
More people are searching for an inbox that protects their privacy - caution
https://protonmail.com/blog/searches-increase-for-email-privacy/
======
calvinmorrison
At the core, Google and other companies sell your data for advertisements, at
best, at worst they're sending it all to the NSA or some other black box.

I recommend everyone BUY A DOMAIN. Then switch providers. You can always
switch with your own domain.

Then select a provider based on their offering, be it protonmail, fastmail
(shameless plug), or others

~~~
TedDoesntTalk
The only thing preventing me from leaving Gmail is that they have awesome
clients (web, android, iphone). And all of them sync well. Does anyone else
have this?

~~~
innocenat
I don't know about Proton, but right now I cannot think of anything missing
from FastMail that exists in Gmail -- they even support labels now. The clients
are better than Gmail, IMO.

~~~
TedDoesntTalk
What about search capabilities? the search power of gmail is awesome:

[https://support.google.com/mail/answer/7190?hl=en](https://support.google.com/mail/answer/7190?hl=en)

~~~
nmjenkins
Fastmail supports basically all of that, plus some extra capabilities:
[https://www.fastmail.com/help/receive/search.html](https://www.fastmail.com/help/receive/search.html)

------
nostromo
On a related note, DuckDuckGo's growth trajectory is amazing:

[https://duckduckgo.com/traffic](https://duckduckgo.com/traffic)

Maybe a desire for privacy is driving this. Or maybe Google's increasing bias,
or ad saturation, or AMP, or something else...

~~~
paul7986
I'd wish DDG would either provide their own email service or create a front-
end for your choice of mail providers (i.e. iCloud, Protonmail, etc).

I'd love to move away from everything Google (further support a company who is
pro-consumer) to a company in which I trust and whose business model/ethos is
privacy.

~~~
gabruoy
I just want Duckduckgo browser on desktop. Obviously it's just Chromium with a
"delete history" shortcut built in, but the way their mobile browser inverts
the way you think about privacy really helps. It inverts your browsing
experience from "We will save all your cookies, history and data unless you
clear it" to "We will delete your cookies and history constantly all the time
unless you specify the websites you want to have your stuff saved on."

------
pmoriarty
I don't trust Proton Mail.

There's nothing stopping them from sending your browser Javascript that
completely compromises your keys.

They've admitted as much when I asked them about this years ago.

~~~
bitdizzy
I use proton mail just for the privacy guarantees enforced by social pressure
on their brand. They hold your PGP keys (you can't give them a subkey of your
own private master key) so there's no reasonable security there. In general, I
don't think PGP encrypted emails provide much security anyway. If I need to
send a message securely, something like Signal provides better cryptographic
properties like forward secrecy.

All I know is, I would hear about it very quickly as soon as Proton Mail is
discovered to violate my privacy, and that's all I can expect of email. To be
honest, the fact that their API is not open sourced and I have to use their
web client or mediocre IMAP bridge would make me seek alternatives if I were
to reconsider email providers. It would have to be one that has as strong of a
privacy-conscious brand, or self-hosting.

~~~
pmoriarty
_"I use proton mail just for the privacy guarantees enforced by social
pressure on their brand."_

There are no such guarantees. Social pressure on their brand did not stop
Enron or Madoff from committing fraud. Nor did it stop millions of others from
committing various crimes, atrocities, and other unethical acts throughout
history.

In the realm of email providers, the case of Hushmail[1] serves as an
instructive example.

Hushmail is an email provider that provides a service similar to ProtonMail,
but:

_"Developments in November 2007 led to doubts, amongst security-conscious
users, about Hushmail's security, specifically, concern over a backdoor. The
issue originated with the non-Java version of the Hush system. It performed
the encrypt/decrypt steps on Hush's servers, and then used SSL to transmit the
data to the user. The data is available as cleartext during this small window
of time; the passphrase can be captured at this point, facilitating the
decryption of all stored messages and future messages using this passphrase.
Hushmail stated that the Java version is also vulnerable, in that they may be
compelled to deliver a compromised java applet to a user."_

and

_"Hushmail supplied cleartext copies of private email messages associated
with several addresses at the request of law enforcement agencies under a
Mutual Legal Assistance Treaty with the United States.; e.g. in the case of
United States v. Stumbo. In addition, the contents of emails between Hushmail
addresses were analyzed, and 12 CDs were supplied to U.S. authorities."_

Incidentally, despite all this, and what you'd expect to be "damage to their
brand", Hushmail is still around, and I'd expect many of their users have
never even heard of any of this.

[1] -
[https://en.wikipedia.org/wiki/Hushmail#Compromises_to_email_...](https://en.wikipedia.org/wiki/Hushmail#Compromises_to_email_privacy)

~~~
bitdizzy
To be clear, I am connected enough to security-conscious social media that I
think I would hear about it if someone found it out. I agree with you that
someone who isn't at least a little bit diligent would miss news like this.

Let me also reemphasize that I don't consider email to be a secure or
confidential medium of communication at all, even with PGP. I only want that
my inbox is not sold to advertisers and the security practices of my provider
aren't utter garbage. Maybe the fact that they're in Switzerland helps me in
some ways, but if I had a state adversary I wouldn't bet on it.

~~~
pmoriarty
The problem is that ProtonMail could violate your privacy by sending you
Javascript that gave them your keys and you'd never know about it.

Relying on hearing about compromises in the news only sort-of works when:

1 - such compromises are revealed

2 - they're big enough to make news in the first place

3 - your own data hasn't yet been stolen, so you have time to change services
after you hear about the compromise

None of these is guaranteed to happen ever.

And even if you did hear about some compromise in the news, it could be far
too late for you, as your data (the data ProtonMail is supposed to protect)
could already be in somebody else's hands.

~~~
bitdizzy
> The problem is that ProtonMail could violate your privacy by sending you
> Javascript that gave them your keys and you'd never know about it.

I think we don't agree on how proton mail works. As I understand it, they
already have my keys. You can't even give them just a subkey, it only works if
you upload a set of PGP keys including the master secret key. What is your
understanding of how it works?

As for your other concerns, unless I am conversing only with myself, the
attack vector for my data is the entire e-mail ecosystem. Even if I _only_
talk to people who use encrypted email, they are also part of my threat model,
even if I don't trust a provider with my keypair. e-mail is simply not secure.
It wasn't meant to be secure; security cannot be bolted on top.

What is your threat model and how do other providers or self hosting achieve
your desired level of security?

~~~
pmoriarty
_"As I understand it, they already have my keys."_

From: [https://protonmail.com/security-details](https://protonmail.com/security-details)

_"ProtonMail's zero access architecture means that your data is encrypted in
a way that makes it inaccessible to us. Data is encrypted on the client side
using an encryption key that we do not have access to."_

~~~
bitdizzy
That is a very interesting claim on their part considering that they hold the
private PGP keys used by their service. I'll have to figure out what they mean
by this.

Edit: Ok I see. They store the PGP keys encrypted with your password. Like you
said, they could just as well inject javascript to phish your password from
your session.

But this does seem to mean that if one uses their API directly it would be
possible to securely use their service. Thanks for the heads up. There _is_ a
third party open source bridge that reverse engineers their API. I think I
will look into it to see how authentication is done.

[https://github.com/emersion/hydroxide](https://github.com/emersion/hydroxide)

------
dvduval
I see people discussing different alternatives, but for me there are very few
viable solutions that would be nearly as good as gmail. And actually I don't
like it this way. I hate to use the m word here, but it's kind of monopolistic
for me.

And seriously, this is an email. It was invented how many decades ago?
It should be easy to have something that works very well with offerings from
multiple providers.

As you dig deeper, there are a lot of little details that give Google the
advantage. I'm not expert enough to describe all of them in detail, but
certainly part of it is we have big players who are dominant on Android and
Apple making it difficult for small players to catch up. We also have, as one
person pointed out, blacklists and not being easy to get around that with
other providers because Google is so dominant in this space too.

------
jakobdabo
There is one rather ugly privacy threat that I seldom see discussed even on
HN.

The spam fighting services. First of all, I'm not sure whether they are being
run locally on the mail servers or maybe the mail servers forward our emails
body to a third party anti-spam service to get a "spam score".

And secondly, after being assigned a "spam score" a part of your email may end
up in the headers as "X-something" where the anti-spam service describes why
it didn't like your email. And we know that many 3-letter agencies collect as
much email metadata (e.g. headers) as they can sniff out. So, you should know
that the first X bytes of your unencrypted emails are less private than the
remaining part, because they can be part of the metadata.

~~~
arghwhat
Spam detection is run locally on the receiving mail server, and adds the
result information to the email as the "X-something" header fields you are
referring to as part of the receive pipeline. See e.g. rspamd.

Should you forward the email with these header fields intact, then all it does
is reveal a bit about your mail providers' infrastructure, which is already
entirely public information.

~~~
jakobdabo
I've seen small parts of my email body in the "X-something" headers inserted
there by the anti-spam service. I can try to find an example later when I get
to my desktop.

~~~
arghwhat
I don't have memory of such behavior, but even then, this is in _your_ receive
pipeline, reading plain-text, publicly readable email meant for you and
appending something to its plain-text, publicly readable header meant for you,
all in order for the server to present this information to you/your mail
agent.

I don't see why any of this would lead to any amount of concern, but feel free
to present the header field you refer to.
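
The disagreement above can be checked against your own mailbox. The following is an added example, not code from any commenter: it looks for runs of body words repeated inside `X-*` header fields of a message. The sample message, its addresses and its header contents are constructed for illustration, and the four-word threshold is an assumption.

```python
import email
import re
from email import policy

# Constructed sample message (not real mail). The X-Spam-Report value imitates
# a filter that quotes a content preview, the behaviour described in the thread.
SAMPLE = """\
From: alice@example.org
To: bob@example.net
Subject: lunch
X-Spam-Score: 0.3
X-Spam-Report: score=0.3; preview="Please wire the deposit to account 1234 before"
X-Mailer: ExampleMailer 1.0
Content-Type: text/plain; charset=utf-8

Hi Bob,

Please wire the deposit to account 1234 before Friday. Thanks!
"""


def _words(text):
    """Lower-cased alphanumeric tokens, so punctuation and quoting are ignored."""
    return re.findall(r"[a-z0-9]+", text.lower())


def leaked_fragments(raw, min_words=4):
    """Map each X-* header to the body fragments (>= min_words words) it repeats."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = _words(part.get_content() if part is not None else "")
    grams = {tuple(body[i:i + min_words])
             for i in range(len(body) - min_words + 1)}

    findings = {}
    for name, value in msg.items():
        if not name.lower().startswith("x-"):
            continue  # only extension headers added along the delivery path
        hw = _words(str(value))
        i = 0
        while i <= len(hw) - min_words:
            if tuple(hw[i:i + min_words]) in grams:
                # Extend the match while each new trailing window is in the body.
                j = i + min_words
                while j < len(hw) and tuple(hw[j - min_words + 1:j + 1]) in grams:
                    j += 1
                findings.setdefault(name, []).append(" ".join(hw[i:j]))
                i = j
            else:
                i += 1
    return findings


if __name__ == "__main__":
    for header, fragments in leaked_fragments(SAMPLE).items():
        print(header, "->", fragments)
```

Headers flagged this way travel in cleartext with the message whenever it is forwarded or exported with headers intact, which is the case both commenters are arguing about.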

------
ed25519FUUU
I see that Lavabit also reopened as an email service (they famously shut down
rather than release the SSL keys for Snowden to US intelligence agencies[1]).

[https://en.wikipedia.org/wiki/Lavabit#Connection_to_Edward_S...](https://en.wikipedia.org/wiki/Lavabit#Connection_to_Edward_Snowden)

~~~
ColanR
Do we know if it's the same guy?

~~~
Nicksil
> On January 20, 2017, Lavabit owner Ladar Levison relaunched the service.

It's right there in the link you're replying to.

------
ogre_codes
> The number of Google searches in all languages for privacy-focused Gmail
> alternatives

The irony here. I wonder if the number of people searching for Google search
alternatives on Google is up as well?

~~~
jmnicolas
Yes and even if Linux was a true alternative on phones you would still leak a
lot to your ISP (they can triangulate your position using cell towers and
unless you use a VPN they know every website you connect to).

------
justanotheranon
anyone in a FVEYs, or 14EYs, or 22EYs country should use Yandex mail. hosted
in Moscow.

FBI can't issue an NSL to read every email you sent or received to construct
your patterns of life to more easily parallel construct you or
blackmail/coerce you into compliance.

even NSA has to tread lightly, and can't just casually feed your emails into
XKEYSCORE, because if they get caught, then Yandex with the assistance of FSB
will kick out NSA and/or hack back or retaliate with active measures. so NSA
would only risk blowing their Yandex collection for very high National
Priority targets. not you.

in a sense, the smartest surveillance evasion tactic is to hide in the fog of
cyber war between the Nation States. if you're not Baghdadi or Carter Page,
you won't have to worry as much.

plus, Yandex mail is better than gmail. Yandex is what gmail was 10 years ago
--simple UI, no bloat, no ads, no spam, no BS. Yandex has a mobile email app
too. better, you can host your private DNS on Yandex, then use Yandex for your
private domain's emails.

and unlike Google, who is probably selling your info about you from your
emails to an ecosystem of ad spammers and "database of ruin" analytics spy
companies, Yandex is not. thanks to US sanctions on Russia, your data is
effectively siloed off from the US market.

finally, consider the Shadowbroker hacker used Yandex to leak the stolen NSA
EQGRP files. has the Shadowbroker been caught? nope. Yandex security looks
better than anyone else's.

we live in interesting times, when Russia is now a safer place to store your
data than the US. the world has gone mad.

~~~
jpeeler
Do you know if Yandex mail has a friendly API? One of the things that keeps me
on Gmail is that they have an API with many language bindings that I have used
on occasion.

Also, I see that they have their own browser??
[https://browser.yandex.com/](https://browser.yandex.com/) I assume it's just
a rebrand.

~~~
justanotheranon
i highly recommend Yandex browser. it is a Chrome fork, but it appears to be
heavily modified with extra security features added. Such as DNSSEC pointing
to Yandex's own DNS servers. I presume everything that phones home to Google
has been ripped out of Yandex browser, much like Ungoogled Chromium. I like
Yandex browser mainly because it puts the URL bar at the bottom. Google
removed that feature years ago. Yandex browser also integrates with all of
Yandex's services, like Mail and Disk.

and yes, Yandex has an API for everything. You don't need language bindings as
long as your language speaks HTTPS.

------
r29vzg2
My problem with ProtonMail is their requirement to use their bridge software
for 3rd party mail apps and their requirement to use only their mobile
application.

I get the limitation because of the encryption, but I wish I can just turn off
the encryption for specific apps. I don’t need my mail encrypted in flight, I
just don’t want it sitting on Google servers. For that ProtonMail is overkill.

------
michaelmrose
I wasted a good bit of time looking through their page to see if ProtonMail
bridge would work with arbitrary tools like offlineimap and found it nowhere
there so for anyone else with the same question. It appears it does.

[https://spaceandtim.es/code/protonmail_mutt/](https://spaceandtim.es/code/protonmail_mutt/)

------
scandox
What is the real appetite for privacy? It's talked about a lot and I believe
in it personally. Everyone I talk to says it is important to them but are
totally uninterested even in modifying settings with existing providers let
alone changing. There is a very strong disconnect between what people say and
do on privacy.

~~~
pier25
I think most people simply don't care, regardless of what they say.
Convenience really rules the world.

------
avmich
Unfortunately it's rather hard to open an account on Proton Mail, probably for
reasons of fighting spam, but it still doesn't help. They e.g. require already
existing email, which defeats part of the purpose.

~~~
tjpnz
>They e.g. require already existing email, which defeats part of the purpose.

That's optional.

~~~
notRobot
It is optional now, but used to not be until very recently.

~~~
searchableguy
Only if you are using their vpn or other free ones. If not, you can create an
account with captcha option. Seems fair to me.

------
jug
This is really just an ad for Proton Mail.

------
criddell
Services like Proton do a good job of keeping the body of the email private,
but is there anything they can do about protecting the header information?

Metadata can reveal a great deal.

~~~
Drip33
There's a lot they can do, but then it makes it impossible to search your
inbox for old emails by subject, from, to etc fields.

You can reduce what an adversary sees by not including anything useful in the
subject line and the only thing you can't protect is who you're speaking to
and when.

~~~
gruez
The third party doctrine[1] allows the government to access your call records
(and other metadata) without a warrant, but I don't think anyone's fine with
that.

[1]
[https://en.wikipedia.org/wiki/Smith_v._Maryland](https://en.wikipedia.org/wiki/Smith_v._Maryland)

------
ryandrake
Mine has been working out well for the past, I don't know, close to 10 years:
exim4 + dovecot running on Debian. I'm the only one with access to the OS,
software, and data, and TLS works, so I'm pretty confident that it's at least
as or more private than any hosted solution. It feels weird that self-hosting
is seen as such an outlier case these days, but it's not difficult to set up
and maintain.

------
jasonv
I barely use email anymore, and I don't really use any chat apps.

I think about moving off Gmail, but 99% of my emails are from retailers I shop
with.

Newsletters are now RSS, email with humans.. doesn't happen much, etc etc.

Business emails are not very interesting -- we use secure methods to share
info when needed.

Email is.. to me personally, not very important anymore.

(I show up to my accountant's office to sign things.. I keep looking for
something that I need to secure.)

------
CryDeTaan
Perhaps a bit off topic, but I created a service that at least hides your real
email address when signing up to services.

It's not a new idea, but I wanted to build something mostly for myself. So it
is rudimental, but works.

[https://mailphantom.com/](https://mailphantom.com/)

------
timwis
Unfortunately with encrypted mail like ProtonMail you can't set up email
filters that act on the contents of the email; only the headers. This makes it
harder to keep organised and fight unwanted mail so I've gone with fastmail

------
dataminded
Is someone at Firefox listening? This is a service you can monetize right now.

------
hankchinaski
even if you use protonmail and your correspondence use google the “privacy”
claim is pointless...

------
johnghanks
no they aren't

------
mcraiha
I am looking for a world where email does not exist.

