat (regardless of the problems raised in the article I posted) has nothing to do with privacy. If people read the article and decide they are happy with Proton, then go for it. I’d rather people make a decision with their eyes open.
While I kinda like what Bellingcat does, you do have a point. Crowdsourcing decisions rarely lead to good outcomes
I’ve used Fastmail with a custom domain for a few years now… (5+?) and have been really happy with it. I wish it was a bit cheaper (or had a better family plan), but it works well with my terminal email client (mutt).
The web client is pretty quick and I use the calendar there all the time. Fastmail supports all the normal standards such as CalDAV, so you can use it with third party applications.