Suggestions needed for new email provider

[adisib]

Anyone know what that Protonmail thing does with emails you send to non-Protonmail members if you don't want to send them end to end encrypted? It's pretty clear that when one sends something end to end encrypted, what is actually happening is that the user on the non-Protonmail end of things is getting an email with a link to the real email. But if it's set up to not be encrypted, will the written email just show up in someone's Gmail box as an email with what you've written inside? Or is it also a link that just requires the recipient to do less to read it?

It only sends it in a link form if you encrypt it or make it self-destructing. Otherwise it is just like any other email they will receive.

Also, one part of the site says they don't keep track of your IP addresses, and another part shows a screen where you can review which IP addresses have accessed your account to guard against unauthorized access by people trying to take the thing over and send out spam? Which is it?

IP address logging is on by default, showing whether it was a successful login or not, as well as logouts. These logs can be downloaded, cleared, and completely disabled if you don't want your IP's stuck in their server somewhere.

Third question would be: There's some hint that there's a free account tier and a paid account tier. What features are missing from the free account tier?

I think the paid tier is currently not implemented. But all it will be for is additional storage (you currently only get 500 MB, but they want to increase it), nothing that would cause any features to be detracted from the free tier. They want their service to be completely free, forever. They are limited in the storage only due to being a completely free service, and they only give additional storage to paying users because that payment allows them to provide that extra storage they otherwise can't afford.

[CharmCityCrab]

It only sends it in a link form if you encrypt it or make it self-destructing. Otherwise it is just like any other email they will receive.

IP address logging is on by default, showing whether it was a successful login or not, as well as logouts. These logs can be downloaded, cleared, and completely disabled if you don't want your IP's stuck in their server somewhere.

That sounds pretty good. I prefer the functionality of being able to check and see whether some hacker has gotten into my accounts and is using it to send requests for contacts to wire money because "I'm" stuck at a conference in the Philippines when I am in fact sitting in my apartment in the good US of A, by having a list of recent IP addresses, to them not keeping IP addresses. I use that example because two people I know have had people take control of their email accounts and send out exactly that email to me. And I can always clear it every so often after I look at it if I want to. I guess I generally prefer functionality to privacy, with the caveat that privacy features are nice when they don't compromise functionality. It sounds like the few privacy features here that might compromise functionality (like the links thing) can be turned off in the options panel in favor of traditional unencrypted email.

I know my preference for functionality over privacy makes me an odd potential user for a service like this, but if they do it right, the functionality won't be compromised. In fact, just having an Android app with no ads is *better* functionality as far as I'm concerned (Well, will be, when it comes out of beta, assuming they stick to the no ads thing). That Yahoo stopped working Android's default mail app (At least for me) and I now have to look at ads using Yahoo's app everytime I check my email from my phone really annoys me.

I think the paid tier is currently not implemented. But all it will be for is additional storage (you currently only get 500 MB, but they want to increase it), nothing that would cause any features to be detracted from the free tier. They want their service to be completely free, forever. They are limited in the storage only due to being a completely free service, and they only give additional to paying users because that payment allows them to provide that extra storage.

That sounds alright. I am not one to save my email until the end of time. I do have a custom folder that I transfer a few emails that are special to me or receipts for online purchases and that kind of stuff to, but I basically delete my inbox and outbox regularly, and even check my custom folder for stuff that I no longer want to keep. I'm a not a digital hoarder when it comes to email (Arguably I am when it comes to music, though. ). I'll have to check on my usage with Yahoo to see if 500MB is enough for me, but it probably is.

[CharmCityCrab]

One issue with Proton Mail is that you need to enter a user name and password, then click something, then enter a second password for the encryption, and then click something again EVERY SINGLE TIME YOU USE IT. Like, if one checks the mail, navigates over here to say to you guys, and then navigates back, that second double-password log-in is required again. A lot of people check their email a zillion times a day- which means carpal tunnel style repetition of typing the same stuff over and over again.

It looks nice, but it's useability factor is low. I'm not James Bond, you know? Privacy and security are pluses, but not worth the kind of hassle the above entails for a regular guy. They badly need a "Remember me on this device" check-box option when logging in that leaves you logged in for, say, a week on your username and first password, and 24 hours on the encryption password- put it in options so the people are really paranoid don't have to use it, but normally human beings can. If you don't want it to remember you on a device, don't check the box when you log in.

Also, they need to get their Android app out there- it's in beta and only available to people who donate to the project, so, if you use mail on your phone a lot, you kind of need that feature. They don't have POP3 or IMAP access either

But the interface looks nice.

Right now it's not going to do it for me, but maybe they will branch out later. If they don't want to be a niche product, they are going to have to work on useability. But maybe they do want to be a niche product. One guy on their feedback site said he talked to them about the password stuff and they were just not going to even implement the option because they want to be secure. But it's an option that's an acceptable risk to most people, and to those for whom it isn't, they could opt out. Not having it there is just... Well, I hesitate to say stupid. But it's stupid if they want to build a relatively mainstream userbase and not just people who really, really have a need for privacy and security or who have really, really strong convictions about it.

I guess I'll keep my account and see what they do, but I am sticking with my regular email provider for now for, you know, sending and receiving email. The PM thing will probably just sit there and I'll check in and see if they add a "Remember Me" option or something. It'd drive me nuts trying to use it on a regular basis without one.

Like the original poster, I'm sort of dissatisfied with my email provider, Yahoo, but I can't find anything out there that's better for the way I use email, and the way I want to use email, so, you know, I'm kind of stuck with it. For now.

[Weishaupt]

One issue with Proton Mail is that you need to enter a user name and password, then click something, then enter a second password for the encryption, and then click something again EVERY SINGLE TIME YOU USE IT. Like, if one checks the mail, navigates over here to say to you guys, and then navigates back, that second double-password log-in is required again. A lot of people check their email a zillion times a day- which means carpal tunnel style repetition of typing the same stuff over and over again.

It looks nice, but it's useability factor is low. I'm not James Bond, you know? Privacy and security are pluses, but not worth the kind of hassle the above entails for a regular guy. They badly need a "Remember me on this device" check-box option when logging in that leaves you logged in for, say, a week on your username and first password, and 24 hours on the encryption password- put it in options so the people are really paranoid don't have to use it, but normally human beings can. If you don't want it to remember you on a device, don't check the box when you log in.

Also, they need to get their Android app out there- it's in beta and only available to people who donate to the project, so, if you use mail on your phone a lot, you kind of need that feature.

The "remember me" option is available in the Android app. I'm using it and I've logged in only once (when I was setting it up). Also, the beta is not available only for the donators. I'm not a donator, I applied for the beta, and got an invite. Took me a month or so I think.

Currently, the only major downside for the Android app is that it requires Google Services to run. Like for example, on my Nexus 7 (which has CyanogenMod and no Google bloatware), I can only check my inbox and read my mail. I hope they fix it soon. Works totally fine on my phone with stock Android though.

[CharmCityCrab]

The "remember me" option is available in the Android app. I'm using it and I've logged in only once (when I was setting it up).

Cool. That's something, at least.

Also, the beta is not available only for the donators. I'm not a donator, I applied for the beta, and got an invite. Took me a month or so I think.

"If you like to get early access to the ProtonMail iOS and Android mobile apps, you can make a $29 donation through our donation page here: https://protonmail.ch/mobile-invite" - https://blog.protonmail.ch/protonmail-a ... -app-beta/

"To join the ProtonMail mobile beta for iOS or Android, please provide your ProtonMail username and select a donation option below." - https://protonmail.ch/mobile-invite

Maybe they weren't initially requiring a donation and now they are?

Or is there a sort of backdoor that allows you to join without donating?

I noticed they mentioned free beta invites for the press, but I am not a member of the press, so...

[Weishaupt]

At one point they offered a limited amount of invites to regulars, can't remember the details. But I'm sure it'll become available to the general public sooner rather than later. You can always e-mail them and ask for an invite, see what happens.

Using Protonmail with the app is exactly like using any other e-mail service in terms of convenience.

[CharmCityCrab]

You can always e-mail them and ask for an invite, see what happens.

That was my first email, aside from test emails back and forth with myself from my usual email account to vertify that everything was working, after my account was activated for web access.

No response yet, but that was only yesterday.

Using Protonmail with the app is exactly like using any other e-mail service in terms of convenience.

Cool. Hopefully they will get that level of convenience on their web interface as well. The security argument for no "Remember Me" option on desktop browsers really falls apart if they are going to be less restrictive on phones. They as might as well give users the choice to go with the less restrictive options on PCs if they have less restrictive options for Android. And they can keep a preference available to not be remembered on a particular machine or anywhere for those who need it, or people signing in from the library or something.

[hackerman1]

Outlook.com / Hotmail (Microsoft) ?

[CharmCityCrab]

Outlook.com / Hotmail (Microsoft) ?

Believe it or not, I ran into a problem with them where they created an email account I didn't want while cofiguring something with my Microsoft Account, and by getting rid of it, I now have it registered to send email from my Yahoo address (Which it doesn't- it bounces if tried) and can't sign up for an email address from them. In any event, I think a lot of the frustrations I have with Yahoo would be the same with Hotmail even if I could get an account running. The original poster might find Hotmail useful, though.

[LmaoZedong]

I recommend you to move to protonmail.ch or to ghostmail.com, both are based in Switzerland and seem to care about privacy, and both have what you ask for: EULA and encryption. They are probably your best free bets.

[Weishaupt]

I think Tutanota is worth mentioning as well.

[LimboSlam]

Wow! Just in time, I was recently hacked (somehow inserted a virus/malware of some sort in my Gmail account and compromised my whole PC), of course this was partly my fault for being on open WIFI, anyways I'm now looking for a new email provider, actually I'm already a register user on OpenMailBox.org and I'm liking it more than Gmail. It seems to be faster at loading and does not show you ads or sniff UA, plus it gots a cool UI.

Two questions though, would I be better off with a webmail based email provider or a separate email program for desktop, like which is harder to hack?? And is there usually a delay before seeing new email, for example I changed my email in this forum (others as well) and so it had to be verified first, but it took like 2-5 minutes to get there? Is that good/normal??

[dark_moon]

Using a email programm like Fossa Mail is easy for you and give you more control. You can for example create a spam filter.
So yes, in my opinion its better to use a mail programm. You didn't need then to open the provider site.

The delay is normal and with every provider different. You can of cource try to reload the scan every seconds but the server didn't like that and some get you a message that you need to wait X minutes.
But if you set the scan to check every 2 or 5 minutes then you didn't get any problems and for emails thats enough.

[Falna]

Using a email programm like Fossa Mail is easy for you and give you more control. You can for example create a spam filter.
So yes, in my opinion its better to use a mail programm. You didn't need then to open the provider site.

I'd agree with that.

I'd also suggest that, if you can afford the modest annual cost involved, consider investing in a domain name and email hosting so that you 'own' your email addresses. That way you can avoid the trauma of changing email addresses across all your accounts when changing providers (and avoid feeding the advertisers). I learned that the hard way when my first email provider shut down with 24 hours notice, taking my email accounts with them.

[Vultural]

I actually use Hotmail - still.
Virtru is installed as a Firefox add-on and it encrypts all email.
It also restricts forwarding of email, and I can set an expiration date for mail.

As reffed above, the extension is on my Firefox, which I really do not like using,
but I cannot work out how to add it to Pale Moon.

Any suggestions?

[Antonius32]

Another email provider that is worth mentioning is digitalEnvelopes. Home page: https://digitalenvelopes.email/

[NotFunny]

One issue with Proton Mail is that you need to enter a user name and password, then click something, then enter a second password for the encryption, and then click something again EVERY SINGLE TIME YOU USE IT.

Erm..it's called security, that's the whole point of Proton Mail, even our corporate Outlook requires the same when accessing from outside the collective.
The main problem ATM (duly noted by them and they're working on it.) is that it's not yet possible to import one's Gmail stuff....

[CharmCityCrab]

One issue with Proton Mail is that you need to enter a user name and password, then click something, then enter a second password for the encryption, and then click something again EVERY SINGLE TIME YOU USE IT.

Erm..it's called security, that's the whole point of Proton Mail, even our corporate Outlook requires the same when accessing from outside the collective.

Proton Mail's beta Android client allows you to sign in once and have it remember you. Other than when having to uninstall and reinstall due to technical errors (It is a beta, after all), where obviously I need to tell it my user name and passwords again, I've never had to enter my password more than once the entire time I've been using it. Why is allowing me to do something similar on my PC any less secure than allowing me to do it on my phone? Once they do the one, they as might as well make it consistent across platforms and increase user convenience, because it's no longer really adding security.

Also, they could leave the choice in the hands of the users. Those who want the perceived extra security of having Proton Mail mail automatically log out the second you navigate away from the site could simply not click the "Remember Me" box, and those who do could click the box. Then you could have deeper stuff under settings that allows you to set a duration for how long "Remember Me" should last before prompting for a password, and make sure when the box is unchecked, it is even more rigorous than other email providers about not leaving anything, even a cookie, and logging people out the second the browser closes or they navigate away from the website.

I think ultimately the carpal tunnel inducing reentry of three fields every time one wants to check one's email will prevent it from being my regular email, and prevent it from being a lot of people's regular email, if they don't add in a way for users who want to change it to stay persistently logged in. I mean, I almost automatically surf to my preexisting mailbox online between tasks and stuff. I check it a lot. Since I'm not James Bond, the inconvenience of entering all three fields every time a gazillion times a day outweighs any security advantages it gains me.

That's what I think some developers of stuff like Proton Mail forget. People *do* want stuff like open-sourced, more secure, more private, communications, and whatnot, but not badly enough that they are willing to endure a ton of inconvenience. Fair or not, to really get a mainstream audience, the developers of such a project need to make it as convenient or nearly as convenient as it's more mainstream alternatives.

Also, I think there could be potentially be many users who choose the browser for reasons other than security or privacy- for example, that it is ad-free and supported by donations, that it's open-sourced software, that it has an interesting domain name, that is not owned by a large corporation, and so on and so forth. Those people are going to be even less willing to deal with not being able to have their regular browser on their home computer remember their log-in information.

I think that- and the thing coming out of beta, are the main reasons I haven't switched yet. They need to be as convenient as my existing email, with a remember me feature, and then I'll go. If they never get there, I'll probably stick with my Yahoo account until something better comes along.

The main problem ATM (duly noted by them and they're working on it.) is that it's not yet possible to import one's Gmail stuff....

Interesting. Are we just talking contacts? Because I was able to export a file from Yahoo and import it to Proton Mail and transfer all that over. I'm surprised that Gmail doesn't have a similar export feature that is readable by Proton Mail.

If you have an Android phone and are can get an invite to the Android beta, you might be able to get it to import your Google contacts automatically into that, perhaps triggering their appearance on the desktop client contact list.

If you want to actually import old emails because you keep deep archives, you'd probably run into Proton Mail's 500MB per mailbox storage limit. I don't mind that limit because I tend to clean out most of my old emails every few months, with a few exceptions.

[Antonius32]

I just noticed that ProtonMail has changed the top-level domain for their website, including the login page and the webmail environment, to .com, and I can't say I'm happy about that.

Quoting from ProtonMail's Knowledge Base:

Starting from version 1.14, ProtonMail allows all users to send and receive email from both protonmail.com and protonmail.ch. Previous versions of ProtonMail only supported protonmail.ch. (...)

With the introduction of protonmail.com, there have been some concerns from users regarding the prudence of introducing the .com top level domain (TLD) since .com is under the control of the US government (more specifically, the .com TLD is managed by VeriSign which is a US company under US jurisdiction).

The primary risk is domain name seizure which can occur if the US government bypasses the Swiss court system and directly seizes protonmail.com by serving a court order directly to VeriSign. In this case, ProtonMail could lose control of protonmail.com and the US could gain access to emails sent to protonmail.com after the seizure through directing all email sent to protonmail.com to a different server.

This risk exists for any .com domain. At this time, we gauge this risk to be quite low because ProtonMail is operating in compliance with international laws and regulations which protect the right to encrypt data. Encryption is legal, even in the US and there can be no just cause for seizing our .com domain name.

However, at ProtonMail, our goal is to provide maximum privacy and security under all possible scenarios so for this reason, we will continue to provide the added security of the .ch domain. (...)

Now, the [username]@protonmail.com email alias was optional, but the new domain name for the login page and the webmail environment is not..

[Tharn]

You can't have both convenience and security. Meaningful security measures will usually introduce a stopgap into a workflow. UAC does this, Windows login password does this, Palemoon master password does this. If you're serious about wanting a secure service with encrypted e-mails that the service provider cannot decrypt, then you are going to need a password that is separate from your login credentials. So you suck it up and use two. If this becomes so inconvenient that you won't use their service, then I assume you didn't really need it in the first place.

And I'm talking about the hypothetical you here, not you personally CharmCityCrab. Because a lot of people think along those same lines. People want security but they don't want to invest anything to get it. That's not security, that's willfully and lazily placing your trust in someone else.