I’m trying to get rid of my Google dependency and one of those steps was moving over to Protonmail. Now in the past few days i have been picking up signals that even Protonmail is not as clean as it might be.
Does this really impact the privacy of how i use email and so is moving to Protonmail a step forward from Google, or is Protonmail just as bad?
If so, what could be alternatives?
edit:
Some of the alternatives being mentioned in the comments are:
Email:
VPN:
edit 2 (2023):
There seems to be some new activity around this post. At the time of writing the post (2 years ago) there were some stories going as user @UnfortunateShort described in their comment. This made me question the best options available at that moment. Currently i am still a Proton user, using their Mail and Calendar service, and Mullvad for VPN.
For email I suggest getting your own domain name. That way you can easily change provider without having to tell all of your contacts to use a new email. I don’t know about all domain providers, but some provide email addresses for free with all the domains that you bought from them. It’s a really good and way to have an interesting email address, and not be dependant on any tech giant.
I personally gave up on the idea that my email will ever be secure, so I just try to use a provider that seems trustworthy, and avoid using it for anything critical. The email providers that tell you they encrypt your emails don’t really improve anything in terms of security, given that they have access to the clear text email before they encrypt it. It’s even worse if they offer a web client, they could steal your keys anytime.
There are solutions (PGP), but they are really niche and don’t provide some critical security aspects like Forward Secrecy. If you want your communications to be truly secure, use a system that was built for that (Signal, Matrix, etc… all provide pretty decent security way ahead of whatever you’ll get with email).
I like the idea of using a custom domain and changing providers if needed. Going to take that into consideration.
It’s not actually that expensive, most domains can be bought for less than 20€/year. If the registrar provides free email with it, it’s often cheaper than using a paying email service.
Or they could try to support this draft of PFS for OpenPGP.
I don’t really understand how that does anything to actually add Forward Secrecy. If someone captures all the (encrypted) emails, and then has access to the private key of the receiver, they can decypher the one time key and then decypher the message.
I looked for that before posting the first comment, and found this draft and a few discussion it. But I didn’t mention it because it’s just a draft, and because of what I said above.
Edit: I noticed it’s actually a draft from 2001
Yes, first versions are from 2001 and last from 2002. Old as you see.