Given Proton Mail’s fashiness coming out of the woodwork, lots of folks are looking at switching away — but they have a reasonable concern: Aren’t Proton Mail’s privacy features special, different from a normal mail provider?
-
@inthehands That made me ask myself: If some smart people were to design a secure, E2E supporting, distributed mail system, how would that look? Maybe some people already have and nobody noticed?
-
Paul Cantrell replied to Fluchtkapsel
@fluchtkapsel As other replies point out, there’s already S/MIME and GPG.
The thing is:
- Any E2EE is a pain, wrecks UX, and most people don’t care enough to put up with it
- Overcoming the UX challenges is a massive tech + design + org lift
- Large players have little incentive to work on this, and strong incentives against

So, as usual, it’s not just smart people and the right tech; it’s social systems too.
-
@nazokiyoubinbou @heymarkreeves @inthehands Tuta is not part of the 5 Eyes; we only hand out data if we receive a warrant from a German judge. Plus, all data is end-to-end encrypted and we can't decrypt it. This might also be of interest to you: https://tuta.com/blog/fourteen-eyes-countries
-
@inthehands I know of those, and the security provided by them is only bolted on a system never meant to be secure. There are so many issues: conflating encryption with authentication, insecure by default, key management, no group recipient encryption support with changing members (e.g. mailing lists), additional devices are hard to authorize.
Looking at instant messengers, modern messengers like Signal or WhatsApp solved a lot of the issues of their predecessors. I'd like to know how mail would look if it were to be designed today with all we know.
-
@fluchtkapsel @inthehands This is like saying Signal is bolted on IPv4 which was never meant to be secure. Sorry, but this is nonsense. Both PGP and S/MIME are perfectly viable and proven standards to provide proper E2EE.
But as usual standards have to be *implemented* and made usable. E.g. Apple has done the former, but didn't invest in the latter.
It works for Signal and WhatsApp because they are silos. That's not necessary w/ email.
-
@helge @fluchtkapsel
Larger point stands, but:
> This is like saying Signal is bolted on IPv4
That’s a bit of a strawman. IPv4 isn’t a text messaging protocol. There’s not a default version of Signal-like functionality on IPv4.
The problem with email is that there •is• a de facto default, and it’s insecure. Thus the change friction.
I mean, this was the case with https, and it took how long for https to become the new de facto default?? And that was (I think) an easier problem.
-
@inthehands Sorry, I don't know the subtext and can't find any recent controversies on Google?
-
@tobinbaker
The Proton CEO made posts about how Dems were too corporate, praised JD Vance and said Republicans are the best hope to rein in big tech or some crap along those lines. Deleted posts but not before torches and pitchforks were out.
-
Paul Cantrell replied to Paul Cantrell
Since this thread gained a little traction, I should clarify:
Proton Mail has done some good technical work AFAICT. I appreciate the effort to make E2EE more usable and more broadly accessible. I’m not so sure it’s a good idea to blur the boundary between “E2EE” and “not E2EE” as their product does, but respect for the heavy lifting they’ve done.
I’m not saying their product is a total hoax or anything! I’m just saying that •in practice•, the actual benefits aren’t as large as you might assume.
-
@inthehands The thing is, I'm not sure I can even think of another "credible email provider". I created a paid account with Proton for the simple reason that they were the first provider I came across that didn't have a business model based on profiling me to sell ads.
-
@jpkolsen
I use Fastmail; it's great. A few replies have mentioned Posteo with appreciation. There are others, I'm sure!