Frustrated by Proton, but really not seeing an alternative

Hey guys,

Maybe someone could give me some advice, but most likely it will just be my whining about not having a really great email provider (for me).

First, all the things I really like about Proton that others don’t offer:

  • offers email aliasing service - most of my emails unfortunately have no E2EE and go through an aliasing service, so I feel safer if I only have to trust one company (not the case of all eggs in one basket since both services theoretically have access to my emails), also I kinda like the simple-login “implementation” in protonmail, but it’s still far from perfect, so no big deal.
  • PGP support - I know PGP isn’t really great, but it’s really the only encryption standard I could realistically use.
  • zero-access encryption - oh yea, it could be EDIT: hypothetically bypassed by proton. And the emails are stored unencrypted on the other (sender’s) side’s big-tech servers anyway. But still, I like it and it’s better than nothing.
  • email client support
  • nice UI - but yea, not that important to me

I liked Skiff (at least on paper). Shame it’s no longer an option.
Tuta is great, but no unlimited aliases, no PGP, and no custom email client support. Also, their reddit mods seem crazy (I hope only reddit mods :smile: ).
Mailbox, Posteo - I haven’t tried them yet. Probably don’t have email alias service either and have their own problems (mail spoofing drama etc.)

Ok, so why don’t I want to use Proton services?

When I pay for email and simple-login, I feel like I am literally being robbed.
I would pay: $48 mail + $30 login /12 = $6.5 per month
But if you click on ProtonVPN pricing and choose 2 year plan unlimited (no 2y plan in mail tab :upside_down_face:) it costs $8 per month

So basically people who pay $1.5 more than me get VPN, Pass and 500GB storage?
Ohh, if I pay $6.5, I feel like I am sponsoring these things anyway, but getting nothing out of it. I’d rather donate the money to some other FOSS project.
And no, I don’t want their crappy VPN (linux user here), Pass or Drive. And I don’t need more than 15GB for mail.
ok, but that is probably just my problem.

Then there are the classic Proton things like:

  • no automatic contact sync on android
  • no Fdroid repo / dependency on google play services
  • aggressive, awful and misleading marketing (tbf I’d say, it’s slightly improved over time)
  • not releasing calendar source code
  • and probably more…

But then I saw an interview with Andy Yen. Well he explains a lot of things.
And even if I don’t agree with some things, I could at least hope to get what I want one day.

Then the Proton Docs were announced … the amount of money and time it had to take… when most of their services are not even in a decent state!

And then I read about Proton Scribe. That was the last straw.
Literally a product based on scraping other people’s content. By Proton, privacy by default…

And what do you think?

4 Likes

Regarding the Proton pricing: you can get pretty good deals if you wait for the November “Black Friday” offers, they are usually quite a bit cheaper esp. for the 1/2 year subs.

6 Likes

Now, that’s just an absurd take. Please back your claims with actual facts/proofs.

4 Likes

If you come from my perspective where I tried actually doing all by myself Proton is a great relief. Pretty decent provider for good price imho and getting a lot of improvements every now and then. Surely there is still a lot that can be improved but overall very satisfied.

Your claim on zero access encryption is FUD. Please leave that out of the forum.

7 Likes

On the webapp they would need to add one line of js to log your password, if they wanted.

5 Likes

Again complete FUD. If they would it is both illegal and putting them out of business.

4 Likes

They could still do it if they wanted to, as there is no technological barrier preventing it, just a pinky promise. With all due respect I don’t see how it’s “FUD”

7 Likes

asayan, I think you are referring to the “keys to the castle” dilemma. No one can know if the System Administrators aren’t reading, capturing, adding lines of code that the rest of us don’t see.
The best we have is Open Systems, audits and “after the fact” reporting from others.
So far most people do believe that Proton is offering a secure and safe set of services. No other proof has been presented to the contrary.

5 Likes

Sure… I have nothing against Proton. I just don’t think it’s fair to call FUD because what was stated by the op is objectively true.

7 Likes

Not defending Proton price strategy, which is quite questionable but why don’t you get the Mail Plus plan that is $4 a month in the yearly plan?

1 Like

Never liked Proton, the mentality to “put all your eggs in one basket” service was never good for privacy & security, historically.

Technically too, their apps are so aggressive pinging home by any chance given or not.

And by the road-map of their services and ecosystem they are trying to evolve, feels like taking a Neo-liberal market catch approach.

So by the end of the day I feel you, you are not alone.

4 Likes

To reply to the actual OP, I can relate.

Paying for e-mail doesn’t seem worth it, the usefulness of something like Proton is limited to reducing miscellaneous data Google can collect, though the contents of the emails themselves are readable by Google as most people use Gmail.

Disroot seems to be a promising alternative, but they are a political organization which can be a problem.

4 Likes

“zero”-access encryption - oh yea, it could be bypassed by proton. And the emails are stored unencrypted on the other side’s big-tech servers anyway. But still, I like it and it’s better than nothing.

Now, that’s just an absurd take

Your claim on zero access encryption is FUD

As I understand it, this is a long known “vulnerability” (“tradeoff” would probably be a better term). I think this wouldn’t be contentious if it wasn’t Proton being discussed. The point of zero knowledge encryption is not needing to rely on trust/law/policy, so when that isn’t the case, it’s worth being aware of.

While I understand the sensitivity towards things that can read like FUD about reputable respected orgs like Proton (since we constantly deal with so much FUD in the privacy space), I don’t think it is a fair characterization of OP’s statement unless they claimed it made Proton’s encryption useless or horribly insecure (which would be untrue), but I don’t believe OP is intending to imply that.

My (basic) understanding is that this is just simply a limitation/tradeoff that comes from choosing to offer webmail (trading some security, for more convenience/usability). I don’t think it’s an issue specific to Proton (my mail provider makes similar compromises because even for security/privacy focused organizations, security/privacy isn’t the sole priority).

If I understand correctly, Proton even alludes to this risk in their threat model:

Another attack vector would be if an attacker somehow gained access to Proton Mail’s servers in Switzerland without us noticing. Such an attacker could conceivably change the Proton Mail software to send bad encryption code to users’ browsers that would somehow allow the attacker to get unencrypted data. Proton Mail has implemented numerous safeguards against this on the server level which make this a difficult attack to pull off successfully in an undetectable way.

I do not believe this makes Proton a bad or insecure service, it’s a very good service made by thoughtful and serious people. It’s just something to be aware of.

8 Likes

I probably didn’t express myself very well. I’ve edited my post.
I mean, I really do like what they are doing with zero-access encryption
And I know that it’s fundamentally impossible to make it better, more private or more secure.
But I don’t like how they call it, because it’s a bit misleading.

3 Likes

Mail Plus does not include unlimited aliases.

Long time Proton user here, so I think it’s ok for me to jump right in :slight_smile:

True, but there is a simple workaround for this: free addy.io account (offers unlimited aliases), create it, set real email address (in addy.io) to your Proton one, install addy extension, and you are free to go :slight_smile:

@nobeke not so much. I’ve been with them for 2 years and, well, that’s enough of them :slight_smile:

As for mailbox.org: UI-wise it feels like the middle of the ’90s but the service itself is outstanding.
Haven’t tried Posteo.

As for separate payments for Proton and SL: this is not true. When you buy Proton unlimited you get SL Premium for free. For one, flat price.

Believe me, you do need. Start sending/receiving mails with attachments (say, JPGs) and you will see.

Again, not true at all. When I created Proton account, there was a wizard to import contacts from . Worked like a charm.

True.

Have no idea/don’t care one bit.

Probably. Just remember: no service is perfect.

Not using. So will not start this convo.

I don’t like Scribe either, but, instead of quitting, I just don’t use it.

1 Like

Correct. I keep managing the 20 available (10 Proton and 10 SimpleLogin) like I do with the 15GB space and find it enough for my case.

1 Like

As @xe3 said, I think OP’s claim about zero-access encryption bypass is reasonable and shouldn’t be dismissed as FUD. In the absence of OpenPGP E2EE, it’s technically possible for Proton to steal email plaintext as emails enter/exit their server. This is a valid concern shared by email users considering email leakage that happened under PRISM, worthy enough to warrant using OpenPGP. Law/policy shouldn’t be relied upon for security. I recall (maybe incorrectly) that Proton discussed this and suggested OpenPGP for E2EE.

However, considering Proton’s track record to date, I don’t think it’s a probable or likely risk that Proton routinely bypasses the zero-access encryption. It might happen to a specific user if Proton is served a valid court order though.

2 Likes

I don’t like the idea of putting my email, VPN, calendar, files, passwords etc into a single service, let alone a service that requires internet access. It might be a good idea to use just part of the suite (for example just email) for non-critical use cases, and don’t rely on Proton for any critical use cases.

1 Like

How about DuckDuckGo’s email protection service?

I think OP is referring to sync with device contacts like Google contacts.

Indeed, no one should. It may be good for beginners or novices or senior citizens.

Personal opinion: Tuta, Filen, Bitwarden. VPN, It’s a precarious narrative most people don’t need one and depends on their threat model. Generally for VPN, I would advise using a DNS based filtering and rely on your ISP as everything is encrypted TLS. And use free VPN services such as Proton or Windscribe in the case, where you need to hide something from ISP.

2 Likes