| Based in | Switzerland |
| Storage | 5-20 GB |
| Price | $4.00/mo. |
| Free Tier | Up to 500 MB |
| Website | ProtonMail.com |
ProtonMail gets a lot of attention as a secure email service, even getting shoutouts in various media outlets. But when you strip away the flowery language, does this email provider really stand above the competition? And is it worth the above-average price? We’ll answer all this and more in our new and updated ProtonMail review for 2022.
If you want to protect your email from prying eyes, but don’t need the kind of protection that keeps spies and whistleblowers alive, ProtonMail could be the secure email service for you. It utilizes PGP encryption standards, end-to-end and zero-knowledge encryption. A high level of encryption is very important in an age of eroding security and regular data breaches in the news.
Because ProtonMail positions its service as one of the most secure email options available, above and beyond other secure email providers, we’re really going to put it under the microscope in this updated ProtonMail review for 2022.
At the end of the day, only you can decide which is the best secure email service for your unique needs and threat model. So let’s get started.
+ Pros
- End-to-end (E2E) and zero-access encryption for Email, Calendar, and Contact information
- Operates under Swiss jurisdiction
- All data stored on servers in Switzerland
- Apps for Android and iOS mobile devices
- Web client, encryption algorithms, Android and iOS code are all open source
- Support for custom domains
- Strips IP address from emails
- Can be used with third-party email clients through the ProtonMail Bridge feature
- Can import contacts and emails
– Cons
- ProtonMail does not encrypt email subject lines
- Sometimes requires personal information for verification of new accounts
- Confusing and expensive pricing
- Incredibly long beta test cycles
- May log IP addresses for government agencies
ProtonMail features overview
ProtonMail utilizes strong end-to-end (E2E) and zero-access encryption standards to protect all email, contacts, and calendar data. All your data is encrypted when stored on ProtonMail servers, except email subject lines (more on this later).
Note: To understand the difference between E2E and zero-access encryption, check out this excellent explanation.
Aside from this multi-tiered encryption system, ProtonMail has plenty of interesting features, including:
- The ability to send “self-destructing messages,” which are automatically deleted at the time the sender specifies.
- Address Verification, a way to ensure that a Public Key received from another user hasn’t been tampered with since you first verified it.
- Full PGP support.
- Premium accounts with a range of additional benefits, including a brandable Business account.
- The ability to send encrypted emails to non-ProtonMail users.
- Android and iOS mobile apps plus a web client.
- ProtonMail Bridge, which allows ProtonMail to integrate with other email clients that support the IMAP and SMTP protocols. This also allows you to import mail into your account from other services.
Overall, this is a good lineup of features.
ProtonMail company history and funding sources
The ProtonMail family of products is run by Proton Technologies AG, a company based in Geneva, Switzerland. The founders met while scientists at CERN and came up with the idea for a secure email provider in the CERN cafeteria, as the story goes.
Funding for ProtonMail has come from various sources over the years. Aside from regular paying users, Protonmail has also benefited from the following funding sources:
- In 2014, ProtonMail launched an Indiegogo crowdfunding campaign which brought in over half a million dollars.
- In 2015, ProtonMail accepted a $2 million investment from a US-based firm called Charles River Ventures (CRV).
- In 2019, ProtonMail accepted €2 million from the EU government to “develop a suite of encrypted services.”
ProtonMail is a bit more expensive than some of the other secure email services we’ve reviewed, such as Tutanota and Posteo for example.
ProtonMail does not encrypt email subject lines
One concern I have is that ProtonMail does not encrypt the subject lines of messages. From the ProtonMail website:
All ProtonMail data at rest and in transit is encrypted. However, subject lines in ProtonMail are not end-to-end encrypted, which means if served with a valid Swiss court order, we do have the ability to turn over the subjects of your messages. Your message content and attachments are end to end encrypted.
ProtonMail complies with the OpenPGP encryption standard, which is based on the proprietary PGP standard. In that standard, address-related metadata is part of the message header and must remain unencrypted to allow a message to reach its destination.
ProtonMail does not encrypt the subject of your emails. If this is a problem for you check out our Tutanota review, which does not rely on PGP and fully encrypts subject lines.
The ProtonMail approach makes them compliant with the PGP specification, but leaves this potentially-revealing data unencrypted. We will return to this important subject in a moment.
ProtonMail servers and data security
All ProtonMail servers are physically located in Switzerland in secure facilities. This means user data is protected by Swiss law, which generally provides for better privacy than USA or EU law.
However, ProtonMail makes it clear that if you violate Swiss laws, and they receive a Swiss court order, they will have to turn over whatever information they have on you to the Swiss authorities. This is where the lack of encryption for the Subject line of messages can become a problem.
While the bodies of your messages and any attachments should remain safely encrypted, addressing information and the Subject lines of your messages are stored in the clear and would be provided to the authorities. This information is enough to give anyone possessing it a good idea of who you communicate with and the subjects you discuss with them.
ProtonMail logging IP addresses
Additionally, ProtonMail may also be logging your IP address and providing this to government authorities. I learned about this by reading ProtonMail’s Transparency Report.
There was another high-profile case of ProtonMail logging IP addresses in 2021. This case received lots of attention because:
1) the ProtonMail user was arrested by authorities; and
2) ProtonMail then scrubbed its website of the “no IP logging” claims after the incident
This is another reason we also recommend using a good VPN service that hides your true IP address and location. Using a good VPN is also essential for basic digital privacy in a world when ISPs log everything you do online.
Some people also question how free from USA and EU influence Proton Technologies really is. Additionally, Switzerland now has data retention regulations, but ProtonMail argues that these regulations do not apply to their services, but rather Swiss internet providers.
All that said, the ProtonMail threat model document specifically states that,
“we cannot guarantee your safety against a powerful adversary.”
The spy agencies serving the USA and EU definitely qualify as “powerful adversaries.” Under most circumstances, this is a secure email service. But if you decide to take on one of the Five Eyes, violate Swiss laws, or do something else equally crazy, using ProtonMail is unlikely to save you.
Is ProtonMail really anonymous?
If you look at the ProtonMail home page, you’ll find this claim:
I like the idea of being able to create an account without providing any personal information. Just finding a secure and private email service is hard, which is why we have created this series of email reviews for you. An anonymous and encrypted email service would be great — but there’s a problem.
When creating an account to test out ProtonMail for this review, I was forced to go through a verification that is the exact opposite of “anonymous” — as they boldly claim to offer.
How does ProtonMail square this requirement to enter personal information, with their claim that, “no personal information is required to create your secure email account”? To me, it seems like a clear contradiction.
To attempt to explain away this contradiction, ProtonMail has created a page explaining their “Registration Human Verification” procedures, which you can read about here.
First, the system doesn’t always force you to enter personal information. They have, “an intelligent algorithm that determines the required verification method based on a number of factors.” Sometimes it will only require a reCaptcha to confirm that you are human.
At other times you will be forced to use email or SMS verification, or make a “donation” using a credit card or PayPal. In other words, their algorithm will decide for itself whether or not you are allowed to create an account without disclosing personal information. So let’s call it conditional anonymity.
The page also explains that if you do use email or SMS for verification, only a cryptographic hash of this information is stored. This hash, “is not permanently associated with the account that you create.” The page doesn’t explain if “not permanently associated” means “never associated,” or “temporarily associated.” Nor does it explain how credit card and PayPal verification is tracked.
I can understand the company’s desire to have processes in place to prevent spammers from abusing the system. But I can’t understand their claim that no personal information is required to create your secure email account with the fact that sometimes personal information is required. The fact that the email and SMS hashes are not permanently associated with your account doesn’t change the fact that you must provide them, then trust ProtonMail’s handling of them.
We have reviewed other secure email services that give you more privacy when registering for an account. For an example of this, see our Tutanota review.
My Two Cents: ProtonMail needs to clarify or eliminate the claim of offering anonymous email.
ProtonMail technical specifications
ProtonMail uses a variety of encryption algorithms to protect your messages. All messages are end-to-end encrypted and also remain encrypted in your mailbox until actively being read. The algorithms they use are open source versions of AES and RSA along with OpenPGPjs algorithms:
- AES-128
- TLS 1.0
- DHE RSA
- SHA 3
QuoVadis Trustlink Schweiz AG signs SSL certificates for ProtonMail.
Security features of the certificates include:
- Extended Validation (EV)
- Certificate Transparency (CT)
- 4096-bit RSA
- SHA-256 hash
ProtonMail hands-on testing
If you’ve used email services like Microsoft Outlook or Gmail, you will find ProtonMail to be easy to work with. For this review, we’ll be looking at ProtonMail Plus plan, the first tier of paid ProtonMail service. At this time, you need to have a paid ProtonMail account and access the beta version of the product to use some of the newest features, such as their new encrypted Calendar.
Creating a ProtonMail account
Creating an account with ProtonMail is pretty self-explanatory. You can get an account in a matter of minutes:
- Go to the ProtonMail website and select the SIGN UP button.
- Create a username and password. (Recovery email is optional.)
- Go through the verification steps
I’ve seen complaints that ProtonMail sometimes forces people to go through phone (SMS) verification if they try to sign up using a VPN or the Tor network. While I don’t like the idea that ProtonMail may force you to use SMS verification, I understand their desire to protect the service from spammers and bots.
Note: I have no reason to suspect that ProtonMail is lying to you about this, but I also understand that many people want to use ProtonMail truly anonymously. I could imagine someone like that using an anonymous payment method like a new, virtual credit card to make a donation. Or maybe renting an SMS number just long enough to complete the process. Even using a disposable email address then discarding it once the verification is done.
ProtonMail betas
Before we go further, we have to discuss how ProtonMail handles beta versions. They are serious about wanting community involvement in the process. As a result, the newest version of ProtonMail can be stuck in beta for a long time. How long? Years.
ProtonMail version 4 went live in October of 2019. The new ProtonMail was finally released in June of 2021, more than a year and a half later.. I find this mind-boggling but that’s the way this team rolls, apparently. In response to the various complaints on Reddit, ProtonMail acknowledges the missed deadlines and delays:
So what does this mean to you? I don’t think it is a good idea for a privacy-oriented person to rely on beta software. By definition, beta software isn’t completely ready yet. This could include flaws, bugs, and/or exploits that undermine your privacy and security.
Unless you are comfortable with the real, but hard to quantify privacy risks of using beta software, I recommend you stick with the released version of ProtonMail (v4.0.20 at the time of this review).
Signing in to ProtonMail
Signing in to ProtonMail is easy and straightforward. Simply go to the homepage and enter your login credentials. When using ProtonMail, you have the option to create a recovery email inbox, which can be used if you lose your password.
Once you sign into ProtonMail, you can stay with the free plan or upgrade to one of the paid plans. As is common with most secure email services, the paid plans offer more storage and additional features over the free plan. We noted this same dichotomy in our ProtonVPN review.
Note: As we go through this review, I’ll let you know which features are available only in a paid plan or only in the beta.
The look and feel of ProtonMail
The new version of ProtonMail has a pretty standard interface, with a 3-pane “Row View” layout (we saw that when talking about encrypted subject lines earlier). They also offer the “Column View” option, as you can see here:
With Column View, you get all the usual folders in the left-most pane, with the ability to add any custom ones you wish. And like other privacy-oriented mail services, ProtonMail blocks remote content like images by default, giving you the option to load them right at the top of the window.
The web client works smoothly although there can be a delay when opening a message, given that the message must be decrypted before you can read it. Since the client is browser-based, instead of a stand-alone app, you might find that it slows down as the number of messages as your folders increase, but I didn’t notice any problems during testing.
ProtonMail Settings
You can customize the layout of your ProtonMail inbox by clicking the Settings icon. In the menu that appears, select Go to settings, which opens the Settings window. Then select Appearance in the left-hand column of the Settings window. For example, I used the Layouts section of Settings to switch back and forth between the Row View of the inbox and the Column View.
Exactly what you can do here will of course depend on which ProtonMail plan you subscribe to. We’ll look at the differences between the plans later in the review.
Composing messages with ProtonMail
By default, you compose ProtonMail messages in a pop-up window called Composer. It comes with a good set of HTML formatting options, including inline images. This window appears in the lower-right corner of the ProtonMail window, and looks like this:
Once you get used to the layout, the composition window makes including things like Attachments, an Expiration time, a Read Receipt Request, and Encryption fast and easy. If you don’t like working in this little window, can make the Composer window large by clicking the Settings icon, then Appearance. In the Composer section that appears, select Maximized.
Note: You can only set an expiration time on messages sent to other ProtonMail users or encrypted messages sent to non-ProtonMail users. You cannot make an unencrypted message to a non-ProtonMail user expire.
There are a few keyboard shortcuts that help with composing messages. But you won’t find more advanced editing features such as macros and automatic suggestions.
Sending messages to non-ProtonMail users
Like some other secure email services, such as Tutanota and Mailfence, ProtonMail gives you the option to send encrypted messages to people who don’t use the service. The recipient will need to know the shared password you are using, so that will need to be arranged outside the system. These encrypted messages automatically expire in 28 days (but you can set a shorter date if you wish). Here’s a screenshot from our tests:
The recipient will then get an email with a secure link. If they enter the correct password and click the View Secure Message button, they will be able to see the message you sent them.
This system seems to work very well, as long as you can share the password outside the ProtonMail system to get the process started. For this endeavor, you could consider using a secure messaging app.
Searching for messages in ProtonMail
ProtonMail has a very limited ability to search your messages. Because messages are encrypted (except while you are actually viewing them), the client can’t search message bodies. This, of course, can be frustrating and really limit your ability to find the message you are looking for. Here’s a screenshot of the search feature:
If you give ProtonMail 4 permission to do so, it can download, decrypt, and index the bodies of your messages to facilitate searching them. This approach appears very similar to that taken by Tutanota several years ago.
Comparison to Tutanota search – In comparison, we noted in our Tutanota review how this email offers full-text search capabilities — and has done so since 2017. To do this, Tutanota creates an encrypted search index which can then be searched locally on the users’ device.
ProtonContacts
The ProtonContacts secure contact manager is integrated into ProtonMail, giving users a secure way to protect their contacts while functioning smoothly with ProtonMail.
ProtonMail creates ProtonContacts encryption keys for you. It uses those keys in their zero access encryption system to encrypt clear text contact data, ensuring that once they do encrypt your data this way, even ProtonMail can’t read it. ProtonContacts also uses digital signature verification to ensure that no one else can secretly tamper with your contact information. ProtonContacts is also implemented in the mobile apps.
Note: Email addresses in contacts are not encrypted using zero access encryption. Why? Because ProtonMail needs to be able to read the email address to make sure your message gets sent to the right place.
ProtonCalendar
Building an encrypted calendar sounds pretty easy at first. Just encrypt all the data until the user opens the calendar, then decrypt the data for them. But just as an email service has to interact with other email services, a calendar service needs to be able to interact with other calendar services.
Even worse, a full-powered calendar system needs to be able to share events with other calendar systems. The engineers battled with this complexity for over a year, and on December 20, 2019, they announced the arrival of ProtonCalendar.
It features:
- Calendar sharing
- Event invitations to anyone (whether they use ProtonMail or not)
- The ability to sync the calendar with events found in your ProtonMail inbox
- The ability to import other calendars in .ICS format
ProtonCalendar is also now available for iOS and Android.
ProtonDrive (beta)
In November, 2020, Proton announced the release of ProtonDrive in beta. This is a basic secure cloud storage feature that can be used with certain accounts. However, as we noted in our ProtonVPN vs NordVPN comparison, the Proton team has a habit of restricting features to only the highest-paying subscription tiers.
We see that ProtonDrive is only available to the following users at this time:
- Visionary or Lifetime accounts
- Accounts with both ProtonMail Plus and ProtonVPN Plus with one-year or two-year plans
- Accounts with both ProtonMail Professional and ProtonVPN Plus with one-year or two-year plans
How long will ProtonDrive stay in beta? Who knows. But given Proton’s history, it could be a really long time. I’ve seen a growing chorus of ProtonMail users voice their frustration over the endless beta status of this and other products:
This will someday be a welcome addition to the Proton product line. But if you need secure (non-beta) cloud storage now, I suggest you consult our guide to the best cloud storage instead of waiting for ProtonDrive to come out of beta.
ProtonMail mobile apps
ProtonMail has apps for both iOS and Android. I’ve been working with the Android app and it looks good and functions smoothly. At the time of this ProtonMail review, the Android app had 42,000 reviews with a rating of 4.2 out of 5 stars.
Since our last major review, Proton Technologies completed the process of making their Android app open source. However, it is still not available on F-Droid.
The iOS app is also open source. The iOS app gets a score of 4.0 out of 5, with over 2,900 reviews.
ProtonMail business features
ProtonMail also offers a service for businesses that provides “end-to-end encryption to secure your business communications.”
This service includes migration tools and dedicated support to transition your business from its current hosting to the ProtonMail infrastructure. It incorporates a user hierarchy allowing your Email Administrators to manage user accounts appropriately.
Given the current limitations with search and calendar, I’m not sure ProtonMail would be a great fit for businesses that need all these features. There are other good options that are more fully-featured, such as Mailfence or Mailbox.org.
ProtonMail Support
ProtonMail provides differing levels of customer support depending on which subscription plan you have. Not surprisingly, free users get a basic support level, with access to a searchable knowledge base and some helpful step-by-step guides. As you move up through the paid plans you get email support and eventually priority support.
ProtonMail cost and pricing plans
Since they don’t display ads in their clients, or sell access to your messages to advertisers, ProtonMail charges for their services. ProtonMail has four pricing plans, including a free tier with 500 MB of storage.
The Free plan, with 500 MB of storage, 150 messages per day, and 3 folders / labels could be enough for you. If not, one of the paid plans will likely meet your needs.
The details of each pricing plan tend to change, so I haven’t included a screen capture. Your best bet is to go to the signup page and see what the current offer looks like.
ProtonMail’s paid plans have historically been more expensive than the competition. Their individual plans (Plus and Visionary) will set you back $48 per year and $288 per year respectively, while the Professional plan runs $6.25 per month per user.
Note that the Free, Plus, and Professional plans all offer ProtonVPN as an option, while the Visionary plan has the VPN built in.
ProtonMail alternatives
While there are several secure email services on the market, Tutanota is the first alternative I would suggest. Rather than using PGP and S/MIME, Tutanota has rolled out their own encryption standard incorporating AES and RSA, which encrypts the subject line, supports forward secrecy, and can be updated/strengthened over time. Tutanota has also rolled out a fully-encrypted Calendar feature.
My verdict: Tutanota is the best alternative to ProtonMail in the high-security category. (It is based in Germany.)
There are other alternatives to ProtonMail that offer a lesser degree of encryption and security, but with more features:
- Mailfence is a Belgium-based email that has many features, integrated PGP support, and it works well for groups/teams.
- Mailbox.org is another good option based in Germany with many features and options for teams.
Both Mailfence and Mailbox.org support custom domains.
ProtonMail FAQ
Here are some of the more common questions about this product and its related components such as ProtonMail Bridge.
Is ProtonMail really secure?
There is a lot of debate out there about how secure ProtonMail really is. Aside from the financial ties to the US and EU that we discussed earlier, there have been some criticisms of the service on other grounds as well.
- The browser client uses JavaScript encryption libraries. These are considered to be less secure than the libraries used in the ProtonMail mobile apps.
- Leaving the Subject field in the clear (for PGP compatibility) means more data could be exposed to those spying on the message traffic.
- A paper published at the end of 2018 criticized ProtonMail’s cryptographic architecture on a number of grounds. However, these same criticisms could be applied to any browser-based email client (not just ProtonMail). Here is the response from ProtonMail.
On the subject of using PGP, there are also some benefits in terms of security. OpenPGP is an open standard, which has been extensively audited for security, and is battle tested, and well proven to be secure. ProtonMail also the maintainer of OpenPGPjs, which is the most widely used open source encryption library and has therefore been thoroughly audited.
Lastly, we also have to keep in mind that ProtonMail is arguably the biggest name in the private email space. This makes it a good target for criticism, as we also noted in our NordVPN review, as the largest VPN provider.
Can ProtonMail hand over my data to the authorities?
Because ProtonMail uses E2E and zero-knowledge encryption, there isn’t a lot of data that they can hand over to anyone. The only thing that is stored unencrypted is message headers and the email addresses of contacts.
Even here, Proton Technologies says they won’t hand over any data unless directed to by the appropriate Swiss authority. Your data is about as safe as it can be using publicly available tech.
A bigger risk to the security of your data, is the way governments are pushing to break end-to-end encryption. There are constant efforts to force companies to insert “backdoors” into their software that would allow law enforcement to bypass encryption. This recent Fortune magazine article nicely describes the situation in the United States today.
Can you switch between paid and free ProtonMail versions?
Proton Technologies allows you to switch between the free and paid versions of this encrypted email service. You can go from a paid version to the free version, but if you do you’ll lose all the premium features of the paid version you are leaving. You can also return to a paid version from the free version. How? By subscribing to the paid version you want. You won’t lose any of your messages when you do this.
What is ProtonMail Bridge?
ProtonMail Bridge handles encrypting/decrypting messages when you connect it to a third-party email client. The ProtonMail Bridge page describes it best:
Bridge runs in the background by seamlessly encrypting and decrypting messages as they enter and leave your computer. The app is compatible with most email clients supporting IMAP and SMTP protocols.
You must have a paid subscription to use the bridge.
ProtonMail review conclusion
ProtonMail is a polished and popular end-to-end encrypted email service that will meet the needs of many regular users.
As one of the most popular secure email services on the market, with a free basic account, it is a great option for regular encrypted communications with friends, business partners, and others who want protection from routine snooping and hacking. You will, however, need to be patient about getting advanced features thanks to ProtonMail’s extended beta test cycles.
For those who want maximum security with full encryption of subject lines and strong data security, or simply faster delivery of new features, Tutanota might be a better fit.
Is ProtonMail the best secure email service for you?
I can’t tell you that since everyone’s needs are different. There are many factors to consider when selecting a secure email provider and the choice all comes down to your own preferences. You can learn more about ProtonMail on their website here:
Alternatives to ProtonMail
We have numerous email solutions that offer a higher level of privacy and security. You can also check out our full lineup of recommended secure email providers.
We also have a roundup guide on temporary disposable email services if you need a quick email for registration.
And here is a list of other email services we have reviewed:
Tutanota Review
Mailfence Review
Mailbox.org Review
Hushmail Review
Posteo Review
Fastmail Review
Runbox Review
CTemplar Review
This ProtonMail review was last updated May 1, 2022.
Several months ago after utilizing a free Protonmail email account, I paid for VPN services. Shortly after I began paying for email services since I wanted to support Protonmail. I might have paid for these services in the reverse order, I can’t remember and don’t have access to the Protonmail account to verify the exact dates. I truly enjoyed the security of the account but had no idea what the customer service was like since I never required their assistance.
On 5/15/2021 I noticed a charge on my American Express for $115.20 from a vendor named Stripe. So, since:
– I had no idea who Stripe was
– I had not made any purchases in the amount of $115.20
– I had not used the card at all on that day of transaction
– I had not received any notice of charges from anyone via telephone, email, or otherwise
I disputed the charge. My bank began an investigation, reversed the charge, and issued a new card with a new account number.
Shortly after, my email account was disabled. A few days afterwards when I was reviewing my account I noticed that the vendors’ name that had charged me, Stripe, had been changed to Protonmail. I immediately called my bank to alert that I did have services with Protonmail and asked them to cancel the investigation and repay the funds to Protonmail. Protonmail never sent me a receipt or notice, or even a reminder that I was being charged. In addition, since I originally paid for VPN services and email services separately, I thought that I would be charged for them separately when it was time to renew. I had no reason to believe that Protonmail would lump the charges for these 2 services together, but they did. However, they did not inform me they would be doing so. Hey, it’s not like they didn’t have my email address, right? Anyway, the investigation was updated and the charge of $115.20 was returned to Protonmail.
On 6/10/2021 my account access was still disabled and I emailed Protonmail support, advising them of the above and informing them that I had requested that my bank repay them the money. I received a response from Lars, who stated that fraudulent claims are made when stolen credit cards are used and any funds returned to Protonmail are refused. He required me to provide a copy of the credit card so they could verify it belonged to me. I thought it was odd and advised him of this. He told me that he could not assist me without it. Several frustrating emails later, I advised Lars that I simply wanted to return to the free version of Protonmail and was no longer interested in being a paying customer because quite frankly, their support was horrible. Desperate for access to my email, I finally submitted a photo of my cancelled AMEX card. Several emails later with Lars, I still don’t have access to my email. I can log into my account, but I am unable to access my emails. According to Lars, I must pay the amount of $115.20 again. He states that Protonmail will then provide a prorated amount in refund. Does that really make sense???
The funny part? Protonmail still has my $115.20 since 5/28/2021. If Protonmail has refused these funds, they certainly have not been returned to my account. Lesson learned. I have lost quite a bit of information that is of great importance to me and support has not been helpful at all. In addition, when I attempted to post this information on ProtonMails’ Reddit page, it was censored.
Their security audit was just released. Good job PM.
https://protonmail.com/blog/security-audit/
What is security when you mysteriously lose access to your account and the support team hardly respond and offer no solution? This has happened to me, despite having done nothing suspicious or illegal (unless they’ve somehow misinterpreted my use of a VPN, required by my job, as a red flag).
I was originally happy to use ProtonMail and relied on them for most communications and account registration (including financial), but now my trust in them has been forever destroyed.
I’m not a spammer but my email was marked as fraudulent. I called an IT department to ask why the email wasn’t being delivered where it was supposed to go. The answer I got was that the email address extension changed during delivery from .com to .ch – I’m wondering if my account could have been hacked? I’ve had trouble with delivery of my emails sent by protonmail or tutanota and others I’ve tried.
For this one email, it says –
Diagnostic-Code: smtp; 550 permanent failure for one or more recipients (————-:blocked)
X-Spam-Status: No, score=-0.7 required=10.0 tests=ALL_TRUSTED,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT,
FREEMAIL_FROM,FREEMAIL_REPLYTO_END_DIGIT,HTML_MESSAGE shortcircuit=no
autolearn=disabled version=3.4.4
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
mailout.protonmail.ch
Updated layout.
I’ve been using it all day and it really is good.
https://protonmail.com/blog/new-protonmail-announcement/
Is it now easier to select/deselect multiple emails? Can we automatically select unread emails?
@ Restorer,
If I understand what you are asking, first, I can select emails by clicking on the box next to the email without opening it. I am not sure if that is what you are asking?
Your second question, yes, at the time they offer three options: All, Read, Unread. I can click the unread and it will only show those.
I don’t know if this is what you are looking for, but I hope I answered correctly. Thanks.
Thanks J.M., you got it right.
By the way, if you select unread emails, then click on one of them to read, would the selection still be there once you go back to inbox view?
The funny thing is, I never tried, lol.
When I get back next week, I will try it. Usually I just open and delete it when I am done.
@Restorer,
I am able to check out your question. For me personally, I use a column view where I see my emails and the message off to the right. However, when I switch to the Row option, I can see my emails in the inbox and the unread are bold (same as in the column view).
When I click on the unread option, I isolate only the unread messages. When I click on the message (in row view), the message opens up. When I go back to the inbox by clicking on the back arrow, the unread option is still selected.
If I, on the main Inbox button on the left hand menu, select that, it will refresh the whole inbox and it will reset that unread option.
Thanks for your patience.
Protonmail is designed to identify all the details of your device. Identifying users of this email service will not be difficult.
**Unsupported browser**
**You are using an unsupported browser. Please update it to the latest version or use a different browser.**
as one can see, If you use a browser that is not recognizable, you will not be served by protonmail.
Hi everyone…
In case the new version of Protonmail does not support your browser, you can still access the old version by clicking the link below. 🙂
https://old.protonmail.com/login
I would like to add more pros and take away the cons on ProtonMail (PM). Please note that if I duplicate anthing above, please just combine those together to make it complete.
Pro (in addition to all the pros above):
1) Can send encrypted messages to non-users- This feature is great to keep major tech giants from snooping. There are some who complain about this but it is your privacy and it does work.
https://protonmail.com/support/knowledge-base/encrypt-for-outside-users/
https://www.howtogeek.com/717472/how-to-use-protonmail-to-send-secure-encrypted-emails/
2) Strips IP address from emails- This is important, and while they don’t store IPs it is wise practice to still use a VPN.
https://security.stackexchange.com/questions/149343/is-my-ip-address-leaked-when-i-send-messages-on-protonmail
3) Mobile, and web apps- I use them everyday
https://protonapps.com
https://protonmail.com/blog/calendar-android-beta/
4) Open source code on web and mobile apps-
https://protonmail.com/blog/protonmail-open-source/
https://protonmail.com/blog/android-open-source/
https://protonmail.com/blog/bridge-open-source/
https://protonmail.com/blog/ios-open-source/
https://fossbytes.com/protonmail-open-source-all-email-apps/
Plus they have a bounty program! So now, not only are they honest, they pay you to keep them as such!
https://protonmail.com/blog/protonmail-bug-bounty-program/
5) Great apps for mobile devices- indeed. They have the calendar, vpn, and mail. Please see the link for your device or your phones app store. You can also use Aurora store (Android).
https://protonapps.com
6) Free accounts with 500 MB of storage- this could also be under the con, but the company has to make money to survive.
https://protonmail.com/pricing
7) Encrypted calendar- yes. It is out and now for all.
Encrypted- https://www.theverge.com/2020/1/1/21045836/protonmail-launched-encrypted-protoncalendar-beta-2020
For All- https://www.neowin.net/news/proton-calendar-beta-now-available-for-all-protonmail-users/
8) Encrypted contacts- this is vital and is here, however, there is a slight caveot (under cons).
https://protonmail.com/support/knowledge-base/encrypted-contacts/
8) Inbox rules with Spam filter
https://protonmail.com/support/knowledge-base/spam-filtering/
(Rules) https://protonmail.com/support/knowledge-base/filters/
9) Multiple email addresses (aliases)
https://protonmail.com/support/knowledge-base/addresses-and-aliases/
https://protonmail.com/support/knowledge-base/creating-aliases/
10) Support for custom domains and other price+ features-
https://protonmail.com/support/knowledge-base/custom-domains/
https://swiftsilentdeadly.com/protonmail-five-years-later-part-ii-tiers-paid-features/
11) Discounts and additional support for non-profits-
I am a Visionary user and an NPO and will attest to how good they were in helping me with setup and discount!
They really do an amazing job for groups like mine!
https://protonmail.com/blog/encrypted-email-for-organizations/
Please read the comments ;).
12) Two factor authentication (2FA) support-
I have this set up and use it daily with Ageis authorizing app.
https://protonmail.com/support/knowledge-base/two-factor-authentication/
13) Publishes regular Transparency Reports
https://darkweblink.com/transparency-report-protonmail/
(Tracing is NOT the same as storing)
14) Dissoled their relations with the Venture Capitalists and made other important decision-making moves-
https://protonmail.com/blog/crv-investment-other-news/
Removing the cons above:
1) ProtonMail does not encrypt email subject lines
Yes and this is also included in my cons. However, I hope they take CTemplars version of this and impliment this ability as it has bren shown to work and while using PGP.
https://nettodays.com/ctemplar-review-a-new-secure-email-with-pros-and-cons/
(Look for the statements on subject lines).
But if this is worrisome…leave it blank.
However, being open source a programmer can take it and help them code this to do just that. Just check with them first since I am no lawyer.
2) Sometimes requires personal information for verification of new accounts
https://protonmail.com/support/knowledge-base/human-verification/
Yes, but there is a great article here: https://restoreprivacy.com/email/temporary-disposable/
3) Confusing and expensive pricing
This should not be a con. It is very straight forward.
Free/5/8/30. Then you can add more space/users/aliases for the fee right below.
https://protonmail.com/pricing
4) Incredibly long beta test cycles
As the oft used statement goes: We have fast, cheap, good- you can only have two.
Personally, I want cheap and good so please take the time to make it right and work the first time.
Now cost. PM isnot necessarily cheap, granted, and some have said make a middle price point between free and plus level. Ok. That would be good.
But please remember, those who pay know they are subsidising the free to help out.
My Cons: here is where I feel the true cons are and #2 may or may not be here but I don’t use Apple, just a degoogled phone.
1) No desktop app
Paid users only can use the bridge. But I do wish they made a stand alone desk app not dependent on Thunderbird.
Why they don’t, I am not sure. You can get an unofficial desktop app, but then the risks go up from there and I don’t recommend this as a solution.
https://www.softpedia.com/get/Internet/E-mail/E-mail-Clients/ProtonMail-Desktop.shtml
Many have asked for this but as of yet, no go.
2) Apple calendar Unknown
I don’t use Apple, but from what I see, it is still in development.
3) Small free storage
True it is small. For some, this is a problem. For me, I have less than 50 MB worth of storage (including my Drive) and have over 30 GB of space available. I don’t use a lot but YMMV.
4) Parts of contacts accessable.
Here is another and maybe the primary con I have.
I know why this is like this, but it still doesn’t make it comfortable.
You can read the report here: https://protonmail.com/support/knowledge-base/encrypted-contacts/
5) non encrypted subject lines
As I said, it can be, in theory (CTemplar) but maybe more is going on behind the scenes.
I believe that if this is an issue, one solution is to just leave it blank. But again, YMMV.
Well, here is my review. Now disclaimers:
1) I am no lawyer, programmer or expert. Do your own research and check your own risk factors. You alone are responsible, no one or no system can take the place of your personal awareness. Also, I am not giving legal advice and what you do is on you. I am not responsible for lost info, identity or data breaches. I am just simply showing options.
2) For the sake of full disclosure, I use, recommend, and love PM. I was objective in my assessments to the best as I can and if the facts (such as memos or contacts) lead me to see potential issues, then that is what they are. But for me, PM hits all the right notes and as you can see, the Pros vastly outnumber the cons. However, one size does not fit all and YMMV.
Thanks for the helpful feedback, J.M.
@Sven,
Welcome.
@J.M. Good lord. The acronym TLDR fits perfectly your comment.
Well, that is up to you but reading is a fundamental skill that will allow those who practice and muse on what is said to be further ahead of those who don’t.
The world has shifted from a society that had the ability to read and think to a world that cannot go more than 300 charectures without losing focus.
Hence TOS, Privacy Policies, and big businesses and gov can get away with a lot of stuff because very few can piece together more than a tweet worth of statements and hence it shows in society.
It has been said that successful people read at least 5 books a year.
Depending on my books, I try to do a book a month, except my present book is about 900 pages.
Two quotes and I end:
“The advancement and diffusion of knowledge is the only guardian of true liberty.” James Madison
“Once you learn to read, you will be forever free.” —Frederick Douglass
Hi, I read your blog for a few days and I really loved it. Good job, this privacy topic is really important. Unfortunately, most of the people can’t see it.
I have to ask, will you write about Google Assistant alternatives for privacy? I was searching for a few weeks but I’m not good at it.
Thanks.
I think the very idea of these “assistants” is not privacy-friendly, simply because it feeds data in to some AI bot and the corporation behind it. So I’d just recommend ditching assistants in general.
Hmm, I see.
Thank you for your reply.
Guerrilla Mail seems to be most privacy friendly one out of all these, and what most it is based on open source project (of their own)
Guerilla mail never works when I need it to do. It’s been this way for many months now. ever since they had a huge outage lasting more than a week.
One more question, how is the pricing confusing?
https://protonmail.com/pricing
Lot easier than Tutanota’s for sure.
“For those who want maximum security with full encryption of subject lines and strong data security, or simply faster delivery of new features, Tutanota might be a better fit.”
I am a little lost here. Yes they roll things out quicker but WARNING! Don’t expect that you will actually GET the services promised. So how do you know they will actually give you your full account benefits? You can’t.
Second, sure they are secure…if you don’t mind dealing with the week long (slight sarcasm but not by much) drops in server availability, access and function. Their service is not worth even being in comparison.
Third, yeah, I get the funding question…but nothing was mentioned about the deveatments they made. I linked to this below.
Fourth, yes, beta takes a while, but the beta works, is secure and again, I am getting what I am paying for. Not having it pulled out from under me when it leaves beta and then have them try to cover it up.
I fear this review is not taking into account the links given in the comments and missing the work many contribute by sharing links.
Forgot to add, how do you know Tutanota is implementing thir stuff rightly?
You can’t, and what good is security when they are in 14 eye nation, eu oversight, and can’t even keep their services running.
J.M. if you have found issues with Tutanota, then posting those under the Tutanota would be the best place for that discussion.
@Sven,
I think I am just responding to this article’s conclusion.
It raises Tutanota, I believe, to an unsafe level and makes several illogical statements such as the pricing confusion. It is really straight forward and if someone just uses this site, they could be confused.
As far as issues, I am no programmer and will readily admit that. Therefore I lean on those who do know.
One of these type people has very clearly pointed out the lack of assurance the implimentation of the codes because it is self rolled.
But then, and even more questionable, is the 14 eye nation, the constant server drops and offline issues, the lack of integrity, and the inability to actually help and work directly with potential customers.
Each of these has been documented under their review and has been discussed.
Fair enough J.M., but I’m still using a test Tutanota account and the server outages have gotten better, although they do still happen occasionally due to DDoS attacks. I concur with most of Heinrich’s points here, so we may just need to agree to disagree. Like ProtonMail, Tutanota is also open source. Feel free to add your two cents to the Tutanota review based on your own experience and research.
@Sven,
I understand and live with the fact we disagree. That isn’t my issue.
We disagree, and that is fine as it allows healthy discussion. I respect that.
However, under Tutanota, these issues should be under cons and yet they keep being avoided.
Then there are questions of funding. I had posted the devestment of the VC but that isn’t here either.
I am not angry but just a little curious how after our conversation below and how PM has come up in your estimation, got to only two negatives, and now back to fourish?
If warrented, nail them for sure! But these negatives here seem, to me, to be stretching for something or anything to try and bolster up the competitors.
Please know I am not angry and rather enjoy a good discussion but lets be open about this.
I have posted my experiences below Tutanota, but going beyond just me, there is still the down time, the changing historical records to try and hide changes, the fact they are being pressured to have back doors, and a couple of others that I cannot remember right now.
Why are those not in the cons? This is not an attack and I respect your work here, but I think it is somewhat incomplete to quickly increase cons for a service not as liked, and then disregard issues over on Tutanota that are, in my mind, much more serious in nature.
This is where my shock came from on these recent updates. Again, not angry or mad, but trying to just figure out why things are done as they are when there seems to be biases?
Those commenting are afforded that luxury. I appreciate the site here because, for the most part, I am with you on this stuff.
But, when these preceived biases are shown, at least let people know your exact services you prefer and use so we can take that into consideration and it is a little more “above board” if that would be a right way to phrase this?
This is not saying you are trying to deceive but I know you prefer Firefox over Brave, Tutanota or Mailfence over ProtonMail, Nord or Express VPN over the others. But I have been here long enough to pick up on those things. Someone new may wonder and may take a difference to you and the site for slighting their preferred service.
I’m not and won’t because we are wanting the same thing, just using different ways to get there.
Again, not disrespecting but just trying to see the gears and nuts and bolts of why and how these reviews are made and how pros and cons are decided.
So, again, not angry, just wondering.
Heinrich did this review update, not me. While Heinrich works on updating old content, I’m working on website admin, replying to comments, and also updates. His Pros and Cons are explained in the review.
This string of comments and all of your points about Tutanota are off topic to the ProtonMail review. Rather than quibbling with the conclusions of Heinrich’s review, please use the comments to share your experience about ProtonMail, or the comments in the Tutanota review to share your experience and thoughts about Tutanota.
@Sven,
I know he did. That is fine.
Fair enough. I will not bring up Tutanota in this string again.
Yeah – and finally you can be assured that Protonmail would release the date and timestamp of your email to the public if it’s suits their political agenda. /s
They can of course NOT read your e-mail (cough). lol
They are truly idiots at protonmail. Release time and date on emails to the public doesn’t make them private. Furthermore they hack people and brag about it on twitter.
J.M.
I’ve tried Tutanota for a while, had a limit on sending out emails to groups and had other issues so I gave up. Switched over to Protonmail and so far so good, lately while using their app I’ve had an issue that looks like a power surge or a shutter that opens and closes really fast only when using the app on my phone. Nothing else is effected? Seems kinda strange waiting on a reply from ProtonMail about this.
Impressed! “This makes it a good target for criticism, as we have also seen with NordVPN, the largest VPN provider.” and more like that. That sort of digging deep is SO RARE on net reviews, that I felt I was the only one.
Really enjoyed your detailed review of Protonmail. Came via DDG searching for “do proton emails have good deliverability” (which isn’t addressed though, DDG is better than google but far from great).
Will now check your tutanota review, never heard of that.
Will try to email you my said question, as I imagine you won’t see it here. It’s: “Which quality email provider does business accounts (with our custom domain name ideally) AND has top deliverability?”
(because our current has the worst: always hearing “no, haven’t received your email”…)
David,
Yes, check out Tutanota, but do be aware, I used to use both free level services and now pay for ProtonMail.
I would really look at the comments as well.
One of my biggest hangups was the server down time. Everything else just really irked me and then one event with setup was the straw that broke the camel’s back.
Maybe they are what you are needing, and if so, go with it. But just wanted to give you an opinion.
As far as deliverability, i use a custom domain and have never had an email bounced back to me. All mine have gone through.
I send a bit out and so far, so good. Hope this helps (I am a Visionary user).
I was Thrilled with Proton’s Encrypted ProtonMail so much so that I spent over $139 to Upgrade to their Plus Plan and ProtonVPN as well. Started migrating my Digital World over to ProtonMail addresses & Phone App. ProtonVPN worked great on my Router, & Phone. Thought Proton was Great!
Until…
Two days later I ‘Replied’ to an email I received that sent out 6 emails to other addresses.
Best I can figure, Proton’s System identified this as a ‘Spam’ Mail and ‘Violated Proton’s Policy Agreement’ and IMMEDIATELY SUSPENDED my whole account.
NO ACCESS! NO EMAIL!! NO VPN!!! NO SUPPORT!!!! NO WARNING!!!!!
Had to Uninstall their VPN App off my phone just to get Internet again because it wasn’t possible to Log On and turn the VPN Off. I sent 3 emails over two days to Proton’s Support but No Response. Had to file a Dispute with my Credit Card Company to Cancel Service with Proton. I offered them the opportunity to ‘make this right’ but No Response. Very Disappointing because they Do have High Reviews.
If Replying to an email can cause this disruption of Proton Service and my Digital Life, then this should be considered before signing up. The fact that they Don’t have a Chat Option, or Phone Option, and have Not returned my email requests, should be of concern for their Paid Customer Support. This was a Huge waste of time and disruption to my Self and Business Communications.
Be Careful. If you want Privacy and to get away from ‘Cancel Culture’, in MY Experience, Proton Technologies may Not be the best choice.
Good points Craig. You are not the first person I’ve heard from that complains about Proton suspending services without warning, and then not being available to offer an explanation or help after these actions. We will take that into consideration when we update our rankings this year.
Craig,
I was going to not engage with this as I have seen this posted around.
However, digging deeper, in most of those cases, reasons were given and explinations provided.
In places where there may have been a mistake, the Proton Team has tried to reach out.
Here, you posted the same thing, not only here, but on the ProtonMail page on this site, but also here:
https://www.trustpliot.com/review/protonmail.com
If you look at the response (third one down), the support team is reaching out to you.
Did you respond? How did that turn out?
Will you update on this site? The one linked to? I am curious.
No service is perfect but comparatively, they are really good.
I am wondering if more is happening or going on.
Thanks.
Hi,
I don’t have any “dangerous” written correspondence–(no acute fear of being targeted for political matters)–I just want basic privacy for myself and intellectual property. No headlines would raise suspicion. Would protonmail be enough? I’m thinking about generally migrating over from gmail as much as possible.
Hi D.A. Yes, it would certainly be adequate, but may lack the features you need. For a fully-featured alternative, you could check out our Mailfence review.
Protonmail is the worst email service. These thugs have posed themselves as secure, so they can build a honeypot for detectives and hackers to buy data from. My email account was hacked outright, I doubt there is any encryption whatsoever. The backup email was deleted and hacker is in full control of the account.
After 2 responses, where Protonmail tried to extract what emails I had sent to which user, gaining exact details of email addresses and subject line, their second response is to gather more data from me, bh asking me if I used the VPN and whether I have more emails where I could be contacted.
Here is the snippet,
This is the second email sent by ProtonMail, after extracting the users I communicated with on a separate email.
——-‐———————————————-
Hello,
Thank you for the follow-up.
Could you please provide us with a precise number date for when you last logged in? Please do your best to provide us with an estimate in the following format: 08-Jan-2020 – if browser history is not available. (I had already provided that)
Please take your time with the date as it is key.
We are also including additional security questions, these are not meant to substitute for the date:
-Is your account using One password or Two password mode?
-Did you enable 2FA (two factor authentication) on this account?
-Do you have a short pm.me address added to the account?
-Have you used the ProtonVPN service with this account?( this is to sell go hackers)
-Did you subscribe to any other services or websites using this account? If so, which ones?
(Also to sell to hackers)
Looking forward to your reply.
Best Regards,
The ProtonMail Team
—
https://twitter.com/ProtonMail
https://facebook.com/ProtonMail
https://www.reddit.com/r/ProtonMail/
Want to support ProtonMail? You can upgrade or donate!
In my opinion, they are trying to verify the information you provide with the logs they maintain and probably will ask the “hacker” who’s currently in control of your email some questions as well and try figure things out. Secured email providers generally know the email traffic but can’t see what’s in the email itself cause of encryption.
Hey, @Sven,
I posted this article elsewhere but also find I should post and comment here.
This article removes the negative as far as funding, from what I see. Thoughts?
https://protonmail.com/blog/crv-investment-other-news/
Thanks.
Hi J.M. Yes I think it’s good news when a sketchy investment firm in Boston is no longer a shareholder in your privacy company. So I guess this is a positive development…
Charles River is a highly reputable venture capital investor. Key is whether you believe Protonmail is really telling the truth about CR’s exit or whether CR didn’t like PM strategy and walked away.
True.
At this point I do trust PM as everything I have read, seen, and talked through matches.
So whether they walked or were pushed out, I just see they are gone.
I believe that there are many more secure Tor browser alternatives. And as far as I know, the use of this browser is prohibited in some countries. The simplest, of course, is protonmail, and I also want to add another one to the list. Utopia p2p [https://utopia-ecosystem.com/] is a secure decentralized ecosystem with its own cryptocurrency, electronic wallet and a separate browser Idyl. Also, for registration in this ecosystem, the use of personal data is not required.
protonmail is safe ?
https://privacy-watchdog.io/protonmails-creation-with-cia-nsa/
I addressed this website already.
If you look down to October 12, 2020, my comments are there.
I redirect your thought to this fact:
If ProtonMail, the reportedly #1 secure email in the world, were to violate that trust with millions of users, why is there only a couple of posts and one blog site that is saying this?
I assure you, if PM was indeed in violation of this, they WOULD be found out and the noise of that splash would be web wide.
Duh gag orders exist, and there’s only one Ed Snowden who was saying what he was saying, too. It doesn’t mean the problems stated in a minority’s report don’t exist as stated. It doesn’t mean they do, either… but how many users of Protonmail understand the math behind the cryptography used, for example?
In my jurisdiction, the intel gathering methods the police or security services use are hidden from the court for ‘national security’ purposes, so we’d never find out this way if Protonmail collaborated with them, for example.
Anyway thanks for trying, this whole thing is severely cat-and-mouse, isn’t it?!
Agree. However, a target as high as PM would be still a MAJOR hit on news if it did fail.
Second, unlike the EU and USA, CH has several laws in place that are really good.
Here are a few links that I found:
https://secureswissdata.com/switzerland-privacy-data-protection-laws/
https://www.cloudwards.net/swiss-privacy-laws/
https://protonmail.com/blog/switzerland/
https://protonmail.com/blog/switzerland/
https://www.lexology.com/library/detail.aspx?g=292c3925-8663-4fdb-8f1c-2eaf4b262634
This gives a good start. There should be here the coverage of MLAT treaties, Gag orders, and Assist papers.
Digging deeper I ran across many other links, but this is a good start.
The case you made about the secrecy, true, except if they do work on this, someone, somewhere will get that info out. The fact of silence gives me more comfort since they are the largest. Plus, PM has activly been working on strengthening Swiss laws for privacy.
My main arguments still stand. I say again, the very things the guy on that blog hits PM with, he absolutly ignores when it comes to Tutanota. Why?
Dealing with the math behind the encryption, your right. I don’t know. I am not there. But when the OpenPGP libraries are used across the net and credit given for maintaining these libraries (even from competitors such as CTemplar) and they have been “battle tested and hardened, I would trust that more than a self rolled encryption.
I have explained what a friend of who does security said about self rolled encryption…can you really trust the implementation?
In the end, it does all go back to trust. Which I agree, sometimes feels like going around in circles.
I guess we are just both trying and doing our best.
One more thought, the author uses Tutanota as his email.
Besides the inherint issues with them, I believe he may be biased.
I at least admit I am.
Protonmail does not seems safe for privacy !
“we cannot guarantee your safety against a powerful adversary.”
Nobody can or will “guarantee your safety against a powerful adversary.”
I am really impressed not only by your in-depth review but you obviously researched, in-depth, a question from a commenter. Well done Sven!!
I have recently created a Free PM account and have been satisfied overall. My only surprise and concern for my personal usage is the lack of the ability to create sub-folders. I have searched and searched and I am pretty sure sub-folders is not a feature. Perhaps on the paid version but there is no indication to that affect either. In fact, in the PM comment section it seems that this has been a concern of users since at least 2015.
In the big picture this is not a really big deal but it is one of the little nuisances that would inevitably continue to pop-up when trying to organize messages.
I cannot comprehend why this feature is not available and therefore believe it should have gotten a listing under the “Cons” list in your review.
So far I’ve only heard good things about Protonmail. I’ve really thought about actually using it. And this contributes heavily to it. Thanks for talking about this!
Has anyone tried to create a workspace on Android with Shelter and be able to have two email accounts for example Protonmail with two separate inboxes ?
I think Shelter is reliable as it is open source.
https://play.google.com/store/apps/details?id=net.typeblog.shelter&hl=en_US&gl=US
What do you think ?
Proton mail sucks. Deleted my accounts – no recourse (forget your BS recovery email – never worked!!)
Tech support must speak an alien dialect as several emails resulted in asking for info emailed in previous emails!!
Add that to stealing the information from 3 million Zoho users – I think Zoho is a dangerous place to tread!!!!
Beta calendar for android is now out for paid members!
https://protonmail.com/blog/calendar-android-beta/
Update:
Been playing with it for a few hours now, and so far the syncing between the app and the Beta Desktop is working flawlessly.
I am hoping to see a share calendar feature come out soon, but for now, it is really good.
Another brilliant feature for Basic, Plus, and Visionary users!
Really great item to have for there are many times I have found mistakes after I hit send.
https://protonmail.com/blog/undo-send/
@pega,
No, POP3 doesn’t work. You have to use the bridge.
The do have directions for setting it up. Here you go:https://protonmail.com/bridge/
The directions are pretty easy to follow but there are a few tricky points as well.
They are really good for CS so reach out to them if you need help.
Bye,
With Thunderbird can I download my Protonmail account mail using POP3?
Proton did a audit of their public keys to protect against batch GCD attacks. Here is their report. Links are in the article to more advanced stuff if you are interested.
https://protonmail.com/blog/batch-gcd/
Thanks for this thorough review!
As a complement, it would be very interesting to discuss some common opinions against ProtonMail, like e.g. https://privacy-watchdog.io/truth-about-protonmail/. How much sense do such negative claims make? How can we as end users understand what is real and relevant?
@Matt,
I read through the site and here are my thoughts:
1) I find it interesting that really the only company he goes after is ProtonMail. For being a “Watchdog” he is letting a whole lot slip by.
2) Please notice his contact email. Tutanota. While it may not be bad, there are some issues he doesn’t bring up (which, btw, he doesn’t allow for Proton).
3) The evidences he is “proving” is a lot of here-say. I will explain why in a minute.
4) he tries to bridge a chasim between the NSA and PM. Interesting leap.
I could go on, but let me share what I have discovered and asked.
First, I am not new to PM. been almost a year now using them. I have spent a lot of time asking questions and searching. Here are some notes.
1) He uses the report from a professor who neither had his report peer reviewed or tested. Lot of claims with no real substance.
2) the thrust of the letter deals with web apps and the risks. Yet Tutanota, interesting enough, uses web apps. Why no problem from him? Is he using the desktop client? Maybe. But that is buggy at best when I did. So, how safe is it?
3) JavaScript is active for the site (I kmow the risks here) however, upon logging in, JavaScript is disabled. I know because I emailed and asked.
4) Financially, yes, they did receive funding. The EU, Swiss Gov, and Venture Capitalists. Asking them to what degree they have a say, I was told, and I quote, “ProtonMail is owned by the employees. The outside revenue did not and never will give them a controlling voice.” What is further, let us turn the eye on Tutanota a minute. Secomd, the EU and swiss money was not just singled out to PM. It was to help develop a privacy service, if I remember how it was explained.
5) Unlike PM, Tutanota IS a member of the EU and is a member of the 14 eye nations. Have you looked at their retention laws? The author of the site neglects to point that out? As far as retention laws for PM, please see the link in my last post below.
6) Searching for more info regarding the other claims (reading messages, NSA, etc.) I wish to answer all of that in one thought. PM is the big name. They are going to be targeted by EVERYONE. Naturally, that is the name of the game. If, and I do mean if, PM compromised or was truly a spying org, would that not be a much BIGGER noise than a few out of the way people and blog sites? Yet crickets.
7) back to security, my question for the author is, did he make his own keyboard? How about monitor? Mouse? Cpu? Why? Let’s say Logitec desided to be maliciouse. Would they have to crack the encryption? Nope. They can program the firmware to capture keystrokes and report it. Well, there goes privacy.
The author really seems stuck on the NSA. They are bad charectors for sure, but don’t toss out this angle while letting the EU go free.
8) CIA? I don’t believe it. I am not going to say why I know this (and no, it has nothing to do with my position. I have said before I am with an NPO). But this is a stretch. Longer than the NSA angle.
9) MLAT? He does realize that EVERY Email providor is required to respond to a legal court order. Again, an email I sent asking about this was answered. They said, “An MLAT treaty has never been filed for us.”
It seems that he has a burr under his saddle, and he is taking a moment of fame.
But lets consider the security set up. PM is using tried and true standards. CTemplar uses the same and credits PM for the work they do. Tutanota rolls their own. Has it been set up correctly? We don’t know. How about the engineering? Maybe. But the real danger here is that someone may THINK they have security and because it is only tested with Tutanota, are we sure?
It all comes down to trust. We all most trust. I have my biases, and I am not a fan of Tutanota. Not even close. But even I am willing to say that if they work and do things right, give them credit. But the blog? I see anger and hatred and no ammount of objective looking at facts will change his mind.
Now, I will respond with two links of my own. But please know that I am not arguing or attacking. You had asked for a discussion and I am simply responding. If we don’t agree, no problem here. But I think that I laid my case out as well as I. Could at the presant time.
Here are the two links. I did not include the Reddit thread about this topic as. I don’t like them. However, it was an interesting discussion for sure.
https://protonmail.com/blog/cryptographic-architecture-response/
This next link is interesting. Please not what is said about both PM and Tutanota:
https://binsec.nl/email-security-privacy-concerns/
Hope these help.
I sent the article to Protonmail.
They sent me this reply. I forwarded a copy to Sven, so he can authenticate it.
On Tuesday, February 16, 2021 8:43 AM, ProtonMail wrote:
Hello,
Thank you for contacting us.
We have read the article that you linked carefully and we have to say that what they claim is truth is based on bunch of assumptions and mis-interpretations.
We will try to comment on the accusations in the same order as they are presented on the web page.
1. ProtonMail offers the users to log into their account through our Onion site due to privacy reasons. Some users simply prefer to use TOR and we allow them to access their accounts through our Onion site. The fact that we have an onion site does not automatically mean that we are linked to CIA. We are not related to CIA in any way, nor we have any backdoors that would allow anyone to access anyone’s messages. We also do not allow sign-ups from the Onion page as part of our anti-abuse measures.
2. The claim that we do not use end-to-end encryption is a lie, and in fact, the author of the article that you linked has also linked our explanation on this topic.
https://protonmail.com/blog/cryptographic-architecture-response/
ProtonMail uses zero-access encryption to store the user’s messages on our servers and we certainly use end-to-end encryption.
https://protonmail.com/support/knowledge-base/what-is-encrypted/
https://protonmail.com/blog/zero-access-encryption/
3 and 4:
Proton Technologies is majority owned by employees of the company, and is solely under Swiss jurisdiction. Information about the company and our directors are in public record, and can be found in the Swiss commercial register: http://ge.ch/hrcintapp/externalCompanyReport.action?companyOfrcId13=CH-660-1995014-1&ofrcLanguage=4
Regarding VMS, VMS is not an investment fund or investor. It’s part of MIT (http://vms.mit.edu), which is an university in Cambridge, Massachusetts. As a company heavily focused on cryptography research, we do share research with many of the world’s top research institutions, including CERN, MIT, ETH Zurich, and several other research institutes. This is actually a benefit as it ensures that our technology is thoroughly checked by others to be certain it is secure.
5. The present employer of people that used to work for us in the past does not mean anything.
6. If someone uses EML files, that cannot mean that they are automatically related to CIA. EML is a file extension that is used for an e-mail message saved to a file. EML files are widely adopted.
7. This is not correct, because we do not have access to our user’s messages, nor the means to decrypt them.
https://protonmail.com/blog/zero-access-encryption/
8. We have used Radware in the past for DDOS protection, but they never had any access to any data.
https://protonmail.com/blog/a-brief-update-regarding-ongoing-ddos-incidents/
https://protonmail.com/support/knowledge-base/email-ddos-protection/
9. This is not true and we don’t see how this claim is a security concern of any kind.
10. We are unable to comment on this.
11. See points 3 and 4
Also, you are welcome to review our terms and conditions, privacy policy and transparency reports.
https://protonmail.com/terms-and-conditions
https://protonmail.com/blog/transparency-report/
https://protonmail.com/privacy-policy
If there is anything else we can assist you with, let us know.
Best Regards,
The ProtonMail Team
—
https://twitter.com/ProtonMail
https://facebook.com/ProtonMail
https://www.instagram.com/ProtonMail/
https://www.reddit.com/r/ProtonMail/
Want to support ProtonMail? You can upgrade or donate!
I was sent a new article claiming that Protomail is compromised.
See: https://theconsciousresistance.com/protonmail-is-insecure/
reposted here:
https://healthimpactnews.com/2021/protonmail-is-inherently-insecure-your-emails-are-likely-compromised/
Unlike the Privacy Watchdog article mentioned above, this author identifies themselves and is not anonymous. Additionally, when I tried to email the Privacy Watchdog site, the email bounced, it seems defunct. The author of this new article is known within privacy circles.
I’d like to see people critically evaluate his claims.
A little late, I’m afraid, but the “new” article is a repeat of the old.
He brings forth the same arguments with the same tired paper.
He also fails, if he was right, to account for 2FA being used.
Because this is several months old, I won’t spend much more on this response.
Thanks for sharing though.
I’ve used ProtonMail for years now. I didn’t realize until I got a bounced email that ProtonMail appears to be heavily routed through and dependent on Chinese servers! Header excerpts below:
Reporting-MTA: dns; mail-41103.protonmail.ch
Authentication-Results: mail-41103.protonmail.ch;
Received from mail-02.mail-europe.com by mail-41103.protonmail.ch;
X-Spam-Checker-Version: SpamAssassin 3.4.4 on mailout.protonmail.ch
So, what gives? Is PM safe to use or not??
.ch is actually the Swiss top-level. .cn is China.
@Sven and all others,
Sven, please feel free to post the info on these links anywhere else on the site. It can go in so many areas and has a lot of impact.
Great info! One argument is the “6 mo retention law” that many say subjects ProtonMail.
Info on that as well as a law update: https://protonmail.com/blog/eu-data-collection-illegal/
Another good news for US people: https://protonmail.com/blog/congress-antitrust-report/
Good info, thanks J.M.!
Of course.
Fantastic website Sven. The world owes you! (unless this is all false info and your are one of ‘them’, but I doubt it).
Excellent in-depth Proton’ review here!
Not the most important issue but, I’ve never seen anyone comment on the fact that P’mail’s free tier is not supplied with spellcheck as standard (unless it is in v4). No issue, just use an open Word doc’, but its a pain.
On another note – they do respond directly to phishing concerns, thought can duplicate template auto-responses. Also, they went outside the box and helped me regain a password! Noteworthy.