Hi everybody,
I’ve had a domain name at Gandi.net for quite a while, which included 5 email addresses as well, hosted on my domain. Now they’re however discontinuing this offer, it will now be €3,99 per month per mailbox.
So, I’ve been looking around a bit. I need a service that allows me to connect it to my own domain name, that actually allows IMAP instead of requiring a special client, and preferably should allow me to put up several mailboxes under the same account since I currently have mailboxes for some of my family members.
Security is not a concern since this is only intended to be used for the email I send and receive under my actual legal name, and I know better than to use email for confidential material.
Zoho Mail seems like a good deal, since they have 10GB per user for only €1,13 a month. I’m just afraid that my emails might end up in spam filters since they’re based in India.
They only sorta provide IMAP. You need to run Proton Bridge on your computer and that program will connect to their service and provide a local IMAP connection to your mail app of choice. It’s all a bit hacky but works well enough.
That’s a sign that they aren’t goofing on the encrypted part. If done right, they can’t decrypt your emails to hand them over on IMAP, so a bridge would be necessary to decrypt on your equipment, then hand off the decrypted mail to your IMAP client. It’s nice they offer that solution.
What’s the point with emails that were transmitted unencrypted over the Internet right before that? It’s like sending a post card via mail and then putting it into a safe at the receiver’s side. Sure it’s secure there, but that’s entirely pointless.
I wouldn’t say it’s entirely pointless. You are correct that by the nature of email proton has to be able to read it in transit, there’s no avoiding that, it’s how email(and SMTP specifically) works. But what it does mean is that proton can honestly say it can’t read emails once they move beyond their edge systems. Personally, I don’t use email for anything critical or sensitive without additional encryption.
It’s true that there’s no point when emails are unecrypted in transit, but when sent to other Proton Mail users, they’ll be end-to-end encrypted. Additionally you have the option of not sending the email content itself, but rather a link to the encrypted contents.
It’s a sign they use non-standard tech and lock you in progressively… while touting encryption at rest as a big advantage, when it doesn’t mean anything for email.
The Proton bubble is one evil acquisition away from bursting.
Is there actually a standard tech for end-to-end encryption for emails? Because if not, then I don’t see what other option they had.
There is, it’s called OpenPGP. GnuPG (GPG) is a popular implementation of the standard and many email clients integrate with GPG or implement OpenPGP directly.
To achieve E2E encryption you need to generate a public/private key pair, exchange public keys with the recipient, and then you can encrypt a message that can only be decrypted and read by them.
To simplify the exchange of keys there are keyservers such as keys.openpgp.org where people can publish their public keys in advance. There are many keyservers and they usually replicate keys among themselves. So when you want to email someone and use E2E your email client can look at the closest keyserver and see if there’s a key for that address already there.
This approach to E2E is called OTG (On-The-Go). An OTG method can be applied to any insecure channel not just email. For example the OpenPGP keyservers are being used by programmers who work on open source projects to sign their code so their collaborators are sure it came from them, or by Linux distributions to sign the software packages in their “app stores”.
This is very different from what Proton or Tutanota are doing. They encrypt email at rest while on their server and force you to use non-email protocols when you talk to their servers (instead of standard IMAP/POP/SMTP), but they have no control over messages while in transit to/from other mail servers. Their connections to other servers may or may not be encrypted but if they are it’s only point-to-point for each hop, not E2E. And most other servers do not encrypt email while at rest there. So while email can be called reasonably secure between you and Proton/Tutanota servers, it stops being secure if you actually want to talk to someone who’s not on them.
To achieve secure email, pick your poison: you can try to convince other people to use an open standard & open tool & open keyservers, or you can try to convince them to use a proprietary server & proprietary tools.
Protonmail lets you use PGP