Tuta or Proton for email?

If only using either one of the services for email with a custom domain, which one is better, Tuta or Proton, for email only?

Which one is better in terms of protecting your emails and not disclosing them?


Proton is better (in my opinion) as it supports WKD whereas Tuta doesn’t support any E2EE email standard as far as I know.


Thanks, so Proton is looking like the winner so far.

E2EE for email is at best useless security theatre. Email wasn’t designed to be encrypted.


It’s not totally useless security theatre. But yes, we know email security sucks, yet everyone still needs to choose a provider for the many things that require email.

Out of interest, what email provider(s) do you use yourself/recommend?

Please have a read of some of the posts in this thread: What is the point of using Tutamail and Proton mail?


Proton has the edge. But you should know that, unlike Tuta, Proton does not accept anonymous payments, if that is a concern for you.

If you prefer an encrypted mailbox, I would suggest Proton, since their encryption method is supported by most email clients. Mailbox.org is also a decent alternative.

If you don’t care about encryption, I recommend you try Fastmail. Their sign-up process requires you to input a phone number. Just ask their support to create an account for you to bypass this verification method.

I’m not convinced E2EE email is at best security theatre. It can work. However, in most cases the best case scenario is not achieved, it’s not foolproof, and email leaks metadata and the encrypted messages are not PFS. In most cases it is security theatre just like you said.

I found this quote in one of the articles you linked to.

If messages can be sent in plaintext, they will be sent in plaintext.

This is the biggest problem with E2EE email. Unless a protocol is designed for E2EE and makes it mandatory, the protocol will never be secure.

In the few times I have used E2EE with email, it failed about 3 out of 4 times. Most of my contacts either replied by sending plaintext by mistake or refused to encrypt.

For a Proton contact, I sent encrypted email to them using their PGP public key. They disregarded my public key and responded to all my emails in plaintext.

Similarly, for a contact (non-Proton) that should have known better because of their occupation, I found their PGP public key and then sent them an encrypted message. They responded in plaintext, leaking the entire plaintext of the email I had sent them.

In another case, I sent a password-protected email (from my Proton or Tuta account) to a non-tech contact. I don’t know how, but they managed to leak the entire plaintext of the email I had sent them when they sent a reply as they normally would, circumventing the Proton/Tuta password-protected portal.

What is your specific use case and threat model? For instance, is it for contact within an organization between members, or for some other purpose?

Does your communication need to be email? If not, I recommend you use an E2EE messaging app over any kind of E2EE email.