Which Secure Email Provider?

Discussion in 'privacy general' started by TomAZ, Dec 28, 2017.

  1. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,036
    Location:
    USA
    I'm considering three secure/encrypted email providers and wondering. . . which is the MOST secure -- ProtonMail, Tutanota or ScryptMail?
     
  2. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    782
    I like Fastmail better than Protonmail. It just works and the phone app syncs perfectly also. I know this doesn't answer your question on which is more secure.
     
  3. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,212
    I would go with tutanota
     
  4. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,036
    Location:
    USA
    What in particular do you like about Tutanota?
     
  5. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,212
    Protonmail makes a lot of connections to third party servers in the US in addition to the connection to their server in Switzerland.
    Tutanota only makes one connection, it is to their server in Germany.

    For convenience, Tutanota uses a single password. A bcrypt hash of that password is used to log in; the email is then retrieved and decrypted on your device by your actual password. Therefore your actual password is never sent over the internet.
    Protonmail does similar but uses two separate passwords.

    I do have one reservation though. I have noticed an issue over the past few months with some android apps.
    I have a lot of apps on my phone but the ones affected are only those related to privacy.

    When I use the Protonmail app and click on the compose new email button, I get this warning:
    "Protonmail is trying to obtain your current position"
    The TUTANOTA app does exactly the same thing, as does OPENKEYCHAIN when I click on generate key pair, as does CONVERSATIONS (end to end encrypted messenger), as does SILENCE (another encrypted messenger).
    None of those apps have location access in their list of required permissions.

    Protonmail came from google play
    Tutanota from tutanota.com
    Silence from fdroid
    Conversations from fdroid
    OpenKeychain from fdroid
    So, not a repository specific issue.

    This is very suspicious IMO. I contacted Protonmail about it; they claimed no knowledge of that issue but refused to share their app source code when I asked, even though on their website they claim to be open source.
    I posted on the fdroid forums; one guy said it might be the near field API, but why would only privacy related apps do it?
    I was going to contact Tutanota about it until I found the only way is via that overblown dumb comments site, reddit.
    Please click on all the pictures of street signs. Really? **** reddit, bye. Click.
     
    Last edited: Dec 29, 2017
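
The single-password scheme described in the post above, as an added example that is not part of the original thread and is not Tutanota's or ProtonMail's code: one password is stretched on the device, a login token derived from it is all the server sees, and a separate mailbox key never leaves the client. It uses scrypt from the Python standard library in place of bcrypt, and every name in it (`derive_keys`, `Server`, the account address) is hypothetical.

```python
import hashlib
import hmac
import os


def derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the password once, then split it into two unrelated keys."""
    master = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    # Domain-separated outputs: knowing one does not reveal the other or `master`.
    login_token = hmac.new(master, b"login", hashlib.sha256).digest()
    mailbox_key = hmac.new(master, b"mailbox", hashlib.sha256).digest()
    return login_token, mailbox_key


class Server:
    """Constructed stand-in for the provider; it never receives the password."""

    def __init__(self):
        self.accounts = {}  # user -> (salt, SHA-256 of login token)

    def register(self, user, salt, login_token):
        self.accounts[user] = (salt, hashlib.sha256(login_token).digest())

    def get_salt(self, user):
        return self.accounts[user][0]

    def login(self, user, login_token):
        stored = self.accounts[user][1]
        return hmac.compare_digest(stored, hashlib.sha256(login_token).digest())


def client_register(server, user, password):
    salt = os.urandom(16)
    login_token, mailbox_key = derive_keys(password, salt)
    server.register(user, salt, login_token)
    return mailbox_key  # stays on the device


def client_login(server, user, password):
    login_token, mailbox_key = derive_keys(password, server.get_salt(user))
    return server.login(user, login_token), mailbox_key


if __name__ == "__main__":
    srv = Server()
    client_register(srv, "alice@example.test", "correct horse battery staple")
    print(client_login(srv, "alice@example.test", "correct horse battery staple")[0])
    print(client_login(srv, "alice@example.test", "wrong guess")[0])
```

A server that stores only the hash of the login token can check a login but holds nothing that decrypts the mailbox; the strength of the whole arrangement still rests on the password and the cost of the stretching step.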
  6. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,436
    Location:
    UK
    One more aspect about Tutanota is that they have recently added 2FA support using Fido U2F on their paid accounts. Protonmail have also added 2FA, but using OTP (for instance, Google Authenticator).

    Of course, which 2fa option you prefer is dependent on your existing hardware/software and attitude to risk, but my feeling is that U2F is significantly superior from a privacy perspective, as well as being able to use cheap passive dongles.
     
  7. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,343
    Location:
    Lloegyr
    I'm not particularly impressed with the Proton Google Play app. But it just could be me.
     
  8. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    89
    I like Posteo. Costs €12 per year but not having to spell out "tutanota" on the phone every time you mention your email seems worth it. Encryption is enabled in 1 click and you can pay anonymously even with PayPal.
     
  9. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,887
    I am a bit "outside" of much of this conversation in that I approach and handle my accounts in a different way than most posting here. First I would NEVER consider accessing an email account that I NEED to be secure with my "smartphone". My opinion, feel free to differ. Next on the multiple server issues mentioned above; I only use Protonmail's onion link for access, with NO exceptions. Therefore when I glance at the routing in my TOR bundle I see my three relays and the three masked from Protonmail's side. With complete end to end encryption a "mystery" server, if I miss one, would mean nothing security wise. Addressing another comment above; there is obviously no attempt of value in finding my "position" in a TOR circuit as was mentioned concerning an app on an Android. Sorry, just too many loose ends on smartphones for me.

    deBoetie, I am with you 100% on U2F.

    Mirimir, I don't use either of the two services you asked about. Next week I'll have a look around while I am connected there.
     
  10. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,036
    Location:
    USA
    Thanks for all of your comments.

    When I started this thread, I should have been a little more specific. This would be for desktop use only -- not for use with a phone app.
     
  11. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,212
    I use it on my smartphone but not for anything security critical.
    Having said that, I don't believe any currently available internet device is much more secure than Android because I am of the opinion all of them are compromised at the hardware and/or the OS level by design.
     
    Last edited: Dec 29, 2017
  12. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,212
    Me either, it seems kinda sluggish.
    Tutanota is a better app IMO, it does what I need it to.
     
  13. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,343
    Location:
    Lloegyr
    Yeah, the only thing I like about it is that it makes my tablet bleep (sometimes) when I have mail. I usually respond on a conventional computer lol.
     
  14. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,436
    Location:
    UK
    +1 on not using this class of app on a smartphone (apart from not having one).

    It's hard enough securing a decent desktop, and manifestly impossible on a - normally - constrained smartphone operating system which may also not be update-able.
     
  15. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    95
    Location:
    Hungary
    "pay anonymously even with PayPal"
    paypal and anonymity?
     
  16. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    89
    There is no permanent connection between your payment and your account.
    https://posteo.de/en/site/faq
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,926
    So they say.
     
  18. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    89
    At the end of the day, very few email providers can "prove" anything.
     
  19. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,926
    Right. So don't count on them for anything. Encrypt/decrypt locally. Use VPNs and Tor for anonymity. Use VMs for isolation.
     
  20. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    89
    Sadly using GPG for all my email is a distant dream at best and saving my emails locally without storing them on a server isn't going to work for me. So I have to rely on a third party email provider. I would pick Tutanota but the name is just so stupid I feel ashamed of giving my email to people.
     
  21. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    879
    I'd recommend Tutanota. Tor friendly too. The interface is very minimal but who cares about that. It gets the job done unless of course, as has been mentioned numerous times, you can't get recipient to do basic safe practices. That's the biggest trouble with email. Your privacy is only as secure as your respondent understands AND upholds what the very word means.

    If two people who like security and privacy want to use Tutanota who cares about the name. It makes ZERO difference.
     
  22. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,383
    Yeah :ninja:

    Btw: Posteo has added support for "Autocrypt" ("public keys will be exchanged automatically" / "which will soon simplify real end-to-end encryption in email applications")
    :thumb:
    I'm satisfied with Tutanota.
     
  23. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,212
    Tuta nota is Latin for Secure message.
    They have other domains you can choose from including keemail.me but seriously, no one is going to care what the name of your email provider's domain is unless they have OCD.
     
    Last edited: Dec 31, 2017
  24. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,926
    I could mention a few, but the names would all get censored ;)
     
  25. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,212
    Yes lol
     