
Few webmail "clients" are open source and many native clients like e.g. Outlook are also not open source, yet these are very popular. Unless you use a highly trustworthy email provider, considerations about client programs are kind of moot anyway.

I'd personally be more picky about my mail provider and not use any offerings by Google or Microsoft, for instance, because they are stock market companies with interests that principally conflict with the interests of their users. In contrast to this, trusting individual developers and small companies makes much more sense. You check out their online presence and decide for yourself. I'd only be wary about individual developers who offer closed-source security applications (e.g. encryption) and have no prior history of working and posting in this field. But an email client? To be honest, I haven't even checked the vita of the maker of my preferred client, claws-mail, let alone those of any of the authors of the plugins I'm using.

On modern operating systems you basically have to trust every developer of any application anyway, since many installers require admin rights and even if they don't it wouldn't be hard for a malicious developer to exploit a security hole. Your kitchen timer application can get your email credentials almost as easily as your email client.



Outlook is trustworthy for the most part, at least as far as security goes; MSFT isn't fooling around, and it's an enterprise product.

And yes, choose your email provider based on your threat model, but there is nothing wrong with Google or even MSFT for most people security-wise; privacy is a different concern, but these are different threat models.

An email client won’t prevent my email provider from snooping on me (E2E maybe), and no email provider could prevent my client from snooping on me either.


You're already trusting hundreds of individual developers by running their software on your computer.

There is nothing wrong with running an email client made by an individual developer unless you have a particular reason to distrust that person.

>as far as security goes MSFT isn’t fooling around

They have a proven track record of security bugs for the past 20 years and longer.

> there is nothing wrong with Google or even MSFT for most people security wise

I wouldn't use them as my main email provider security-wise and trust my current email provider way more than those companies. (Not because I think they are less secure, but because I think they are attacked more often.) But of course your mileage may differ, nothing to object to that.


The threat and trust models are completely different. It's not just about using a piece of software; it's about using a piece of software that can lock or unlock your life, because essentially every service you use today is tied to an email address.

>There is nothing wrong with running an email client made by an individual developer unless you have a particular reason to distrust that person.

It's not that I distrust that person; it's that I know how unlikely it is for a single person to be able to validate the security of their product, especially when it comes to something as complex as a product with a DOM parser and a layout engine. Nor do I think they would be able to keep it up to date when new attacks and vulnerabilities are discovered, even if they do use something like Electron, since Electron isn't simplicity safe, and plenty of Electron-based software, even fairly well maintained software, lags well behind its update cycle, including where security patches are concerned.

>They have a proven track-record of security bugs for the past 20 years and longer.

They also have a proven track record of finding and fixing those bugs.

>I wouldn't use them as my main email provider security-wise and trust my current email provider way more than those companies. (Not because I think they are less secure, but because I think they are attacked more often.) But of course your mileage may differ, nothing to object to that.

There are potentially more secure providers, but being attacked more often isn't a really good sole metric for a threat model unless you can effectively estimate resilience and responsiveness and compare them to other options.

I used Hushmail as my primary email (still somewhat do) because it was fairly secure and had integrated PGP, I switched to Proton Mail now.



