ProtonMail is a joke. It doesn't report security vulnerabilities to the users when researchers discover them[1]. It publicly boasts about hacking a phishing site, while it claims the journalist's report is based on "unsubstantiated rumors"[2]. It outsources a free VPN service to a data mining company[3], while it claims it used it only as "an office space provider"[4].
It's true that Tesonet operates both NordVPN and ProtonVPN, but it's not true that Tesonet has any ownership of ProtonMail, as far as I'm aware. ProtonVPN seems to be a partnership between ProtonMail and Tesonet.
No, that is not correct, and for some reason, you post this misinformation in every single topic about ProtonMail. It seems likely you are affiliated with the people who are putting out these false statements in the first place.
Hmm, looks like you locked that thread. That looks suspiciously like there was some information you didn't want to get out. After all, trolls spamming will just get downvoted.
A lot of inaccuracies in that reply. PIA troll (maybe also you, the same person, given the similarities) also made a nearly identical reply in the Reddit thread we linked previously, which we also replied to:
https://www.reddit.com/r/ProtonVPN/comments/8ww4h2/protonvpn...
Mailbox.org and Posteo.de are currently the best ranked privacy-focused email providers[1]. Both are based in Berlin, and are extremely low-profile. Mailbox.org supports custom domains, Posteo.de doesn't.
I use Gandi's email service because they offer you a mailbox when you buy a domain from them (and you use your domain of course). It is based in France (9 eyes).
There are two reasons I'm still with Google for mail at this point: Inertia, and cost. The former is pretty easy to understand. The latter has more to do with the fact that I have a private domain for our family and I've been using Google Apps since the days when it was free. If I want to convert to another service like ProtonMail then I'm either going to tell a bunch of people in my family to pay up (with all the accompanying annoyances), or I pay $50+/year on their behalf out of my own pocket. And in either case I probably get to move their email for them. It's hard to get up the enthusiasm to do any of that, even if I do have a growing desire to disconnect from Google.
I haven't done any thorough searching recently, but if I could find a reputable provider that had a reasonable family-priced solution that would be ideal. The per-account pricing adds up relatively quickly.
Just as someone who has done a decent amount of research on what would be the best/cheapest way to host my family email... I found that runbox.com had the best deal. You pay more for a base/master account w/ a custom domain ($35/yr and up) then you pay a lesser amount for sub-accounts ($8/yr and up). It quickly overtakes the 2-3/mon/account rates that the other providers cost.
I was in a similar situation and I moved everything to Runbox https://Runbox.com, the business and social model are amazing and running on green energy
I'm pretty speechless. $50/year is twenty seven point oh two (27.02) cups of Starbucks small coffee a year for a family.
Do people truly think that's expensive for email hosting?! Honestly, no wonder Facebook and Google keep trampling with the so called "rights" of people successfully by peddling "free stuff" -- even those in tech paid six figure salaries think fifty dollars for essential communication for a year for multiple people is expensive.
> Facebook and Google keep trampling with the so called "rights" of people successfully by peddling "free stuff"
I don't think you get this correctly.
Many people use Gmail because it's stable and came with Google Account, so they sign up conveniently.
Plus, not many people are still using email as their main day-to-day communication method these days. After all, there are many specialized tools out there to pick (for example, some people may use Slack for work, and Facebook for friends, etc.).
So, I think it's not because $50/year is expensive, rather, it's because many people don't care anymore.
The person to whom I replied said it was $50 that mattered to him. That's the person who spends time on HN, is in tech and I'm guessing well paid.
I'm going to also make an educated guess that someone who meets the "Spends time on HN, is in tech and is well paid" is likely to be someone who is concerned about "privacy" as well as leaks of PI.
How can I possibly reconcile those positions with $50 per person per year is too expensive?
I think they may have been saying $50 (the lowest paid tier) per user per year is too expensive.
However, the $75 paid tier "Professional" has multi-user support. I think you could probably use just that to run accounts for your family, if you desired.
Fine, even fifty per year per person for an essential service is $4.16 per month which is two cups of small Starbucks drip coffee ( + taxes ) per month per person.
If this is too much for essential communication tool which does not sell your information to others in the view of HN-reading, tech-working, six-figure-salary-having tech elite then we have a value problem.
The problem is it's not actually a problem unless you consciously remind yourself it is. Put bluntly, me using gmail has 0 negative impact on my everyday life.
What does have negative impact on my life is
1) paying for stuff (always, no matter how wealthy you are)
2) especially when it is less convenient
3) and has worse user experience (hard to beat gmail here)
4) while also having to invest time in educating yourself about alternatives and setting it up
5) and actually migrating to it, spreading the new email address, transferring data, learning all the ins and outs of the webmailer (if you use it)
Solve for some of these, do it really well and you have built something that people will be happy to use.
We have a practical demonstration that email hosting for $50/year per person is "too expensive" for people who make 6 figure salaries per year while working in tech and needing email. There's no real market here.
ProtonMail and FastMail and other paid for competitors are picking up the long tail.
> 1) paying for stuff (always, no matter how wealthy you are)
and until this changes as the mindset one can be assured that he or she would be monetized via selling and influencing his or her behavior information. After all, someone needs to make money to pay the six figure salaries to people who keep Gmail running and we are unwilling to be charged for it.
50+/year? That is a big plus indeed, I also want my family on Protonmail. I donated btc in the beginning and got on board immediately, now that the bridge software is out, regular people can use their MacOS mail and their Thunderbird so the service is really attractive. But... on my own domain with 2 kids and a wife and a father it is 25 euros per month or 240 per year. I email about once every couple of days, as does my wife. Kids do even less... Now I have 3 mail users for 3 euro/month at transip.com. The price difference is pretty big. A family package would be really welcome. Before you ask, be aware that the "Addresses" of the Plus account are not users, they are aliases.
Edit: I still think protonmail is absolutely great, it works well, it looks very nice. I'd love to pay and probably would switch just for me, however, it's pretty hard to route one address of a domain to one server and the other to another.
How about Zoho?
Their free offering comes with support for custom domains and something like 20 accounts.
As a bonus, you can choose between Zoho.com and Zoho.eu. Both offer the same services, but Zoho.eu is hosted in Europe under the protection of the various privacy and data protection laws.
Thanks, I will take a look. At first blush it seems like things have changed and the free offering isn't what it used to be -- 5 accounts not 20, and as someone else mentioned, perhaps no custom domain.
But it's worth looking into, because at first glance their lowest paid option fits my general requirements and is only $36/year/user, which is less than ProtonMail.
Yes, it's a few bucks cheaper, but for me Protonmail has that security focus that I worry Zoho don't have. Zoho also provide many other paid services and that makes me worry about what they have to focus on. Exciting features vs boring security.
I looked into this recently. The free plan doesn't include custom domains anymore. If you had an account before they removed it, you still have it on the free plan.
That's less than 30/year for 100 accounts, custom domain, imap/pop/smtp (just 5gb storage shared though).
Now, I'm happy with hetzner as a dedicated hw host - but there's a bit of a bad neighbour effect - and you obviously get less for 30/year than for 500/year...
But seems strange that fastmail doesn't have something in between for family accounts. Maybe they do if you shoot them a mail?
the usual argument is that typical citizens have more to fear from their own intelligence agencies than from foreign ones outside their country's sphere of influence.
then again, it is probably futile for a normal person to even include TLAs in their threat model.
I'm curious what you'd think a reasonable price point would be. For context, I'm currently trying to set up a paid email hosting company because $50 a year seemed a bit ridiculous to me, and it seemed like it could be done a lot cheaper.
I'm a bit of a cheapskate, so I think a couple hundred a year for the family would be acceptable. That includes my parents, brothers, nephews, nieces -- I give out accounts under our domain to any blood relative with the same last name. Not a huge number, but it's like ~16 accounts. Only four or five that get any substantial traffic, but the rest are still perfectly valid individual accounts. At about $55/year/account for ProtonMail (if I looked in the right place; prices were in Euros), it pushes a thousand bucks a year. For email, that's simply more than I want to pay. I'd go back to hosting it myself on a Digital Ocean droplet before I'd spend that much on it. But ... I don't yearn to be in charge of security and tech support again ;-)
is there any particular reason why your whole family needs to be on a private domain? most people i know outside the tech field couldn't care less what domain is on the end of their email address, as long as they don't have to change it.
Proton is good, Tutanota is good, but my personal favorite is Fastmail, especially for family members who don’t need or want the security bells and whistles, but also don’t want Google snooping on them.
So they want users to ditch one centralized service provider with another?
I have no Google/Microsoft/iCloud account, ProtonMail has been covering my (pretty basic) email needs for well over three years now, and now I'm leaving them.
Proton has been talking about adding calendar for years (unreleased), then they started working on ProtonDrive (unreleased), now they talk about an office suite... Then they flirted with the idea of doing an ICO to fund themselves, at which point I decided to leave. I don't want to be in a ship that sails in circles and doesn't have a clear direction.
ProtonMail free has 500MB, no IMAP, and max of 3 folders and 150 emails a day, versus Google's free, familiar, full-featured set of well-integrated services. Will they convince the average Google user to leave productivity behind, and pay in the process?
And again, they are a for-profit. What will happen the day they realize they can't pay the bills at the Alps with free users?
They can promise whatever they want, Google's motto was "Don't be evil".
I found proton to be a bit expensive, I really like tutanota.com (meaning secure note in Spanish). Only about $1 per month and doesn't come with things I don't need like a VPN. Plus, believe it or not, employers raise the eye at the .io, in a good way like what they did when gmail.com was new and cool.
Yeah, ProtonMail is about 150% the price of G Suite with weird limits on things like number of aliases or domains. And while I understand that the selling point is privacy, it's not that expensive to maintain one more record in your database while not violating your users' privacy.
I don't know, I pay about 10 EUR per month for my mail server, which services N users. So then it's suddenly not peanuts anymore.
So yeah, I probably don't fall into the normal category here, a handful of friends & family users and a ton of domains. Protonmail/Fastmail would cost me at least 40 EUR per month, and that's a rough estimate, could easily be 80.
Sorry for the late reply, but it's a pretty standard (imo) setup with postfix, dovecot, spamassassin, postfixadmin.
I'm planning to redo this soon (been a few years) and I'm as of yet undecided if I just do it manually again (like I do every 3-5 years) or if I'll use some template ala sovereign, mailinabox, mailcow, modoboa.
I strongly recommend FastMail over ProtonMail. ProtonMail doesn't support SMTP or IMAP (standard protocols that are a basic requirement of an email service) without using paid, proprietary software which only supports some platforms and is a major pain to use. They also require a proprietary app to read email on your phone. ProtonMail also makes questionable tradeoffs in the name of questionable security gains.
The IMAP/SMTP issue is the main one. The stated reason they do it is to decrypt/encrypt incoming/outgoing emails on the client rather than on their servers. But the problem with that is that decrypting emails on the client is well supported by PGP in almost every email client, and even if an unencrypted email is sent with SMTP you can easily add encryption on the fly server-side - something they already do for incoming, unencrypted emails. So the tradeoffs don't make sense, it's just a convenient excuse which allows them to take advantage of vendor lock-in.
They also make promises which are based on trusting ProtonMail rather than trusting the math that underlies their security model - for example, they could trivially store a copy of incoming emails in plaintext before encrypting them normally, and they could then keep your emails in plaintext without you being any the wiser. Users who depend on their communications being private shouldn't rely on this, PGP does not require trust from anyone but the sender and recipient and has been working well for years. If they wanted to improve ease-of-use for PGP they should have done that, rather than building their own crap with questionable security promises on top of it.
In the past 3 months I have set up accounts on all three of FastMail, HushMail, and ProtonMail. I was mainly interested in having an account with a custom domain. I used the domains I got through Amazon AWS Route53. ProtonMail was the only one I could not set up a custom domain on. It would get stuck in the TXT field verification step. I contacted their support and they were not interested in helping me figure out what's going on. They just told me that was AWS problem and I needed to contact AWS support. I cancelled that account. I only used it for about 3 weeks, and my impression is that it was least polished (web UI and iOS app-wise) of the 3. FastMail was the best.
I've also had bad luck with ProtonMail support, such as I send them an inquiry and they never reply back. This definitely doesn't build confidence in the service.
Personally, I'm unwilling to use a mail provider that does not offer standard IMAP and SMTP. So I use Fastmail. (And I've been using them since 2002. Is this what being a hipster feels like?)
IMAP is far too chatty, latency kills performance due to numerous round trips. It might be a standard, it might be open, but it's far from optimal. New standards will replace it (hopefully) https://jmap.io/.
FTP has the same problem. Telnet was once a standard, time-proven, open protocol - does anyone have preference for that?
You can polish a turd by wrapping it in secure socket (SMTP over TLS etc..), but doesn't address the underlying issues with protocols that were designed for a day long past.
AFAIK fastmail is driving jmap as a new standard - because they like standards - but like everyone that works with imap implementation for any length of time - don't like imap very much. (That's just an observation based on imap server and client implementations).
I think they both have their pros and cons, however I would like to emphasize having both around. It really does make for a healthy email ecosystem which prevents larger market holders from changing the federated standard.
I've switched to RunBox. Custom domains are supported; they're based in Norway. The web interface is very basic (I think they're about to release a new version), but I prefer IMAP anyway.
I'm quite happy with ProtonMail, it does what I need (folders, receives emails, privacy). The bridge is also quite neat and I set it up so I can use offlineimap with it so I get backups of all my mail...
Regardless of which you pick, I do recommend to look into getting a personal mail domain, then it's yours.
The ProtonMail mobile app on Android isn't very good. Swiping emails to archive is very slow and often messes up. Sometimes after archiving an email, it randomly reappears in the list until I manually refresh again. Just a lot of little annoyances such as these has turned me off from ProtonMail.
Also, if you want to have Calendar integration, there is none in ProtonMail.
I am sorry I am pasting an article instead of making my own point but the fact remains that just because it's Switzerland doesn't mean it's any better.
I'd add to that, a possible single point of failure for us as users: CEO Bron Gondwana. Bron also shares out his own time for a technical standards effort -- "JMAP".
OTOH, if you're in the US, the next step up in perceived national security threat might well see Protonmail getting blocked. Fastmail, with five eyes on it, maybe not so likely to just "disappear".
Since encryption (and decryption) is done by client-side Javascript, and you don't want them to run Javascript, how would you prefer the encryption be done?
I was looking on my dashboard and seems that bitcoin is only available for the yearly payments.
Try switching to yearly and you should now see the option.
This is odd because my first monthly payment was effectively done with bitcoin (I wanted to try it out). This was some 10 months ago. Maybe it got changed in the meanwhile.
It stops most of them. You can buy data on the number to see if it's VOIP, or a legitimate cell phone. There are even some data providers that tell you about the subscriber like how long they had service, if it's prepaid, or recently forwarded/ported.
Twilio has some of the basic APIs that will tell you the carrier and whether it's VOIP or Mobile. Sometimes it will return you the name on the account. Subscriber stuff you'll need to find a data provider that partners with the carriers. It's pricey from what I heard.
ProtonMail was a bit expensive for me, so recently switched from Gmail to Soverin [0]. Based in the Netherlands, costs less than $4 per month for 25gb storage on a custom domain.
Also have a Roundcube web interface, but smtp is fine.
Doesn't look like they have Zero-access encryption. My guess is that they can save money on storage through mass marketing emails that share the same contents, attachments, etc.
I'm seeing lots of posts full of frustration about cost, clients, support, protocols, direction of the company, whatever . . .
I don't care about any of that. Okay, I do. But mainly, I need the thing to be secure (zero knowledge, encrypted between clients), and I'll pay a high premium for it. People are suggesting other providers. Are there other providers that have a better product in terms of security?
I'm not saying there aren't; I'm just having trouble figuring out which providers are judged to be better in terms of security.
I like ProtonMail. It does what I need it to within the free option. I have a domain name that I forward to my ProtonMail, so I'm not really worried about lock-in. I have slowly been moving my accounts over away from Google Inbox. Now that Inbox is going away, I'm about to kick the transfer into high-gear. I don't care to re-learn the 'new' Gmail when I was already invested in Inbox.
So, just curious, how does filtering out spam work, if the email provider does not have access to the contents? Not saying it's not possible, but I wonder if any current users of ProtonMail could comment on this? If you use ProtonMail, are you mostly just on your own in regards to spam filtering?
> So, just curious, how does filtering out spam work, if the email provider does not have access to the contents?
Much (most?) of spam filtering is done using DKIM/SPF/DMARC/ARC, domain reputation, and IP reputation, none of which require access to the contents.
I'm not saying that you should go and make all your email subjects "Free herbal viagra" or whatever, but modern spam filtering algorithms revolve somewhat less around those kinds of trigger phrases than they used to.
Also, spam is by definition sent in bulk, so as long as the emails are hitting either some accounts on other email providers or else are hitting some honeypots on ProtonMail then you still get the benefit of being able to have the sender blacklisted based on the contents.
When ProtonMail's mail handler gets an email from mail.foo.com it's not coming in encrypted with the user's ProtonMail key. They have full access to the contents at that point and simple things like spam assassin would work, along with the usual DKIM/SPF checks.
This is for external mail only though. Presumably they don't have a bad problem with internal users sending mail to other internal users. I'm guessing any that did would get found quickly via reporting or heuristics.
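The point made in the replies above, that sender-authentication results alone can drive a filtering decision without reading the body, shown as an added example that is not part of the original thread and is not any provider's actual filter. The authserv-id `mx.example.net`, the sample messages and the verdict names are assumptions constructed for illustration, and alignment is simplified (a production check compares organizational domains via the Public Suffix List).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: authserv-id stamped by our own border MTA (hypothetical name).
# The MTA must strip inbound headers that already carry this id.
TRUSTED_AUTHSERV = "mx.example.net"

def parse_auth_results(value):
    """Parse an Authentication-Results value (RFC 8601) into
    (authserv_id, {method: {"result": r, property: value, ...}})."""
    value = re.sub(r"\([^)]*\)", "", value)          # drop header comments
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return "", {}
    authserv_id = parts[0].split()[0].lower()
    methods = {}
    for part in parts[1:]:
        tokens = part.split()
        if "=" not in tokens[0]:                     # e.g. the bare "none" form
            continue
        method, result = tokens[0].split("=", 1)
        info = {"result": result.lower()}
        for tok in tokens[1:]:
            if "=" in tok:
                key, val = tok.split("=", 1)
                info[key.lower()] = val.lower()
        methods[method.lower()] = info
    return authserv_id, methods

def aligned(auth_domain, from_domain):
    """Simplified alignment: identical domain, or a subdomain of the From domain."""
    if not auth_domain or not from_domain:
        return False
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)

def classify(raw_message):
    """Return (verdict, reasons) from headers only; the body is never inspected."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, methods = parse_auth_results(value)
        if authserv_id == TRUSTED_AUTHSERV:          # sender-supplied headers ignored
            results.update(methods)
    if not results:
        return "quarantine", ["no trusted authentication results"]
    spf, dkim, dmarc = (results.get(m, {}) for m in ("spf", "dkim", "dmarc"))
    spf_ok = spf.get("result") == "pass" and aligned(
        spf.get("smtp.mailfrom", "").rpartition("@")[2], from_domain)
    dkim_ok = dkim.get("result") == "pass" and aligned(
        dkim.get("header.d", ""), from_domain)
    reasons = [f"spf_aligned={spf_ok}", f"dkim_aligned={dkim_ok}",
               f"dmarc={dmarc.get('result', 'none')}"]
    if dmarc.get("result") == "fail" or not (spf_ok or dkim_ok):
        return "reject", reasons
    return "accept", reasons

# Constructed sample messages (not real traffic).
ENCRYPTED_OK = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=foo.com;
 dkim=pass header.d=foo.com; dmarc=pass header.from=foo.com
From: Alice <alice@foo.com>
Subject: hello

-----BEGIN PGP MESSAGE-----
(constructed placeholder, opaque to the filter)
-----END PGP MESSAGE-----
"""
SPOOFED = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bulk.example.org;
 dkim=pass header.d=bulk.example.org; dmarc=fail header.from=foo.com
From: "Foo Billing" <billing@foo.com>
Subject: invoice

body text
"""
FORGED_HEADER = """\
Authentication-Results: mail.sender.example; spf=pass smtp.mailfrom=foo.com; dmarc=pass
From: alice@foo.com
Subject: trust me

body text
"""

if __name__ == "__main__":
    for name in ("ENCRYPTED_OK", "SPOOFED", "FORGED_HEADER"):
        print(name, classify(globals()[name]))
```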
There are some useless spam filters. I have received two phishers posing as protonmail customer support. On the other hand it seems like I haven't received nearly as much spam as my gmail gets.
If ProtonMail manages to offer (a) seamless calendar and contacts syncing and (b) decent office suite functionality, I would consider switching all my accounts.
Let's hope Andy Yen and his team at ProtonMail can pull it off!
Protonmail would be great with some usability and feature improvements. Right now it has limited support for imap, smtp, pop3. You're basically limited to the biggest desktop clients. The desktop web client is okay.
But the biggest drawback right now that I can see, is mobile. Their app does not support threaded conversations or any of the newer features that we've come to expect because of Gmail. You also can't use a third party app like k9. So for me at least, it's not good enough yet to use as my primary account. Really wish it was though.
I just signed up for the Linux trial version of the ProtonMail bridge and installed it on my Mint box. Now I get mail via IMAP on Thunderbird totally transparently and couldn't be happier. My only complaint right now is the inability to forward mail automatically (which I understand, they can't decrypt my mail in order to forward it), and also that I can't sign up my wife on my custom domain without getting a significantly more expensive business plan, but otherwise I'm very happy and getting closer to ditching Gmail altogether.
I have switched to mail.tutanota.com and I love it. All the features I need are there. Super fast backend (really instant email delivery). The all new webapp is nice (only the phone UX can be improved a bit)
It is important to pay for email services and support the diversity of email companies.
Paid services tend to have good support and care for their users.
Users of free email service that hit a problem (ie. password lost), are essentially screwed. The free email service (gmail/yahoo/outlook) will not give proper "manual" support to solve that problem. They are so big and this fact essentially makes the users of free email services just another user (worth nothing). The big brands that provide free services will not care about your problem when you go in trouble.
Users that only have free email services, should really consider testing paid email services. And slowly move all their emails into a paid email service. But don't forget, it is very important to purchase your-domain.com and use that in signups. Never use your-user@gmail/yahoo/hotmail/outlook.com to signup. Because when the user uses @gmail/yahoo/etc they get locked in and it gets hard to move out of the free email services after a while (because all the friends, family and websites will only know your free services email).
Another important point to note is, the only secure encryption is end-to-end encryption that the user has control of. For example openpgp. Users that care so much about encryption should rely on openpgp. If encryption is so important, don't believe the servers and use openpgp. No matter what, when the email is sent, it's sent in plain text. So openpgp is the only way to send it in plaintext encrypted.
Paid services will care more about the user than free services.
"Hushmail supplied cleartext copies of private email messages associated with several addresses at the request of law enforcement agencies under a Mutual Legal Assistance Treaty with the United States; e.g. in the case of U.S. v. Tyler Stumbo. In addition, the contents of emails between Hushmail addresses were analyzed, and 12 CDs were supplied to U.S. authorities."
"The court records show that the FBI sought Lavabit's Transport Layer Security (TLS/SSL) private key. Levison objected, saying that the key would allow the government to access communications by all 400,000 customers of Lavabit. He also offered to add code to his servers that would provide the information required just for the target of the order. The court rejected this offer because it would require the government to trust Levison and stated that just because the government could access all customers' communication did not mean they would be legally permitted to do so. Lavabit was ordered to provide the SSL key in machine readable format."
Parent doesn't seem to be arguing that these providers are anonymous, just that you get what you pay for in customer service. They explicitly say that end to end encryption (ie client side PGP) is required for privacy.
Then his argument is even more flawed, because one can just as well pay for Gmail or Outlook and use PGP with them, without exposing himself to vulnerabilities of smaller email providers.
You are not paying for customer service, you are just becoming a paid customer[1]. And then you can compare which email provider treats its paid customers best. For me, the best treatment is when a product is so well thought-through, that I never need to contact anyone about it.
ProtonMail also offers a free inbox with a way to pay for additional storage[1]. Would you also think, that by upgrading your ProtonMail storage you are not paying for email service? The only difference is, that Gmail doesn't limit its features for the free users. It's just a different business model.
[1] https://www.theregister.co.uk/2014/07/07/protonmail_fail_jav...
[2] https://motherboard.vice.com/en_us/article/qvvke7/email-prov...
[3] http://litigation.maxval-ip.com/Litigation/DetailView?CaseID...
[4] https://news.ycombinator.com/item?id=17775554