I've been following this on X/Twitter and I think one of the most egregious things that's important to point out is that folks from Phrack reached out to Proton in private multiple times, and Proton ghosted them. Proton only engaged with them and then reinstated the accounts after Phrack went public and their X/Twitter post went viral.
It also looks like one of the writers filed an appeal with Proton and Proton denied the appeal, so they manually investigated the incident and refused to reinstate the account and then only did after this got attention on X/Twitter.
So make no mistake about it: Proton didn't just disable the accounts after whatever CERT complained, which would have been bad enough - they also didn't do anything about it until this started getting lots of eyes on social media.
Proton does not require a shred of proof that you are a real human being either, FYI. I'm not actually attacking them for this specifically, because I feel that we need privacy focused tools, however the fact that I was able to create a few hundred proton email addresses in seconds by injecting usernames/passwords was scary, even to me. I'm surprised they aren't on spam block lists worldwide. Their captcha is child's play that a script can defeat with simple image examination. I encourage them to buff up their spam controls, just a bit, and decrease moderation by a lot unless they can promptly deal with cases such as this.
I dropped Proton when a ton of services (all the major A and B tier cloud providers I tried for starters) could not/would not activate an account with a proton email.
Email is a critical infrastructure these days. Most people have neither the time nor the will to deal with emails failing to send and/or be delivered. (Send or receive)
Their controls are buffed up: all of those accounts are linked due to having been created with the same IP address. If one is blocked, they all are. If you try to circumvent this with a well-known proxy (such as Tor or a V"P""N") you will find that captcha activation will not exist as an option.
That definitely doesn't look good from a privacy POV. If they do not want abuse, they ought to use other means. They should not associate IPs with account creation. That is kind of scary. In fact, if what you have said is true, then one's account can be blocked by someone else's mischief on the same IP, which is not very uncommon at all, i.e. sharing the IP.
I'll go out on a limb and say it: it's an American cybersecurity agency. Proton's CEO/Proton[1] loves the current US admin. I wouldn't be surprised if they comply now and ask questions later, if at all.
1. According to the now-deleted Reddit comment from the official Proton account glazing Republicans, so I assume they were speaking on behalf of all of Proton. https://theintercept.com/2025/01/28/proton-mail-andy-yen-tru.... I have zero evidence except for the CEOs questionable public statements, but I wouldn't be surprised if Proton turned out to be the 21st century Crypto AG.
So clear that you can present the least evidence for it aside from the CEO's saying a thing or two that doesn't automatically spit on the current administration?
> Proton's CEO/Proton[1] loves the current US admin
The CEO once expressed support for Gail Slater as head of antitrust and subsequently criticized lack of effective work towards tech regulation on the Democratic side in the same social media thread.
Calling that "love for the current US admin" (which hadn't even taken office when those statements were made) is pure disinformation.
Half the American tech landscape is either running toward Trump's bed or bending right down and making all the right mating signals in hopes of some interest, but a few pro-Republican comments from the Proton CEO should be held as immediately and deeply suspect of this company being a honeypot?
People of all kinds can say certain positive things about the Republican Party for different reasons in specific contexts and not be fanatics you know. That's how using actual reasoning and nuanced discourse works in the world of not throwing your brain in the garbage through ideological rigidity.
Why should there be fallout from supporting the current admin? Tech companies colluded with the government during the Biden administration to censor American citizens.
I never saw any outrage. Only memory holing and denial.
> Why should there be fallout from supporting the current admin?
Well, why or why not doesn't matter; there _was_ backlash. And to my recollection, he made some rather bizarre defensive posts on Reddit that were later deleted and replaced with a corpo response.
Ideological rigidity or not, I'll bet dollars to donuts that Proton disabled the accounts at the behest of an American agency. All the highfalutin talk is missing my main point.
Sadly, Proton was, until now, a serious and perhaps leading contender for where I might migrate my email as I reduce my dependence on Google. They felt more credible than Tutanota, and less mainstream corporate than Fastmail. Not sure where to look now.
They say: "Regarding Phrack’s claim on contacting our legal team 8 times: this is not true. We have only received two emails to our legal team inbox, last one on Sep 6 with a 48-hour deadline. This is unrealistic for a company the size of Proton, especially since the message was sent to our legal team inbox on a Saturday, rather than through the proper customer support channels."
You'll note that Proton's PR only mentions the second date - " last one on Sep 6 with a 48-hour deadline."
Proton doesn't mention that the first email from Phrack which Proton ignored was weeks prior to that, which is what led to the second email in the first place.
You'll also note that Proton doesn't mention that their Abuse Team refused to re-enable the account after the article author did the appeals process, as per Phrack's timeline at the top of their article.
That's a great point. I guess at this point it'd be ideal for them to treat this as an incident and do a proper postmortem with timelines and decision calculus.
But that would be contrary to their clear intention thus far: to sweep this under the rug. /s
I had previously liked Proton. I started seeing bits and pieces of info about their security being lackluster over the past year or so, causing doubt about their credibility. I'm definitely done with them after this.
This is honestly sad to see. I use Proton and advocate it to others. This does make me rethink my position somewhat - although I’d argue it’s still better than Google / Microsoft-owned email services.
To be honest, I've found Proton's public customer service representatives to be very duplicitous, so it's hard to take their word at face value. It's pretty ridiculous to see their response to legitimate concerns start with: "That doesn't sound right..." 80-90% of the time.
The whole "we have only received two emails" is a classic move of every company caught with their pants down. Considering Proton's history, they don't get the benefit of the doubt on this one.
As for the "company size excuse" sorry but considering the business you claim to be in (the private and secure email), having an on-call skeleton crew legal team available over the weekend for urgent requests is a bare minimum (and I'm pretty sure they have people available to hand over everything the cops request if "the proper process is followed").
Remember that they have turned over information in less than 24 hours before (for what they call an extreme case of course). So the "size" excuse doesn't hold. Doesn't matter how urgent it is, if they are the small bean they claim they are, there is no chance they can have a turnaround of less than 24 hours.
Again, it's not what they did that's the biggest issue, it's the coverup. Just like last time they got in hot water. Because the coverup raises a lot more questions.
If you don't have enough people to run your business you're doing it wrong. If you don't have enough money to hire people for your business, it's not a viable business.
> having an on-call skeleton crew legal team available over the weekend for urgent requests is a bare minimum
I don't know about Switzerland, but in Germany, no company will be available "over the weekend". Almost everything on the internet in DE is Mo-Fr 9-17.
The true value of a company can be measured by our ability to communicate with them. If we can't communicate except after public outrage, then what does that say about the company?
Here's a genuine question: is Proton Mail the least shitty of companies that provide email services?
I self-host email and will continue until I die. But for others who need a company to do this for them, is Proton Mail the least shitty of options? Does this change the evaluation? I'm genuinely curious about the opinion of others here.
I self hosted for 20 years, worked flawlessly, gave up because of security concerns. I would like to go back to it.
Question: How do you manage the security on such a box? Is there any simplification I missed?
I couldn’t keep up with it. So many patches, unrelated to mail, broke something in the stack, bringing the server into a critical state. Often, I had to lock down everything before going up again, consuming a day’s effort or two. These were two days without mail.
To answer your question, from my limited experience: no.
There are better or less shitty companies like Fastmail, Runbox (tried them), even Purelymail (but a 1 or 2 people setup), Mailbox (shitty support, solid setup; I am a customer), Migadu (good name, I have never used them), there's Tuta (but somehow they seem off to me; like Proton they also do not allow IMAP/POP - Proton allows with some circus), MXRoute has a good name at places like the LET forum. There's even Zoho if you just want a mail service (but then if you use Zoho then the only reason to not use Google or MSFT will be cost or just the middle finger :D) … and many more.
So there are options.
PS. as per self hosting email - I can't self host my seedbox properly on a VPS, I don't think I should even try email :)
Not allowing IMAP/POP isn’t just for the lulz, it’s not compatible with the encryption architecture Proton uses, which is kind of the selling point of the product. You can either have your emails encrypted at rest with your key OR you can have plain IMAP/POP without a bridge client, you can’t have both.
I never really understood the point of that. If you are exchanging emails with someone using one of the most popular email services that together make 99% of the marketshare, their server retains your email unencrypted anyway. So the only time that encryption will really matter is when emailing someone who is also using Proton.
Forget about self hosting email... I tried it for years, and even if you get it working (needs months), it will eventually stop working again. The problem is that in order to get the big boys to accept you as an email provider, you have to jump through infinite hoops, and be treated like a criminal and/or scammer in the meantime (or at best a business that is trying to send newsletters). You will never get a human to talk to, it's just an infinite loop of automated processes.
Anyway, the problem is "trust" which boils down to IP reputation. And since we are all still on ipv4, your IP was reused. Which means you need to spend months cleaning it. And you won't have a guarantee that you won't lose this IP in the future.
> I tried it for years, and even if you get it working (needs months), it will eventually stop working again.
I've been self-hosting for decades and have never, ever seen the sort of problems you suggest. Once it's working, it's working.
When people have a problem, it's usually because they are trying to either:
(a) host off a home internet connection; or
(b) host off a less than reputable hosting provider.
Both of which should frankly come as no surprise to anyone with a modicum of technical know-how.
Hosting off a home internet connection, assuming the ISP will even open the ports in the first place, has been something to avoid since, well, basically forever ... certainly anywhere after the late 90's.
Hosting off a less than reputable provider is the same. I'm not going to name names, but certain providers are well known for originating spam or not responding to abuse@ messages.
I too have self-hosted for decades, there was a brief period of annoyance where I had to set up SPF records long ago, but since then it hasn't been problematic AFAIK (not that I'm in constant contact with people on all the major providers).
However, a close friend and fellow ex-sysadmin who also has self-hosted since the 90s, has had some headaches in recent years. He upgraded his dedicated server at the same US provider I use, without attempting to preserve his original IP addresses.
He hosts email for his wife's small business, and with the new IP addresses has come a lot of problems.
Her billing is performed primarily via email; when the emails get blocked, her income is directly affected. It's so bad sometimes I'd say it's straining their marriage.
This isn't at a disreputable hosting company. It's simply the reality of provisioning new systems receiving new ipv4 addresses inherently from a pool outside the pre-spammers-and-scammers-everywhere era; these addresses have passed through a dumpster fire of abusers.
At this point I'll never retire my dedicated server just to hang onto its IP address with a clean history I've controlled since the 1990s. Even if the machine becomes nothing more than an overpriced reverse proxy to somewhere else I run the real back-end on... the address has become the primary value.
So when advising people to begin self-hosting, at least consider the reality of available ipv4 addresses they're likely to end up with. Even the reputable vendors have been used by malicious actors buying hosting with stolen credit cards and fake identities. We can't have nice things.
Not who you asked, but I self-host some non-critical mail domains using Mailu[0], which is a set of docker containers. It's been fairly low maintenance. Ease of setup depends on your technical knowledge, but if I can do it, and you're on HN asking the question, you'll probably manage.
I've been self hosting my email for a couple years. Currently using mox https://github.com/mjl-/mox
I'd avoid popular server providers like Hetzner or DO. Lots of abuse there so you might get dropped.
https://www.eth-services.de sponsors mailcow and has been pretty reliable
So, now you have to worry about your VPS/Internet provider deplatforming you. Or about your domain name being seized. And spam filtration, backups, redundancy...
I'm not saying email self hosting should not be done, I just say a bit of planning should be done.
DNS seems like the most annoying part, it is a SPoF by design. The problem can be mitigated, but it seems it cannot be solved. For example, owning multiple domain names in multiple jurisdictions. And round-robin them. You cannot eliminate the SPoF for any one specific service you want to log in to using email. But you won't lose access to everything at once.
Edit:
P.s. At the same time, owning your domain for mail seems to be one of the most impactful things to do to reduce digital serfdom. Banned at *mail? Just switch those MX records and go on.
OpenSMTPd + Dovecot is extremely easy to set up and maintain.
For my parents, I registered a domain on OVH and they use the free email accounts they come with. So that's an independent, ready to migrate, email account for about 8 euros per year.
No, Proton did not knowingly block journalists’ email accounts. Our support for journalists and those working in the public interest has been demonstrated time and again through actions, not just words.
In this case, we were alerted by a CERT that certain accounts were being misused by hackers in violation of Proton’s Terms of Service. This led to a cluster of accounts being disabled.
Because of our zero-access architecture, we cannot see the content of accounts and therefore cannot always know when anti-abuse measures may inadvertently affect legitimate activism.
Our team has reviewed these cases individually to determine if any can be restored. We have now reinstated 2 accounts, but there are other accounts we cannot reinstate due to clear ToS violations.
Regarding Phrack’s claim on contacting our legal team 8 times: this is not true. We have only received two emails to our legal team inbox, last one on Sep 6 with a 48-hour deadline. This is unrealistic for a company the size of Proton, especially since the message was sent to our legal team inbox on a Saturday, rather than through the proper customer support channels.
The situation has unfortunately been blown out of proportion without giving us a fair chance to respond to the initial outreach.
I don't follow. They can't tell if their terms of service have been violated so they took CERT's word for it? How did they decide to restore two accounts then?
This makes the situation even worse for me. CERTs lack any legal authority to compel action or enforce compliance. Without a thorough and fast post mortem analysis, this incident is deeply concerning for anyone who relies on Proton as their primary email provider. I guess getting trigger happy just comes as soon as you get a bigger user base but that's exactly when you get caught slipping. Like they did with the false positives it honestly reads like:
"We have good relationships and trust this CERT so we carpet bombed all accounts they send us without even looking at them."
I wonder what would have happened to accounts or users without the reach on socials.
They didn't do it because CERT said they legally had to - they did it presumably because they pay CERT to catch abuse and misuse and take action based on their findings.
This doesn't change my statement, even if they take the word of the CERTs as gospel. This represents a significant attack vector for denial-of-service attacks, as demonstrated by what happened here, and for a service like Proton, such a vulnerability is nearly inexcusable.
Proton dropped from the top spot on my list of “user-first email platforms” when they announced they’ll be deleting accounts that haven’t logged into their service in some arbitrary amount of time. If I can’t rely on my email / messaging / phone / communications provider to keep an open line for as long as I need it – whether that’s one year or two years or twenty years, then I’m not going to use it. And if they require payment in exchange for providing that service, then it better accept privacy-preserving payment, but even then, I’m probably not going to use it.
Proton had a great thing going where their VPN service and business service funded the cost of maintaining free accounts. The fact that they chose to destroy years of trust by announcing a deletion policy, indicated to me that they no longer care about their users more than they care about running a business.
I’m not even asking for something unreasonable. It’d be one thing if they didn’t want to maintain free accounts with no activity but hundreds of gigabytes of storage. But they haven’t stratified the limit by storage usage. If you’ve got a free account consuming a few megabytes of storage, maybe an email you set up for the government service you interact with every few years… well you better make sure you remember to do the arbitrary chore of logging into that account every year, or Proton will just delete it, no questions asked.
Maybe they’ll send you some reminders if you gave them a “recovery” email, but that defeats the point of signing up to a privacy-preserving email service and calls into question the premise that they even are one.
(In related news, I need to text myself on Google Voice every few months or they’re gonna delete the number I use for 2FA on critical services… and this is an account that has $4 of credit loaded into it from ten years ago…)
> Proton dropped from the top spot on my list of “user-first email platforms” when they announced they’ll be deleting accounts that haven’t logged into their service in some arbitrary amount of time.
... for free accounts only, after 12-24 months of not having logged in at all.
> And if they require payment in exchange for providing that service, then it better accept privacy-preserving payment, but even then, I’m probably not going to use it.
They allow you to physically send in cash.
> I’m not even asking for something unreasonable
I don't disagree in principle, but the way you're asking for these things does in fact make you come across as an unreasonable customer.
I've had multiple proton accounts and can vouch for (pure anecdote of course) two of those working fine despite me forgetting to use them completely for at least four years. So not sure how true what you say is. These are both free accounts btw.
The amount of hate that Proton gets here for the above still ambiguous situation (and in many other comment threads) is bizarre and oddly hive-minded. The company is far from perfect but compared to the overtly parasitical openly done deep scanning of your email content and utter disregard for any responsiveness to user complaints from any major American tech company's email service, Proton is positively saintly by comparison. I'd suggest growing and regularly watering a bit of perspective.
EDIT: I see a number of comments about Proton's "jankiness" and service unreliability here too. I haven't experienced any of that either on desktop or mobile.
I've been a paying subscriber to Proton since 2018, but I recently canceled my subscription (which ends in November). I just got fed up with the constant bugginess and jankiness of their offerings.
Any suggestions for mail hosting and VPN? I hear good things about Fastmail and mailbox.org (I see they very recently rebranded to just mailbox and revamped their offering).
Also, I've been a heavy user of the SimpleLogin alias service. Any suggestions for easily porting all those accounts to a new provider? Manually changing each and every account to a new email seems painful.
Fastmail is fine. It's somewhat limited in its UX, but technically speaking, everything works, and it's snappy. Very few outages. I really like their integrations with calendars, contacts, and mail for 3rd party sites/services. Not a ton of features or deals re: custom domains or multiple users, but it's fine if it's just for yourself. Edit: They literally -JUST- turned on Offline support for their app and web interface, so my only real complaint is gone. Go with Fastmail.
For a VPN, what do you need it to do? For tinfoil hat privacy stuff, get a VPS in Estonia or something. If you just want a secure tunnel while working remote, get a WiFi access point with Wireguard and Dynamic DNS at your home (it's free plus you probably have more bandwidth).
Hey, what's the trick of keeping your VPS OS/etc updated and upgraded without having to nuke (or replace or copy to elsewhere and "paste" back) the current setup on that VPS? In all my self hosting attempts it works butter smooth until I try to update/upgrade my VPS OS or hell even the app I am using like a VPN, or a seedbox, a notes app etc etc. I mean it's been really painful. Sometimes I have used the VPS w/o updating for 3-4 years - no security/OS update - none. The moment I do that - bam! Everything broken or gone :(
1) Use your VPS OS's native software upgrade mechanism
2) Build, test, and deploy immutable images
For 1), you configure your OS (Ubuntu LTS let's say) to do automatic unattended upgrades only for security updates (check documentation for instructions). They're designed to be backwards compatible so this is safe and automatic. May require you to periodically reboot the box. When that version of Ubuntu is eventually end-of-life, they usually provide a manual upgrade procedure to upgrade in-place to a newer version of Ubuntu. A couple manual steps over an hour or two and you're set until the new version goes EOL (many years for Ubuntu LTS).
For 2), you would build either a container or a disk image with your OS, preferred software, configs, etc. Build the image (Packer for disk image, Docker for container), write a simple test to run it and make sure it's working. Now you can install that new container or disk image onto your VPS, and you know it'll work. This is more work, but the resulting image is guaranteed to work the same way every time. So every time you upgrade, you just build a new image. If the new image doesn't work for some reason, just go back to the last image that did work. Set all this up on a CI/CD platform (GitHub Actions, CircleCI, etc) and you can just keep using that setup forever, no need to get it set up on your laptop again if you reinstall your laptop OS.
For either of these, it helps to use only software that is packaged for your OS, rather than installing custom software. There will be less extra work to perform to get the software to work and configured, and upgrade steps will be smoother.
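Option 1) above, as an added example that is not the commenter's own code: a script that writes the two apt configuration files for security-only unattended upgrades on Ubuntu LTS and checks them. It assumes the stock unattended-upgrades package and takes a directory argument so the result can be previewed in a scratch directory before writing to /etc.

```shell
#!/usr/bin/env bash
# Added example: security-only unattended upgrades on Ubuntu LTS.
# Writes the two apt config files and verifies them; pass a scratch
# directory as $1 to preview the result without touching /etc.
set -eu

# Write 20auto-upgrades and 50unattended-upgrades into the directory given
# as $1 (default: /etc/apt/apt.conf.d, which needs root).
write_unattended_config() {
  local dir="${1:-/etc/apt/apt.conf.d}"
  mkdir -p "$dir"
  # Refresh package lists and run unattended-upgrade once a day.
  cat > "$dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
  # Only the -security pocket is an allowed origin, so backwards-compatible
  # security fixes are applied and feature updates from -updates are not.
  cat > "$dir/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
// Prune old kernels and orphaned dependencies so /boot does not fill up.
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Never reboot on its own; the operator reboots after reading the log
// (see reboot_required below).
Unattended-Upgrade::Automatic-Reboot "false";
EOF
}

# Return 0 if the config under $1 enables daily security-only upgrades,
# 1 otherwise. Only active (non-comment) origin lines are considered, so a
# commented-out "-updates" origin, as shipped in Ubuntu's default file,
# does not trip the check.
check_unattended_config() {
  local dir="$1"
  grep -qF 'APT::Periodic::Unattended-Upgrade "1";' "$dir/20auto-upgrades" || return 1
  grep -qE '^[[:space:]]*"[^"]*-security";' "$dir/50unattended-upgrades" || return 1
  # An active -updates origin would pull in non-security feature updates.
  if grep -qE '^[[:space:]]*"[^"]*-updates";' "$dir/50unattended-upgrades"; then
    return 1
  fi
  return 0
}

# Return 0 if a previous unattended run installed something that needs a
# reboot (the package hooks create this marker file).
reboot_required() {
  [ -f /var/run/reboot-required ]
}

# Dry run: show what the next unattended run would install without
# changing the box.
preview_upgrades() {
  sudo unattended-upgrade --dry-run --debug
}
```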
Most providers will hand you a new IP if you suspend then restart your instance. That at least spreads your pool of IPs across their AS (or some subset of it). For the price of a "reputable" VPN service, you could run 2 or 3 low end VPSes from different providers. A bit of Ansible, Python (or language of your choice), and perhaps some browser automation if the cheap VPN provider doesn't have a usable API - should allow you to automate provisioning VPN endpoints and rotating IP addresses.
That would at least move your needle around a lot, even if it isn't bringing along the haystack of all the other VPN customers sharing their endpoint IP addresses. You couldn't consider this sufficient protection against TLAs or Mossad. Or disgruntled Magic The Gathering players burnt by MtGox...
Not the parent but you can set up Dynamic DNS at home and Wireguard in your router and later use the Wireguard connection to connect to your home network and have a safe tunnel.
Yep! And TP-Link, Asus, GL.iNet, MikroTik, and other consumer routers also have Wireguard/OpenVPN servers and Dynamic DNS clients.
For the parent commenter: you set up an account at a Dynamic DNS service, and configure your router so when it's online, a dynamic DNS hostname will always point at your router's IP. Then you set up a Wireguard or OpenVPN server on your wifi AP. Then set up your phone, laptop, etc to connect to that server at the dynamic dns hostname. Now you have a VPN server running on your home wifi AP. Connect when you're away from home, and your traffic will go securely through your home ISP connection.
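The home VPN described above, as an added example (not from the thread): a wg-quick server config for the router and the matching client config, with the Dynamic DNS hostname as the endpoint. Assumptions: the router runs wg-quick or an equivalent WireGuard server with IP forwarding enabled, the uplink interface is eth0, the LAN is 192.168.1.0/24, `home.example.net` is a placeholder DDNS name, and all keys are placeholders to be generated with `wg genkey | tee server.key | wg pubkey`.

```ini
# Added example, not from the thread. Two files are shown; the separators mark them.

# --- /etc/wireguard/wg0.conf on the home router / access point ---
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>
# Forward tunnel traffic and NAT it out through the home ISP uplink
# (eth0 is an assumption; requires net.ipv4.ip_forward=1).
PostUp   = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# The phone / laptop. Only its tunnel address is accepted as a source,
# so a leaked client key cannot be used to spoof other LAN hosts.
PublicKey = <PHONE_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32

# --- Client config imported into the WireGuard app on the phone / laptop ---
[Interface]
Address = 10.8.0.2/24
PrivateKey = <PHONE_PRIVATE_KEY>
# Resolve names through the home router, not the coffee-shop network's resolver.
DNS = 192.168.1.1

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
# The Dynamic DNS hostname rather than a bare IP, so the client keeps
# working when the home ISP changes the address.
Endpoint = home.example.net:51820
# 0.0.0.0/0 sends all traffic through the home connection; ::/0 blackholes
# IPv6 rather than letting it leak around the tunnel. Use
# "192.168.1.0/24, 10.8.0.0/24" instead if you only need to reach the LAN.
AllowedIPs = 0.0.0.0/0, ::/0
# Keeps the NAT mapping open from behind hotel / mobile NATs.
PersistentKeepalive = 25
```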
That's classic Mailbox. Deny there's a problem, or just don't ever respond. Hell, my tickets, when I face an issue, don't get responded to for weeks sometimes, and when it gets responded to, often it's a one-liner accompanied by closure of ticket :D
I'm using Fastmail and Mullvad. Both seem to work pretty well and are reasonably priced. You could also host your own on VPSs if you're feeling adventurous.
I've been on Zoho for my (and my partner's) email for 4+ years and it has been great. Chose them because there is no per-domain charge, so I have like 12 domains on it.
The configurability is extensive in both the web app and the iOS email app. Service has been fast and stable. They rarely change anything in the UI (no random tinkering is what I mean) so it is predictable and easy to use.
I wanted to use them. But they had a bug in SMS sending and it's been a few weeks (or more) and they have not fixed it or been able to fix it. Also, it was not clear whether they use the same setup for recovery/alert SMS (I asked, received no reply). I tried following up with their support for a few days (it's a one-person setup; recently a support person was hired who responds on Discord and is apparently swamped), but it didn't happen. I just tried now and the issue still exists. That seemed like not a good sign. Also - ownership changed a few months ago.
I wouldn't trust Zoho. More than 10 years ago, they shadowbanned (can not be shared or publicly viewed) my documents because they criticized the Chinese communist party.
My experience is the apps are missing very fundamental features. Which would be fine... If you could use other clients. But you can't, except for email, kind of.
Like, the calendar on mobile doesn't even have a search function. What if I want to know when an event is happening? I just have to scroll and scroll until I find it? Come on now. Also no storage backup in proton drive??? What??? That's, like, 90% of the purpose of proton drive!
For me the jank is in their billing and the plans I can purchase. I can either have a Business Mail Essentials plan or a Business Password plan, but if I want both at the same time I have to buy a plan that's three times as expensive or drop my custom domain name.
I've never hit any of the major bugs, but the iOS app is quite glitchy. The unread count never updates if the mailbox is externally modified (e.g. via the web app), sometimes it goes to zero or one. Sometimes my messages simply don't show up.
There was also that whole IMAP data loss issue. Unsure if that ever got resolved.
Proton seems to have a lot of cheerleaders that come out of the woodwork when anyone complains. I'm happy that somehow their code is magically bug free for you, since you've somehow never encountered any bugs whatsoever in their code (despite their release notes mentioning literal bugs they've fixed).
I'm glad it works for you, but their offering is frequently buggy and broken for me.
The person I was responding to literally said they were "a paying user for a very long time" and "never encountered a bug". No software is bug free. I can't think of a single software service I've used for as long as Proton (7 years now) where I haven't encountered a single issue over that time. I take their statement to be so incredibly unlikely as to be facetious or intentionally duplicitous.
So I responded in kind, because I've definitely seen company cheerleaders, and I'll have no part of it. I'm glad you all are happy with Proton. I'm not telling you to leave.
And if you really want to see complaints, you don't have to look far. Read the other comments on this thread. I don't have to spell everything out for you.
Idk what to tell you. Email is mostly a solved problem for most cases, and object storage is mostly the same. Password manager is one of the best I've found in any platform, at least for the individual-user use case.
The VPN has always just worked, too.
If you're using desktop apps for things, really can't help you there as I have no experience with any proton offerings for that piece.
> Idk what to tell you. Email is mostly a solved problem for most cases
Idk what to tell you. Considering email is mostly a solved problem, Proton must be extra incompetent for inadvertently deleting people's emails due to multiple different bugs in their code that took them far too long to address (multiple years in some cases).
(The temerity of the customer service response on that last one, saying they have no clue about the bug being asked about is galling, but par for the course for them).
BTW, make flippant responses, get responses in kind. Normally I'd ignore this idiocy, but today was your lucky day. Anyway, it's clear you're just a troll and I've indulged you enough.
For mail hosting, take a look at Posteo.de (no custom domains though), mailbox.org, runbox.com, mailfence, migadu, and cranemail. All these are cheaper and a lot more affordable than something like Fastmail. All of them support IMAP, using which you can move your email elsewhere (or easily backup/have local copies).
I am a Fastmail customer. Absolutely horrible customer support but pretty solid email. Do not even think about using the "suite" they offer alongside email.
The rebranding and "revamp" is limited to the logo and colour changes :D everything under the hood is still the same good old OX inferiority. Hell, you may never want to use their webmail either (my 99.9999% mail usage is via IMAP clients). They are fine other than that.
Fastmail is pretty good if their price and offerings are not an overkill for you. You should check Runbox as well - really good.
Simple Login alt: addy.io? Fastmail and Mailbox (auto-deletes in 30 days unless you "touch" it :D) also have disposable email as part of email offerings. Don't know about Runbox.
Similar case, I recently migrated from @mozmail to SimpleLogin and wondered if I made the right choice.
I heard using your own domains solves the migration issue but that makes your email pretty identifiable just by looking at your domain.
I wonder what's a suitable replacement candidate after Mozmail and Simple Login? One of the reasons I migrated away from Mozmail to Simple Login was that you can't initiate an email sending, which made it difficult to contact support if needed. Plus Mozmail are on Amazon SES.
You mean Firefox Relay, right? It has been in beta for a long time (I mean anything other than the basic free plan). Did you get in via some invite or so?
Agreed. I have also stopped abusing the catch-all of my domains. It became a pain very soon. Not only privacy issues but I couldn't possibly block those emails/spam that were coming on usernames like sales and many more.
Fastmail has an open source API they call JMAP. You could probably find or write something that could help convert to the Fastmail masked email. I was able to set up an integration with a local LLM to read my email and act on it in about an hour.
I like fastmail they seem to have a move slow and don't break things mentality that I like from my email.
I moved from Proton to Fastmail (and Mullvad for VPN).
I was a founding paying member of Proton Mail. I loved them and evangelised them for years. But after a decade, the quality of the offering, especially the mail and calendar, is almost a joke, and the company seems very distracted chasing the next big thing (the half-baked password manager being one).
Comparing Fastmail’s UI and feature set with Proton, you quickly realise they are leagues apart.
And no Fastmail doesn’t provide e2e encryption. For that I use Signal, and for the few occasions where I need e2e encryption in email, I use PGP.
My only wish is that there was more client support for JMAP protocol. Even thunderbird doesn’t support it, and I can’t go back to IMAP because I like labels. Thankfully Fastmail’s own web interface is so good it is not a big issue.
The one thing I don’t like about both Proton and Tuta is that they don’t support IMAP. Users of these platforms would find it a bit more difficult to move their emails out of the system if they wish to.
I've used Migadu since their free plan days. Even though I had trouble in the transition (partly due to my fault) it was handled decently and I stayed on. Been friction less since. I must also mention Edison e-mail, which makes such a great client!
Fastmail is a good product with technical chops, contributes to open source and cares generally about being good members of the international email space, standards etc.
Fastmail's interface is very plain, and it works very fast and works well.
They support a plethora of ways to do mail and have many advanced users, so their mail support is very good, maybe close to running your own mail server without having to deal with RBLs and getting spamlisted.
I use Fastmail and I’m mostly happy with it. Their design team is thoughtless so their web and mobile offerings are disappointing. The mail hosting itself seems to be excellent though.
Can proton even win here? The obvious solution would be "we don't take down unless there's a court order", but then you'd get exposé pieces saying how protonmail is a den for drug dealers/pedophiles/doxxers/cyber criminals.
> The obvious solution would be "we don't take down unless there's a court order", but then you'd get exposé pieces saying how protonmail is a den for drug dealers/pedophiles/doxxers/cyber criminals
I think it'd be crazy to make a service worse because of worry over potential hit pieces that might whine about a perfectly reasonable policy. It isn't as if Proton Mail hasn't been accused of those things before anyway (along with accusations of being a honeypot and not private enough).
It's better to have integrity and fight for your users than to cave just to avoid click bait articles by people with irrational views.
I suspect there's a few email providers where the marketing and reputation management teams are hurriedly adding "check the user and the user's affiliated social media reach before suspending this account, and before responding to any support requests from the user."
My new elevator pitch: We proactively research all of our customer's users and new signups to assign them a social media reach score. We then automate escalating external account action requests or user support calls for highly ranked users to senior staff and providing details and evidence of their social reach and industry affiliations. While we generate revenue from these customers, our primary revenue stream is the aggregated data we acquire while doing this, and selling access to that data to law enforcement, the insurance industry, and Nation State intelligence organisations across the globe.
Ladar Levison and Lavabit certainly earned themselves credibility there a dozen years or so back.
Sadly https://lavabit.com/ currently just says "We are not accepting new users at this time. Mail services remain online, while we work on improving our website code. "
PSA: Proton deletes “unused” accounts after one year, and defines unused in some opaque sense where receiving but not sending emails is “unused”, so I’m in a nasty position of my iCloud account being unrecoverable. Going to have to spend nontrivial time offboarding my account.
> defines unused in some opaque sense where receiving but not sending emails is “unused”
"You are considered active if you log in and use our services once a year. Simply logging in to any Proton service on our web, desktop, or mobile apps at least once a year is enough."
Do they still use that old shady billing? You could get "credits" from coupon to upgrade your plan, and once it ends, it automatically subscribes and your account bill goes to negative. Unless you pay that, your account is locked. Happened to me some long time ago and haven't used Proton since.
And this is why I host my own email server, even if I am not a journalist investigating governments or anything of the sort. It's a matter of control over my computing.
Also, how do you mask your identity if you self-host? I can have as many mailboxes as I want but they're all trivial to correlate because they share a domain that isn't providing email accounts to large amounts of users. And then there's the matter of a VPS not actually being under my control. It's a VM running in a datacenter. I could run the mail server locally, but then I'd still need to relay through a VPS to mask my IP address. And that's still only protecting from a casual adversary...
The common folklore is just FUD. The main issue is deliverability to the likes of Google, Microsoft, Yahoo, etc. You need a clean fixed IP in non-residential block and a sufficiently aged domain or your mail will be flagged as spam or rejected. Alternatively, you can use a relay service for outbound email. Besides the deliverability issue, hosting email is fairly trivial from a technical standpoint; on Linux, the standard utilities are Postfix, Dovecot and OpenDKIM. The server is for my own use, so I don't even bother with spam and AV filters.
Even if you can't send email at all (unlikely if you use an outbound relay), there are very significant privacy benefits to having your own server. I send very few emails relative to the number I receive. You couldn't pay me enough to go back to one of big commercial providers.
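The deliverability checklist the comment above describes (clean fixed IP, SPF, DKIM via OpenDKIM, an optional outbound relay) can be pre-flighted before a self-hosted server sends its first message. The following is an added example, not code from this thread or from Postfix/Dovecot/OpenDKIM: it evaluates SPF for a sending IP, confirms a DKIM selector and DMARC policy are published, and checks forward-confirmed reverse DNS. The DNS table, the domains example-mail.test and relay-example.test, the addresses 203.0.113.25 and 198.51.100.0/24, and the selector "mail" are all constructed so it runs offline; replace `lookup` with a real resolver to check a live domain.

```python
"""Deliverability pre-flight for a self-hosted mail server (added example)."""
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed in-memory DNS table: (name, rtype) -> record values.
# example-mail.test sends from its own host and from a hypothetical relay.
DNS: Dict[Tuple[str, str], List[str]] = {
    ("example-mail.test", "TXT"): ["v=spf1 ip4:203.0.113.25 a:mail.example-mail.test include:relay-example.test -all"],
    ("example-mail.test", "MX"): ["mail.example-mail.test"],
    ("mail.example-mail.test", "A"): ["203.0.113.25"],
    ("25.113.0.203.in-addr.arpa", "PTR"): ["mail.example-mail.test"],
    ("relay-example.test", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
    ("mail._domainkey.example-mail.test", "TXT"): ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    ("_dmarc.example-mail.test", "TXT"): ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example-mail.test"],
}

Resolver = Callable[[str, str], List[str]]


def lookup(name: str, rtype: str) -> List[str]:
    """Offline resolver over the constructed table; swap for real DNS queries."""
    return DNS.get((name.lower(), rtype), [])


def spf_result(domain: str, ip: str, resolve: Resolver = lookup, depth: int = 0) -> str:
    """Evaluate the SPF record of `domain` for sending address `ip`.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record).
    Supports ip4/ip6/a/mx/include/all, the mechanisms a small self-hosted
    setup actually uses; nested includes are capped like RFC 7208's limit.
    """
    if depth > 10:
        return "permerror"
    records = [r for r in resolve(domain, "TXT") if r.startswith("v=spf1")]
    if not records:
        return "none"
    addr = ipaddress.ip_address(ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # A bare address is treated as a /32 or /128 network.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            host = arg or domain
            matched = ip in resolve(host, "A") + resolve(host, "AAAA")
        elif mech == "mx":
            for mx in resolve(arg or domain, "MX"):
                if ip in resolve(mx, "A") + resolve(mx, "AAAA"):
                    matched = True
        elif mech == "include":
            # An outbound relay service is usually authorised this way.
            matched = spf_result(arg, ip, resolve, depth + 1) == "pass"
        if matched:
            return qualifiers[qual]
    return "neutral"


def dkim_published(domain: str, selector: str, resolve: Resolver = lookup) -> bool:
    """OpenDKIM signs with a selector; receivers fetch <selector>._domainkey.<domain>."""
    txt = resolve(f"{selector}._domainkey.{domain}", "TXT")
    return any(r.replace(" ", "").startswith("v=DKIM1") and "p=" in r for r in txt)


def dmarc_policy(domain: str, resolve: Resolver = lookup) -> str:
    """Return the DMARC p= policy, or '' if no record is published."""
    for r in resolve(f"_dmarc.{domain}", "TXT"):
        if r.startswith("v=DMARC1"):
            tags = dict(t.strip().split("=", 1) for t in r.split(";") if "=" in t)
            return tags.get("p", "")
    return ""


def fcrdns(ip: str, resolve: Resolver = lookup) -> bool:
    """Forward-confirmed reverse DNS: the PTR of the IP must resolve back to it.

    Residential and freshly recycled VPS addresses commonly fail this check.
    """
    rev = ipaddress.ip_address(ip).reverse_pointer
    return any(
        ip in resolve(h.rstrip("."), "A") + resolve(h.rstrip("."), "AAAA")
        for h in resolve(rev, "PTR")
    )


def preflight(domain: str, ip: str, selector: str, resolve: Resolver = lookup) -> Dict[str, object]:
    """Collect all four checks for one sending host."""
    return {
        "spf": spf_result(domain, ip, resolve),
        "dkim": dkim_published(domain, selector, resolve),
        "dmarc": dmarc_policy(domain, resolve),
        "fcrdns": fcrdns(ip, resolve),
    }


if __name__ == "__main__":
    for key, value in preflight("example-mail.test", "203.0.113.25", "mail").items():
        print(f"{key:7} {value}")
```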
> You need a clean fixed IP in non-residential block
Feels like that's carrying a lot of load there?
Where do you get those? I doubt any inexpensive VPS provider has any clean IP addresses? AWS charge you $5/month for an elastic IP address, and I bet you'd need to cycle through their pool of those looking for one that hasn't been blacklisted recently?
There's another thing to consider here too. I was selfhosting my own mail, but back in 2013/14 I investigated all my mail, and even though I'd avoided Google/Microsoft,Yahoo et al. - over 80% of my personal email was on their servers because that's where my correspondents were. I pretty much gave up maintaining my own (slightly over complicated) stuff and gave in and chose to accept the "Do no evil" company at face value. 4 or 5 years later that company no longer existed, even though they continue with the same name today.
As far as I can remember, you don't even get IMAP access on the Proton free tier. For me, that's a non-starter. The privacy claims are also mostly marketing, as it is basically impossible to verify what Proton actually does when approached by a three-letter agency. I wouldn't use email anyway if I had something to hide, the email protocol wasn't designed with secrecy of communications in mind. For that, Signal seems far better, or perhaps a self-hosted, encrypted Matrix room.
No company is gonna seriously refuse when their jurisdiction's equivalent of the FBI or NSA turn up with a court-authorised order. As James Mickens said: "YOU'RE STILL GONNA BE MOSSAD’ED UPON"
But it'd be nice to be able to expect your email provider to not cave in to a request from some other country's CERT organisation without pushing back for evidence and some sort of proper judicial authority behind the request.
Not all heroes wear capes, much less release a personal AI assistant to navigate your own data while the MAIL CLIENT AND CALENDAR APP has been in beta on Linux for YEARS.
I'm worried and surprised to see the many comments here that, contrary to what I'm used to reading here, nobody seems to have dug deeper, looked critically at the evidence. Quite a lot of just ad hominem and insinuations.
This looks like brigading to me. Which is the only way for govs to fight against protonmail: spreading doubt.
Hence I am reinforced to continue being a strong supporter of Proton.
You can disable an account without knowing who owns it, although they do have credit card/payment information now, and I don't think new accounts get encryption services unless they pay.
That said, if your inbox is encrypted, protonmail does so on the client side with a second password. They can maybe delete the account, but proton mail doesn't know what the encrypted data is. What happens to new emails sent to a disabled address is anyone's guess though. Honestly I think they're doing the best they can given the circumstances
I thought I made a new account a while ago (as the front end for an OSS project) and it wasn't encrypted, and then when I checked encryption was moved to the paid membership. It looks like I may have just been confused though, because you're right it looks like it's still part of the free tier
You are trusting them. They control the client, how the keys are created/stored, etc. Javascript, etc. If they were to suddenly turn one day, they could.
It is very possible for them to inject custom JS to a specific user.
You are the bosses at Protonmail; do you want police at 6 am shaking your kids, seizing all your devices, losing all agreements with PayPal and Visa/MasterCard, because you want to protect a guy who distributes child pornography or plans a terrorist attack?
No way, so you tap on the shoulder of the CTO and ask him to push a temporary update or turn on a feature flag, in order to collect the missing information.
This is true for all companies who control the client.
From what we (at least I) know, this wasn't the police in Switzerland waking up senior management.
It was - without anyone admitting to it - probably KrCERT who requested the account suspension. KrCERT don't seem to have any legal jurisdiction in Switzerland.
I'd like to think if they 'tapped on the shoulder of the CTO ' of a company headquartered in Switzerland, he'd say "maybe, come back with an order from a relevant court or security agency in Switzerland and I'll get my team right on that".
Trusting them is almost guaranteed, but it doesn't have to be, sort of. The clients are opensource so you literally clone, audit, and run the clients locally.
Full disclosure, I use Proton and overall trust them so unless I see strong evidence of abuse or lies on their part I'm inclined to post contextualizing comments on stuff like this, b/c well I don't wanna host my own mail server, at least not in prod.
As if disabling the issue tracker and stonewalling pull requests wasn't bad enough, seeing how it is built out of multiple layers that communicate via gRPC was what made me instantly lose all trust in Proton. I don't know who's been doing their hiring but just from one look at that kludge it's evident they've lost the plot altogether.
(There's a third-party alternative called Hydroxide, but it's experimental. Haven't been able to send emails through it from Thunderbird yet, though I've only looked into this for a few hours recently.)
>But last month, Proton disabled email accounts belonging to journalists reporting on security breaches of various South Korean government computer systems following a complaint by an unspecified cybersecurity agency
Last time I checked, hacking was still a crime in most jurisdictions - even if the target is considered a geopolitical adversary. This sort of activity is also against the Proton ToS. Once KrCERT and Proton were alerted to this activity, they would have been legally obligated to act.
That's not to say I feel any sympathy to the target - who by all counts has done a fair bit of damage. But this sort of hacktivism / vigilantism simply isn't helpful. There's a high likelihood that one or more nation states / law enforcement agencies may have had active operations directed against this threat actor derailed by such activity.
tl;dr - If you're going to conduct such activities, practice proper OPSEC. And don't let your desire for attention / recognition take priority over staying on the right side of the law.
It's because the journalists were covering the professor-student rape scandal at UIUC Champaign that was covered up by Champaign and other governing bodies.
Hmm going to wait and see how this plays out, maybe it's time to look at alternatives, assuming that my custom domain email isn't somehow locked to them.
So, is this a case where Random Cybersecurity/Tech Group mistakes responsible disclosure for hacking, and then reported it to Proton, which took their word for it and disabled the account?
From the Proton/X discussion in the Intercept article
"Big Tech CEOs are tripping over themselves to kiss the ring precisely because Trump represents an unprecedented challenge to their monopolistic dominance.”
They don't know how this is going, from what I see Trump threatens something not to change something, but to get something. If there is any anti-trust drive it's there to shake the tree, not to break up big tech. Trump loves big US corporations, like those in the 50s and 60s, those pre-Bell-breakup.
Side note regarding proton that it seems that people are mentioning the fact that ip is being tracked with user creation in proton mail?
So if someone downloads proton vpn and uses it that way, then I always considered it to be the best vpn (even better than mullvad) but I guess I was wrong...
I would still use protonvpn but I will try to migrate towards quite frankly more services from now on.. Email should just be a way to discuss what should be your matrix account or xmpp or even signal...
Another thing that I want to point out is that I had once gone into network permissions etc. in Proton Docs and tried to write a comment and write stuff etc. I am not sure about the writing stuff, but although these do feel "encrypted", I saw a thing in the API response when I did curl or something which showed logs, so I assumed Proton keeps logs..
Another problem I feel is that since proton is only encrypted via your password which you enter into the system and it seems that you can change the password if you have something like phone verification. Fundamentally something like this can only work if they have the keys, so they are having the keys to your encrypted account.
I am sure that there are ways of adding your own private key too but how many people using proton are doing that?
Fundamentally, this is how the stack will work or has to work imo. You are trusting them because of lack of conflicts. They have built their name on privacy and so everyone will leave if they are less private, but the thing is that they might be using some open source tech that might have an update that couldn't be audited or somehow get hacked themselves, and since Proton might have some juicy targets like journalists, people's lives may be on the cutting edge.
I heard this somewhere that I wish to share, you want technologically private solutions not because you don't trust someone but rather that it should remove the need of trusting in the first place. Proton hasn't / can't reach it imo.
I don't mean any hate towards Proton, but that was my understanding. I still use it. In fact, please let me know if I caught something wrong or whether what I am saying is correct. My purpose is not to spread misinformation but rather to inform my opinions/correct them if I am wrong.. (I may be wrong, I usually am [my most loved line from the book How to Win Friends and Influence People])
I feel as if we need to get things like a Pi etc. or whatever, and at least to me hosting something like Matrix seems okay-ish, I am not sure. Email just doesn't feel like a good protocol for privacy.
That definitely doesn't look good from a privacy POV. If they do not want abuse, they ought to use other means. They should not associate IPs with account creation. That is kind of scary. In fact, if what you have said is true, then one's account can be blocked by someone else's mischief on the same IP, which is not very uncommon at all, i.e. sharing the IP.
They could take government ID, or fingerprint your machine, make you submit a picture of your face, do these options seem better to you?
Nope. Zero-knowledge proofs seem to be the middle ground, IMO. Prove X without revealing X itself.
How else?
I'll go out on a limb and say it: it's an American cybersecurity agency. Proton's CEO/Proton[1] loves the current US admin. I wouldn't be surprised if they comply now and ask questions later, if at all.
1. According to the now-deleted Reddit comment from the official Proton account glazing Republicans, so I assume they were speaking on behalf of all of Proton. https://theintercept.com/2025/01/28/proton-mail-andy-yen-tru.... I have zero evidence except for the CEOs questionable public statements, but I wouldn't be surprised if Proton turned out to be the 21st century Crypto AG.
Proton is a honey watering hole pot. This has always been clear.
Please think a bit before posting. This feels like you didn’t stop to think that this could be seen as cheap and provocative by many.
And yes, some quotes, references, or a modicum of argumentation around a divisive point of view is also a good idea.
Proton has always been political, you see them supporting some protests, but not others.
So clear that you can present the least evidence for it aside from the CEO's saying a thing or two that doesn't automatically spit on the current administration?
If I didn't know better, that would sound plausible, but the truth is much more boring (for the better).
> Proton's CEO/Proton[1] loves the current US admin
The CEO once expressed support for Gail Slater as head of antitrust and subsequently criticized lack of effective work towards tech regulation on the Democratic side in the same social media thread.
Calling that "love for the current US admin" (which hadn't even taken office when those statements were made) is pure disinformation.
Half the American tech landscape is either running toward Trump's bed or bending right down and making all the right mating signals in hopes of some interest, but a few pro-Republican comments from the Proton CEO should be held as immediately and deeply suspect of this company being a honeypot?
People of all kinds can say certain positive things about the Republican Party for different reasons in specific contexts and not be fanatics you know. That's how using actual reasoning and nuanced discourse works in the world of not throwing your brain in the garbage through ideological rigidity.
For me, at least, it's less about the initial comments than how he handled the fallout from it.
Why should there be fallout from supporting the current admin? Tech companies colluded with the government during the biden administration to censor American citizens.
I never saw any outrage. Only memory holing and denial
> Why should there be fallout from supporting the current admin?
Well, why or why not doesn't matter; there _was_ backlash. And to my recollection, he made some rather bizarre defensive posts on Reddit that were later deleted and replaced with a corpo response.
> I never saw any outrage
You probably aren't looking hard enough. There was plenty of outrage, and congressmen excoriated tech companies for "suppressing right-wing voice"
Not in Liberal/Left leaning communities. They called for more censorship.
Yours is an entirely different argument to what gp was claiming, and undermines the crux of gps position.
Ideological rigidity or not, I'll bet dollars to donuts that Proton disabled the accounts at the behest of an American agency. All the highfalutin talk is missing my main point.
Which the reddit fanatics on their sub are bending over backwards to defend and explain away when there is no two ways about it tbh.
On a positive note: having reach on social media can solve problems nowadays.
The effect is opposite - things get fixed only when you get enough social noise and that is not good.
This has always been true. The difference today is that if you are able to craft a powerful message, distribution isn’t a problem anymore.
Isn't that like saying "Yay, rich people get to bend the law", certainly useful to some, but kind of a weird thing to cheer for?
So, if you have sufficient influence, you can get things moving.
What about those of us nobodies with no influence?
Well, you can't get the same stuff done that the folks with influence can. Like they're working with a better toolbox.
Which is all cool until Google rug-pulls your influence and you’re back to zero… in which case it doesn’t sound like a tool anymore.
Maybe a tool with DRM embedded would be an appropriate analogy?
One of the reasons why I don't use my personal Google accounts for stuff like Firebase.
Sadly, Proton was, until now, a serious and perhaps leading contender for where I might migrate my email as I reduce my dependence on Google. They felt more credible then Tutanova, and less mainstream corporate than Fastmail. Not sure where to look now.
> Not sure where to look now.
Maybe take a look at https://posteo.de/en
And there’s no shortage of people excited to hop on the next outrage train.
With good cause, in this case, but the crowds wielding pitchforks don’t much care either way.
> Phrack reached out to Proton in private multiple times, and Proton ghosted them.
According to Proton's response in the linked reddit post: https://news.ycombinator.com/item?id=45227356
They say: "Regarding Phrack’s claim on contacting our legal team 8 times: this is not true. We have only received two emails to our legal team inbox, last one on Sep 6 with a 48-hour deadline. This is unrealistic for a company the size of Proton, especially since the message was sent to our legal team inbox on a Saturday, rather than through the proper customer support channels."
You'll note that Proton's PR only mentions the second date - "last one on Sep 6 with a 48-hour deadline."
Proton doesn't mention that the first email from Phrack which Proton ignored was weeks prior to that, which is what led to the second email in the first place.
You'll also note that Proton doesn't mention that their Abuse Team refused to re-enable the account after the article author went through the appeals process, as per Phrack's timeline at the top of their article.
That's a great point. I guess at this point it'd be ideal for them to treat this as an incident and do a proper postmortem with timelines and decision calculus.
Definitely agree. A frank postmortem would be a good thing to see.
But that would be contrary to their clear intention thus far: to sweep this under the rug. /s
I had previously liked Proton. I started seeing bits and pieces of info about their security being lackluster over the past year or so, causing doubt about their credibility. I'm definitely done with them after this.
This is honestly sad to see. I use Proton and advocate it to others. This does make me rethink my position somewhat - although I’d argue it’s still better than Google / Microsoft-owned email services.
To be honest, I've found Proton's public customer service representatives to be very duplicitous, so it's hard to take their word at face value. It's pretty ridiculous to see their response to legitimate concerns start with: "That doesn't sound right..." 80-90% of the time.
> a 48-hour deadline. This is unrealistic for a company the size of Proton
and yet suspending the account...
Sorry but doubt.
The whole "we have only received two emails" is a classic move of every company caught with their pants down. Considering Proton's history, they don't get the benefit of the doubt on this one.
As for the "company size excuse" sorry but considering the business you claim to be in (the private and secure email), having an on-call skeleton crew legal team available over the weekend for urgent requests is a bare minimum (and I'm pretty sure they have people available to hand over everything the cops request if "the proper process is followed").
Remember that they have turned over information in less than 24 hours before (for what they call an extreme case of course). So the "size" excuse doesn't hold. Doesn't matter how urgent it is, if they are the small bean they claim they are, there is no chance they can have a turnaround of less than 24 hours.
Again, it's not what they did that's the biggest issue, it's the coverup. Just like last time they got in hot water. Because the coverup raises a lot more questions.
If you don't have enough people to run your business you're doing it wrong. If you don't have enough money to hire people for your business, it's not a viable business.
> having an on-call skeleton crew legal team available over the weekend for urgent requests is a bare minimum
I don't know about Switzerland, but in Germany, no company will be available "over the weekend". Almost everything on the internet in DE is Mo-Fr 9-17.
> I don't know about Switzerland, but in Germany, no company will be available "over the weekend".
Before 31 December 2020, the Swiss Air Force famously only operated during office hours....
The true value of a company can be measured by our ability to communicate with them. If we can't communicate except after public outrage, then what does that say about the company?
Here's a genuine question: is Proton Mail the least shitty of companies that provide email services?
I self-host email and will continue until I die. But for others who need a company to do this for them, is Proton Mail the least shitty of options? Does this change the evaluation? I'm genuinely curious about the opinion of others here.
I self hosted for 20 years, worked flawlessly, gave up because of security concerns. I would like to go back to it.
Question: How do you manage the security on such a box? Is there any simplification I missed?
I couldn’t keep up with it. So many patches, unrelated to mail, broke something in the stack, bringing the server into a critical state. Often, I had to lock down everything before going up again, consuming a day’s effort or two. These were two days without mail.
To answer your question, from my limited experience: no.
There are better or less shitty companies like Fastmail, Runbox (tried them), even Purelymail (but a 1 or 2 person setup), Mailbox (shitty support, solid setup; I am a customer), Migadu (good name, I have never used them), there's Tuta (but somehow they seem off to me; like Proton they also do not allow IMAP/POP - Proton allows it with some circus), MXRoute has a good name at places like the LET forum. There's even Zoho if you just want a mail service (but then if you use Zoho the only reason to not use Google or MSFT will be cost or just the middle finger :D) … and many more.
So there are options.
PS. as per self hosting email - I can't self host my seedbox properly on a VPS, I don't think I should even try email :)
Not allowing IMAP/POP isn’t just for the lulz, it’s not compatible with the encryption architecture Proton uses, which is kind of the selling point of the product. You can either have your emails encrypted at rest with your key OR you can have plain IMAP/POP without a bridge client, you can’t have both.
I never really understood the point of that. If you are exchanging emails with someone using one of the most popular email services that together make 99% of the marketshare, their server retains your email unencrypted anyway. So the only time that encryption will really matter is when emailing someone who is also using Proton.
Proton also supports PGP emails... for the dozen or so people who are setup to receive them.
So does m365.
> the only time that encryption will really matter is when emailing someone who is also using Proton.
Correct, and this was/is explicit when you first sign up for a proton email account.
Did I anywhere say it was for the "lulz"?
> The true value of a company can be measured by our ability to communicate with them.
True, but sadly too many people don't care.
Look at how many people will happily throw $$$ per month at Claude when it is basically absolutely impossible to contact a human being at Anthropic.
> is Proton Mail the least shitty of companies that provide email services?
Tutanota could be worth a look.
What's your stack? After reading this, self hosting suddenly appeals to me.
forget about self hosting email... I tried it for years, and even if you get it working (needs months), it will eventually stop working again. The problem is that in order to get the big boys to accept you as an email provider, you have to jump through infinite hoops, and be treated like a criminal and/or scammer in the meantime (or at best a business that is trying to send newsletters). You will never get a human to talk to, it's just an infinite loop of automated processes.
Anyway, the problem is "trust" which boils down to IP reputation. And since we are all still on ipv4, your IP was reused. Which means you need to spend months cleaning it. And you won't have a guarantee that you won't lose this IP in the future.
> I tried it for years, and even if you get it working (needs months), it will eventually stop working again.
I've been self-hosting for decades and have never, ever seen the sort of problems you suggest. Once it's working, it's working.
When people have a problem, it's usually because they are trying to either:
Both of which should frankly come as no surprise to anyone with a modicum of technical know-how. Hosting off a home internet connection, assuming the ISP will even open the ports in the first place, has been something to avoid since, well, basically forever ... certainly anywhere after the late 90's.
Hosting off a less than reputable provider is the same. I'm not going to name names, but certain providers are well known for originating spam or not responding to abuse@ messages.
I too have self-hosted for decades, there was a brief period of annoyance where I had to set up SPF records long ago, but since then it hasn't been problematic AFAIK (not that I'm in constant contact with people on all the major providers).
However, a close friend and fellow ex-sysadmin who also has self-hosted since the 90s, has had some headaches in recent years. He upgraded his dedicated server at the same US provider I use, without attempting to preserve his original IP addresses.
He hosts email for his wife's small business, and with the new IP addresses has come a lot of problems. Her billing is performed primarily via email, when the emails get blocked, her income is directly affected. It's so bad sometimes I'd say it's straining their marriage.
This isn't at a disreputable hosting company. It's simply the reality of provisioning new systems receiving new ipv4 addresses inherently from a pool outside the pre-spammers-and-scammers-everywhere era; these addresses have passed through a dumpster fire of abusers.
At this point I'll never retire my dedicated server just to hang onto its IP address with a clean history I've controlled since the 1990s. Even if the machine becomes nothing more than an overpriced reverse proxy to somewhere else I run the real back-end on... the address has become the primary value.
So when advising people to begin self-hosting, at least consider the reality of available ipv4 addresses they're likely to end up with. Even the reputable vendors have been used by malicious actors buying hosting with stolen credit cards and fake identities. We can't have nice things.
Can't you just use a paid SMTP relay which will have good reputation? Sure, not exactly self-hosted, but trivial to switch.
Not who you asked, but I self-host some non-critical mail domains using Mailu[0], which is a set of docker containers. It's been fairly low maintenance. Ease of setup depends on your technical knowledge, but if I can do it, and you're on HN asking the question, you'll probably manage.
[0]: https://mailu.io/
I've been self hosting my email for a couple years. Currently using mox https://github.com/mjl-/mox I'd avoid popular server providers like Hetzner or DO. Lots of abuse there so you might get dropped. https://www.eth-services.de sponsors mailcow and has been pretty reliable
So, now you have to worry about your VPS/Internet provider deplatforming you. Or about your domain name being seized. And spam filtration, backups, redundancy...
I'm not saying email self hosting should not be done, I just say a bit of planning should be done.
DNS seems like the most annoying part, it is SPoF by design. The problem can be mitigated, but seems like cannot be solved. For example, owning multiple domain names in multiple jurisdictions. And round-robin them. You cannot eliminate SPoF for any one specific service you want to login using email. But you won't lose access to everything at once.
Edit: P.s. At the same time, owning your domain for mail seems to be one of the most impactful things to do to reduce digital serfdom. Banned at *mail? Just switch those MX records and go on.
OpenSMTPd + Dovecot is extremely easy to setup and maintain.
For my parents, I registered a domain on OVH and they use the free email accounts they come with. So that's an independent, ready to migrate, email account for about 8 euros per year.
Proton's response copied from a Reddit thread:
Hi everyone,
No, Proton did not knowingly block journalists’ email accounts. Our support for journalists and those working in the public interest has been demonstrated time and again through actions, not just words.
In this case, we were alerted by a CERT that certain accounts were being misused by hackers in violation of Proton’s Terms of Service. This led to a cluster of accounts being disabled.
Because of our zero-access architecture, we cannot see the content of accounts and therefore cannot always know when anti-abuse measures may inadvertently affect legitimate activism.
Our team has reviewed these cases individually to determine if any can be restored. We have now reinstated 2 accounts, but there are other accounts we cannot reinstate due to clear ToS violations.
Regarding Phrack’s claim on contacting our legal team 8 times: this is not true. We have only received two emails to our legal team inbox, last one on Sep 6 with a 48-hour deadline. This is unrealistic for a company the size of Proton, especially since the message was sent to our legal team inbox on a Saturday, rather than through the proper customer support channels.
The situation has unfortunately been blown out of proportion without giving us a fair chance to respond to the initial outreach.
Thank you for your understanding,
The Proton Team
I don't follow. They can't tell if their terms of service have been violated so they took CERT's word for it? How did they decide to restore two accounts then?
there are ways to demonstrably violate terms of service without having access to a user's unencrypted data
This makes the situation even worse for me. CERTs lack any legal authority to compel action or enforce compliance. Without a thorough and fast post mortem analysis, this incident is deeply concerning for anyone who relies on Proton as their primary email provider. I guess getting trigger happy just comes as soon as you get a bigger user base but that's exactly when you get caught slipping. Like they did with the false positives it honestly reads like:
"We have good relationships and trust this CERT so we carpet bombed all accounts they send us without even looking at them."
I wonder what would have happened to accounts or users without the reach on socials.
they didn't do it because CERT said they legally had to - they did it presumably because they pay CERT to catch abuse and misuse and take action based on their findings
This doesn't change my statement, even if they take the word of the CERTs as gospel. This represents a significant attack vector for denial-of-service attacks, as demonstrated by what happened here, and for a service like Proton, such a vulnerability is nearly inexcusable.
Proton dropped from the top spot on my list of “user-first email platforms” when they announced they’ll be deleting accounts that haven’t logged into their service in some arbitrary amount of time. If I can’t rely on my email / messaging / phone / communications provider to keep an open line for as long as I need it – whether that’s one year or two years or twenty years, then I’m not going to use it. And if they require payment in exchange for providing that service, then it better accept privacy-preserving payment, but even then, I’m probably not going to use it.
Proton had a great thing going where their VPN service and business service funded the cost of maintaining free accounts. The fact that they chose to destroy years of trust by announcing a deletion policy, indicated to me that they no longer care about their users more than they care about running a business.
I’m not even asking for something unreasonable. It’d be one thing if they didn’t want to maintain free accounts with no activity but hundreds of gigabytes of storage. But they haven’t stratified the limit by storage usage. If you’ve got a free account consuming a few megabytes of storage, maybe an email you setup for the government service you interact with every few years… well you better make sure you remember to do the arbitrary chore of logging into that account every year, or Proton will just delete it, no questions asked.
Maybe they’ll send you some reminders if you gave them a “recovery” email, but that defeats the point of signing up to a privacy-preserving email service and calls into question the premise that they even are one.
(In related news, I need to text myself on Google Voice every few months or they’re gonna delete the number I use for 2FA on critical services… and this is an account that has $4 of credit loaded into it from ten years ago…)
> deleting accounts that haven’t logged into their service in some arbitrary amount of time
One year, to be exact: https://proton.me/support/inactive-accounts
It's not exact or strict. They may or may not delete.
> Proton dropped from the top spot on my list of “user-first email platforms” when they announced they’ll be deleting accounts that haven’t logged into their service in some arbitrary amount of time.
... for free accounts only, after 12-24 months of not having logged in at all.
> And if they require payment in exchange for providing that service, then it better accept privacy-preserving payment, but even then, I’m probably not going to use it.
They allow you to physically send in cash.
> I’m not even asking for something unreasonable
I don't disagree in principle, but the way you're asking for these things does in fact make you come across as an unreasonable customer.
I've had multiple proton accounts and can vouch for (pure anecdote of course) two of those working fine despite me forgetting to use them completely for at least four years. So not sure how true what you say is. These are both free accounts btw.
The amount of hate that Proton gets here for the above still ambiguous situation (and in many other comment threads) is bizarre and oddly hive-minded. The company is far from perfect but compared to the overtly parasitical openly done deep scanning of your email content and utter disregard for any responsiveness to user complaints from any major American tech company's email service, Proton is positively saintly by comparison. I'd suggest growing and regularly watering a bit of perspective.
EDIT: I see a number of comments about Proton's "jankiness" and service unreliability here too. I haven't experienced any of that either on desktop or mobile.
If you don't pay, you are not a customer. They are doing you a favour. Don't be a beggar.
I've been a paying subscriber to Proton since 2018, but I recently canceled my subscription (which ends in November). I just got fed up with the constant bugginess and jankiness of their offerings.
Any suggestions for mail hosting and VPN? I hear good things about Fastmail and mailbox.org (I see they very recently rebranded to just mailbox and revamped their offering).
Also, I've been a heavy user of the SimpleLogin alias service. Any suggestions for easily porting all those accounts to a new provider? Manually changing each and every account to a new email seems painful.
Fastmail is fine. It's somewhat limited in its UX, but technically speaking, everything works, and it's snappy. Very few outages. I really like their integrations with calendars, contacts, and mail for 3rd party sites/services. Not a ton of features or deals re: custom domains or multiple users, but it's fine if it's just for yourself. Edit: They literally -JUST- turned on Offline support for their app and web interface, so my only real complaint is gone. Go with Fastmail.
For a VPN, what do you need it to do? For tinfoil hat privacy stuff, get a VPS in Estonia or something. If you just want a secure tunnel while working remote, get a WiFi access point with Wireguard and Dynamic DNS at your home (it's free plus you probably have more bandwidth).
Hey, what's the trick of keeping your VPS OS/etc updated and upgraded without having to nuke (or replace or copy to elsewhere and "paste" back) the current setup on that VPS? In all my self hosting attempts it works butter smooth until I try to update/upgrade my VPS OS or hell even the app I am using like a VPN, or a seedbox, a notes app etc etc. I mean it's been really painful. Sometimes I have used the VPS w/o updating for 3-4 years - no security/OS update - none. The moment I do that - bam! Everything broken or gone :(
Two basic ways:
1) Use your VPS OS's native software upgrade mechanism
2) Build, test, and deploy immutable images
For 1), you configure your OS (Ubuntu LTS let's say) to do automatic unattended upgrades only for security updates (check documentation for instructions). They're designed to be backwards compatible so this is safe and automatic. May require you to periodically reboot the box. When that version of Ubuntu is eventually end-of-life, they usually provide a manual upgrade procedure to upgrade in-place to a newer version of Ubuntu. A couple manual steps over an hour or two and you're set until the new version goes EOL (many years for Ubuntu LTS).
For 2), you would build either a container or a disk image with your OS, preferred software, configs, etc. Build the image (Packer for disk image, Docker for container), write a simple test to run it and make sure it's working. Now you can install that new container or disk image onto your VPS, and you know it'll work. This is more work, but the resulting image is guaranteed to work the same way every time. So every time you upgrade, you just build a new image. If the new image doesn't work for some reason, just go back to the last image that did work. Set all this up on a CI/CD platform (GitHub Actions, CircleCI, etc) and you can just keep using that setup forever, no need to get it set up on your laptop again if you reinstall your laptop OS.
For either of these, it helps to use only software that is packaged for your OS, rather than installing custom software. There will be less extra work to perform to get the software to work and configured, and upgrade steps will be smoother.
For 2), it also helps to use a VPS which has a Terraform provider (https://registry.terraform.io/browse/providers?category=infr...) so you can write code to automate updating your VPS's disk image (or restoring an old one).
But if you get a VPS your traffic will always be linked with a unique IP. VPNs have an advantage there.
Most providers will hand you a new IP if you suspend then restart your instance. That at least spreads your pool of IPs across their AS (or some subset of it). For the price of a "reputable" VPN service, you could run 2 or 3 low end VPSes from different providers. A bit of Ansible, Python (or language of your choice), and perhaps some browser automation if the cheap VPN provider doesn't have a usable API - should allow you to automate provisioning VPN endpoints and rotating IP addresses.
That would at least move your needle around a lot, even if it isn't bringing along the haystack of all the other VPN customers sharing their endpoint IP addresses. You couldn't consider this sufficient protection against TLAs or Mossad. Or disgruntled Magic The Gathering players burnt by MtGox...
> get a WiFi access point with Wireguard and Dynamic DNS at your home
Could you elaborate more on this?
Not the parent but you can set up Dynamic DNS at home and Wireguard in your router and later use the Wireguard connection to connect to your home network and have a safe tunnel.
It’s quite easy to do with openwrt routers.
Yep! And TP-Link, Asus, GL.iNet, MikroTik, and other consumer routers also have Wireguard/OpenVPN servers and Dynamic DNS clients.
For the parent commenter: you set up an account at a Dynamic DNS service, and configure your router so when it's online, a dynamic DNS hostname will always point at your router's IP. Then you set up a Wireguard or OpenVPN server on your wifi AP. Then set up your phone, laptop, etc to connect to that server at the dynamic dns hostname. Now you have a VPN server running on your home wifi AP. Connect when you're away from home, and your traffic will go securely through your home ISP connection.
This 9-year-old issue gave me a bad taste for mailbox...
https://userforum-en.mailbox.org/topic/anti-spoofing-for-cus...
That's classic Mailbox. Deny there's a problem, or just don't ever respond. Hell, my tickets, when I face an issue, don't get responded to for weeks sometimes, and when it gets responded to, often it's a one-liner accompanied by closure of ticket :D
I'm using Fastmail and Mullvad. Both seem to work pretty well and are reasonably priced. You could also host your own on VPSs if you're feeling adventurous.
I've been on Zoho for my (and my partner's) email for 4+ years and it has been great. Chose them because there is no per-domain charge, so I have like 12 domains on it.
The configurability is extensive in both web app and ios email app. Service has been fast and stable. They rarely change anything in the UI (no random tinkering is what I mean) so it is predictable and easy to use.
I love https://purelymail.com/ for the same reason. Unlimited domains and you can pay based on usage. I pay about 1 cent per day.
I wanted to use them. But they had a bug in SMS sending and it's been a few weeks (or more) and they have not fixed it or been able to fix it. Also, it was not clear whether they use the same setup for recovery/alert SMS (I asked, received no reply). I tried following up with their support for a few days (it's a one-person setup; recently a support person was hired who responds on Discord and is apparently swamped), but it didn't happen. I just tried now and the issue still exists. That seemed like not a good sign. Also - ownership has changed few months ago.
Ah crap the ownership change is new to me. At least the opening blog post seems like they're trying to do good by the customers.
https://news.purelymail.com/posts/updates/2025-03-06-a-new-c...
Also been using zoho for at least 6 years. Cheap and reliable.
I wouldn't trust Zoho. More than 10 years ago, they shadowbanned (can not be shared or publicly viewed) my documents because it criticized Chinese communist party.
what are the charges?
Entry level is $12/year. Bring your own domain.
My experience is the apps are missing very fundamental features. Which would be fine... If you could use other clients. But you can't, except for email, kind of.
Like, the calendar on mobile doesn't even have a search function. What if I want to know when an event is happening? I just have to scroll and scroll until I find it? Come on now. Also no storage backup in proton drive??? What??? That's, like, 90% of the purpose of proton drive!
Yeah I was really disappointed they released their llm service before making an official proton drive linux client.
> constant bugginess and jankiness of their offerings
This is something I had not heard (also have been a paying user for a very long time).
I've never encountered a bug, to my knowledge. I did dislike that when they released photo storage they didn't have a proper search feature.
Same here, no bugs in Proton apps and I’m still a happy subscriber.
For me the jank is in their billing and the plans I can purchase. I can either have a Business Mail Essentials plan or a Business Password plan, but if i want both at the same time I have to buy a plan that's three times as expensive or drop my custom domain name.
I do dislike their billing options when it comes to feature / service selection.
There was also that whole IMAP data loss issue. Unsure if that ever got resolved.
Android / Linux using the web apps / chrome ext here.
Proton seems to have a lot of cheerleaders that come out of the woodwork when anyone complains. I'm happy that somehow their code is magically bug free for you, since you've somehow never encountered any bugs whatsoever in their code (despite their release notes mentioning literal bugs they've fixed).
I'm glad it works for you, but their offering is frequently buggy and broken for me.
It'd be useful if you pointed out bugs instead of just implying that anyone who doesn't share your experience is some sort of shill
The person I was responding to literally said they were "a paying user for a very long time" and "never encountered a bug". No software is bug free. I can't think of a single software service I've used for as long as Proton (7 years now) where I haven't encountered a single issue over that time. I take their statement to be so incredibly unlikely as to be facetious or intentionally duplicitous.
So I responded in kind, because I've definitely seen company cheerleaders, and I'll have no part of it. I'm glad you all are happy with Proton. I'm not telling you to leave.
And if you really want to see complaints, you don't have to look far. Read the other comments on this thread. I don't have to spell everything out for you.
Idk what to tell you. Email is mostly a solved problem for most cases, and object storage is mostly the same. Password manager is one of the best I've found in any platform, at least for the individual-user use case.
The VPN has always just worked, too.
If you're using desktop apps for things, really can't help you there as I have no experience with any proton offerings for that piece.
https://old.reddit.com/r/ProtonMail/comments/t8vwhf/deleting...
https://news.ycombinator.com/item?id=33432296
https://old.reddit.com/r/ProtonMail/comments/yjz3yu/proton_b...
https://old.reddit.com/r/ProtonMail/comments/1j79x7j/has_the...
(The temerity of the customer service response on that last one, saying they have no clue about the bug being asked about is galling, but par for the course for them).
BTW, make flippant responses, get responses in kind. Normally I'd ignore this idiocy, but today was your lucky day. Anyway, it's clear you're just a troll and I've indulged you enough.
I would imagine this is the universal case, otherwise they would be out of business.
People that feel very satisfied or dissatisfied with something are most likely to comment. I've just been very satisfied.
I moved to Fastmail a few years ago. No real complaints, and I’d definitely do it all over again.
That said, because I’ve not experienced any failure, I’ve not experienced how well Fastmail handles failure, which is the real measure of a company.
For mail hosting, take a look at Posteo.de (no custom domains though), mailbox.org, runbox.com, mailfence, migadu, and cranemail. All these are cheaper and a lot more affordable than something like Fastmail. All of them support IMAP, using which you can move your email elsewhere (or easily backup/have local copies).
I am a Fastmail customer. Absolutely horrible customer support but pretty solid email. Do not even think about using the "suite" they offer alongside email.
The rebranding and "revamp" is limited to the logo and colour changes :D everything under the hood is still the same good old OX inferiority. Hell, you may never want to use their webmail either (my 99.9999% mail usage is via IMAP clients). They are fine other than that.
Fastmail is pretty good if their price and offerings are not an overkill for you. You should check Runbox as well - really good.
Simple Login alt: addy.io? Fastmail and Mailbox (auto-deletes in 30 days unless you "touch" it :D) also have disposable email as part of email offerings. Don't know about Runbox.
Similar case, I recently migrated from @mozmail to SimpleLogin and wondered if I made the right choice.
I heard using your own domains solves the migration issue but that makes your email pretty identifiable just by looking at your domain.
I wonder what's a suitable replacement candidate after Mozmail and Simple Login? One of the reasons I migrated away from Mozmail to Simple Login was that you can't initiate an email sending, which made it difficult to contact support if needed. Plus Mozmail are on Amazon SES.
You mean Firefox Relay right? It has been in beta for a long time (I mean anything other than the basic free plan). Did you get in via some invite or so?
https://relay.firefox.com right? Or there's another service?
> that makes your email pretty identifiable
Agreed. I have also stopped abusing the catch-all of my domains. It became a pain very soon. Not only privacy issues but I couldn't possibly block those emails/spam that were coming on usernames like sales and many more.
Yes I was using Firefox Relay.
> Did you get in via some invite or so?
I signed up normally. It's been a while so I don't remember the details but I didn't receive any invitation or early access etc.
Fastmail has an open source API they call JMAP. You could probably find or write something that could help convert to the Fastmail masked email. I was able to set up an integration with a local LLM to read my email and act on it in about an hour.
I like fastmail they seem to have a move slow and don't break things mentality that I like from my email.
I moved from Proton to Fastmail (and Mullvad for VPN).
I was a founding paying member of Proton Mail. I loved them and evangelised them for years. But after a decade, the quality of the offering, especially the mail and calendar, is almost a joke, and the company seems very distracted chasing the next big thing (the half baked password manager being one).
Comparing Fastmail’s UI and feature set with Proton, you quickly realise they are leagues apart.
And no Fastmail doesn’t provide e2e encryption. For that I use Signal, and for the few occasions where I need e2e encryption in email, I use PGP.
My only wish is that there was more client support for JMAP protocol. Even thunderbird doesn’t support it, and I can’t go back to IMAP because I like labels. Thankfully Fastmail’s own web interface is so good it is not a big issue.
I’d say they make one of the best password managers. Its probably their biggest success in recent years.
> (the half baked password manager being one).
Or a very bizarre LLM offering: https://news.ycombinator.com/item?id=44657556
https://tuta.com/
The one thing I don’t like about both Proton and Tuta is that they don’t support IMAP. Users of these platforms would find it a bit more difficult to move their emails out of the system if they wish to.
See here:
https://news.ycombinator.com/item?id=45229681
I recently moved from Gmail to Migadu and started to use my own domain instead. Works great so far
I've used Migadu since their free plan days. Even though I had trouble in the transition (partly due to my fault) it was handled decently and I stayed on. Been friction less since. I must also mention Edison e-mail, which makes such a great client!
I've been happy with Startmail, good customer service, they don't offer any of the non-email cloud services though.
Fastmail is a good product with technical chops, contributes to open source and cares generally about being good members of the international email space, standards etc.
Fastmail's interface is very plain, and it works very fast and works well.
They support a plethora of ways to do mail and have many advanced users so their mail support is very good, maybe close to running your own mail server without having to deal with rbls and getting spamlisted
I use Fastmail and I’m mostly happy with it. Their design team is thoughtless so their web and mobile offerings are disappointing. The mail hosting itself seems to be excellent though.
Can proton even win here? The obvious solution would be "we don't take down unless there's a court order", but then you'd get exposé pieces saying how protonmail is a den for drug dealers/pedophiles/doxxers/cyber criminals.
> The obvious solution would be "we don't take down unless there's a court order", but then you'd get exposé pieces saying how protonmail is a den for drug dealers/pedophiles/doxxers/cyber criminals
I think it'd be crazy to make a service worse because of worry over potential hit pieces that might whine about a perfectly reasonable policy. It isn't as if Proton Mail hasn't been accused of those things before anyway (along with accusations of being a honeypot and not private enough).
It's better to have integrity and fight for your users than to cave just to avoid click bait articles by people with irrational views.
No.
They currently do cooperate and they go get the odd bad press about this.
So doing what they actually claim to do would change nothing. Their current stance is just a cop out.
Yes.
Most CERT requests are valid and good and should be obliged.. but there should be a manual check involved.
Especially when an appeal is filed. Especially when the content is obviously security reporting.
Both extremes are wrong - don't ignore CERTs and don't mindlessly oblige them. Find one of the many reasonable middlegrounds.
> but there should be a manual check involved.
I suspect there's a few email providers where the marketing and reputation management teams are hurriedly adding "check the user and the user's affiliated social media reach before suspending this account, and before responding to any support requests from the user."
My new elevator pitch: We proactively research all of our customer's users and new signups to assign them a social media reach score. We then automate escalating external account action requests or user support calls for highly ranked users to senior staff and providing details and evidence of their social reach and industry affiliations. While we generate revenue from these customers, our primary revenue stream is the aggregated data we acquire while doing this, and selling access to that data to law enforcement, the insurance industry, and Nation State intelligence organisations across the globe.
The Reddit response from Proton: https://www.reddit.com/r/ProtonMail/comments/1nd1nrc/comment...
I’d like more details about the initial CERT contact if anyone knows anything
The silence of proton can only be interpreted to their disadvantage. This is not very smart and will make everyone doubt them.
While I like the idea of a safe and uncompromising service, proton seems less so now.
Ladar Levison and Lavabit certainly earned themselves credibility there a dozen years or so back.
Sadly https://lavabit.com/ currently just says "We are not accepting new users at this time. Mail services remain online, while we work on improving our website code. "
PSA: Proton deletes "unused" accounts after one year, and defines unused in some opaque sense where receiving but not sending emails is "unused", so I'm in a nasty position of my iCloud account being unrecoverable. Going to have to spend nontrivial time off-boarding my account.
> defines unused in some opaque sense where receiving but not sending emails is “unused”
"You are considered active if you log in and use our services once a year. Simply logging in to any Proton service on our web, desktop, or mobile apps at least once a year is enough."
<https://proton.me/support/inactive-accounts>
I had the mobile app and login. That wasn’t enough. Reading emails was not enough.
I almost never use my protonmail to send emails, just reading, mostly on phone too. Has been fine so far.
Do they still use that old shady billing? You could get "credits" from a coupon to upgrade your plan, and once it ends, it automatically subscribes and your account bill goes negative. Unless you pay that, your account is locked. Happened to me some long time ago and I haven't used Proton since.
Is this for paid accounts too? If you prepay for 5 years and get lost at sea for 3 years, should you expect your proton to still work?
It's for free accounts, only.
It is very naive to believe that email providers and VPNs do not have to respect the law.
If that were the case, they would not be approved by any payment providers at all.
On top of that, add the possibility that hosting companies and upstream network peers would shut them down.
And what specific law did you have in mind, exactly?
You do know what law required Proton to act as it did at each step in the story, right? You wouldn't just come up with random non-sequiturs, right?
And this is why I host my own email server, even if I am not a journalist investigating governments or anything of the sort. It's a matter of control over my computing.
Common folklore is that this is extremely onerous to self-host (and have it work successfully.) How did you go about it?
Also, how do you mask your identity if you self-host? I can have as many mailboxes as I want but they're all trivial to correlate because they share a domain that isn't providing email accounts to large amounts of users. And then there's the matter of a VPS not actually being under my control. It's a VM running in a datacenter. I could run the mail server locally, but then I'd still need to relay through a VPS to mask my IP address. And that's still only protecting from a casual adversary...
The common folklore is just FUD. The main issue is deliverability to the likes of Google, Microsoft, Yahoo, etc. You need a clean fixed IP in non-residential block and a sufficiently aged domain or your mail will be flagged as spam or rejected. Alternatively, you can use a relay service for outbound email. Besides the deliverability issue, hosting email is fairly trivial from a technical standpoint; on Linux, the standard utilities are Postfix, Dovecot and OpenDKIM. The server is for my own use, so I don't even bother with spam and AV filters.
Even if you can't send email at all (unlikely if you use an outbound relay), there are very significant privacy benefits to having your own server. I send very few emails relative to the number I receive. You couldn't pay me enough to go back to one of big commercial providers.
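The deliverability problem raised above is mostly a DNS problem: before a big receiver trusts an unknown server it checks SPF, DKIM, DMARC and the sending IP's reverse DNS. The following is an added example, not code from the page or from any of the projects named (Postfix, Dovecot, OpenDKIM): a small offline audit of those records, run over a constructed zone for a hypothetical domain `example.net` sending from `203.0.113.10`. The DKIM key value is a placeholder; the SPF evaluator only handles literal `ip4:`/`ip6:`/`all` terms because `a`/`mx`/`include` need live DNS.

```python
"""DNS-side deliverability audit for a self-hosted mail domain.

Big receivers check SPF, DKIM and DMARC plus the sending IP's reverse DNS
before trusting an unknown server. The zone data below is a constructed
in-memory table so this runs offline; replace it with real TXT/PTR lookups
(e.g. via dnspython) to audit a live domain.
"""
from __future__ import annotations

import ipaddress

VERDICT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record: str) -> list[tuple[str, str]]:
    """Split an SPF TXT record into (qualifier, term) pairs."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    terms = []
    for term in parts[1:]:
        qualifier = "+"
        if term[0] in VERDICT:
            qualifier, term = term[0], term[1:]
        terms.append((qualifier, term.lower()))
    return terms


def spf_result(record: str, sending_ip: str) -> str:
    """Evaluate ip4/ip6/all terms for sending_ip without DNS lookups.

    a/mx/include/redirect need live DNS and are skipped, so this is a
    conservative check: 'neutral' means no literal IP term matched.
    """
    ip = ipaddress.ip_address(sending_ip)
    for qualifier, term in parse_spf(record):
        if term == "all":
            return VERDICT[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            if net.version == ip.version and ip in net:
                return VERDICT[qualifier]
    return "neutral"


def parse_tags(record: str) -> dict[str, str]:
    """Parse the 'k=v; k=v' tag lists used by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit(domain, zone, sending_ip, ptr_name, helo_name, selector="mail"):
    """Return a list of findings for the domain; an empty list means it looks sane."""
    findings = []

    spf_records = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf_records) != 1:
        findings.append("spf: expected exactly one v=spf1 record, found %d" % len(spf_records))
    else:
        result = spf_result(spf_records[0], sending_ip)
        if result != "pass":
            findings.append("spf: %s is not authorised (result=%s)" % (sending_ip, result))
        quals = {term: q for q, term in parse_spf(spf_records[0])}
        if quals.get("all") == "+":
            findings.append("spf: +all authorises every host on the internet")
        elif "all" not in quals:
            findings.append("spf: no terminal 'all' term")

    dkim = zone.get("%s._domainkey.%s" % (selector, domain), [])
    if not (dkim and parse_tags(dkim[0]).get("p")):
        findings.append("dkim: no public key published at selector %r" % selector)

    dmarc = zone.get("_dmarc.%s" % domain, [])
    tags = parse_tags(dmarc[0]) if dmarc else {}
    if tags.get("v") != "DMARC1":
        findings.append("dmarc: no _dmarc record")
    elif tags.get("p") not in ("quarantine", "reject"):
        findings.append("dmarc: policy is %r, not quarantine/reject" % tags.get("p"))

    # Forward-confirmed reverse DNS: the IP's PTR must equal the HELO name
    # (the forward A/AAAA check back to the IP is omitted here).
    if ptr_name.rstrip(".").lower() != helo_name.rstrip(".").lower():
        findings.append("rdns: PTR %r does not match HELO %r" % (ptr_name, helo_name))
    return findings


# Constructed zone for a server on 203.0.113.10 (the DKIM key is a placeholder).
GOOD_ZONE = {
    "example.net": ["v=spf1 ip4:203.0.113.10 -all"],
    "mail._domainkey.example.net": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],
    "_dmarc.example.net": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.net"],
}

# The same domain with the mistakes that get mail silently binned:
# server IP missing from SPF, no DKIM record, monitoring-only DMARC policy.
BAD_ZONE = {
    "example.net": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_dmarc.example.net": ["v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(label, audit("example.net", zone, "203.0.113.10",
                           "mail.example.net.", "mail.example.net") or "ok")
```

Running it prints `good ok` and three findings for the bad zone. The checks are deliberately the boring ones: a `-all` or `~all` terminator, the server's own IP actually listed, a key at the DKIM selector OpenDKIM signs with, a DMARC policy stronger than `p=none`, and a PTR that matches the HELO name. Missing any of these is what most often turns "my mail goes to spam" into a reputation problem on a fresh IP.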
> You need a clean fixed IP in non-residential block
Feels like that's carrying a lot of load there?
Where do you get those? I doubt any inexpensive VPS provider has any clean IP addresses? AWS charge you $5/month for an elastic IP address, and I bet you'd need to cycle through their pool of those looking for one that hasn't been blacklisted recently?
There's another thing to consider here too. I was self-hosting my own mail, but back in 2013/14 I investigated all my mail, and even though I'd avoided Google/Microsoft/Yahoo et al., over 80% of my personal email was on their servers because that's where my correspondents were. I pretty much gave up maintaining my own (slightly over-complicated) stuff and gave in and chose to accept the "Do no evil" company at face value. 4 or 5 years later that company no longer existed, even though they continue with the same name today.
If I may say so, did you not just show in this very comment that that common folklore about self-hosting email "successfully" is not really FUD? :D
As far as I can remember, you don't even get IMAP access on the Proton free tier. For me, that's a non-starter. The privacy claims are also mostly marketing, as it is basically impossible to verify what Proton actually does when approached by a three-letter agency. I wouldn't use email anyway if I had something to hide, the email protocol wasn't designed with secrecy of communications in mind. For that, Signal seems far better, or perhaps a self-hosted, encrypted Matrix room.
When people show you themselves, believe them. Proton is no longer to be trusted. Use at your own risk.
proton always glowed but just straight up bending to unnamed agencies puts em rank and file with every single other provider
Is refusal realistic? It's nice in the abstract, but in practice, there are plenty of ways to coerce illegitimate compliance.
No company is gonna seriously refuse when their jurisdiction's equivalent of the FBI or NSA turns up with a court-authorised order. As James Mickens said: "YOU'RE STILL GONNA BE MOSSAD’ED UPON"
But it'd be nice to be able to expect your email provider not to cave in to a request from some other country's CERT organisation without pushing back for evidence and some sort of proper judicial authority behind the request.
This article, right? https://www.usenix.org/system/files/1401_08-12_mickens.pdf
You either die a hero, or you live long enough to see yourself become the villain.
not all heroes wear capes, much less release a personal AI assistant to navigate your own data while the MAIL CLIENT AND CALENDAR APP have been in beta on Linux for YEARS
I'm worried and surprised to see that in the many comments here, contrary to what I'm used to reading here, nobody seems to have dug deeper or looked critically at the evidence. Quite a lot of just ad hominem and insinuation.
This looks like brigading to me. Which is the only way for govs to fight against protonmail: spreading doubt.
Hence I am reinforced to continue being a strong supporter of Proton.
I thought Proton was a confidentiality / privacy oriented thing. How do they even know who owns the accounts?
You can disable an account without knowing who owns it, although they do have credit card/payment information now, and I don't think new accounts get encryption services unless they pay.
That said, if your inbox is encrypted, protonmail does so on the client side with a second password. They can maybe delete the account, but proton mail doesn't know what the encrypted data is. What happens to new emails sent to a disabled address is anyone's guess though. Honestly I think they're doing the best they can given the circumstances
>and I don't think new accounts get encryption services unless they pay.
source? Their compare plans page specifically lists "End-to-end encryption" as a feature for their free plan.
https://proton.me/mail/pricing#compare-plans
I thought I made a new account a while ago (as the front end for an OSS project) and it wasn't encrypted, and then when I checked encryption was moved to the paid membership. It looks like I may have just been confused though, because you're right it looks like it's still part of the free tier
You are trusting them. They control the client, how the keys are created/stored, etc. Javascript, etc. If they were to suddenly turn one day, they could.
This is the weakness of cloud services.
It is very possible for them to inject custom JS to a specific user.
You are the bosses at Protonmail: do you want police at 6 am shaking your kids, seizing all your devices, and losing all agreements with PayPal and Visa/MasterCard, because you want to protect a guy who distributes child pornography or plans a terrorist attack?
No way, so you tap the CTO on the shoulder and ask him to push a temporary update or turn on a feature flag, in order to collect the missing information.
This is true for all companies who control the client.
From what we (at least I) know, this wasn't the police in Switzerland waking up senior management.
It was - without anyone admitting to it - probably KrCERT who requested the account suspension. KrCERT don't seem to have any legal jurisdiction in Switzerland.
"KrCERT/CC, which is an internal division of KISA, is a CSIRT with national responsibility and a focal point of contact for Korea on international cybersecurity incident handling." -- https://en.wikipedia.org/wiki/Korea_Internet_%26_Security_Ag...
I'd like to think if they 'tapped on the shoulder of the CTO ' of a company headquartered in Switzerland, he'd say "maybe, come back with an order from a relevant court or security agency in Switzerland and I'll get my team right on that".
Trusting them is almost guaranteed, but it doesn't have to be, sort of. The clients are open source, so you can literally clone, audit, and run the clients locally.
Full disclosure, I use Proton and overall trust them so unless I see strong evidence of abuse or lies on their part I'm inclined to post contextualizing comments on stuff like this, b/c well I don't wanna host my own mail server, at least not in prod.
Or just use an open source email client.
I would expect their own apps to be open source, are they not?
Indeed they are: https://github.com/ProtonMail
If you, or someone else, would like to, please audit the repos. Could be cool to see trusted forks of some of the clients.
Using an email client requires a Proton Bridge thing that acts as a local IMAP/SMTP proxy: https://github.com/ProtonMail/proton-bridge
As if disabling the issue tracker and stonewalling pull requests wasn't bad enough, seeing how it is built out of multiple layers that communicate via gRPC was what made me instantly lose all trust in Proton. I don't know who's been doing their hiring but just from one look at that kludge it's evident they've lost the plot altogether.
(There's a third-party alternative called Hydroxide, but it's experimental. Haven't been able to send emails through it from Thunderbird yet, though I've only looked into this for a few hours recently.)
Second paragraph of the article:
>But last month, Proton disabled email accounts belonging to journalists reporting on security breaches of various South Korean government computer systems following a complaint by an unspecified cybersecurity agency
They all are until they get threatened.
Sooner or later we will default to analog means. It’s not looking good.
Last time I checked, hacking was still a crime in most jurisdictions - even if the target is considered a geopolitical adversary. This sort of activity is also against the Proton ToS. Once KrCERT and Proton were alerted to this activity, they would have been legally obligated to act.
That's not to say I feel any sympathy for the target - who by all accounts has done a fair bit of damage. But this sort of hacktivism / vigilantism simply isn't helpful. There's a high likelihood that one or more nation states / law enforcement agencies may have had active operations directed against this threat actor derailed by such activity.
tl;dr - If you're going to conduct such activities, practice proper OPSEC. And don't let your desire for attention / recognition take priority over staying on the right side of the law.
It's because the journalists were covering the professor-student rape scandal at UIUC Champaign that was covered up by Champaign and other governing bodies.
Citation required?
That's not what Phrack says here: https://phrack.org/issues/72/7_md
Where they say "Proton was used only for email and only to communicate with South Korea"
Forward Email fan, for the fact that they are 100% open source. Easy access to the developers. All the others are closed source in most regards.
Proton Mail is an exercise in gullibility
Hmm going to wait and see how this plays out, maybe it's time to look at alternatives, assuming that my custom domain email isn't somehow locked to them.
Proton does not do anything it says on the tin.
Just a warning
So, is this a case where Random Cybersecurity/Tech Group mistakes responsible disclosure for hacking, and then reported it to Proton, which took their word for it and disabled the account?
From the Proton/X discussion in the Intercept article
"Big Tech CEOs are tripping over themselves to kiss the ring precisely because Trump represents an unprecedented challenge to their monopolistic dominance.”
They don't know how this is going, from what I see Trump threatens something not to change something, but to get something. If there is any anti-trust drive it's there to shake the tree, not to break up big tech. Trump loves big US corporations, like those in the 50s and 60s, those pre-Bell-breakup.
A related submission a few days ago with similar Proton response on twitter: https://news.ycombinator.com/item?id=45201153
Side note regarding Proton: it seems that people are mentioning the fact that IP is being tracked with user creation in Proton Mail?
So if someone downloads Proton VPN and uses it that way... I always considered it to be the best VPN (even better than Mullvad), but I guess I was wrong...
I would still use Proton VPN, but I will try to migrate towards, quite frankly, more services from now on. Email should just be a way to discuss what should be your Matrix account or XMPP or even Signal...
Another thing that I want to point out is that I had once gone into network permissions etc. in Proton Docs and tried to write a comment and write stuff etc., and I am not sure about the writing stuff, but although these do feel "encrypted", I saw a thing in the API response when I did curl or something which showed logs, so I assumed Proton keeps logs..
Another problem I feel is that Proton is only encrypted via your password which you enter into the system, and it seems that you can change the password if you have something like phone verification. Fundamentally something like this can only work if they have the keys, so they have the keys to your encrypted account. I am sure that there are ways of adding your own private key too, but how many people using Proton are doing that?
Fundamentally, this is how the stack works or has to work imo. You are trusting them because of a lack of conflicts. They have built their name on privacy and so everyone will leave if they are less private, but the thing is that they might be using some open source tech that might have an update that couldn't be audited, or somehow get hacked themselves, and since Proton might have some juicy targets like journalists, people's lives may be on the cutting edge.
I heard this somewhere that I wish to share: you want technologically private solutions not because you don't trust someone but rather because it should remove the need for trust in the first place. Proton hasn't / can't reach it imo.
I don't mean any hate towards Proton, but that was my understanding. I still use it. Please let me know if I got something wrong or whether what I am saying is correct. My purpose is not to spread misinformation but rather to inform my opinions / correct them if I am wrong.. (I may be wrong, I usually am [my most loved line from the book How to Win Friends and Influence People])
I feel as if we need to get things like a Pi etc. or whatever, and at least to me hosting something like Matrix seems okay-ish, I am not sure. Email just doesn't feel like a good protocol for privacy.
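The comment above asks how a password-encrypted mailbox can coexist with a password reset. The following is an added example, not Proton's code and not a description of any provider's actual key handling: the generic pattern of a private key wrapped under a password-derived key, worked through a login, a password change that knows the old password, a server-side reset that does not, and a recovery-code path. The "private key" is a random 32-byte stand-in, and `wrap`/`unwrap` use an HMAC-SHA256 counter-mode keystream plus an HMAC tag as a standard-library-only stand-in for AES-GCM; these are assumptions of the example, not anything the thread states.

```python
"""Password-wrapped private keys: what a password change vs. a reset does to old mail.

Generic pattern, not any provider's actual implementation. The private key is a
random 32-byte stand-in, and wrap/unwrap use an HMAC-SHA256 counter-mode
keystream plus an HMAC tag as a stdlib-only stand-in for AES-GCM.
"""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000


def derive_kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key from the password; only the client ever computes this."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
    return out[:length]


def wrap(kek: bytes, secret: bytes) -> bytes:
    """Encrypt-then-MAC the secret under separate subkeys; returns nonce || ct || tag."""
    enc_key = hmac.new(kek, b"enc", "sha256").digest()
    mac_key = hmac.new(kek, b"mac", "sha256").digest()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(enc_key, nonce, len(secret))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, "sha256").digest()


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Inverse of wrap; raises ValueError on a wrong key or a tampered blob."""
    enc_key = hmac.new(kek, b"enc", "sha256").digest()
    mac_key = hmac.new(kek, b"mac", "sha256").digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong password/key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Account lifecycle. The record dict is what the server stores: salts and
# wrapped blobs only, never the password or the unwrapped private key.

def create_account(password: str):
    """Returns (server_record, recovery_code); the recovery code wraps a second copy."""
    private_key = secrets.token_bytes(32)        # stand-in for the real mailbox key
    recovery_code = secrets.token_hex(16)
    salt, recovery_salt = os.urandom(16), os.urandom(16)
    record = {
        "salt": salt,
        "wrapped_key": wrap(derive_kek(password, salt), private_key),
        "recovery_salt": recovery_salt,
        "recovery_wrapped_key": wrap(derive_kek(recovery_code, recovery_salt), private_key),
    }
    return record, recovery_code


def login(record: dict, password: str) -> bytes:
    """Client side: recover the private key from the password. A wrong password raises."""
    return unwrap(derive_kek(password, record["salt"]), record["wrapped_key"])


def password_unwraps(record: dict, password: str) -> bool:
    """True if the password opens the stored wrapped key."""
    try:
        login(record, password)
        return True
    except ValueError:
        return False


def change_password(record: dict, old_password: str, new_password: str) -> dict:
    """Needs the old password: unwrap, then rewrap the same key. Old mail stays readable."""
    private_key = login(record, old_password)
    salt = os.urandom(16)
    return dict(record, salt=salt, wrapped_key=wrap(derive_kek(new_password, salt), private_key))


def reset_password(record: dict, new_password: str) -> dict:
    """Server-side reset (e.g. after phone verification) with no old password and no
    recovery code: the only option is a fresh key, so the old wrapped key, and every
    message encrypted to it, becomes unreadable."""
    fresh_key = secrets.token_bytes(32)
    salt = os.urandom(16)
    return dict(record, salt=salt, wrapped_key=wrap(derive_kek(new_password, salt), fresh_key),
                recovery_wrapped_key=None)


def recover(record: dict, recovery_code: str, new_password: str) -> dict:
    """Reset that keeps old mail: unwrap via the recovery copy, rewrap under the new password."""
    private_key = unwrap(derive_kek(recovery_code, record["recovery_salt"]),
                         record["recovery_wrapped_key"])
    salt = os.urandom(16)
    return dict(record, salt=salt, wrapped_key=wrap(derive_kek(new_password, salt), private_key))
```

The point the example makes concrete: with this pattern the server can let you reset a password via phone verification without ever holding the key, but then the old mailbox key is gone with the old password; whether old mail survives a reset depends on whether a second wrapped copy (a recovery code, or a provider-held key) exists, which is the question to ask of any provider rather than something the password flow alone tells you.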