
ProtonMail Hits 5M Accounts - wind_of_pain
https://www.inverse.com/article/49041-protonmail-ceo-andy-yen-interview
======
krn
ProtonMail is a joke. It doesn't report security vulnerabilities to the users,
when researchers discover them[1]. It publicly boasts about hacking a phishing
site, then claims the journalist's report is based on "unsubstantiated
rumors"[2]. It outsources a free VPN service to a data mining company[3], then
claims it used it only as "an office space provider"[4].

[1]
[https://www.theregister.co.uk/2014/07/07/protonmail_fail_javascript/](https://www.theregister.co.uk/2014/07/07/protonmail_fail_javascript/)

[2]
[https://motherboard.vice.com/en_us/article/qvvke7/email-provider-protonmail-says-it-hacked-back-then-walks-claim-back](https://motherboard.vice.com/en_us/article/qvvke7/email-provider-protonmail-says-it-hacked-back-then-walks-claim-back)

[3]
[http://litigation.maxval-ip.com/Litigation/DetailView?CaseID=Epee88Womxg%3D&logstat=false&Party=Luminati%20Networks%20Ltd.%20v.%20UAB%20Tesonet](http://litigation.maxval-ip.com/Litigation/DetailView?CaseID=Epee88Womxg%3D&logstat=false&Party=Luminati%20Networks%20Ltd.%20v.%20UAB%20Tesonet)

[4]
[https://news.ycombinator.com/item?id=17775554](https://news.ycombinator.com/item?id=17775554)

~~~
martincmartin
What's a better alternative?

~~~
krn
Mailbox.org and Posteo.de are currently the best ranked privacy-focused email
providers[1]. Both are based in Berlin, and are extremely low-profile.
Mailbox.org supports custom domains, Posteo.de doesn't.

[1] [https://dismail.de/serverlist.html](https://dismail.de/serverlist.html)

------
rootusrootus
There are two reasons I'm still with Google for mail at this point: Inertia,
and cost. The former is pretty easy to understand. The latter has more to do
with the fact that I have a private domain for our family and I've been using
Google Apps since the days when it was free. If I want to convert to another
service like ProtonMail then I'm either going to tell a bunch of people in my
family to pay up (with all the accompanying annoyances), or I pay $50+/year on
their behalf out of my own pocket. And in either case I probably get to move
their email for them. It's hard to get up the enthusiasm to do any of that,
even if I do have a growing desire to disconnect from Google.

I haven't done any thorough searching recently, but if I could find a
reputable provider that had a reasonable family-priced solution that would be
ideal. The per-account pricing adds up relatively quickly.

~~~
notyourday
I'm pretty speechless. $50/year is twenty seven point oh two (27.02) cups of
Starbucks small coffee a _year_ for a _family_.

Do people truly think that's expensive for email hosting?! Honestly, no wonder
Facebook and Google keep trampling with the so called "rights" of people
successfully by peddling "free stuff" -- even those in tech paid six figure
salaries think fifty dollars for essential communication for a year for
multiple people is expensive.

~~~
rqs
> Facebook and Google keep trampling with the so called "rights" of people
> successfully by peddling "free stuff"

I don't think you get this correctly.

Many people use Gmail because it's stable and comes with a Google Account, so
they sign up conveniently.

Plus, not many people are still using email as their _main_ day to day
communication method these days. After all, there are many specialized tools
out there to pick (For example, some people may use Slack for work, and
Facebook for friends etc).

So, I think it's not because $50/year is expensive, rather, it's because many
people don't care anymore.

~~~
notyourday
The person to whom I replied said it was $50 that mattered to him. That's the
person who spends time on HN, is in tech and I'm guessing well paid.

I'm going to also make an educated guess that someone who meets the "Spends
time on HN, is in tech and is well paid" is likely to be someone who is
concerned about "privacy" as well as leaks of PI.

How can I possibly reconcile those positions with $50 per person per year is
_too expensive_?

------
ricardbejarano
So they want users to ditch one centralized service provider with another?

I have no Google/Microsoft/iCloud account, ProtonMail has been covering my
(pretty basic) email needs for well over three years now, and now I'm leaving
them.

Proton has been talking about adding calendar for years (unreleased), then
they started working on ProtonDrive (unreleased), now they talk about an
office suite... Then they flirted with the idea of doing an ICO to fund
themselves, at which point I decided to leave. I don't want to be in a ship
that sails in circles and doesn't have a clear direction.

ProtonMail free has 500MB, no IMAP, and max of 3 folders and 150 emails a day,
versus Google's free, familiar, full-featured set of well-integrated services.
Will they convince the average Google user to leave productivity behind, and
pay in the process?

And again, they are a for-profit. What will happen the day they realize they
can't pay the bills at the Alps with free users?

They can promise whatever they want, Google's motto was "Don't be evil".

------
russdpale
I found Proton to be a bit expensive, I really like tutanota.com (meaning
secure note in Spanish). Only about $1 per month and doesn't come with things I
don't need like a VPN. Plus, believe it or not, employers raise the eye at the
.io, in a good way like what they did when gmail.com was new and cool.

~~~
blfr
Yeah, ProtonMail is about 150% the price of G Suite with weird limits on
things like number of aliases or domains. And while I understand that the
selling point is privacy, it's not that expensive to maintain one more record
in your database while not violating your users' privacy.

OTOH, €8/mo is peanuts anyway.

~~~
wink
I don't know, I pay about 10 EUR per month for my mail server, which services
N users. So then it's suddenly not peanuts anymore.

So yeah, I probably don't fall into the normal category here, a handful of
friends & family users and a ton of domains. Protonmail/Fastmail would cost me
at least 40 EUR per month, and that's a rough estimate, could easily be 80.

~~~
vitalique
Can you describe your setup please? I've been thinking about moving the family
members off Gmail a lot lately.

~~~
wink
Sorry for the late reply, but it's a pretty standard (imo) setup with postfix,
dovecot, spamassassin, postfixadmin.

I'm planning to redo this soon (been a few years) and I'm as of yet undecided
if I just do it manually again (like I do every 3-5 years) or if I'll use some
template ala sovereign, mailinabox, mailcow, modoboa.

Also check this thread from last year:
[https://news.ycombinator.com/item?id=16238937](https://news.ycombinator.com/item?id=16238937)

~~~
vitalique
Thank you for all the details and suggestions!

------
totoglazer
Anyone have thoughts on ProtonMail vs FastMail, as a gmail successor?

~~~
elquimico
In the past 3 months I have set up accounts on all three of FastMail, HushMail,
and ProtonMail. I was mainly interested in having an account with a custom
domain. I used the domains I got through Amazon AWS Route53. ProtonMail was
the only one I could not set up a custom domain on. It would get stuck in the TXT
field verification step. I contacted their support and they were not
interested in helping me figure out what's going on. They just told me that
was AWS problem and I needed to contact AWS support. I cancelled that account.
I only used it for about 3 weeks, and my impression is that it was least
polished (web UI and iOS app-wise) of the 3. FastMail was the best.

~~~
delbel
I got stuck with a custom domain on ProtonMail and opened a ticket, and they
responded within 45 minutes to help me. That sucks you had issues.

------
IdontRememberIt
We had so many scammers using this provider that we require an SMS verification
if they use this email address for account creation. Sad. :(

~~~
autotune
> SMS verification

I am sure the scammers are not deterred lol.

~~~
adrr
It stops most of them. You can buy data on the number to see if it's VOIP, or a
legitimate cell phone. There are even some data providers that tell you about
the subscriber like how long they had service, if it's prepaid, or recently
forwarded/ported.

~~~
huhtenberg
Can you give any pointers? On both the number info and the subscriber's
details.

~~~
adrr
Twilio has some of the basic APIs that will tell you the carrier and whether
it's VOIP or Mobile. Sometimes it will return you the name on the account.
Subscriber stuff you'll need to find a data provider that partners with the
carriers. It's pricey from what I heard.

------
mattkevan
ProtonMail was a bit expensive for me, so recently switched from Gmail to
Soverin [0]. Based in the Netherlands, costs less than $4 per month for 25gb
storage on a custom domain.

Also have a Roundcube web interface, but smtp is fine.

[0] [http://www.soverin.net](http://www.soverin.net)

~~~
move-on-by
Doesn't look like they have Zero-access encryption. My guess is that they can
save money on storage through mass marketing emails that share the same
contents, attachments, etc.

------
sramsay
I'm seeing lots of posts full of frustration about cost, clients, support,
protocols, direction of the company, whatever . . .

I don't care about any of that. Okay, I do. But mainly, I need the thing to be
secure (zero knowledge, encrypted between clients), and I'll pay a high
premium for it. People are suggesting other providers. Are there other
providers that have a better product _in terms of security?_

I'm not saying there aren't; I'm just having trouble figuring out which
providers are judged to be better in terms of security.

------
move-on-by
I like ProtonMail. It does what I need it to within the free option. I have a
domain name that I forward to my ProtonMail, so I'm not really worried about
lock-in. I have slowly been moving my accounts over away from Google Inbox.
Now that Inbox is going away, I'm about to kick the transfer into high-gear. I
don't care to re-learn the 'new' Gmail when I was already invested in Inbox.

------
rossdavidh
So, just curious, how does filtering out spam work, if the email provider does
not have access to the contents? Not saying it's not possible, but I wonder if
any current users of ProtonMail could comment on this? If you use ProtonMail,
are you mostly just on your own in regards to spam filtering?

~~~
Alex3917
> So, just curious, how does filtering out spam work, if the email provider
> does not have access to the contents?

Much (most?) of spam filtering is done using DKIM/SPF/DMARC/ARC, domain
reputation, and IP reputation, none of which require access to the contents.

I'm not saying that you should go and make all your email subjects "Free
herbal viagra" or whatever, but modern spam filtering algorithms revolve
somewhat less around those kinds of trigger phrases than they used to.

Also, spam is by definition sent in bulk, so as long as the emails are hitting
either some accounts on other email providers or else are hitting some
honeypots on ProtonMail then you still get the benefit of being able to have
the sender blacklisted based on the contents.
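
Added example, not part of the thread or any provider's code: a sketch of the metadata-only filtering described above, scoring a message from its SPF/DKIM/DMARC verdicts plus IP and domain reputation without reading the (encrypted) body. The authserv-id, reputation lists, score weights and sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.net"    # assumption: authserv-id of our own MTA
BAD_IPS = {"203.0.113.66"}             # constructed IP reputation list
BAD_DOMAINS = {"bulk-offers.example"}  # constructed domain reputation list
RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)

def trusted_results(msg):
    """Keep method=result pairs only from headers stamped by our own MTA;
    an Authentication-Results header supplied by the sender proves nothing."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, _, rest = value.partition(";")
        if authserv_id.strip().lower() == TRUSTED_AUTHSERV:
            for method, result in RESULT_RE.findall(rest):
                results.setdefault(method.lower(), result.lower())
    return results

def classify(raw_message, client_ip):
    """Return (verdict, score) from headers and connection metadata only."""
    msg = message_from_string(raw_message)
    results = trusted_results(msg)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    score = 0
    if results.get("dmarc") == "fail":
        score += 5
    elif results.get("dmarc") != "pass":
        score += 1  # no DMARC verdict at all: mild suspicion
    if results.get("spf") != "pass" and results.get("dkim") != "pass":
        score += 2  # neither path authentication nor a valid signature
    score += 4 * (client_ip in BAD_IPS) + 4 * (from_domain in BAD_DOMAINS)
    verdict = "reject" if score >= 5 else "quarantine" if score >= 3 else "accept"
    return verdict, score

# Constructed samples; the body stands in for ciphertext and is never inspected.
BODY = "\n\n-----BEGIN PGP MESSAGE-----\n(opaque)\n-----END PGP MESSAGE-----\n"
LEGIT = ("Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass\n"
         "From: Alice <alice@example.org>" + BODY)
SPOOFED = ("Authentication-Results: mx.example.net; spf=fail; dkim=none; dmarc=fail\n"
           "Authentication-Results: relay.invalid; dmarc=pass\n"
           "From: Alice <alice@example.org>" + BODY)
UNVERIFIED = ("Authentication-Results: relay.invalid; spf=pass; dmarc=pass\n"
              "From: Bob <bob@example.com>" + BODY)
BULK = ("Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass\n"
        "From: Deals <news@bulk-offers.example>" + BODY)

if __name__ == "__main__":
    for name, raw, ip in [("legit", LEGIT, "192.0.2.10"), ("spoofed", SPOOFED, "192.0.2.10"),
                          ("unverified", UNVERIFIED, "192.0.2.10"), ("bulk", BULK, "203.0.113.66")]:
        print(name, classify(raw, ip))
```

The bulk sample passes every authentication check and is still rejected on reputation alone, which is why authentication results and reputation are scored separately.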

------
cs702
If ProtonMail manages to offer (a) seamless calendar and contacts syncing and
(b) decent office suite functionality, I would consider switching all my
accounts.

Let's hope Andy Yen and his team at ProtonMail can pull it off!

~~~
nunobrito
Calendar support would already make a big difference.

------
mdhen
Protonmail would be great with some usability and feature improvements. Right
now it has limited support for imap, smtp, pop3. You're basically limited to
the biggest desktop clients. The desktop web client is okay.

But the biggest drawback right now that I can see, is mobile. Their app does
not support threaded conversations or any of the newer features that we've
come to expect because of Gmail. You also can't use a third party app like k9.
So for me at least, it's not good enough yet to use as my primary account.
Really wish it was though.

~~~
ornel
I just signed up for the Linux trial version of the ProtonMail bridge and
installed it on my Mint box. Now I get mail via IMAP on Thunderbird totally
transparently and couldn't be happier. My only complaint right now is the
inability to forward mail automatically (which I understand, they can't
decrypt my mail in order to forward it), and also that I can't sign up my wife
on my custom domain without getting a significantly more expensive business
plan, but otherwise I'm very happy and getting closer to ditching Gmail
altogether.

------
wpdev_63
I am surprised nobody mentioned lavabit. It was relaunched with the
inauguration of dt and looks like a solid option.

------
randie63
I have switched to mail.tutanota.com and I love it. All the features I need
are there. Super fast backend (really instant email delivery). The all new
webapp is nice (only the phone UX can be improved a bit)

------
ben_utzer
Read half the article and then get blocked by their Login popup...

------
nopacience
It is important to pay for email services and support the diversity of email
companies.

Paid services tend to have good support and care for their users.

Users of free email service that hit a problem (ie. password lost), are
essentially screwed. The free email service (gmail/yahoo/outlook) will not
give proper "manual" support to solve that problem. They are so big and this
fact essentially makes the users of free email services just another user
(worth nothing). The big brands that provide free services will not care about
your problem when you go in trouble.

Users that only have free email services, should really consider testing paid
email services. And slowly move all their emails into a paid email service.
But don't forget, it is _very important_ to purchase your-domain.com and
use that in signups. Never use your-user@gmail/yahoo/hotmail/outlook.com to
signup. Because when the user uses @gmail/yahoo/etc they get locked in and it
gets hard to move out of the free email services after a while (because all
the friends, family and websites will only know your free services email).

Another important point to note is, the only secure encryption is end-to-end
encryption that the user has control of. For example openpgp. Users that care
so much about encryption should rely on openpgp. If encryption is so
important, don't believe the servers and use openpgp. No matter what, when the
email is sent, it's sent in plain text. So openpgp is the only way to send it
in plaintext encrypted.

Paid services will care more about the user than free services.

Start with one of these:

runbox.com fastmail.com hushmail.com protonmail.com tutanota.com lavabit.com
mailfence.com posteo.com

and ditch:

gmail.com yahoo.com hotmail.com outlook.com

Spread the word to make your friends and family aware and also make the move
to paid email services.

And never forget to purchase a domain and _use that to receive email_. That is
the only way to not get locked in the email service provider.

~~~
krn
> Start with one of these:

You are probably joking.

> hushmail.com

"Hushmail supplied cleartext copies of private email messages associated with
several addresses at the request of law enforcement agencies under a Mutual
Legal Assistance Treaty with the United States; e.g. in the case of U.S. v.
Tyler Stumbo. In addition, the contents of emails between Hushmail addresses
were analyzed, and 12 CDs were supplied to U.S. authorities."

[https://en.wikipedia.org/wiki/Hushmail#Compromises_to_email_privacy](https://en.wikipedia.org/wiki/Hushmail#Compromises_to_email_privacy)

> lavabit.com

"The court records show that the FBI sought Lavabit's Transport Layer Security
(TLS/SSL) private key. Levison objected, saying that the key would allow the
government to access communications by all 400,000 customers of Lavabit. He
also offered to add code to his servers that would provide the information
required just for the target of the order. The court rejected this offer
because it would require the government to trust Levison and stated that just
because the government could access all customers' communication did not mean
they would be legally permitted to do so. Lavabit was ordered to provide the
SSL key in machine readable format."

[https://en.wikipedia.org/wiki/Lavabit#Suspension_and_gag_order](https://en.wikipedia.org/wiki/Lavabit#Suspension_and_gag_order)

> protonmail.com

[https://news.ycombinator.com/item?id=18010648](https://news.ycombinator.com/item?id=18010648)

~~~
ta76567656
Parent doesn't seem to be arguing that these providers are anonymous, just
that you get what you pay for in customer service. They explicitly say that
end to end encryption (ie client side PGP) is required for privacy.

~~~
krn
Then his argument is even more flawed, because one can just as well pay for
Gmail or Outlook and use PGP with them, without exposing himself to
vulnerabilities of smaller email providers.

~~~
andyroid
Would love to hear more about this Gmail customer service I can pay for.

~~~
krn
You are not paying for customer service, you are just becoming a paid
customer[1]. And then you can compare which email provider treats its paid
customers best. For me, the best treatment is when a product is so well
thought-through, that I never need to contact anyone about it.

[1]
[https://drive.google.com/settings/storage](https://drive.google.com/settings/storage)

~~~
araxhiel
But there you are just paying for additional storage, not for email service

~~~
krn
ProtonMail also offers a free inbox with a way to pay for additional
storage[1]. Would you also think, that by upgrading your ProtonMail storage
you are not paying for email service? The only difference is, that Gmail
doesn't limit its features for the free users. It's just a different business
model.

[1] [https://protonmail.com/pricing](https://protonmail.com/pricing)

