@@Naokarma idk who told you that but carrier pigeons still exist... They mostly exist for showoff tho, people buy pigeons and breed them to get better pigeons each generation.
Email in general cannot ever be truly secure. If one needs that level of total privacy there are other tools for said communication. With email, at best it's the equivalent of locking our doors at night - enough to keep honest people honest, that's about it. Determined people, either individuals or government agents, will find a way to crack emails.
Why not? Email has transport encryption between servers and between clients, it can have content encryption via autocrypt (or other methods including the Signal protocol like criptext), it has DNSSEC, TLSA, DANE. Encryption at rest can be done as well, or messages can be removed from server when delivered. What security holes are still left after all of that?
@@adamz1977 It was explained on the video, if you don't use PGP yourself and send encrypted data, the gov can make the company server comply with encryption removal at rest for that specific users etc. Heck, proton if wanted can also push an logger script on the web so even PGP would not work if typed on the web app of them. The only way for email to be secure is to type it on a offline editor which is not related to the email comany and encrypt it with PGP there. Then send it through email.
@@adamz1977 You can always manually encrypt your own data with a cipher. The only reason why Enigma was cracked was because an entire nation was intercepting hundreds of messages, original Enigma machines, etc - and devoting thousands of man-hours to cracking it! If you make up your own encryption, the scale that you operate at will make it even harder for people to crack.
As someone who literally sets up servers and mail servers are one of them, I can agree at some degree that you CAN secure email. BUT, can you still call it an email? And, the more you make it secure, the more complex it becomes that its a nightmare to maintain or even use. In the end, emails should never be used for something that requires security. Never send account information over email. And never use email for 2FA.
Exactly. I don't fully trust in any e-mail service precisely for the reason you mentioned: the protocol itself. If you have something sensitive to share to anyone, e-mail is not the right medium.
Except, maybe, you and your intended recipient exchanged ciphers ahead. Preferably in a face-to-face real world meeting. In a place where there's not a single camera for miles away.
That's what PGP is designed to do. Problem is trying to explain the sender on how to use it is the problem in itself. ProtonMail supports it and they make it fairly easy to use. I generate my own PGP keys on my computer so I know there's no escrow key attached to it. My Thuderbird e-mail (Linux) client automatically attaches my PGP public key so they can use it to send me encrypted e-mails.
It also frustrates me when people refuse to communicate by e-mail or such because they consider it unsafe but then act like Telegram is totally rock-solid. Well, to begin with, it requires a contract-based global ID (phone number) attached to an account, and then Telegram is under jurisdictions, too. It is often better to use e-mail but have no smartphone than to use Telegram and a smartphone. But the 'popculture security sheeple' cannot be convinced after they already believe they are totally safe now with their cute little mass-used gimmick.
@@Dowlphin Or, even worse, Whatsapp, because it *allegedly* has E2E encryption enabled by default. But I have doubts if their 'encryption' doesn't have any backdoors, which can be used both 'legitimately' and illicitly.
Functionality and availability wise, google is also very good. It just works. Both of them, indeed. But privacy wise.... I will just say I try to not use anything coming from google. I am not there yet... but one day!
Yes, I absolutely agree with you. The 5 most evil corporations that make money from harvesting user data are Google, Apple, Faecesbook, Microsoft and Amazon. If you use any other service (including email) provider that isn't affiliated to those corporations or the CCP, then you are going to be more private than you were using services on any of them. Email isn't encrypted unless you use PGP, at which point the body of the email is encrypted but the headers and the metadata are not - so someone from the outside can see who you were communicating with and what times, and may be able to guess what you were discussing purely because of that relationship. And that's something you just can't change with email.
@@joaomaria2398 the issue is once you use it you already lost the privacy, and your id.. you can only stop them from continuing to collect current data to send personalization at you.
the only privacy i care about is being sold for ads, i knew from the start they have to give up info for warrants which is fully justified. i just don't want random workers and ad companys in my emails. proton is perfect for daily use.
@@YountFilmsure but honestly who is using email for anything other than signing up for things or sending colleagues or businesses a message to start a line of communication. Afterwards if security is a concern no one is using email…
@@YountFilmLaws dont just change by accident. At least in the US and Germany we ellect governments. I think we should try our best to fight this at the government level. There are lots of surveillance options way harder to circumvent like hardware backdoors, public cameras, other peoples digital devices etc.. So yeah, I'll definitely try to fight on that side. If this fight is ever lost, then yeah just ditch mail.
The people that don't care about pivacy at all "I have nothing to hide" should think what could happen if uncle adolf was in command with access to all this data.
Just tell them to give you all their passwords so you can read what they say on facebook or in their emails. If they have nothing to hide then they should be OK with it.
I have no illusions about Proton being a beacon of inviolable privacy against the evil forces of the world, I just like the service they provide. Not just the email but the entire ecosystem of services. It works really well for me in my situation.
@@rft253It's because of the legendary quote by Terry A Davis, on how "the CIA (hard R nwords) glow in the dark, and you can see them while you're driving". Look it up, it's kinda funny, to be honest
I switched to it after your email video, and I’ll use it because although they have shown they aren’t perfect, it is absolutely safer than Google Mail so switching to Proton was a net positive.
Exactly this. The people that kick and scream about protonmail to someone who's never heard of a VPN and have 1-3 Gmail accounts is really just missing the point. If they don't use proton they're probably just going to keep using Gmail, not open their own personal email server.
I've had caution to doing it for everything since some services are allergic to you using it. I guess if you wanted to be 99.9% private, you shouldn't be using the services that would have a problem with it in the first place. If anything, I'm getting very mad with other email services making account deactivation policies that are going to just get shorter and shorter until maintaining them becomes a chore and a risk of massive account lockouts... Edit: I read that Proton is doing the same thing... I guess it's neat you can pay for it once and cancel later and the account can remain active? But if they change the policy once, they'll do it again I guess...
@@AshnSilvercorp Oh yes, not just email services, but all internet services in general seem to be trying to prune anything they label as "dead". At this point in time, Proton is only resending any emails my Gmail gets, so nothing I use actually goes to Proton but rather Gmail, but I'll see what services in the future I can use Proton with natively.
@@AshnSilvercorp They were forced by the Swiss government to give his data, and unless you know the context, as I read this peasant what he wrote to the US government or somewhere, he threatened them and seriously, so I guess it's better after all to turn one man in than to have others commit su*cide from his false threats.... in short: it's one good thing, one bad thing that they ratted him out, because they broke their confidence a bit, but at the same time they helped catch the person through whom suic*des out of desperation could sprinkle
Plus Gmail now ask to add a phone number with out a choice, dont know how long or when that start it. But it wasn't a thing when a open account at Gmail, now i'll Try Proton Mail till they decide to also start asking for such verifications to verify.
If your hiding from the government you need to be using more secure communication anyways, if you just don’t want your email scanned and data sold then proton is pretty good
honestly this was the best Ad for Proton Mail, sensibly discussing the technology and history, flaws and benefits. i hope they pay you, because they probably got a few subscriptions bc of this video.
I will say doing verification with it isn't really well explained. I've tried to use it to verify Linux iso's a few times, and the process is never really well explained on the install pages.
@@AshnSilvercorp it's pretty easy. If you want a video guide for it, check out Mental Outlaw's new Tails guide- he explains the process of verifying the ISO there.
@@tedrice1026 Exactly. That's the only hard part of it. And although I agree that distros should at least link to a guide or something explaining how to verify ISOs, that's a general issue with all open source projects... the number of times I've tried to find a proper install guide for some github project is way too dang high.
Protonmail is good for what it is. Even hosting your own mailserver isn't 'fully secure' and if you are sharing sensitive data there are better protocols.
@@tedrice1026 I suspect she had insider help, although, admittedly, I have no evidence for this. Only the fact that I cannot, *cannot* imagine that the secret services did not know she was doing it. I suspect she or good or Billy had connections of some sort to help them set this up in the first place, and secondly, to prevent them from getting into serious legal trouble. If I were to suddenly run my own mail server or my own mail address and use it for work, my employer would have me booted from the company in no time. I do not believe for a second that nobody knew from the get go what she was doing.
As a CIA Agent I love Proton Mail, makes over throwing democratically elected governments the world over a breeze. All my friends, family and global espionage network connected in one place
this is actually a good reminder for me to go through my multiple emails and do some house cleaning, delete mails from services i am no longer using, delete emails that are a decade old and most importantly unsubscribe from all the email newsletters
I appreciate this explanation. I was completely unaware that Proton Mail was so divisive. No wonder I get weird looks when I give out my email address. I have nothing more than a standard account & I'm not sponsored in any way. But I've been quite happy with it. 👍🏻☕️
I agree, but I will also add that the person who wants to be invisible has to not only stop using email, but also reduce social connections to almost zero. Facebook was capable years ago of creating panthom profiles of people not on facebook, just by all the info he had on your friends and family. So if you have communications with people who are leaking data everywhere, they can still pin point you.
Facebook is for surveillance and never for privacy. Their logo is an evolved form of an freemason logo. I trust no tech companies at all that have their hands into survaillance,that is on the Stock Market that is owned by the evil 1% and that funds or funded the WEF.
@@azure4real if they are socializing with a non-existent avatar, are THEY socializing with you? are you socializing with them? I'd say not really, one of the joys of socializing is to get to open up about who you are. If not, is just glorified weather-talk.
No. Email is an ancient technology. Email will always use port 25, which is unencrypted. ProtonMail may encrypt your email, but port 25 will leave a rabbit trail directly to your contacts. You'll be discovered via your contacts. So, there is no privacy in email.
one thing you forgot to mention that even emails encrypted with TLS are not safe from a MITM, you can trivially downgrade to plaintext or even just straight out not present a valid certificate. The only way to have authenticated TLS connections safe from a MITM is to use a service that supports MTA-STS and DANE, which sadly isn't very widespread.
@@EricMurphyxyz No, that's an example of a security hole being fixed. The word "inherently" means permanently, but as @jacksoncremean1664 already said, those MITM attacks can be mitigated with up-to-date security best practices.
@@EricMurphyxyz Hey.. When I found out it was created by the Intel agency I deleted my free Proton app... It redownloaded onto my phone all by itself.. But it doesnt show up in my apps list... How the heck do I remove it ?
I got my first PGP key at a key party in Houston in the 1992 or so. A member of the Free Software Foundation or something similar was there with a laptop. We took a floppy diskette to the party where the guy with a laptop would generate our key for us. He was pretty busy at that, too. The real problem was that once I got back to the office with the diskette, I had no idea what to do with it.
@@Dryblack1 It was an event at a local bar where you could go to meet people and verify identities to sign each other's keys. And if you didn't have a key, you could take a floppy disk with you and someone there with a laptop could create a key for you and save it on your floppy disk. In our case, the guy with the laptop creating keys was a lawyer who was highly involved interested in the EFF (Electronic Frontier Foundation).
I think this feels like a similar situation to signal where all they could give was the ip address where they logged in from so I think as long as you pair protonmail with vpn there should not be a danger of leaking ip address
@@brunoterlingen2203 kind of. Even generating one random number and having you use that has this problem, unless each person you talk to finds you with a different unique number. Phone numbers are extra bad, because they are a common identity proxy in all facets of life. Signal is still very secure and pretty private, but it is not anonymous.
Yeah that's why I never understood people constantly advocating and trying to get me into telegram. Sure it's not discord. But telegram requires my phone number, constantly broadcasts the last time I even clicked on the desktop app or looked at the mobile app, and then there's the read receipts. It felt like the more someone was trying to convince me to use telegram, the more of a stalker they were.
Email used to be just sent and not stored in the server. If everyone were to do that, at least when any entity wants to snoop it they can only see mails in transmit, not seeing years of data.
You can absolutely verify the code running running in your browser, and therefore you can verify if your PGP/GPG key is generated client side and then only sent to Proton Mail in encrypted form.
Yes but you hit the nail on the head in your first sentence: You can absolutely verify the code running running *in your browser* I cannot easily deduce what happens on the backend/server side of things. On top of that, as someone else pointed out in the comments, even if you use an open source product (which Proton mail now is), how do you know that the code in the repo is the code that is running in your browser/front end/back end?
with messaging apps being more secure, I can't remember last time I actually wrote an email. I basically just have an email address for purchase receipts for online shopping and website sign ups
You're literally part of my pipeline to privacy-conscious in that image at the end LOL I use a hardened Firefox cuz of you (although I am having a severe memory leak issue with it that I have no idea what's causing it yet [EDIT; it was a CSS theme causing the leak LOL])
One thing I want to point out is that governments aren't the only party that one should want privacy and protection from. For each case of a government using online services and platforms to gain info on activists, whistleblowers, etc, there is one of corporate entities doing the same. Also in many cases, governments pursue whistleblowers, investigative reporters, etc on behalf of corporations, e.g. the Steven Donziger case.
I agree completely with your main point, but I don't know if it's fair to call a corrupted judicial system "government working on behalf of corporations", specifically the Donziger case. The line gets a bit blurry, but it's still corporations and their money corrupting the system. usually individual judges. I wouldn't call that "the government".
probably a good thing to note how web-based FOSS programs don't always have proof that you're using the version containing the code publicly available.
Proton seems like the happy medium between privacy and convenience, so long as your not the tallest nail or low hanging fruit your probably not worth the governments time.
People used to say that email was like a postcard, readable by anyone who handled it. Now, it's like a letter in an unsealed envelope. Super-secure email is like a letter in a sealed envelope: the people at the sorting office know how to steam it open without leaving a trace. Of course you can write your letter in code, so it's unintelligible to anyone who can open the envelope. But the envelope still has postmarks/franking, a return address, you've left your fingerprints all over it. You can wear gloves while handling the letter, use a remailing service, but can you be sure that you've covered all your bases? No, you probably can't. What matters is WHO you're trying to hide stuff from. If it's a nosey neighbour or jealous partner, they probably don't have the wherewithal to conduct a forensic analysis of your mail. But if it's a government or other serious organisation on your case... you should look into alternatives to the mail.
Honestly, PGP/GPG is _not_ difficult or complicated at all. It takes only a few moments with our friends Alice and Bob and you'll educate all but the most technologically challenged. The hard part is finding other people who'll use it, leading to a feedback loop where eventually even privacy/anonymity focused folks give up on it; and that's why if there's one thing I disagree with in this video, it's how Eric constantly refers to it as if it's monstrously complicated, thus dissuading people who might be inclined to give it a try from even looking into it. If you've sat down long enough to install Linux and even learned how to use it, you can figure this stuff out. Believe me.
You gain a subscriber, the way you explain / edit and the quality looks insane effort i wish you be one of the largest youtubers on tech and related topics ❤
I had complete forgot about the proton mail french activist thing, and i recently made an proton email for crypto just to seperate it for my other ones, im glad i found this after and watched all the way through, you explained it very well, good video
I'm trying to change my email provider to more safe/secure. I am not concerned about govt snooping, I am fearful of data breach access to my online emails that contain a lot of very sensitive info. Financial, etc.
I mainly use proton for the aliases so that when an alias of mine gets hacked, i can recover my accounts under that alias, switch those accounts to a new alias, and delete the old unsecure alias. My emails use to get hacked a lot so an alias attached to my main email just makes me feel more secure.
I think they have some. I don't know shady tactics for upselling and they also have some complications where if you try to downgrade from a paid account to a free account. The amount of horror stories I see of people that have a paid account and then want to switch back to a free account or they have a paid VPN but they don't want it anymore but they lose access to their free email account.
Kind funny that people expect companies to not comply with the government's requests. If they don't comply they can have their business shut down or go to jail.
even signal has the same problem of setting up your encryption for you. the app is open source but the desktop app updates like every day, are you really going to check the binaries match the open source version? Or do you trust google play to send you the right program and not spy on you? hopefully you could verify the binary of the open source vs local copy, but most people don't know how to do that. I mean that's still better than web apps but theres still a slight problem
One reason I changed from gmail was I noticed they would go through my emails and create calendar entries from them. A family member sent me their travel itinerary and I started getting calendar notifications for flight times. Confused, I went through and found the entries matched up with the flight times from their travel details. But I've now noticed that Proton is doing the same thing. Work emails come in and now there are calendar entries. I don't like this at all. Clearly their systems are going through the emails to some degree. Proton has also really slowed down for me over the last month or so too.
@@andre1987eph That's possible in other cases. In this case, it was emails sent to me. I had no browser history/searches/etc.. or notes. There really was nothing else apart from the emails as they weren't my flights and I had no idea about them.
Proton mail, as compared to google, Yahoo and or Outlook mail, is like a messiah is to a religion. Its the best you can get. But, as noted, it is only encoded end to end if you are sending proton mail to another proton mail address
Swiss laws for privacy are the strictest in the world. Only a Swiss court with a legitimate court order can do anything to Proton. This is why Swiss banks are the popular choice for the wealthiest on the planet. Which makes using Proton Mail the best choice as well. Swiss laws make it so no companies have to comply with outside jurisdictions. Proton doesnt have to comply with any request or any legal action that isnt from a Swiss court ... and Swiss courts dont listen to outside jurisdictions (unless something is a direct threat to the Swiss people).
@@zhang-boyuHaha, exactly.. "Neutral" Switzerland has implemented more sanctions against Russia than the EU itself but not a single sanction against Izrael. 🤔 Also, the world's most influential psychopaths meet every year in Davos to discuss how to proceed with their manipulation of world affairs, completely against all the democratic values and processes they claim to stand for while at home in their "sovereign" nation states.😏
I'm a security nerd. I used to run my own email server but you can't get people to use PGP. I've been a ProtonMail visionary supporter since the beginning. It's the only service I'll use now.
E-Mail is not inherently insecure, if you manage your own S/MIME or PGP keys, you have real end to end encryption. You can even use POP3 to collect your mail so it isn't permanently stored on the server. The advantage of Signal is that it is easier to use, so your peers bad security practice is less likely to get you into trouble.
I route Proton mail through my own domain name. When I set that up Proton required/suggested that I install a PGP key at the domain server via DKIM parameters. Your email will work without it, and its a pain to install at some domain providers, but it works, and Proton gives you a tool to test whether you've successfully set it up. I like that and that part of the pgp seems to work from that point forward. Yes if you send something to an email service owned by a company in silicon valley then, yes, there's probably a risk of getting cancelled depending on how based your beliefs are. If you're really worried, you can always use Proton's secure function which open's an email taken out in a protected environment using a separate password. Not an expert but that seems like a good solution for things like ssn's or your next great invention.
I am just now looking to start using Proton, and to be fair, Government should be able to ask to see data based on a a judge decion, not anythime they feel like. For me, I don't do anything illigal, so I am not necesarely afraid of a judges, but I do want an alternative to Google. I understand that if you want to be as secure as you can be, you need to run your own infrastructure, but for now I am looking basically to not depend on google for e-mail and storage.
With true client controlled end to end encryption (which CANNOT be the case for metadata with inter-provider email, except maybe if you are literally sending them just a webpage that decrypts the message client side) - as you explained earlier about pgp), no need to trust the provider. For any other case: If the provider is in one sort of country, they can be legally compelled to give what they have to law enforcement. In the other sort of country, you cannot legally compel the provider to adhere to what they promised you.
The problem is people are misled through lack of knowledge. They don't understand that mail in and out of protonmail is plain text to and from all others. This is where law enforcement waits. It doesn't go encrypted. Protonmail can't see it when the email has been encrypted or decrypted, but can before and after. The only time it is secure is when two users connect to the site and keep emails inside protonmail. There are so many that use their app and get caught. Protonmail is encryption to server, not encryption in transit.
Encrypt your text (hard as you wish). Convert birary to Base64. Paste into any email. Send. - Copy base 64 of the email. Convert base64 to binary Decrypt the binary. Read. - Just encrypt it by yourself. Send you public keys, protocols, and decryptors in "creative and secure ways."
See man I wouldn't mind switching over to any mail service as long as it lasts, that why I willingly use gmail or outlook because I know it will be there even years after, how many third party mail services have lasted 10+ years and still update with new features?
It's one thing to mistrust a service or a provider if they really encrypt how they say. But at least with a commercial provider you've got a mutual binding contract and that helds someone liable to encrypt your email. On the other hand, you still got to prove they didn't in case of a breach. Buy when you said "it's convenient" what most people really want by paying someone besides convenienceis liability.
my only gripe with protonmail is that they keep trying to charge me for service i cancelled years ago. i don't have an opinion of their service one way or another, i just want them to stop trying to take money from me when i haven't used it in almost 5 years now rofl
Thanks for the video. I only want to use it for advertising trackers. I get ads inside Google email and when using Chrome it's just a treasure trove of targeted promotions. If I can avoid most of that I feel it's worth the money.
Write message in notepad, Zip it and password protect it, then email it as attachment. Then send a hand written letter to the recipient with the password. Easy!
Hello again, I am a computer service tech with thirty years of experience upgrading, fixing, and using PCs. a couple months ago, I began using Proton Email, along with their free VPN. Still thinking of upgrading to Nord VPN, because I have known about them for years. I find your vids to be entertaining, Informative, and well worth the time. Subbed...
I think nothing is private, if the government take interest in you then say goodby to your supposed privacy, they can outlaw and force provider to spill any info about you one way or another, true anonimity is boil down to just make sure you leave a little as digital footprint as possible, and dont be outspoken ot worse, record yourself.
Showed your bias from the start, had a clear primary point to make supported by a multitude of secondary points and logical conclusions which you even described some potential outliers for. I genuinely appreciate the no bullshit perspective of the video and found it to be incredibly informative and grounded. I am now even more convinced than I was before that Protonmail is right for me, and I now feel properly informed about the strengths weaknesses of the particular company, and the general service as a whole. Thank you.
came here for comments like these to be honest. so called "privacy experts" are just shitting on proton for no real reason other than that it was a small company that got big. I trust proton with my data no matter how sensitive. the only downside is that you have to pay up lol
@@shishibone yeah, the cost is unfortunate. Though I am glad they have options to pay for just the services you want. I'm finding I quite like their password manager.
@@d34ddud3 i agree. I first was sceptical about password managers as i just didn’t use them and it was weird coming from Firefox default login saves. But since I started using it (included in my visionary plan) i think it’s really neat to have my passwords synced between my phone and computer. As i tend to forget some logins quite often
Honestly, I do most of my work on my iPhone and iPad and I just want an email service that isn’t Gmail or Outlook and has better functionality than Apple email. I didn’t like Spark or Canary, yahoo is a joke, I’m not making my own server.. Proton checked off the boxes of what I want and them being more private than the others is a plus.
Hey Murphy ! I found myself recently wondering a lot about my privacy and the future of all of ours. It's pretty great what you do, and the shout out to Snowden won me over, cheers.
If u want a secure email service rent a server and domain and make ur own email server in thus I mean you dont want someone to give away ur info we'll they can't if they don't have it
@nsoolo And even if the traffic is encrypted... They can just seize your hardware. Or just, simply look at the other person's email and see what they sent you/you sent them. Email is a two sided thing. Doesn't matter how much encryption in the world you're using if the person you're sending it to uses none.
This is what I understood, correct me if I'm wrong. Email was never meant to be private and messages are encrypted during transit but google for example stores emails in plaintext. PGP can solve this by enabling 'end to end' encryption. I'm not sure how Whatsapp achieves its end-to-end encryption but despite PGP being a solution, it's a pain to setup and use by yourself. Luckily, protonmail enables PGP between proton accounts but if a gmail account sends you an email, proton scans the contents for spam and THEN encrypts it, which means they can read it. There was one case where proton revealed an IP address to the government which ended up in someone getting arrested. One IP isn't much which is good, but there's always a risk from the government with any email provider. Signal was meant to be encrypted from its foundation which I'll learn about soon probably from your channel (edit, you haven't made a video on signal, pls do one). So, proton is more convenient than alternatives and seems trustworthy but it can't be trusted 100%. Note: I haven't seen your emails video yet.
This is an excellent overview. I tink I'll buy a few pigeons. Or no, crows, training them like pigeons. I just hope they won't read my secret messages, crows are too clever. But nobody would suspect crows delivering secret mssages, right?
OWASP principle: don't trust service providers or "trust but verify". It's out there on a manual. It is simply not logical to think of service providers as invulnerable.
Technically you're correct but it comes under the broader banner of "zero trust" across an entire environment, not just within the bounds of application security. For example, it's estimated that around 80% of cyberattacks come from within an organisation through normal users of the system - and therefore zero trust treats users as equal to outsiders in terms of the security model you deploy to control what they do.
I honestly don't think that the country it's located in is that big of a deal. They all have to comply with the government, so I care more about how much (or how little) data they collect that they can actually hand over.
Another (imo bigger) issue with ProtonMail you don't mention is that it does not support mail clients and only allows you to use their own client in your web browser. This means that they can make immediate chnages to it whenever they want, which includes the ability to send malicious JavaScript to read and save your decrypted emails, and you wouldn't even know because it simply is infeasible to read all the JavaScript in the HTML every time you load the website. Another problem resulting from this is that you don't have control over your data as files; ProtonMail does, and you can only access it through a web browser.
I also think another issue about this that someone brought to the attention of me. You also have to trust that mail client to not weaken your security. Its a risk still.
What motivation would they have to send malicious JavaScript??? On the contrary, they have motivation to keep any mail that is routinely accessed by users safe. They have a reputation to keep up. On linux there is both an Import-Export app to "make offline backups with the Import-Export app", and for paying users, Proton Mailbridge. (BTW the arch/Majaro/Endeavor version is from the community and not directly Proton AG) You can immediately make backups and delete what's on their server. "Only access it through a web browser" is totally wrong.
@@notafbihoneypot8487 If ProtonMail allowed you to use a mail client, then *you* can choose a mail client you trust, even read it's source code, and update it only when you want. Since it doesn't, you do not have a choice but to place your trust on ProtonMail.
you guys use e-mail services? pfff i always count on my pigeon george. trust me he never speaks a thing about me
real mfs send letters manually
Funfact: Carrier pigeons were a distinct species, and one that went extinct due to over-hunting.
@@Naokarma idk who told you that but carrier pigeons still exist...
They mostly exist for showoff tho, people buy pigeons and breed them to get better pigeons each generation.
Wait until your avian carrier gets intercepted by feds' falcon. This is VERY unlikely to happen, unless you're Osama kind of guy.
@@a-_-a men of culture rfc 1149 is the future
Email in general cannot ever be truly secure. If one needs that level of total privacy there are other tools for said communication. With email, at best it's the equivalent of locking our doors at night - enough to keep honest people honest, that's about it. Determined people, either individuals or government agents, will find a way to crack emails.
Why not? Email has transport encryption between servers and between clients, it can have content encryption via autocrypt (or other methods including the Signal protocol like criptext), it has DNSSEC, TLSA, DANE. Encryption at rest can be done as well, or messages can be removed from server when delivered. What security holes are still left after all of that?
@@adamz1977 It was explained on the video, if you don't use PGP yourself and send encrypted data, the gov can make the company server comply with encryption removal at rest for that specific users etc.
Heck, proton if wanted can also push an logger script on the web so even PGP would not work if typed on the web app of them.
The only way for email to be secure is to type it on a offline editor which is not related to the email comany and encrypt it with PGP there. Then send it through email.
I.T. guy here; I hope I'm not witnessing someone defending faxes right now 😏
@@adamz1977 You can always manually encrypt your own data with a cipher. The only reason why Enigma was cracked was because an entire nation was intercepting hundreds of messages, original Enigma machines, etc - and devoting thousands of man-hours to cracking it! If you make up your own encryption, the scale that you operate at will make it even harder for people to crack.
As someone who literally sets up servers and mail servers are one of them, I can agree at some degree that you CAN secure email. BUT, can you still call it an email? And, the more you make it secure, the more complex it becomes that its a nightmare to maintain or even use. In the end, emails should never be used for something that requires security. Never send account information over email. And never use email for 2FA.
Exactly. I don't fully trust in any e-mail service precisely for the reason you mentioned: the protocol itself. If you have something sensitive to share to anyone, e-mail is not the right medium.
Same for SMS text messaging.
Except, maybe, you and your intended recipient exchanged ciphers ahead. Preferably in a face-to-face real world meeting. In a place where there's not a single camera for miles away.
That's what PGP is designed to do. Problem is trying to explain the sender on how to use it is the problem in itself. ProtonMail supports it and they make it fairly easy to use. I generate my own PGP keys on my computer so I know there's no escrow key attached to it. My Thuderbird e-mail (Linux) client automatically attaches my PGP public key so they can use it to send me encrypted e-mails.
It also frustrates me when people refuse to communicate by e-mail or such because they consider it unsafe but then act like Telegram is totally rock-solid. Well, to begin with, it requires a contract-based global ID (phone number) attached to an account, and then Telegram is under jurisdictions, too.
It is often better to use e-mail but have no smartphone than to use Telegram and a smartphone. But the 'popculture security sheeple' cannot be convinced after they already believe they are totally safe now with their cute little mass-used gimmick.
@@Dowlphin Or, even worse, Whatsapp, because it *allegedly* has E2E encryption enabled by default. But I have doubts if their 'encryption' doesn't have any backdoors, which can be used both 'legitimately' and illicitly.
ProtonMail is just a better alternative to gmail. That is it.
It isn't the holy savior of the mail privacy.
It's pretty good but I agree, it's neither the holy savior or the devil, it's just a good option if you don't trust Google
Functionality and availability wise, google is also very good. It just works. Both of them, indeed.
But privacy wise.... I will just say I try to not use anything coming from google. I am not there yet... but one day!
Yes, I absolutely agree with you.
The 5 most evil corporations that make money from harvesting user data are Google, Apple, Faecesbook, Microsoft and Amazon.
If you use any other service (including email) provider that isn't affiliated to those corporations or the CCP, then you are going to be more private than you were using services on any of them.
Email isn't encrypted unless you use PGP, at which point the body of the email is encrypted but the headers and the metadata are not - so someone from the outside can see who you were communicating with and what times, and may be able to guess what you were discussing purely because of that relationship. And that's something you just can't change with email.
@@joaomaria2398 the issue is once you use it you already lost the privacy, and your id.. you can only stop them from continuing to collect current data to send personalization at you.
I'd rephrase that: pm is not as bad as Gmail. Only in algebra is "not as bad" the same as "better".
the only privacy i care about is being sold for ads, i knew from the start they have to give up info for warrants which is fully justified. i just don't want random workers and ad companys in my emails. proton is perfect for daily use.
It's "fully justified"... until the laws keep changing and the warrant is for "suspicion of collecting rainwater in barrels on your own property."
@@YountFilmsure but honestly who is using email for anything other than signing up for things or sending colleagues or businesses a message to start a line of communication. Afterwards if security is a concern no one is using email…
@@YountFilmLaws dont just change by accident. At least in the US and Germany we ellect governments. I think we should try our best to fight this at the government level. There are lots of surveillance options way harder to circumvent like hardware backdoors, public cameras, other peoples digital devices etc.. So yeah, I'll definitely try to fight on that side. If this fight is ever lost, then yeah just ditch mail.
It seems to me that covering your tracks because the cops are after you is probably (hopefully!) more privacy than the average person needs.
The people that don't care about pivacy at all "I have nothing to hide" should think what could happen if uncle adolf was in command with access to all this data.
Just tell them to give you all their passwords so you can read what they say on facebook or in their emails. If they have nothing to hide then they should be OK with it.
😂😂😂
Plot twist: uncle KLAUS is in command with all the datas
The reality is that the people in charge are just as bad if not worse than him.
I wonder how many of those who have nothing to hide would let anybody put a camera in their house just to watch.
I have no illusions about Proton being a beacon of inviolable privacy against the evil forces of the world, I just like the service they provide. Not just the email but the entire ecosystem of services. It works really well for me in my situation.
As a fellow glowing fed I approve this message
@@rft253 Because the greatest programmer who ever lived told us so.
@@rft253It's because of the legendary quote by Terry A Davis, on how "the CIA (hard R nwords) glow in the dark, and you can see them while you're driving". Look it up, it's kinda funny, to be honest
@@rft253cause they're feds
@@rft253do NOT look up terry davis
CIA n*gg*rs glow in the dark @@rft253 Why? Probably the nanotech in their blood, luciferase, graphene oxide... who knows...
I switched to it after your email video, and I’ll use it because although they have shown they aren’t perfect, it is absolutely safer than Google Mail so switching to Proton was a net positive.
Exactly this. The people that kick and scream about protonmail to someone who's never heard of a VPN and have 1-3 Gmail accounts is really just missing the point. If they don't use proton they're probably just going to keep using Gmail, not open their own personal email server.
I've had caution to doing it for everything since some services are allergic to you using it. I guess if you wanted to be 99.9% private, you shouldn't be using the services that would have a problem with it in the first place.
If anything, I'm getting very mad with other email services making account deactivation policies that are going to just get shorter and shorter until maintaining them becomes a chore and a risk of massive account lockouts...
Edit: I read that Proton is doing the same thing... I guess it's neat you can pay for it once and cancel later and the account can remain active? But if they change the policy once, they'll do it again I guess...
@@AshnSilvercorp Oh yes, not just email services, but all internet services in general seem to be trying to prune anything they label as "dead". At this point in time, Proton is only resending any emails my Gmail gets, so nothing I use actually goes to Proton but rather Gmail, but I'll see what services in the future I can use Proton with natively.
@@AshnSilvercorp They were forced by the Swiss government to give his data, and unless you know the context, as I read this peasant what he wrote to the US government or somewhere, he threatened them and seriously, so I guess it's better after all to turn one man in than to have others commit su*cide from his false threats.... in short: it's one good thing, one bad thing that they ratted him out, because they broke their confidence a bit, but at the same time they helped catch the person through whom suic*des out of desperation could sprinkle
Plus Gmail now ask to add a phone number with out a choice, dont know how long or when that start it. But it wasn't a thing when a open account at Gmail, now i'll Try Proton Mail till they decide to also start asking for such verifications to verify.
If your hiding from the government you need to be using more secure communication anyways, if you just don’t want your email scanned and data sold then proton is pretty good
I'm new to internet security. What would you use for such a situation?
@@TheBlackStrangerEmail is fine if you PGP encrypt the contents
@@TheBlackStrangeror maybe signal?
@@TheBlackStranger Signal or Telegram
exactly, that's the main reason I use proton...
honestly this was the best Ad for Proton Mail, sensibly discussing the technology and history, flaws and benefits. i hope they pay you, because they probably got a few subscriptions bc of this video.
PGP is actually easy to use, but it's a pain to maintain a list of public keys for all your friends
I will say doing verification with it isn't really well explained. I've tried to use it to verify Linux iso's a few times, and the process is never really well explained on the install pages.
@@AshnSilvercorp it's pretty easy. If you want a video guide for it, check out Mental Outlaw's new Tails guide- he explains the process of verifying the ISO there.
You're contradicting yourself.
Try getting anyone else to use it!
@@tedrice1026 Exactly. That's the only hard part of it. And although I agree that distros should at least link to a guide or something explaining how to verify ISOs, that's a general issue with all open source projects... the number of times I've tried to find a proper install guide for some github project is way too dang high.
Protonmail is good for what it is. Even hosting your own mailserver isn't 'fully secure' and if you are sharing sensitive data there are better protocols.
I don't know - it seemed to work well for Hillary! Just keep a big hammer on hand.
She's got democrat privilege, that's what you're forgetting@@tedrice1026
@@tedrice1026 I suspect she had insider help, although, admittedly, I have no evidence for this. Only the fact that I cannot, *cannot* imagine that the secret services did not know she was doing it.
I suspect she or good or Billy had connections of some sort to help them set this up in the first place, and secondly, to prevent them from getting into serious legal trouble.
If I were to suddenly run my own mail server or my own mail address and use it for work, my employer would have me booted from the company in no time. I do not believe for a second that nobody knew from the get go what she was doing.
@@tedrice1026😂😂 fair enough
As a CIA Agent I love Proton Mail, makes over throwing democratically elected governments the world over a breeze. All my friends, family and global espionage network connected in one place
Tim what did we talk about you telling people you're a CIA agent.
@@notafbihoneypot8487 let me guess, you wear a white coat and offer people a temporary place to stay? 😉
@@notafbihoneypot8487 😅
Oh snaps! 🤣
Please report to sound proof conference room for "remedial" training regarding the release of internal operational procedures.
PGP isn't really confusing, it's just kinda a pain adding extra steps
This
Have you tried the autocrypt standard though? There's zero friction using that with clients that support it fully (like Delta Chat).
I find it funny. PGP was great. BUT then Symantec bought it and wtf happened? It’s still around but what a shit show. I miss the PGP desktop.
Pgp I have still not had it work out and i tried it all so what are u talking about its impossible
What is ur opinion about OpenPGP as in Thunderbird available?
this is actually a good reminder for me to go through my multiple emails and do some house cleaning, delete mails from services i am no longer using, delete emails that are a decade old and most importantly unsubscribe from all the email newsletters
Proton + SimpleLoguin
Rules for Life .
1. Do not trust any Device , system or service , ever .
2. Never forget Rule 1.
Then what's the point of technology? Might as well trust something.
@@nightowl425 Good luck with that .
@@nightowl425 you use it cautiously. Just because you use it doesn't mean you have to trust it.
I appreciate this explanation. I was completely unaware that Proton Mail was so divisive. No wonder I get weird looks when I give out my email address. I have nothing more than a standard account & I'm not sponsored in any way. But I've been quite happy with it. 👍🏻☕️
I agree, but I will also add that the person who wants to be invisible has to not only stop using email, but also reduce social connections to almost zero.
Facebook was capable years ago of creating panthom profiles of people not on facebook, just by all the info he had on your friends and family. So if you have communications with people who are leaking data everywhere, they can still pin point you.
Facebook is for surveillance and never for privacy.
Their logo is an evolved form of an freemason logo.
I trust no tech companies at all that have their hands into survaillance,that is on the Stock Market that is owned by the evil 1% and that funds or funded the WEF.
You do not have disown socializing with others.
You just have to avoid being so honest with others about who you are.
@@azure4real if they are socializing with a non-existent avatar, are THEY socializing with you? are you socializing with them?
I'd say not really, one of the joys of socializing is to get to open up about who you are. If not, is just glorified weather-talk.
No. Email is an ancient technology. Email will always use port 25, which is unencrypted. ProtonMail may encrypt your email, but port 25 will leave a rabbit trail directly to your contacts. You'll be discovered via your contacts. So, there is no privacy in email.
one thing you forgot to mention that even emails encrypted with TLS are not safe from a MITM, you can trivially downgrade to plaintext or even just straight out not present a valid certificate. The only way to have authenticated TLS connections safe from a MITM is to use a service that supports MTA-STS and DANE, which sadly isn't very widespread.
True. Another example of email being inherently insecure.
@@EricMurphyxyz No, that's an example of a security hole being fixed. The word "inherently" means permanently, but as @jacksoncremean1664 already said, those MITM attacks can be mitigated with up-to-date security best practices.
@@EricMurphyxyz
Hey..
When I found out it was created by the Intel agency
I deleted my free Proton app...
It redownloaded onto my phone all by itself..
But it doesnt show up in my apps list...
How the heck do I remove it ?
There is no way around coding your own e2e solution if you want peace and freedom.
@@braddockbrawler
Hi.
Can you please tell me if you get this?
I got my first PGP key at a key party in Houston in the 1992 or so.
A member of the Free Software Foundation or something similar was there with a laptop. We took a floppy diskette to the party where the guy with a laptop would generate our key for us. He was pretty busy at that, too.
The real problem was that once I got back to the office with the diskette, I had no idea what to do with it.
I must know what a key party is
@@Dryblack1 It was an event at a local bar where you could go to meet people and verify identities to sign each other's keys. And if you didn't have a key, you could take a floppy disk with you and someone there with a laptop could create a key for you and save it on your floppy disk.
In our case, the guy with the laptop creating keys was a lawyer who was highly involved interested in the EFF (Electronic Frontier Foundation).
@@ej2953 Fascinating, thanks for sharing!
I think this feels like a similar situation to signal where all they could give was the ip address where they logged in from
so I think as long as you pair protonmail with vpn there should not be a danger of leaking ip address
It is hard to teach the use of PGP/GPG to people who do not know what a file is.
Signal still uses a public identifier (phone number) and so can still be used to find your identity. One needs to compartmentalize one's contacts.
Thus Signal is shit re privacy by having to give your phone number- it totally negates so called benefits.
@@brunoterlingen2203 kind of. Even generating one random number and having you use that has this problem, unless each person you talk to finds you with a different unique number.
Phone numbers are extra bad, because they are a common identity proxy in all facets of life.
Signal is still very secure and pretty private, but it is not anonymous.
Yeah that's why I never understood people constantly advocating and trying to get me into telegram.
Sure it's not discord. But telegram requires my phone number, constantly broadcasts the last time I even clicked on the desktop app or looked at the mobile app, and then there's the read receipts. It felt like the more someone was trying to convince me to use telegram, the more of a stalker they were.
Protip; if you're a drug dealer, don't do business over public email
Or online at all
Email used to be just sent and not stored in the server. If everyone were to do that, at least when any entity wants to snoop it they can only see mails in transmit, not seeing years of data.
You can absolutely verify the code running running in your browser, and therefore you can verify if your PGP/GPG key is generated client side and then only sent to Proton Mail in encrypted form.
Yeah, that seems obvious, I was wondering if he meant something else but then I'm not sure what that something else might be?
Yes but you hit the nail on the head in your first sentence:
You can absolutely verify the code running running *in your browser*
I cannot easily deduce what happens on the backend/server side of things. On top of that, as someone else pointed out in the comments, even if you use an open source product (which Proton mail now is), how do you know that the code in the repo is the code that is running in your browser/front end/back end?
@@masterTigress96 Well if it's not backend you could just compare the open source code and the stuff you got
Love your channel and how honest you are! Please make more videos like this!
with messaging apps being more secure, I can't remember last time I actually wrote an email. I basically just have an email address for purchase receipts for online shopping and website sign ups
Very nice endorsement Eric, your badge and money payment will be at the standard dead drop.
You're literally part of my pipeline to privacy-conscious in that image at the end LOL I use a hardened Firefox cuz of you (although I am having a severe memory leak issue with it that I have no idea what's causing it yet [EDIT; it was a CSS theme causing the leak LOL])
Librewolf?
@@SomeRandomPiggo no I would've said a branch if I was using that
@@Zippy_Zolton They're not asking if you use Librewolf. They're suggesting to use it.
Waterfox is better in that regard. Operates on the same code stack as well so you can still use the same plugins.
@@cjmoss51I'm sure it is, but I am currently sticking with Nightly Firefox
One thing I want to point out is that governments aren't the only party that one should want privacy and protection from. For each case of a government using online services and platforms to gain info on activists, whistleblowers, etc, there is one of corporate entities doing the same. Also in many cases, governments pursue whistleblowers, investigative reporters, etc on behalf of corporations, e.g. the Steven Donziger case.
I agree completely with your main point, but I don't know if it's fair to call a corrupted judicial system "government working on behalf of corporations", specifically the Donziger case. The line gets a bit blurry, but it's still corporations and their money corrupting the system. usually individual judges. I wouldn't call that "the government".
@@squirlmy Yeah true, I was typing "governments" while thinking "states" there.
@@squirlmyWhat? Government isn't government when it's local and corrupt?
probably a good thing to note how web-based FOSS programs don't always have proof that you're using the version containing the code publicly available.
I didn't think about that before, thanks, now I have another thing in my list to worry about lol.
You're definitely not simping for Microsoft, you didn't even cover Hotmail, Live or Office 365, which is bizarre.
He did in his original video, it was the first or the one after it
Proton seems like the happy medium between privacy and convenience, so long as your not the tallest nail or low hanging fruit your probably not worth the governments time.
People used to say that email was like a postcard, readable by anyone who handled it. Now, it's like a letter in an unsealed envelope. Super-secure email is like a letter in a sealed envelope: the people at the sorting office know how to steam it open without leaving a trace.
Of course you can write your letter in code, so it's unintelligible to anyone who can open the envelope. But the envelope still has postmarks/franking, a return address, you've left your fingerprints all over it. You can wear gloves while handling the letter, use a remailing service, but can you be sure that you've covered all your bases? No, you probably can't.
What matters is WHO you're trying to hide stuff from. If it's a nosey neighbour or jealous partner, they probably don't have the wherewithal to conduct a forensic analysis of your mail. But if it's a government or other serious organisation on your case... you should look into alternatives to the mail.
Honestly, PGP/GPG is _not_ difficult or complicated at all. It takes only a few moments with our friends Alice and Bob and you'll educate all but the most technologically challenged. The hard part is finding other people who'll use it, leading to a feedback loop where eventually even privacy/anonymity focused folks give up on it; and that's why if there's one thing I disagree with in this video, it's how Eric constantly refers to it as if it's monstrously complicated, thus dissuading people who might be inclined to give it a try from even looking into it. If you've sat down long enough to install Linux and even learned how to use it, you can figure this stuff out. Believe me.
You gain a subscriber, the way you explain / edit and the quality looks insane effort i wish you be one of the largest youtubers on tech and related topics ❤
I had complete forgot about the proton mail french activist thing, and i recently made an proton email for crypto just to seperate it for my other ones, im glad i found this after and watched all the way through, you explained it very well, good video
I'm trying to change my email provider to more safe/secure. I am not concerned about govt snooping, I am fearful of data breach access to my online emails that contain a lot of very sensitive info. Financial, etc.
I mainly use proton for the aliases so that when an alias of mine gets hacked, i can recover my accounts under that alias, switch those accounts to a new alias, and delete the old unsecure alias. My emails use to get hacked a lot so an alias attached to my main email just makes me feel more secure.
I think they have some. I don't know shady tactics for upselling and they also have some complications where if you try to downgrade from a paid account to a free account. The amount of horror stories I see of people that have a paid account and then want to switch back to a free account or they have a paid VPN but they don't want it anymore but they lose access to their free email account.
You talk with a similar inflection to my childhood best friend’s mom. It’s oddly comforting.
Excellent subject matter explainer, top class!
Really appreciate it!
how you are verified with so low subs
@@sguptzz it's a stupid Google+ thing from 2011.
GPG doesn't need to be CLI only. There are GUI apps like Kleopatra that make it really easy 🎉
Lol I once reccomended Kleopatra to someone and he wasn't able to figure it out
@@Antek1234l lol yeah I mean it's not for everybody, but it makes 'the thing' easy for anyone invested
True, I agree, it's much easier than cli version
@@Antek1234lI actually found kleopatra more confusing than cli lol, the gnome one is good, but I use kde so gtk apps look worse, I'll stick with cli.
Yeah, everyone has different preferences, some programs are just better as a cli tbh
11:01 Actually Thunderbird supports PGP so you can set it up on that without a lot of work or needing the command line.
I'm loving Proton email and calendar right now.
My issue with proton is that it's very expensive for personal use if you want a custom domain for your family, this is the sole reason I don't use it.
Please, make a video about tempest search engine and browser.
Even i have never heard of that.
I used PGP many years ago, and I recall how difficult it was to set up and get going.
Read the bible kid, even if you don't like candy it's useful to learn it
It has gotten alot better these days. Thunderbird automatically handles the keys without installing some add on.
It's all about TRUST... everywhere!
Kind funny that people expect companies to not comply with the government's requests. If they don't comply they can have their business shut down or go to jail.
Thanks for the thoroughness and the provided context
even signal has the same problem of setting up your encryption for you. the app is open source but the desktop app updates like every day, are you really going to check the binaries match the open source version? Or do you trust google play to send you the right program and not spy on you? hopefully you could verify the binary of the open source vs local copy, but most people don't know how to do that. I mean that's still better than web apps but theres still a slight problem
One reason I changed from gmail was I noticed they would go through my emails and create calendar entries from them. A family member sent me their travel itinerary and I started getting calendar notifications for flight times. Confused, I went through and found the entries matched up with the flight times from their travel details.
But I've now noticed that Proton is doing the same thing. Work emails come in and now there are calendar entries. I don't like this at all. Clearly their systems are going through the emails to some degree.
Proton has also really slowed down for me over the last month or so too.
Google is probably getting the flight info from other apps on your phone such as your browser search website activity etc. Even your "Notes" App.
@@andre1987eph That's possible in other cases. In this case, it was emails sent to me. I had no browser history/searches/etc.. or notes. There really was nothing else apart from the emails as they weren't my flights and I had no idea about them.
nothing is safe online
My email been compromised before I was even born.
Proton mail, as compared to google, Yahoo and or Outlook mail, is like a messiah is to a religion. Its the best you can get. But, as noted, it is only encoded end to end if you are sending proton mail to another proton mail address
Swiss laws for privacy are the strictest in the world. Only a Swiss court with a legitimate court order can do anything to Proton. This is why Swiss banks are the popular choice for the wealthiest on the planet. Which makes using Proton Mail the best choice as well. Swiss laws make it so no companies have to comply with outside jurisdictions. Proton doesnt have to comply with any request or any legal action that isnt from a Swiss court ... and Swiss courts dont listen to outside jurisdictions (unless something is a direct threat to the Swiss people).
*a direct threat to the Swiss people* - like Russians😂
@@zhang-boyuHaha, exactly.. "Neutral" Switzerland has implemented more sanctions against Russia than the EU itself but not a single sanction against Izrael. 🤔
Also, the world's most influential psychopaths meet every year in Davos to discuss how to proceed with their manipulation of world affairs, completely against all the democratic values and processes they claim to stand for while at home in their "sovereign" nation states.😏
I'm a security nerd. I used to run my own email server but you can't get people to use PGP. I've been a ProtonMail visionary supporter since the beginning. It's the only service I'll use now.
Govt goes to email providers asking for a criminals inbox. Finds spam and password reset forms. Lol.
E-Mail is not inherently insecure, if you manage your own S/MIME or PGP keys, you have real end to end encryption. You can even use POP3 to collect your mail so it isn't permanently stored on the server.
The advantage of Signal is that it is easier to use, so your peers bad security practice is less likely to get you into trouble.
You mean IMAP, not POP3
No, he meant exactly pop3 and not imap.
I route Proton mail through my own domain name. When I set that up Proton required/suggested that I install a PGP key at the domain server via DKIM parameters. Your email will work without it, and its a pain to install at some domain providers, but it works, and Proton gives you a tool to test whether you've successfully set it up. I like that and that part of the pgp seems to work from that point forward. Yes if you send something to an email service owned by a company in silicon valley then, yes, there's probably a risk of getting cancelled depending on how based your beliefs are.
If you're really worried, you can always use Proton's secure function which open's an email taken out in a protected environment using a separate password.
Not an expert but that seems like a good solution for things like ssn's or your next great invention.
I am just now looking to start using Proton, and to be fair, Government should be able to ask to see data based on a a judge decion, not anythime they feel like. For me, I don't do anything illigal, so I am not necesarely afraid of a judges, but I do want an alternative to Google. I understand that if you want to be as secure as you can be, you need to run your own infrastructure, but for now I am looking basically to not depend on google for e-mail and storage.
Cool. I’m glad Kermit found a voice-over gig. Nice.
With true client controlled end to end encryption (which CANNOT be the case for metadata with inter-provider email, except maybe if you are literally sending them just a webpage that decrypts the message client side) - as you explained earlier about pgp), no need to trust the provider. For any other case: If the provider is in one sort of country, they can be legally compelled to give what they have to law enforcement. In the other sort of country, you cannot legally compel the provider to adhere to what they promised you.
The problem is people are misled through lack of knowledge. They don't understand that mail in and out of protonmail is plain text to and from all others. This is where law enforcement waits.
It doesn't go encrypted. Protonmail can't see it when the email has been encrypted or decrypted, but can before and after.
The only time it is secure is when two users connect to the site and keep emails inside protonmail.
There are so many that use their app and get caught.
Protonmail is encryption to server, not encryption in transit.
Thank you so much for your channel..
What are your thoughts about Calyx Institute and Hotspots?
Encrypt your text (hard as you wish).
Convert birary to Base64.
Paste into any email.
Send.
-
Copy base 64 of the email.
Convert base64 to binary
Decrypt the binary.
Read.
-
Just encrypt it by yourself. Send you public keys, protocols, and decryptors in "creative and secure ways."
I use mail fence if anyone has read about it
See man I wouldn't mind switching over to any mail service as long as it lasts, that why I willingly use gmail or outlook because I know it will be there even years after, how many third party mail services have lasted 10+ years and still update with new features?
It's one thing to mistrust a service or a provider if they really encrypt how they say. But at least with a commercial provider you've got a mutual binding contract and that helds someone liable to encrypt your email. On the other hand, you still got to prove they didn't in case of a breach. Buy when you said "it's convenient" what most people really want by paying someone besides convenienceis liability.
6:53 oh deamn, what an ABSOLUTE CHAD
This guy is to the point and secretly has ASMR energy.
It actually simple. Companies advertising privacy need only have as much integrity as Lavabit showed.
Not true - Lavabit had your keys they could hand over - proton does not. So much disinformation about proton.
Actually wasn't saying anything bad about proton, from what I've seen they are good people who keep their users safety at heart..
my only gripe with protonmail is that they keep trying to charge me for service i cancelled years ago. i don't have an opinion of their service one way or another, i just want them to stop trying to take money from me when i haven't used it in almost 5 years now rofl
Damn, that one news you flashed on the screen is more than enough to make me NOT make a protonmail account 😂💀
Thanks for the video. I only want to use it for advertising trackers. I get ads inside Google email and when using Chrome it's just a treasure trove of targeted promotions. If I can avoid most of that I feel it's worth the money.
Write message in notepad, Zip it and password protect it, then email it as attachment. Then send a hand written letter to the recipient with the password. Easy!
Hello again, I am a computer service tech with thirty years of experience upgrading, fixing, and using PCs. a couple months ago, I began using Proton Email, along with their free VPN. Still thinking of upgrading to Nord VPN, because I have known about them for years. I find your vids to be entertaining, Informative, and well worth the time. Subbed...
> Trashes on Proton Mail, but uses an Android or iOS smartphone everyday, not questioning it's privacy.
Haha
Couldn’t be me…
Or windows
Better discard all electronics and live in a cave
but Apple triple pinky promised to never give stuff to the feds (publicly)
I think nothing is private, if the government take interest in you then say goodby to your supposed privacy, they can outlaw and force provider to spill any info about you one way or another, true anonimity is boil down to just make sure you leave a little as digital footprint as possible, and dont be outspoken ot worse, record yourself.
Watch your tongue, I will not allow anyone to take even a single one of my dank memes.
Showed your bias from the start, had a clear primary point to make supported by a multitude of secondary points and logical conclusions which you even described some potential outliers for. I genuinely appreciate the no bullshit perspective of the video and found it to be incredibly informative and grounded. I am now even more convinced than I was before that Protonmail is right for me, and I now feel properly informed about the strengths weaknesses of the particular company, and the general service as a whole. Thank you.
came here for comments like these to be honest. so called "privacy experts" are just shitting on proton for no real reason other than that it was a small company that got big. I trust proton with my data no matter how sensitive. the only downside is that you have to pay up lol
@@shishibone yeah, the cost is unfortunate. Though I am glad they have options to pay for just the services you want. I'm finding I quite like their password manager.
@@d34ddud3 i agree. I first was sceptical about password managers as i just didn’t use them and it was weird coming from Firefox default login saves. But since I started using it (included in my visionary plan) i think it’s really neat to have my passwords synced between my phone and computer. As i tend to forget some logins quite often
Honestly, I do most of my work on my iPhone and iPad and I just want an email service that isn’t Gmail or Outlook and has better functionality than Apple email. I didn’t like Spark or Canary, yahoo is a joke, I’m not making my own server.. Proton checked off the boxes of what I want and them being more private than the others is a plus.
I didn't watch the video yet. Answer:
No you can't. They will randomly close your account and you are SOL. They are unreliable
Hey Murphy !
I found myself recently wondering a lot about my privacy and the future of all of ours.
It's pretty great what you do, and the shout out to Snowden won me over, cheers.
If u want a secure email service rent a server and domain and make ur own email server in thus I mean you dont want someone to give away ur info we'll they can't if they don't have it
@nsoolo And even if the traffic is encrypted... They can just seize your hardware. Or just, simply look at the other person's email and see what they sent you/you sent them.
Email is a two sided thing. Doesn't matter how much encryption in the world you're using if the person you're sending it to uses none.
This is what I understood, correct me if I'm wrong. Email was never meant to be private and messages are encrypted during transit but google for example stores emails in plaintext. PGP can solve this by enabling 'end to end' encryption. I'm not sure how Whatsapp achieves its end-to-end encryption but despite PGP being a solution, it's a pain to setup and use by yourself. Luckily, protonmail enables PGP between proton accounts but if a gmail account sends you an email, proton scans the contents for spam and THEN encrypts it, which means they can read it. There was one case where proton revealed an IP address to the government which ended up in someone getting arrested. One IP isn't much which is good, but there's always a risk from the government with any email provider. Signal was meant to be encrypted from its foundation which I'll learn about soon probably from your channel (edit, you haven't made a video on signal, pls do one). So, proton is more convenient than alternatives and seems trustworthy but it can't be trusted 100%. Note: I haven't seen your emails video yet.
I LOVE PROTONMAIL!!! Better then google and live accounts.
This is an excellent overview. I tink I'll buy a few pigeons. Or no, crows, training them like pigeons. I just hope they won't read my secret messages, crows are too clever. But nobody would suspect crows delivering secret mssages, right?
OWASP principle: don't trust service providers or "trust but verify". It's out there on a manual. It is simply not logical to think of service providers as invulnerable.
Technically you're correct but it comes under the broader banner of "zero trust" across an entire environment, not just within the bounds of application security.
For example, it's estimated that around 80% of cyberattacks come from within an organisation through normal users of the system - and therefore zero trust treats users as equal to outsiders in terms of the security model you deploy to control what they do.
Surprised you didn't call out Skiff being US based
I honestly don't think that the country it's located in is that big of a deal. They all have to comply with the government, so I care more about how much (or how little) data they collect that they can actually hand over.
Honestly I’d prefer a service that is completely honest about these things, telling you: we can’t make it perfect but these are the things we can do
Another (imo bigger) issue with ProtonMail you don't mention is that it does not support mail clients and only allows you to use their own client in your web browser. This means that they can make immediate chnages to it whenever they want, which includes the ability to send malicious JavaScript to read and save your decrypted emails, and you wouldn't even know because it simply is infeasible to read all the JavaScript in the HTML every time you load the website. Another problem resulting from this is that you don't have control over your data as files; ProtonMail does, and you can only access it through a web browser.
That only applies to the free plan. You can use regular clients on the premium plans
I also think another issue about this that someone brought to the attention of me.
You also have to trust that mail client to not weaken your security. Its a risk still.
What motivation would they have to send malicious JavaScript??? On the contrary, they have motivation to keep any mail that is routinely accessed by users safe. They have a reputation to keep up. On linux there is both an Import-Export app to "make offline backups with the Import-Export app", and for paying users, Proton Mailbridge. (BTW the arch/Majaro/Endeavor version is from the community and not directly Proton AG) You can immediately make backups and delete what's on their server. "Only access it through a web browser" is totally wrong.
@@daliareds Such a basic feature is behind a paywall? That's even more sus
@@notafbihoneypot8487 If ProtonMail allowed you to use a mail client, then *you* can choose a mail client you trust, even read it's source code, and update it only when you want. Since it doesn't, you do not have a choice but to place your trust on ProtonMail.
A similar video about proton VPN would be great!
Can you do a comparison between proton suits of products vs skiff products?
it is better eating suspicious food than eating rotten food
Good video, thank you. Good graphic at 16:35