Add warning under Proton Mail that alias can be used to login as well

I have often seen people presume that if they don’t give out their main Proton Mail, they’ll be “safe” when that is not the case, and it only serves to give a false sense of security. Proton aliases are glorified SimpleLogin mails with perhaps better reputation, and their only purpose is better compartmentalisation. The website should reflect that so people can make an informed decision.

Relevant reddit thread

2 Likes

None of this explains why a warning would be required.

3 Likes

Does this really happen? I’ve seen people talk about it before, but I cannot reproduce. When trying to log in with a SimpleLogin alias, it says that the address does not exist. The contrary is true for the multiple normal (non-alias) addresses you set inside Proton Mail, though.

1 Like

I realise “warning” may be too out there, but there should be a mention of risk associated with it. Currently, it only links to a Proton article, which talks more about how to create an alias while completely omitting the part stated above.

I mean it’s a few additional lines, “main purpose is compartmentalisation of emails but can be used for login too” or however you want to word it.

Proton calls them aliases as well, which is what I’m talking about. This doesn’t happen with SimpleLogin mails.

Honestly, you should never type a ***@proton.me email anywhere in the first place.
I can understand how scary it might have been to OP but the whole point of buying into Proton is to shield yourself with SimpleLogin and never (ever) give anybody your private Proton/Tuta/etc.

Good thing is that they can delete those aliases as far as I remember. :+1:t2:
Sad thing is that they bought some yearly plan probably a bit too fast here. :sweat_smile:

But yes, the whole “alias” branding is quite confusing for sure.


Sharing a screenshot of the post from Reddit for people not willing to visit that one.

3 Likes

Right, but what is the risk? That someone who has your non-default Proton address, your password, and your 2FA can log into your account? That’s really a bizarre thing to be concerned about imo.

4 Likes

Bizarre. By your logic, there’s no need to turn on 2FA either as long as one has a long & unique password. Very unlikely to be breached. Many operate their password manager like this, but of course, an additional safety net is always good. Same here. You may disagree, but people consider this as a factor, and the website should reflect that information. It’s as simple.

1 Like

Once per year, last I checked. You can disable them, however.

That’s my point. Personally, I wasn’t aware of the fact, and if I had been, I wouldn’t have bothered with the aliases. I’m not alone in this, thus my recommendation.

1 Like

Yeah no. If you believe you depend in any way on this for your account security, you probably have to update your password :joy:. It doesn’t make any sense.

This would only be concerning if through the additional address you can see the others which is not the case.

2 Likes

The fact that:

  • they don’t make both things clear (separation between SimpleLogin + Proton) is on their side to fix (Proton’s) :+1:t2:
  • that SimpleLogin’s UX is quite confusing as a whole

doesn’t make it any better that’s for sure. :sweat_smile:

I am actually quite surprised that Reddit’s OP went as far as finding those aliases down in the settings, not the most accessible thing so far. :grinning_face_with_smiling_eyes:
But hey, it’s also not a big deal/critical in any manner IMO. :+1:t2:

I don’t, thanks for your concern.

I only want the site to mention the above, which the linked articles omit, though Proton should have done so themselves.

1 Like

There is really nothing special going on here. You can log in to most websites you add secondary email accounts. Also surprise, you can use a username to log in too. There is nothing to be concerned about being mentioned here.

It’s misleading. It’s worded as to be completely separate emails all the while having the convenience of all them landing in the same inbox, except you can login through them as well, which they don’t mention.

1 Like

Sounds like something Proton should be fixing by making it more clear and not us. :sweat_smile:

I’m confused. Those “additional” addresses made in Protonmail are legitimate logins, no? You’re making new usernames etc, encryption keys are generated (citation needed), etc. Everybody knows the address is you because it’s you with a different name.

If you want an “alias” that’s not linked to you then that’s a Proton Pass feature, making forwarding e-mail addresses.

I guess not everybody is as used to aliases as we are.
I have to say that I understood how it works thanks to Naomi, it is still quite not easy to wrap your head around when you have both:

  • new inbox email
  • concept of aliases

where/what, especially when it comes down to sending emails from your party in the first place. :face_with_spiral_eyes:

1 Like

It would be nice if aliases were as convenient as Outlook but it doesn’t work like that with Proton. +1 point for Outlook I guess :laughing:

I intuitively treat the email aliases in Proton as part of my Proton identity - something that if exposed would end up back to my Proton account. Though I admit I’ve never tried to log in with it, I suppose to me the threat model around it was the same :man_shrugging:

I could see how it isn’t clear, but the recommendation here is to use something like Proton Pass, SimpleLogin, addy, etc. vs. any type of aliasing you can use in any of the full providers, so I don’t see it as a critical issue.

That being said, Proton could make it more understood in their setting when you make an alias that it’s a full-fledged email in Proton’s eyes.

1 Like

If one of your aliases did get leaked in a data breach it can be disabled. I doubt if it could be used to log into your Proton account at that point.

Also, the doofus on Reddit doesn’t seem to understand the need for different passwords on different accounts.