Based in | Switzerland |
Storage | 5 - 20 GB |
Price | $4.00/mo. |
Free Tier | Up to 500 MB |
Website | ProtonMail.com |
If you want to protect your email from prying eyes, but don’t need the kind of protection that keeps spies and whistleblowers alive, ProtonMail could be the secure email service for you. It utilizes PGP encryption standards, is based in Switzerland, and has a solid reputation in the privacy community.
Because ProtonMail positions its service as one of the most secure email options available, above and beyond other secure email providers, we’re really going to put it under the microscope.
At the end of the day, only you can decide which is the best secure email service for your unique needs and threat model. Now let’s get started.
+ Pros
- End-to-end (E2E), or zero-access encryption for Email, Calendar, and Contact information
- Officially under Switzerland jurisdiction
- All data stored on servers in Switzerland
- Apps for Android and iOS mobile devices
- Web client, encryption algorithms, and iOS code are all open source
- Strips IP address from emails
- Can be used with email clients through the ProtonMail Bridge feature
- Can import contacts and emails through the bridge
– Cons
- ProtonMail does not encrypt email subject lines
- Utilizes phone number verification
ProtonMail features overview
ProtonMail utilizes strong end-to-end and zero-access encryption standards to protect all email, contacts, and calendar data. That means all your data is encrypted when stored on ProtonMail servers (but not email subject lines). Aside from this multi-tiered encryption system, ProtonMail has several interesting features, including:
- The ability to send “self-destructing messages,” which are automatically deleted at the time the sender specifies.
- Address Verification, a way to ensure that a Public Key received from another user hasn’t been tampered with since you first verified it.
- Full PGP support.
- Premium accounts with a range of additional benefits, including a brandable Business account.
- The ability to send encrypted emails to non-ProtonMail users.
- Android and iOS mobile apps.
- ProtonMail Bridge, which allows ProtonMail to integrate with other email clients that support the IMAP and SMTP protocols. This also allows you to import emails into your ProtonMail account from other services.
Overall, this is a good lineup of features.
Note: At the time of this ProtonMail review, the beta version of ProtonMail 4.0 was scheduled to go live “soon.” While I haven’t seen an official list of 4.0 features, the ProtonMail 2019 Roadmap states that their goals for 4.0 include:
- Encrypted Search
- Conversation View
- Multi-user support on mobile devices
- Encrypted Calendar
ProtonMail company history and funding sources
The ProtonMail family of products is run by Proton Technologies AG, a company based in Geneva, Switzerland. The founders met while working as scientists at CERN and, as the story goes, came up with the idea for ProtonMail in the CERN cafeteria.
Funding for ProtonMail has come from various sources over the years. Aside from regular paying users, ProtonMail has also benefited from the following funding sources:
- In 2014, ProtonMail launched an Indiegogo crowdfunding campaign which brought in over half a million dollars.
- In 2015, ProtonMail accepted a $2 million investment from a US-based firm called Charles River Ventures (CRV).
- In 2019, ProtonMail accepted €2 million from the EU to “develop a suite of encrypted services.”
ProtonMail is a bit more expensive than some of the other secure email services we’ve reviewed, such as Tutanota and Posteo for example.
ProtonMail does not encrypt email subject lines
One concern I have is that ProtonMail does not encrypt the subject lines of messages. From the ProtonMail website:
All ProtonMail data at rest and in transit is encrypted. However, subject lines in ProtonMail are not end-to-end encrypted, which means if served with a valid Swiss court order, we do have the ability to turn over the subjects of your messages. Your message content and attachments are end to end encrypted.
ProtonMail complies with the OpenPGP encryption standard. In that standard, address-related metadata is part of the message header and must remain unencrypted to allow a message to reach its destination.
The ProtonMail approach makes them compliant with the PGP specification, but leaves this potentially revealing data unencrypted.
We will return to this important subject below.
ProtonMail servers and data security
All ProtonMail servers are physically located in Switzerland in secure facilities. This means user data is protected by Swiss law, which generally provides for better privacy than USA or EU law.
However, ProtonMail makes it clear that if you violate Swiss laws, and they receive a Swiss court order, they will have to turn over whatever information they have on you to the Swiss authorities. This is where the lack of encryption for the Subject line of messages can become a problem.
While the bodies of your messages and any attachments should remain safely encrypted, addressing information and the Subject lines of your messages are stored in the clear and would be provided to the authorities. This information is enough to give anyone possessing it a good idea of who you communicate with and the subjects you discuss with them.
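To make that exposure concrete, here is an added example (my code, not ProtonMail's) that parses a constructed PGP/MIME message the way a provider's server sees it and reports what stays readable without any key: the body is ciphertext, but the addressing headers and the Subject line are not. The sample messages, addresses and the armored block are constructed placeholders.

```python
import email
from email import policy

# Constructed sample of a PGP/MIME message (RFC 3156) as stored on a
# provider's server: the body parts are ciphertext, the headers are not.
# The armored block is a placeholder, not a real OpenPGP packet.
SAMPLE_PGP_MIME = """\
Received: from sender.example (sender.example [192.0.2.10])
    by mx.example.net with ESMTPS; Mon, 6 Apr 2020 10:00:00 +0000
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Cc: carol@example.com
Subject: Board meeting minutes, confidential
Date: Mon, 6 Apr 2020 10:00:00 +0000
Message-ID: <constructed-0001@example.org>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
    boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

hQEMA0NvbnN0cnVjdGVkUGxhY2Vob2xkZXI=
-----END PGP MESSAGE-----

--b1--
"""

# Constructed plaintext message with the same headers, for contrast.
SAMPLE_PLAIN = """\
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Subject: Board meeting minutes, confidential
Date: Mon, 6 Apr 2020 10:05:00 +0000
Message-ID: <constructed-0002@example.org>

Minutes attached, please keep this internal.
"""

# Header fields OpenPGP leaves outside the ciphertext. Whoever holds the
# stored message can read (and be compelled to hand over) all of them.
CLEAR_FIELDS = ("From", "To", "Cc", "Subject", "Date", "Message-ID")
PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"


def body_is_encrypted(msg):
    """True when the payload is OpenPGP ciphertext (PGP/MIME or inline armor)."""
    if msg.get_content_type() == "multipart/encrypted":
        return msg.get_param("protocol") == "application/pgp-encrypted"
    if msg.is_multipart():
        # Other multipart layouts count as protected only if every part is.
        return all(body_is_encrypted(part) for part in msg.iter_parts())
    payload = msg.get_payload(decode=True) or b""
    return payload.lstrip().startswith(PGP_ARMOR)


def correspondents(msg):
    """Every address in From/To/Cc: visible to the server whatever the body is."""
    found = set()
    for name in ("From", "To", "Cc"):
        for header in msg.get_all(name, []):
            found.update(a.addr_spec.lower() for a in header.addresses)
    return sorted(found)


def exposure_report(raw_message):
    """What a party holding the stored message learns without any key."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return {
        "body_encrypted": body_is_encrypted(msg),
        "exposed_headers": {f: str(msg[f]) for f in CLEAR_FIELDS if msg[f]},
        "correspondents": correspondents(msg),
        # Received hops name the relays and often the sender's IP; stripping
        # the sender IP, as the review says ProtonMail does, only affects these.
        "received_hops": [str(h) for h in msg.get_all("Received", [])],
    }


if __name__ == "__main__":
    for label, raw in (("pgp/mime", SAMPLE_PGP_MIME), ("plain", SAMPLE_PLAIN)):
        report = exposure_report(raw)
        print(label, "body encrypted:", report["body_encrypted"])
        print("  subject visible to server:", report["exposed_headers"]["Subject"])
        print("  correspondents visible:", ", ".join(report["correspondents"]))
```

Both samples yield the same subject and correspondent list; only the body flag differs, which is exactly the gap the review describes.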
Some people also question how free from USA and EU influence Proton Technologies really is. They have two international support centers, one in San Francisco, California (USA), and one in Skopje, Macedonia (Macedonia is a candidate for EU membership).
All that said, the ProtonMail threat model document specifically states that,
“we cannot guarantee your safety against a powerful adversary.”
The spy agencies serving the USA and EU definitely qualify as “powerful adversaries.” So if you decide to take on one of the Five Eyes, violate Swiss laws, or something equally crazy, using ProtonMail is unlikely to save you.
ProtonMail technical specifications
ProtonMail uses a variety of encryption algorithms to protect your messages. All messages are end-to-end encrypted and remain encrypted in your mailbox until you actively read them. The company uses open-source implementations of AES and RSA through OpenPGPjs; the algorithms and protocols listed are:
- AES-128
- TLS 1.0
- DHE RSA
- SHA 3
QuoVadis Trustlink Schweiz AG signs SSL certificates for ProtonMail.
Security features of the certificates include:
- Extended Validation (EV)
- Certificate Transparency (CT)
- 4096-bit RSA
- SHA-256 hash
ProtonMail hands-on testing
If you’ve used email services like Microsoft Outlook or Gmail, you will find ProtonMail easy to work with. For this review, we’ll be looking at the ProtonMail Plus plan, the first tier of paid ProtonMail service. At this time (April 2020), you need a paid ProtonMail account and access to the beta version of the product to use some of the newest features, such as the new encrypted Calendar.
Creating a ProtonMail account
Creating an account with ProtonMail is pretty self-explanatory. You can get an account in a matter of minutes:
- Go to the ProtonMail website.
- Create a username and password. (Recovery email is optional.)
- Go through the verification steps.
Next you will need to go through a verification process, but you do have different verification options you can select:
I’ve seen complaints about ProtonMail forcing people to go through phone (SMS) verification when signing up through VPNs or over the Tor network. Although I don’t like how ProtonMail is utilizing SMS verification, it is important to protect the service from spammers and bots.
Signing in to ProtonMail
Signing in to ProtonMail is easy and straightforward. Simply go to the homepage and enter your login credentials. To get access to all the features we will discuss in this review, you need to have at least the ProtonMail Plus plan, and select the BETA link circled in red (below) when logging in.
When using ProtonMail, you have the option to create a recovery email inbox, which can be used if you lose your password. Once you sign into ProtonMail, you can stay with the free plan indefinitely, or you can upgrade to one of the paid plans. As is common with most secure email services, the paid plans offer more storage and additional features over the free plan.
As we go through this ProtonMail review, I’ll let you know which features are available only in a paid plan.
The look and feel of ProtonMail
ProtonMail has a pretty standard interface, with a 3-pane “Row View” layout (we saw that when talking about encrypted subject lines earlier), as well as the “Column View” option here:
Before we go further, look carefully at the top-left of the preceding image. The three icons that appear there if you have a paid account and are using the beta version of ProtonMail allow you to switch between different sections of ProtonMail. From the top, they are: ProtonMail, ProtonContacts, and ProtonCalendar.
We’ll talk about ProtonContacts and ProtonCalendar once we finish with ProtonMail.
With Column View, you get all the usual folders in the left-most pane, with the ability to add any custom ones you wish. In the center is the message list, with the body of the selected message displayed in the right-most pane. Once you start using it, you’ll notice that like other privacy-oriented mail services, ProtonMail blocks remote content like images by default, giving you the option to load them right at the top of the window.
ProtonMail Settings
You can customize the layout of your ProtonMail inbox by clicking the Settings icon, then selecting Appearance in the left-hand column of the Settings window. For example, I used the Layouts section of Settings to switch back and forth between the Row View of the inbox and the Column View.
Exactly what you can do here will of course depend on which ProtonMail plan you subscribe to. We’ll look at differences between the plans later in the review.
Composing messages with ProtonMail
You compose ProtonMail messages in a pop-up composition window with a good set of HTML formatting options, including inline images. Once you get used to the layout, the composition window makes including things like Attachments, an Expiration time, a Read Receipt Request, and Encryption fast and easy. You can adjust the size of the composition window in Settings.
There are a few keyboard shortcuts that help with composing messages. But you won’t find more advanced editing features such as macros and automatic suggestions.
Sending messages to non-ProtonMail users
Like some other secure email services, such as Tutanota and Mailfence, ProtonMail gives you the option to send encrypted messages to people who don’t use ProtonMail. The recipient will need to know the shared password you are using, so that will need to be arranged outside the system. These encrypted messages automatically expire after 28 days (but you can set a shorter expiration time if you wish).
The recipient will see something like the following in their Inbox. If they enter the correct password and click the View Secure Message button, they will be able to see the message you sent them.
This system seems to work very well, as long as you can share the password outside the ProtonMail system to get the process started.
Searching for messages in ProtonMail
ProtonMail has a very limited ability to search your messages. Because messages are encrypted (except while you are actually viewing them), the client can’t search message bodies. This, of course, can be frustrating and really limit your ability to find the message you are looking for.
Updated search functionality – Version 4 of ProtonMail has improved search capabilities compared to previous versions. Message body searching is still not available, but searches are much faster, and you can use complex search terms such as:
(cat -dog) | (cat mouse), which would match text that includes ‘cat’ and not ‘dog’, or ‘cat’ and ‘mouse’
The ProtonMail client works smoothly, although there can be a delay when opening a message, since the message must be decrypted before you can read it. Because the client is browser-based rather than a stand-alone app, you might find that it slows down as the number of messages in your folders increases, but I wasn’t able to test this.
Comparison to Tutanota search – In comparison, Tutanota (another fully-encrypted email provider) has been offering full-text search capabilities since 2017. To do this, Tutanota creates an encrypted search index which can then be searched locally on the users’ device.
ProtonContacts
The ProtonContacts secure contact manager is integrated into ProtonMail, giving users a secure way to protect their contacts while functioning smoothly with ProtonMail.
ProtonMail creates the ProtonContacts encryption keys for you and uses them in its zero-access encryption system to encrypt clear-text contact data, so that once your data is encrypted this way, even ProtonMail can’t read it. ProtonContacts also uses digital signature verification to ensure that no one else can secretly tamper with your contact information. ProtonContacts is also implemented in the mobile apps.
Note that email addresses in contacts are not encrypted using zero access encryption. Why? Because ProtonMail needs to be able to read the email address to make sure your message gets sent to the right place.
ProtonCalendar
Building an encrypted calendar sounds pretty easy at first. Just encrypt all the data until the user opens the calendar, then decrypt the data for them. But just as an email service has to interact with other email services, a calendar service needs to be able to interact with other calendar services. Even worse, a full-powered calendar system needs to be able to share events with other calendar systems. The ProtonMail team battled with this complexity for over a year, and on December 20, 2019, they announced the arrival of ProtonCalendar, their solution to this complex set of problems.
ProtonCalendar is still in early beta. The final version will include:
- calendar sharing
- event invitations to anyone (whether they use ProtonMail or not)
- the ability to sync the calendar with events found in your ProtonMail inbox
ProtonCalendar is also scheduled to be added to the iOS and Android apps at a future date.
The ProtonMail mobile apps
ProtonMail has apps for both iOS and Android. I’ve been working with the Android app and it looks good and functions smoothly. At the time of this ProtonMail review, the Android app had almost 24,000 reviews with a solid rating of 4.5 out of 5 stars.
At the time of this review, ProtonMail’s Android app is not open source and is not available on F-Droid.
On October 30, 2019, the company announced that their iOS app is now open source. This app gets a score of 4.3 out of 5, with over 1,200 reviews.
Is ProtonMail really secure?
There is a lot of debate out there about how secure ProtonMail really is.
Aside from the financial ties to the US and EU that we discussed earlier, there have been some criticisms of the service on other grounds as well.
- The browser client uses JavaScript encryption libraries. These are considered to be less secure than the libraries used in the ProtonMail mobile apps.
- Leaving the Subject field in the clear (for PGP compatibility) means more data could be exposed to those spying on the message traffic.
- A paper published at the end of 2018 criticized ProtonMail’s cryptographic architecture on a number of grounds. However, these same criticisms could be applied to any browser-based email client (not just ProtonMail). Here is the response from ProtonMail.
On the subject of using PGP, there are also some security benefits. OpenPGP is an open standard that has been extensively audited for security, is battle tested, and is well proven to be secure. ProtonMail is also the maintainer of OpenPGPjs, which is the most widely used open source encryption library and has therefore been thoroughly audited.
Lastly, we also have to keep in mind that ProtonMail is arguably the biggest name in the private email space. This makes it a good target for criticism, as we have also seen with NordVPN, the largest VPN provider.
ProtonMail business features
ProtonMail also offers a service for businesses that provides “end-to-end encryption to secure your business communications.”
This service includes migration tools and dedicated support to transition your business from its current hosting to the ProtonMail infrastructure. It incorporates a user hierarchy allowing your Email Administrators to manage user accounts appropriately.
Given the current limitations with search and calendar, I’m not sure ProtonMail would be a great fit for businesses that need all these features. There are other good options that are more fully-featured, such as Mailfence or Mailbox.org.
ProtonMail cost and pricing plans
Since they don’t display ads in their clients, or sell access to your messages to advertisers, ProtonMail charges for their services. As you can see below, ProtonMail has four pricing plans, including a free tier with 500 MB of storage.
The Free plan, with 500 MB of storage, 150 messages per day, and 3 folders / labels could be enough for you. If not, one of the paid plans will likely meet your needs.
Note that the Free, Plus, and Professional plans all offer ProtonVPN as an option, while the Visionary plan has the VPN built in.
ProtonMail alternatives
While there are several secure email services on the market, Tutanota is the first alternative I would suggest. Rather than using PGP and S/MIME, Tutanota has rolled out their own encryption standard incorporating AES and RSA, which encrypts the subject line, supports forward secrecy, and can be updated/strengthened over time. Tutanota has also rolled out a fully-encrypted Calendar feature and is much better than ProtonMail about open-sourcing their clients.
My verdict: Tutanota is the best alternative to ProtonMail in the high-security category. (It is based in Germany.)
There are other alternatives to ProtonMail that offer a lesser degree of encryption and security, but with more features:
- Mailfence is a Belgium-based email service that has many features, integrated PGP support, and works well for groups/teams.
- Mailbox.org is another good option based in Germany with many features and options for teams.
Both Mailfence and Mailbox.org support custom domains.
ProtonMail review conclusion
ProtonMail is a polished and popular end-to-end encrypted email service that will meet the needs of many regular users.
As the most popular secure email service on the market, with a free basic account, it is a great option for regular encrypted communications with friends, business partners, and others who want protection from routine snooping and hacking. For those who want maximum security, with full encryption of subject lines and strong data security, Tutanota might be a better fit.
Is ProtonMail the best secure email service for you?
I can’t tell you that since everyone’s needs are different. There are many factors to consider when selecting a secure email provider and the choice all comes down to your own preferences.
You can learn more about ProtonMail on their website here:
https://ProtonMail.com/
protonmail is safe ?
https://privacy-watchdog.io/protonmails-creation-with-cia-nsa/
I addressed this website already.
If you look down to October 12, 2020, my comments are there.
I redirect your thought to this fact:
If ProtonMail, the reportedly #1 secure email in the world, were to violate that trust with millions of users, why is there only a couple of posts and one blog site that is saying this?
I assure you, if PM was indeed in violation of this, they WOULD be found out and the noise of that splash would be web wide.
One more thought, the author uses Tutanota as his email.
Besides the inherent issues with them, I believe he may be biased.
I at least admit I am.
Protonmail does not seem safe for privacy!
“we cannot guarantee your safety against a powerful adversary.”
Nobody can or will “guarantee your safety against a powerful adversary.”
I am really impressed not only by your in-depth review but you obviously researched, in-depth, a question from a commenter. Well done Sven!!
I have recently created a Free PM account and have been satisfied overall. My only surprise and concern for my personal usage is the lack of the ability to create sub-folders. I have searched and searched and I am pretty sure sub-folders are not a feature. Perhaps on the paid version, but there is no indication to that effect either. In fact, in the PM comment section it seems that this has been a concern of users since at least 2015.
In the big picture this is not a really big deal but it is one of the little nuisances that would inevitably continue to pop-up when trying to organize messages.
I cannot comprehend why this feature is not available and therefore believe it should have gotten a listing under the “Cons” list in your review.
So far I’ve only heard good things about Protonmail. I’ve really thought about actually using it. And this contributes heavily to it. Thanks for talking about this!
Has anyone tried to create a workspace on Android with Shelter and be able to have two email accounts for example Protonmail with two separate inboxes ?
I think Shelter is reliable as it is open source.
https://play.google.com/store/apps/details?id=net.typeblog.shelter&hl=en_US&gl=US
What do you think ?
Proton mail sucks. Deleted my accounts – no recourse (forget your BS recovery email – never worked!!)
Tech support must speak an alien dialect as several emails resulted in asking for info emailed in previous emails!!
Add that to stealing the information from 3 million Zoho users – I think Zoho is a dangerous place to tread!!!!
Beta calendar for android is now out for paid members!
https://protonmail.com/blog/calendar-android-beta/
Update:
Been playing with it for a few hours now, and so far the syncing between the app and the Beta Desktop is working flawlessly.
I am hoping to see a share calendar feature come out soon, but for now, it is really good.
Another brilliant feature for Basic, Plus, and Visionary users!
Really great item to have for there are many times I have found mistakes after I hit send.
https://protonmail.com/blog/undo-send/
@pega,
No, POP3 doesn’t work. You have to use the bridge.
They do have directions for setting it up. Here you go: https://protonmail.com/bridge/
The directions are pretty easy to follow but there are a few tricky points as well.
They are really good for CS so reach out to them if you need help.
Bye,
With Thunderbird can I download my Protonmail account mail using POP3?
Proton did an audit of their public keys to protect against batch GCD attacks. Here is their report. Links are in the article to more advanced stuff if you are interested.
https://protonmail.com/blog/batch-gcd/
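The audit the comment above links to checks a key set for RSA moduli that share a prime factor, which is what a batch GCD finds. As an added illustration (my code, not Proton's), here is the product-tree/remainder-tree method run over a constructed toy key set; it assumes the moduli have already been extracted from the public keys as integers, and uses small primes in place of real key sizes.

```python
from math import gcd, prod


def product_tree(leaves):
    """Levels of pairwise products: leaves first, a single root last."""
    tree = [list(leaves)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([level[i] * (level[i + 1] if i + 1 < len(level) else 1)
                     for i in range(0, len(level), 2)])
    return tree


def batch_gcd(moduli):
    """gcd(n_i, product of all other moduli) for every modulus, in one pass.

    Bernstein's product-tree / remainder-tree method: compute P = prod(n_i),
    push P mod n_i^2 down the tree, then take gcd((P mod n_i^2) / n_i, n_i).
    Result 1: n_i shares no prime with any other key. A proper factor: two
    keys share a prime, so both are factored. Equal to n_i: duplicate key.
    """
    if not moduli:
        return []
    tree = product_tree(moduli)
    remainders = [tree[-1][0]]          # the root is the full product P
    for level in reversed(tree[:-1]):
        remainders = [remainders[i // 2] % (n * n) for i, n in enumerate(level)]
    return [gcd(r // n, n) for r, n in zip(remainders, moduli)]


def reference_gcd(moduli):
    """Quadratic-cost definition of the same quantity, for cross-checking."""
    moduli = list(moduli)
    return [gcd(n, prod(moduli[:i] + moduli[i + 1:]))
            for i, n in enumerate(moduli)]


def weak_keys(named_moduli):
    """Map key name -> nontrivial factor for every key the batch flags."""
    names = list(named_moduli)
    factors = batch_gcd([named_moduli[k] for k in names])
    return {name: g for name, g in zip(names, factors) if g != 1}


if __name__ == "__main__":
    # Constructed toy key set: small primes instead of 1024-bit ones. Two
    # moduli were built from the same prime p, as a faulty RNG would do.
    p, q1, q2, r, s = 10007, 10009, 10037, 10039, 10061
    keys = {"alice": p * q1, "bob": r * s, "carol": p * q2}
    print(weak_keys(keys))   # {'alice': 10007, 'carol': 10007}
```

A key flagged with a proper factor is fully broken, since the other prime follows by one division; the scan says nothing about keys that are weak for other reasons.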
Thanks for this thorough review!
As a complement, it would be very interesting to discuss some common opinions against ProtonMail, like e.g. https://privacy-watchdog.io/truth-about-protonmail/. How much sense do such negative claims make? How can we as end users understand what is real and relevant?
@Matt,
I read through the site and here are my thoughts:
1) I find it interesting that really the only company he goes after is ProtonMail. For being a “Watchdog” he is letting a whole lot slip by.
2) Please notice his contact email. Tutanota. While it may not be bad, there are some issues he doesn’t bring up (which, btw, he doesn’t allow for Proton).
3) The evidence he is “proving” is a lot of hearsay. I will explain why in a minute.
4) He tries to bridge a chasm between the NSA and PM. Interesting leap.
I could go on, but let me share what I have discovered and asked.
First, I am not new to PM. been almost a year now using them. I have spent a lot of time asking questions and searching. Here are some notes.
1) He uses the report from a professor who neither had his report peer reviewed or tested. Lot of claims with no real substance.
2) The thrust of the letter deals with web apps and the risks. Yet Tutanota, interestingly enough, uses web apps. Why no problem from him? Is he using the desktop client? Maybe. But that was buggy at best when I did. So, how safe is it?
3) JavaScript is active for the site (I know the risks here); however, upon logging in, JavaScript is disabled. I know because I emailed and asked.
4) Financially, yes, they did receive funding. The EU, Swiss Gov, and Venture Capitalists. Asking them to what degree they have a say, I was told, and I quote, “ProtonMail is owned by the employees. The outside revenue did not and never will give them a controlling voice.” What is further, let us turn the eye on Tutanota a minute. Second, the EU and Swiss money was not just singled out to PM. It was to help develop a privacy service, if I remember how it was explained.
5) Unlike PM, Tutanota IS a member of the EU and is a member of the 14 eye nations. Have you looked at their retention laws? The author of the site neglects to point that out? As far as retention laws for PM, please see the link in my last post below.
6) Searching for more info regarding the other claims (reading messages, NSA, etc.) I wish to answer all of that in one thought. PM is the big name. They are going to be targeted by EVERYONE. Naturally, that is the name of the game. If, and I do mean if, PM compromised or was truly a spying org, would that not be a much BIGGER noise than a few out of the way people and blog sites? Yet crickets.
7) Back to security, my question for the author is, did he make his own keyboard? How about monitor? Mouse? CPU? Why? Let’s say Logitech decided to be malicious. Would they have to crack the encryption? Nope. They can program the firmware to capture keystrokes and report it. Well, there goes privacy.
The author really seems stuck on the NSA. They are bad characters for sure, but don’t toss out this angle while letting the EU go free.
8) CIA? I don’t believe it. I am not going to say why I know this (and no, it has nothing to do with my position. I have said before I am with an NPO). But this is a stretch. Longer than the NSA angle.
9) MLAT? He does realize that EVERY email provider is required to respond to a legal court order. Again, an email I sent asking about this was answered. They said, “An MLAT treaty has never been filed for us.”
It seems that he has a burr under his saddle, and he is taking a moment of fame.
But lets consider the security set up. PM is using tried and true standards. CTemplar uses the same and credits PM for the work they do. Tutanota rolls their own. Has it been set up correctly? We don’t know. How about the engineering? Maybe. But the real danger here is that someone may THINK they have security and because it is only tested with Tutanota, are we sure?
It all comes down to trust. We all must trust. I have my biases, and I am not a fan of Tutanota. Not even close. But even I am willing to say that if they work and do things right, give them credit. But the blog? I see anger and hatred, and no amount of objective looking at facts will change his mind.
Now, I will respond with two links of my own. But please know that I am not arguing or attacking. You had asked for a discussion and I am simply responding. If we don’t agree, no problem here. But I think that I laid my case out as well as I could at the present time.
Here are the two links. I did not include the Reddit thread about this topic as I don’t like them. However, it was an interesting discussion for sure.
https://protonmail.com/blog/cryptographic-architecture-response/
This next link is interesting. Please note what is said about both PM and Tutanota:
https://binsec.nl/email-security-privacy-concerns/
Hope these help.
I sent the article to Protonmail.
They sent me this reply. I forwarded a copy to Sven, so he can authenticate it.
On Tuesday, February 16, 2021 8:43 AM, ProtonMail wrote:
Hello,
Thank you for contacting us.
We have read the article that you linked carefully and we have to say that what they claim is true is based on a bunch of assumptions and misinterpretations.
We will try to comment on the accusations in the same order as they are presented on the web page.
1. ProtonMail offers users the option to log into their account through our Onion site for privacy reasons. Some users simply prefer to use TOR and we allow them to access their accounts through our Onion site. The fact that we have an onion site does not automatically mean that we are linked to CIA. We are not related to CIA in any way, nor do we have any backdoors that would allow anyone to access anyone’s messages. We also do not allow sign-ups from the Onion page as part of our anti-abuse measures.
2. The claim that we do not use end-to-end encryption is a lie, and in fact, the author of the article that you linked has also linked our explanation on this topic.
https://protonmail.com/blog/cryptographic-architecture-response/
ProtonMail uses zero-access encryption to store the user’s messages on our servers and we certainly use end-to-end encryption.
https://protonmail.com/support/knowledge-base/what-is-encrypted/
https://protonmail.com/blog/zero-access-encryption/
3 and 4:
Proton Technologies is majority owned by employees of the company, and is solely under Swiss jurisdiction. Information about the company and our directors are in public record, and can be found in the Swiss commercial register: http://ge.ch/hrcintapp/externalCompanyReport.action?companyOfrcId13=CH-660-1995014-1&ofrcLanguage=4
Regarding VMS, VMS is not an investment fund or investor. It’s part of MIT (http://vms.mit.edu), which is a university in Cambridge, Massachusetts. As a company heavily focused on cryptography research, we do share research with many of the world’s top research institutions, including CERN, MIT, ETH Zurich, and several other research institutes. This is actually a benefit as it ensures that our technology is thoroughly checked by others to be certain it is secure.
5. The present employer of people that used to work for us in the past does not mean anything.
6. If someone uses EML files, that cannot mean that they are automatically related to CIA. EML is a file extension that is used for an e-mail message saved to a file. EML files are widely adopted.
7. This is not correct, because we do not have access to our user’s messages, nor the means to decrypt them.
https://protonmail.com/blog/zero-access-encryption/
8. We have used Radware in the past for DDOS protection, but they never had any access to any data.
https://protonmail.com/blog/a-brief-update-regarding-ongoing-ddos-incidents/
https://protonmail.com/support/knowledge-base/email-ddos-protection/
9. This is not true and we don’t see how this claim is a security concern of any kind.
10. We are unable to comment on this.
11. See points 3 and 4
Also, you are welcome to review our terms and conditions, privacy policy and transparency reports.
https://protonmail.com/terms-and-conditions
https://protonmail.com/blog/transparency-report/
https://protonmail.com/privacy-policy
If there is anything else we can assist you with, let us know.
Best Regards,
The ProtonMail Team
I was sent a new article claiming that Protonmail is compromised.
See: https://theconsciousresistance.com/protonmail-is-insecure/
reposted here:
https://healthimpactnews.com/2021/protonmail-is-inherently-insecure-your-emails-are-likely-compromised/
Unlike the Privacy Watchdog article mentioned above, this author identifies themselves and is not anonymous. Additionally, when I tried to email the Privacy Watchdog site, the email bounced; the site seems defunct. The author of this new article is known within privacy circles.
I’d like to see people critically evaluate his claims.
I’ve used ProtonMail for years now. I didn’t realize until I got a bounced email that ProtonMail appears to be heavily routed through and dependent on Chinese servers! Header excerpts below:
Reporting-MTA: dns; mail-41103.protonmail.ch
Authentication-Results: mail-41103.protonmail.ch;
Received from mail-02.mail-europe.com by mail-41103.protonmail.ch;
X-Spam-Checker-Version: SpamAssassin 3.4.4 on mailout.protonmail.ch
So, what gives? Is PM safe to use or not??
.ch is actually the Swiss top-level. .cn is China.
@Sven and all others,
Sven, please feel free to post the info on these links anywhere else on the site. It can go in so many areas and has a lot of impact.
Great info! One argument is the “6 mo retention law” that many say subjects ProtonMail.
Info on that as well as a law update: https://protonmail.com/blog/eu-data-collection-illegal/
More good news for US people: https://protonmail.com/blog/congress-antitrust-report/
Good info, thanks J.M.!
Of course.
Fantastic website Sven. The world owes you! (unless this is all false info and you are one of ‘them’, but I doubt it).
Excellent in-depth Proton’ review here!
Not the most important issue but, I’ve never seen anyone comment on the fact that P’mail’s free tier is not supplied with spellcheck as standard (unless it is in v4). No issue, just use an open Word doc’, but it’s a pain.
On another note – they do respond directly to phishing concerns, though can duplicate template auto-responses. Also, they went outside the box and helped me regain a password! Noteworthy.
Import/Export app is now available, out of Beta. All open source. Not yet available for free version but coming.
https://protonmail.com/blog/import-export-app-release/
Saw this and wanted to share: https://protonmail.com/blog/searches-increase-for-email-privacy/
One basic complaint about a design aspect of Protonmail: ‘Trash’ is listed in the left nav right above ‘All Mail’. It is quite easy, even when careful (but sometimes busy/distracted), to inadvertently click ‘All Mail’ (rather than Trash) then delete, then damn!, realizing that ALL of one’s email across ALL folders has just been eliminated forever. Whether a change to the placement of ‘All Mail’ (away from being co-located by ‘Trash’), or maybe give users a Settings option to suppress display of ‘All Mail’ … this is a significant enough issue that I have decided to leave Protonmail and try competitor secure email services that do not have this key design issue.
Here recently, Protonmail just announced the coming of ProtonDrive. It is there answer to Office and Google’s cloud services.
Wow! Just saw the mistype.
Their not there.
Thanks for writing this article. You should let people know that Tutanota is based in Germany (part of the 14 eyes), so, in theory, more likely to cooperate with other countries than ProtonMail (based in Switzerland and outside the 14 eyes).
Hey Tom, yes and we covered that issue more in the Tutanota review.
@Sven Taylor
Just an FYI. But, I believe that Protonmail’s forums are moderated against any “implied” dissatisfaction of their product. I purchased the Plus version of Protonmail based upon your review and some other review sites which had rated Protonmail as highly recommended. It seemed to have all the features I was looking for; most especially, the ability to import my Gmail accounts. I posted the following on their message board below the Import-Export Knowledgebase article. My comment was put under moderated review. Here’s my message:
“I am attempting to use the Protonmail Import-Export application. I receive the error message: CANNOT AUTHENTICATE – INCORRECT EMAIL OR PASSWORD.
I tried troubleshooting this error using Mozilla Thunderbird (new installation). I was able to download my GMail into Thunderbird without issue (meaning my username and password were correct).
Since there was no prompt from the Protonmail Import-Export application for 2FA that I received while importing into Mozilla Thunderbird, I temporarily disabled 2FA. I still was not able to import my GMail emails via the Import-Export application.
My next step in troubleshooting was to import my Gmail emails from Mozilla Thunderbird. The Protonmail Import-Export application could not see any emails to import. I had the correct file location.
I have already sent an inquiry via the support-form.
So far, I am very disappointed in Protonmail’s Import-Export application since it was a major selling point in purchasing your product.”
Mr. Taylor, that was my entire post. It was removed by the Protonmail moderators. I received zero feedback from them in regards to my message. I still have not heard back from Protonmail’s staff regarding my issue with not being able to import my emails from another service.
I posted my message because it included the troubleshooting steps that I took (in the hope that if someone else was having the same issue that they might want to try those troubleshooting steps as well to see if they could succeed where I couldn’t).
By the way, I signed up for the free version of Tutanota (since it was also highly recommended), but their import functionality is still in the “planning” stage.
You may want to check out Mailfence. The import feature works well.
Thank you for the quick reply. I’m looking at Mailfence now. I really appreciate your honest reviews and how in depth you are regarding the products.
You mention only Tutanota as a more secure mail service than ProtonMail.
Maybe you forgot CTemplar or did not try that out when you wrote this.
I was sorely disappointed in Protonmail. In all the research I did about email sources and privacy, not once did I see a review, comment etc. warning Protonmail users that outgoing emails may be undelivered if the recipient blocks all incoming emails arriving from overseas (due to cyber attacks). I learned this the hard way. I will say that Protonmail was swift to reply to my help ticket. But since their server is outside the USA, no hope.
Ahhh yes. The fact that you used an email provider located overseas was not indication enough that it was “overseas”. No provider can inform you of all private policies. While an extreme example, no email can be received from GMAIL on SIPRNET. Or more applicably, employees working on a sales floor can only send mail to and receive mail from whitelisted domains.
This is a due diligence issue rather than a provider issue. The same would apply to Tuta or any other overseas provider.
I’m a paid ProtonMail user and just now came across an article in Security Week written by Eduard Kovacs published on May 30, 2019. Even though it has been a year, I haven’t seen any further discussion about these accusations against ProtonMail. The article is titled: ProtonMail Accused of Voluntarily Helping Police Spy on Users and the link is: https://www.securityweek.com/protonmail-accused-voluntarily-helping-police-spy-users. Below are a few quotes from the article:
“On May 10, Stephan Walder, a public prosecutor and head of the Cybercrime Competence Center in Switzerland’s Canton of Zurich, had a presentation on cybercrime at an event. Martin Steiger, a Swiss lawyer who had been live-tweeting from the event, claims Walder incidentally mentioned ProtonMail as a service provider that voluntarily offers assistance to law enforcement for real-time surveillance, without requiring an order from a federal court.”
“While ProtonMail provides end-to-end encryption, which prevents the company from reading the actual content of emails, it does have access to metadata. Citing the U.S. National Security Agency (NSA), Steiger pointed out that metadata can be highly valuable to law enforcement and intelligence agencies.”
“ProtonMail cannot be used for any purposes that are illegal under Swiss law. Not only is this against our terms and conditions, we are also obligated by law to assist police investigations in criminal cases. However, the claim that we do this voluntarily is entirely false,” ProtonMail said.
“Laws are subject to interpretation, and because the relevant Swiss law itself is ambiguous, there are differing interpretations of the law. Steiger’s interpretation is different from the one taken by the Swiss government agency tasked with enforcing the law, whose directives we are legally obligated to comply with. His interpretation, therefore, is just an opinion, and not grounded in legal reality.”
“However, we also do not agree with the interpretation taken by some branches of the Swiss government. Therefore, we have asked the Swiss Federal Administrative Tribunal to rule on the appropriate interpretation of the law, and we will appeal to the Swiss Supreme Court if necessary. Until a ruling comes down (in one- or two-years’ time), our company policy has consistently been to take the most pro-privacy position, which is indeed the position we have taken in all our court filings,” it added.
“Steiger says ProtonMail still hasn’t addressed some of the points from his article, and claims the company threatened to take legal action against him for defamation.”
So, should we still feel that our privacy is being protected by ProtonMail? After reading this article, I don’t really know what to think. Sven’s review here clearly states that ProtonMail metadata is not encrypted. I think that the question would be based on whether ProtonMail is voluntarily giving open access to users’ metadata, possibly in real time, to the NSA or other US spy agencies.
ProtonMail clarified this in a blog post here. But Steiger also removed his blog post and retracted the claims. Make of it what you will.
I just found this interesting site: http://protonmail.uservoice.com/
There are a lot of suggestions and comments. Of course you have your spammers which really drains but those that are real are very good.
Proton does listen, it seems, to their customers. Thought I would spread this.
I have suddenly lost 6 months of mail today. I have had a free account with protonmail for 3 years now. I am a daily user.
How can this happen?
Last week, the ProtonMail Abuse team disabled our Paid Visionary account we had open for several years. We operate a small offshore domain/Crypto/e-banking consulting firm.
Over the last few weeks, an offshore bank stole over $50,000 from one of our partners by refusing to process the withdrawal. Over these weeks, we learned this bank has a reputation for creating absurd hurdles to processing client transactions.
As a result of this, we sent several (aggressive) messages to this bank including a link to a blog site we created in order to expose this banking scam.
As a result of this, the bank seemingly contacted ProtonMail to attempt to indicate we were “harassing them” or something to that regard. As a result of this, our account was immediately deactivated by ProtonMail.
Since then, we have ZERO access to ANY Emails/Contacts from 10+ addresses linked to the account including addresses used by our clients/partners.
Our attorney sent a letter to ProtonMail and they refuse to give any detailed information and only suggest we were involved in “impersonating a company and scams”.
These email accounts are linked to 2FA for Crypto, Websites, and other e-services we own.
I am honestly shocked an encrypted email service would behave like this. Even Google or Yahoo would never shut down an account entirely, provide barely any response, and not even give you access to your Contacts/Emails to change providers.
I am pleading with ProtonMail to treat the situation with seriousness and re-activate our account or at least allow us to temporarily re-gain access to it. Thank you.
Interesting, thanks for sharing this information. I’m going to look into this issue more because I recall seeing other complaints about accounts getting suspended without any explanation.
Utilizes phone number verification
– this is completely optional, you can use a dedicated hardware device for MFA auth
Android app, IMAP bridge, and backend are closed source
– not true
It’s hard to trust someone offering privacy advice when they can’t even do basic things like read the product description before writing about it…
Dan, the statement “utilizes phone number verification” is completely true and accurate. We did not say it was mandatory.
The closed source “Con” was overlooked as that was a recent update. But I have removed it from the “Con” list.
Dan,
Please see my updates below. I have been trying to keep up with it as well.
I have mentioned this to Sven and am willing to leave it to him if he wishes to change it.
Second, Sven has a lot going on and every little update is best reported by us as commenters. I would urge patience with Sven.
Our own posts help the site and bring a wide range of wisdom and knowledge that really does help.
Thanks for the update though.
I Agree with that – things change so fast but we’re all stuck at around 2012 in web technology relating on our ends. Those that read from all points of the web will have key points they could share as friendly – “Did you know or Hey that’s change now?” type of ‘hey this wrong now’ as could you update it. Heck too I’d bet Sven reads more than many here.
Dan does probably possess a little better knowing to currents of things that interest him – so he’s needing to see an updated area of a topic here, but man he has some questionable vibes coming from him. Maybe too other parts of the site here scare him and in striking back or out for seeing many Internet dangers of the things brought together under one roof. He couldn’t control it as he’s found it’s one deep black hole pit sucking up your data.
Could be. A lot of information could cause a feeling of despair.
Not saying he is but just trying to point out a way to and to not approach something.
Believe me, I can be very abrupt but I work on keeping myself under control.