notabot

Level 15
OK, let's see how you will react when someone impersonates you and gains access to your most private emails. I'm sorry, but I won't accept it, hence I won't use such a service.
What you are saying is the same as "the owner of my apartment has a duplicate of my keys, and will give it to anyone who asks them showing a letter from me, no problem". Really?


We are not talking about Google but Protonmail...
What I'm saying is not that the dangers you mention are not valid, but that they are related to the processes for resetting credentials, not 2FA per se.
Google is one company that got it right in hardening credential resets with their Advanced Protection Program: you lose your U2F dongle, bye-bye new logins unless you pass a really long and tenuous process.
ProtonMail could learn from them in that department.

If you want to harden it even more and completely block resetting credentials, that offers a tiny bit more security compared to Advanced Protection (as, due to the long interval and tenuous process, it's hard to get through it via social engineering), but with the risk of a huge hassle: not being able to ever access your email again.

In any case, at the moment they do not have hardened processes around resetting credentials, but if/when they do, I'd expect them to adopt a credential reset process on the merit of what most of their users deem sufficient for their needs and the inconveniences alternatives may introduce.
 

Thales

Level 6
It seems there are no real options here. Protonmail, Tutanota, same thing happened.
We can try cTemplar, but I'm not sure it isn't similarly bad, or won't be.
 

Slyguy

Level 43
OK, let's see how you will react when someone impersonates you and gains access to your most private emails. I'm sorry, but I won't accept it, hence I won't use such a service.
What you are saying is the same as "the owner of my apartment has a duplicate of my keys, and will give it to anyone who asks them showing a letter from me, no problem". Really?


We are not talking about Google but Protonmail...
Umbra is 100% correct here.

Protonmail should not, and really cannot be used at this point. Also with the revelations about Tutanota now providing a backdoor for authorities, that one can also be ruled out. Our options for private, encrypted, secured email grow thin by the week.

Apartment is a good analogy. For my access control I not only need the keys, but I need to control the ability to duplicate keys, and provide authentication to duplicate house keys. Which is why I use Bi-Locks, which require my master key (stored in a safe) and my 25-digit code to cut the new key, and only a few Bi-Lock key-making machines exist in the world. Either you control access, or you don't.

I'll be seeking a PAID service I can trust going forward I guess.
 

Slyguy

Level 43
It seems there are no real options here. Protonmail, Tutanota, same thing happened.
We can try cTemplar, but I'm not sure it isn't similarly bad, or won't be.
Not sure I fully trust cTemplar or some of the other ones. It might be MsgSafe, which is offshore and cannot be compelled to comply with anything, or something. Options are growing slimmer and slimmer in the days of mass surveillance. I think in the future we'll all be using some email service run on an offshore rig in international waters or something... LOL!
 

Slyguy

Level 43
And what about Mailfence and Runbox?
Not sure about Mailfence.

Runbox, there is an issue... It's not encrypted at rest. I had an account, needed support, and they literally logged right in and worked on my email. Then I asked about backups and was told their backups are not encrypted. I had to put in a support request for a No-Backup account. Overall, I was left with the impression they aren't really secure or hardened at all.

Neomailbox is decent. Countermail seems incredibly secure. Startmail by all accounts is very secure but also not cheap.
 

JimHdy

Level 1
You can try these guys; they were recommended to me on this forum a while back and they seem pretty good. I did a little research on them and I don't see anybody saying anything bad about them.
 

notabot

Level 15
Not sure I fully trust cTemplar or some of the other ones. It might be MsgSafe, which is offshore and cannot be compelled to comply with anything, or something. Options are growing slimmer and slimmer in the days of mass surveillance. I think in the future we'll all be using some email service run on an offshore rig in international waters or something... LOL!
It can be compelled by a court in its jurisdiction. Setting aside the 2FA for Proton, which in my view is not a biggie, the only real solution for privacy in emails is PGP, with your keys stored locally.
But nobody uses PGP, and the web of trust doesn't have great adoption.
 

notabot

Level 15
There's no "backdoor for authorities" - if there's a German court order issued for one specific person, non-end-to-end-encrypted emails from that point onwards will be given to law enforcement.
As was always the case really, but lack of precedent created myths.
Of course a court order can compel companies to store and provide access to data. If the data comes in unencrypted, everyone can read it. If it's encrypted, it depends on the jurisdiction whether a judge can or cannot order a person to give up their encryption keys.
 

Threadripper

Level 8
If your threat model includes hiding non-E2E emails from the German government with a valid court order, then don't use it. Unless you're a criminal, or Edward Snowden, I don't think this needs to be in your threat model.

I'm not saying "if you have nothing to hide you have nothing to fear" but calling this a backdoor is insane.
 

notabot

Level 15
If your threat model includes hiding non-E2E emails from the German government with a valid court order, then don't use it. Unless you're a criminal, or Edward Snowden, I don't think this needs to be in your threat model.

I'm not saying "if you have nothing to hide you have nothing to fear" but calling this a backdoor is insane.
It doesn't matter if it's the government who won the case; it could have been a private individual. It's court power that's exercised to force this, not executive power. When a company incorporates in a country, the courts in that country can compel the company to do a lot of things.
 

Umbra

Level 15
Verified
Luckily my main provider (and soon only one) for secured email is Msgsafe.

Unless you're a criminal, or Edward Snowden, I don't think this needs to be in your threat model.

I'm not saying "if you have nothing to hide you have nothing to fear" but calling this a backdoor is insane.
The principle of using encrypted mails/messengers is to hide from everyone, government and other intelligence organizations included.
If not, and I just required a safe email provider, I would just use Gmail, which is secure enough against normal people who don't have the authority to force my emails to be disclosed.

I use Msgsafe because I don't want any law enforcement agency to read them.

After ditching Protonmail, now it is Tutanota's turn. Those two are bullshitters, such a shame claiming to offer full privacy while they give access/backdoors to authorities...

Having anonymity and privacy in our time becomes an almost impossible task for the non-initiate...

As I often said in various forums, if you don't do activist/criminal/border-illegal stuff, don't bother deploying anonymity/privacy tools; it's too much of a hassle. Just enjoy the internet on Windows; common services are safe enough.
 

Slyguy

Level 43
Luckily my main provider (and soon only one) for secured email is Msgsafe.
Wise choice. I have been advocating them because they are quite simply in a jurisdiction that nobody can force to disclose anything. That and their client is really really informative.

The principle of using encrypted mails/messengers is to hide from everyone, government and other intelligence organizations included.
If not, and I just required a safe email provider, I would just use Gmail, which is secure enough against normal people who don't have the authority to force my emails to be disclosed.
Absolutely!

After ditching Protonmail, now it is Tutanota's turn. Those two are bullshitters, such a shame claiming to offer full privacy while they give access/backdoors to authorities...
Both have turned out to be charlatans, sadly. I guess it was to be expected... Protonmail had questionable things going on for a while. Tutanota was mostly a good guy, but they'll continue to market themselves as full privacy when they know they are not. So now, like you, they're both going into the trash bin. Closing them up tonight in fact, after I go through the hassle of re-assigning new emails to various accounts and activities.

Having anonymity and privacy in our time becomes an almost impossible task for the non-initiate...
This is true. Which is why it's wise to focus on the important and not sweat the unimportant, for most people. Deciding what one views as critical and must-protect information is an individual decision, but it is nearly impossible to secure everything properly, so focus on what matters.

Strangely, I've been agreeing with Umbra a LOT lately around these here parts.
 

Slyguy

Level 43
Also, another big reason not to use Gmail-type services: if you get banned from one platform, they can (and sometimes will) ban you from others, and hence lock you out of your email. People really need to learn not to do this.


In addition, Google may start banning adblock users.


It's time to kick Google to the curb.
 

Umbra

Level 15
Verified
So now, like you, they're both going into the trash bin. Closing them up tonight in fact, after I go through the hassle of re-assigning new emails to various accounts and activities.
Yep, doing it without even blinking an eye.

Strangely, I've been agreeing with Umbra a LOT lately around these here parts.
Yeah, same here LOL. I guess logic and common sense outweigh existing personal sentiments. ;)

Also, another big reason not to use Gmail-type services: if you get banned from one platform, they can (and sometimes will) ban you from others, and hence lock you out of your email. People really need to learn not to do this.
If you do activities which may get you banned, you logically won't use your main account and will rather use a disposable one.
 

Slyguy

Level 43
Protonmail started to feel scammy and scummy to me a few years ago, so I quit using them. It was around the time they employed a specific anti-DDoS firm with a very questionable past.

But now? They are over the top... It's all marketing fluff for them now. The hype level and their excessive promotion of privacy and security absolutely smells fishy. On every website talking about secure email services, the comments get bombarded by people, all using female names, extolling the virtues of Protonmail.

Like this:

[Attached image: Proton.PNG]