Free and Open Source Software

I’m on the edge of quitting protonmail. The issues:

• #CAPTCHA hell. At least for Tor users.
• no app in f-droid
• API shenanigans and/or CAPTCHA breaks hydroxide (the foss bridge)
• protonvpn: you can no longer fetch all the configs in one download. You have to click “download” >120 times now to get all the configs
• account locks if you do not login frequently enough (i think every 6 months)
• if you supply your login creds but get a CAPTCHA and say fuck this, and walk, it does not count as a full login needed to reset the expiration clock
• the CAPTCHAs are graphical which forces you to enable images in your browser; but when you do that you get images that junk up your screen and waste bandwidth
• no public keyring. Hushmail was better in this regard. An advanced user could upload their PGP public key to Hushtools and then encryption just worked for hushmail users contacting that person. After Hushmail started charging, I would tell the normies who need comms w/me to get a gratis Protonmail account. But then I have to send them my public key and they have to figure out how to attach it to my profile in their phonebook. It’s a show-stopper in many situations.

Proton AG lost me as a customer the minute they backdoored a binding arbitration clause into their TOS last year.

The difficulty of proving damages in breach of privacy cases combined with generally weak privacy legislation globally means the threat of a class action often serves as one of the only practical deterrents to abuses of power by corporations controlling sensitive personal information. By changing its terms of service, Proton essentially immunized itself from suffering any significant penalty in the event its negligence leads to a mass breach of privacy of its users.

Tactics like the use of binding arbitration clauses are hallmarks of inherently untrustworthy corporations.

My only major complaint is their free-tier is a bit lacking compared to what Skiff had (or I guess has, but not for much longer.) I think their platform is great, and definitely worth paying for, but given I'm a broke college student that's not much of an option. Also their support for third party clients (or lack thereof) isn't great, though I don't use those as much. Otherwise I like it quite a bit!

Only thing would be the closed source server and no third party apps. They do have an API, but I haven't found anything written on top of that.

I'm not entirely sure why expected a user-owned private key 🤔 How do they ensure zero knowledge if you send them the username and password?

CC BY-NC-SA 4.0

General rule of thumb:

1. Web: can change at any moment, can serve a highly secure mail web app... except to those it might decide to target, giving them zero notice, leaving close to zero trace.
2. Electron based "app": if it can run random JS from the web, see first point.
3. Compiled app: to change its way of working, the user needs to update/download a different version. An explicit user action is required, people can notice malicious changes and warn others about them.
4. Compiled open source app: same as a compiled app, except people can also notice malicious changes before running the code, fork it to remove them, compile it themselves, and warn others.

ProtoMail, touts itself as a "secure web app", which is a contradiction.

If you use an open source app to access ProtonMail's service, the security lies in whatever app you use. At that point, might as well send E2E encrypted mail via GMail.

TL;DR: the way most people use it, is just security theatre.

Proton fell into the black hole when they pitched to replace Gmail on Huawei phones. Being eager to do business with the CCP was a dealbreaker.

That said, I have a Tuta account. I don't use it for everything, but I have no complaints.

I've had good luck. Reliable and fast as any other service.

I'm a 3rd year subscriber of the Unlimited plan, $158 for 2 years at a time. I utilize the drive, aliases, mail and VPN.

No real complaints. I still use Google calendar because it integrated more with Android phone. I still consider going back to Gmail occasionally for simplicity. I really hate Gmail though but email is garbage. Does it really matter?

I basically priced out good vpn's, and the two year price of proton was pretty similar to most other quality VPN plans. So why not stick with it and get the rest of the ecosystem too.

I don't think about it too much, it's email and it works.

I do not care about secure email because I don't communicate with anyone else using it, but I do like how it automatically blocks trackers and cleans email links for me.

My experience has been fine. If you go into Proton Mail with the understanding that you're doing it to stop Google from data mining your email, and not for the sake of truly private/anonymous email, you'll have a good time. The aliasing feature is super nice as well.

Nothing really. They did once put a scan on someone's IP after the authorities asked them to. But it was a court order. Makes sense.

I don't use them because I think Email is beyond saving anyway. 90% of our mail goes to or from Amazon, Google or Microsoft anyway. OpenPGP is not used by anyone, even Phil Zimmermann famously refused to use it. There is so much spam and phishing that most institutions no longer send anything of value by email, it's just a notification service for "please log in to our portal to view your message". Email is just so broken and the workarounds so feeble that it's beyond fixing.

Email as we knew it is just gone and done. I just use O365 because it's cheaper and offers me a lot more (like 1TB cloud storage which I use with Cryptomator). Proton Drive is too expensive for me and I like doing the encryption on the user-end anyway because that offers real end to end security. I applaud what proton are trying to do but it's too little too late and I don't want to use a special email client. If they want to promote privacy they should do it with something where that's still possible.

And for VPN I prefer mullvad anyway because I like the way they sell scratch cards on Amazon. And my password manager I self-host.

But really it's not a bad service if you can afford it and don't want to go for Microsoft and Google.