@@Naokarma idk who told you that but carrier pigeons still exist... They mostly exist for showoff tho, people buy pigeons and breed them to get better pigeons each generation.
Exactly. I don't fully trust in any e-mail service precisely for the reason you mentioned: the protocol itself. If you have something sensitive to share to anyone, e-mail is not the right medium.
Except, maybe, you and your intended recipient exchanged ciphers ahead. Preferably in a face-to-face real world meeting. In a place where there's not a single camera for miles away.
That's what PGP is designed to do. Problem is trying to explain the sender on how to use it is the problem in itself. ProtonMail supports it and they make it fairly easy to use. I generate my own PGP keys on my computer so I know there's no escrow key attached to it. My Thuderbird e-mail (Linux) client automatically attaches my PGP public key so they can use it to send me encrypted e-mails.
It also frustrates me when people refuse to communicate by e-mail or such because they consider it unsafe but then act like Telegram is totally rock-solid. Well, to begin with, it requires a contract-based global ID (phone number) attached to an account, and then Telegram is under jurisdictions, too. It is often better to use e-mail but have no smartphone than to use Telegram and a smartphone. But the 'popculture security sheeple' cannot be convinced after they already believe they are totally safe now with their cute little mass-used gimmick.
@@Dowlphin Or, even worse, Whatsapp, because it *allegedly* has E2E encryption enabled by default. But I have doubts if their 'encryption' doesn't have any backdoors, which can be used both 'legitimately' and illicitly.
Email in general cannot ever be truly secure. If one needs that level of total privacy there are other tools for said communication. With email, at best it's the equivalent of locking our doors at night - enough to keep honest people honest, that's about it. Determined people, either individuals or government agents, will find a way to crack emails.
Why not? Email has transport encryption between servers and between clients, it can have content encryption via autocrypt (or other methods including the Signal protocol like criptext), it has DNSSEC, TLSA, DANE. Encryption at rest can be done as well, or messages can be removed from server when delivered. What security holes are still left after all of that?
@@adamz1977 It was explained on the video, if you don't use PGP yourself and send encrypted data, the gov can make the company server comply with encryption removal at rest for that specific users etc. Heck, proton if wanted can also push an logger script on the web so even PGP would not work if typed on the web app of them. The only way for email to be secure is to type it on a offline editor which is not related to the email comany and encrypt it with PGP there. Then send it through email.
@@adamz1977 You can always manually encrypt your own data with a cipher. The only reason why Enigma was cracked was because an entire nation was intercepting hundreds of messages, original Enigma machines, etc - and devoting thousands of man-hours to cracking it! If you make up your own encryption, the scale that you operate at will make it even harder for people to crack.
As someone who literally sets up servers and mail servers are one of them, I can agree at some degree that you CAN secure email. BUT, can you still call it an email? And, the more you make it secure, the more complex it becomes that its a nightmare to maintain or even use. In the end, emails should never be used for something that requires security. Never send account information over email. And never use email for 2FA.
Functionality and availability wise, google is also very good. It just works. Both of them, indeed. But privacy wise.... I will just say I try to not use anything coming from google. I am not there yet... but one day!
Yes, I absolutely agree with you. The 5 most evil corporations that make money from harvesting user data are Google, Apple, Faecesbook, Microsoft and Amazon. If you use any other service (including email) provider that isn't affiliated to those corporations or the CCP, then you are going to be more private than you were using services on any of them. Email isn't encrypted unless you use PGP, at which point the body of the email is encrypted but the headers and the metadata are not - so someone from the outside can see who you were communicating with and what times, and may be able to guess what you were discussing purely because of that relationship. And that's something you just can't change with email.
@@joaomaria2398 the issue is once you use it you already lost the privacy, and your id.. you can only stop them from continuing to collect current data to send personalization at you.
the only privacy i care about is being sold for ads, i knew from the start they have to give up info for warrants which is fully justified. i just don't want random workers and ad companys in my emails. proton is perfect for daily use.
@@YountFilmsure but honestly who is using email for anything other than signing up for things or sending colleagues or businesses a message to start a line of communication. Afterwards if security is a concern no one is using email…
@@YountFilmLaws dont just change by accident. At least in the US and Germany we ellect governments. I think we should try our best to fight this at the government level. There are lots of surveillance options way harder to circumvent like hardware backdoors, public cameras, other peoples digital devices etc.. So yeah, I'll definitely try to fight on that side. If this fight is ever lost, then yeah just ditch mail.
The people that don't care about pivacy at all "I have nothing to hide" should think what could happen if uncle adolf was in command with access to all this data.
Just tell them to give you all their passwords so you can read what they say on facebook or in their emails. If they have nothing to hide then they should be OK with it.
honestly this was the best Ad for Proton Mail, sensibly discussing the technology and history, flaws and benefits. i hope they pay you, because they probably got a few subscriptions bc of this video.
I have no illusions about Proton being a beacon of inviolable privacy against the evil forces of the world, I just like the service they provide. Not just the email but the entire ecosystem of services. It works really well for me in my situation.
I switched to it after your email video, and I’ll use it because although they have shown they aren’t perfect, it is absolutely safer than Google Mail so switching to Proton was a net positive.
Exactly this. The people that kick and scream about protonmail to someone who's never heard of a VPN and have 1-3 Gmail accounts is really just missing the point. If they don't use proton they're probably just going to keep using Gmail, not open their own personal email server.
I've had caution to doing it for everything since some services are allergic to you using it. I guess if you wanted to be 99.9% private, you shouldn't be using the services that would have a problem with it in the first place. If anything, I'm getting very mad with other email services making account deactivation policies that are going to just get shorter and shorter until maintaining them becomes a chore and a risk of massive account lockouts... Edit: I read that Proton is doing the same thing... I guess it's neat you can pay for it once and cancel later and the account can remain active? But if they change the policy once, they'll do it again I guess...
@@AshnSilvercorp Oh yes, not just email services, but all internet services in general seem to be trying to prune anything they label as "dead". At this point in time, Proton is only resending any emails my Gmail gets, so nothing I use actually goes to Proton but rather Gmail, but I'll see what services in the future I can use Proton with natively.
@@AshnSilvercorp They were forced by the Swiss government to give his data, and unless you know the context, as I read this peasant what he wrote to the US government or somewhere, he threatened them and seriously, so I guess it's better after all to turn one man in than to have others commit su*cide from his false threats.... in short: it's one good thing, one bad thing that they ratted him out, because they broke their confidence a bit, but at the same time they helped catch the person through whom suic*des out of desperation could sprinkle
Plus Gmail now ask to add a phone number with out a choice, dont know how long or when that start it. But it wasn't a thing when a open account at Gmail, now i'll Try Proton Mail till they decide to also start asking for such verifications to verify.
If your hiding from the government you need to be using more secure communication anyways, if you just don’t want your email scanned and data sold then proton is pretty good
Protonmail is good for what it is. Even hosting your own mailserver isn't 'fully secure' and if you are sharing sensitive data there are better protocols.
@@tedrice1026 I suspect she had insider help, although, admittedly, I have no evidence for this. Only the fact that I cannot, *cannot* imagine that the secret services did not know she was doing it. I suspect she or good or Billy had connections of some sort to help them set this up in the first place, and secondly, to prevent them from getting into serious legal trouble. If I were to suddenly run my own mail server or my own mail address and use it for work, my employer would have me booted from the company in no time. I do not believe for a second that nobody knew from the get go what she was doing.
@@rft253It's because of the legendary quote by Terry A Davis, on how "the CIA (hard R nwords) glow in the dark, and you can see them while you're driving". Look it up, it's kinda funny, to be honest
this is actually a good reminder for me to go through my multiple emails and do some house cleaning, delete mails from services i am no longer using, delete emails that are a decade old and most importantly unsubscribe from all the email newsletters
I will say doing verification with it isn't really well explained. I've tried to use it to verify Linux iso's a few times, and the process is never really well explained on the install pages.
@@AshnSilvercorp it's pretty easy. If you want a video guide for it, check out Mental Outlaw's new Tails guide- he explains the process of verifying the ISO there.
@@tedrice1026 Exactly. That's the only hard part of it. And although I agree that distros should at least link to a guide or something explaining how to verify ISOs, that's a general issue with all open source projects... the number of times I've tried to find a proper install guide for some github project is way too dang high.
As a CIA Agent I love Proton Mail, makes over throwing democratically elected governments the world over a breeze. All my friends, family and global espionage network connected in one place
I agree, but I will also add that the person who wants to be invisible has to not only stop using email, but also reduce social connections to almost zero. Facebook was capable years ago of creating panthom profiles of people not on facebook, just by all the info he had on your friends and family. So if you have communications with people who are leaking data everywhere, they can still pin point you.
Facebook is for surveillance and never for privacy. Their logo is an evolved form of an freemason logo. I trust no tech companies at all that have their hands into survaillance,that is on the Stock Market that is owned by the evil 1% and that funds or funded the WEF.
@@azure4real if they are socializing with a non-existent avatar, are THEY socializing with you? are you socializing with them? I'd say not really, one of the joys of socializing is to get to open up about who you are. If not, is just glorified weather-talk.
one thing you forgot to mention that even emails encrypted with TLS are not safe from a MITM, you can trivially downgrade to plaintext or even just straight out not present a valid certificate. The only way to have authenticated TLS connections safe from a MITM is to use a service that supports MTA-STS and DANE, which sadly isn't very widespread.
@@EricMurphyxyz No, that's an example of a security hole being fixed. The word "inherently" means permanently, but as @jacksoncremean1664 already said, those MITM attacks can be mitigated with up-to-date security best practices.
@@EricMurphyxyz Hey.. When I found out it was created by the Intel agency I deleted my free Proton app... It redownloaded onto my phone all by itself.. But it doesnt show up in my apps list... How the heck do I remove it ?
I think this feels like a similar situation to signal where all they could give was the ip address where they logged in from so I think as long as you pair protonmail with vpn there should not be a danger of leaking ip address
@@brunoterlingen2203 kind of. Even generating one random number and having you use that has this problem, unless each person you talk to finds you with a different unique number. Phone numbers are extra bad, because they are a common identity proxy in all facets of life. Signal is still very secure and pretty private, but it is not anonymous.
Yeah that's why I never understood people constantly advocating and trying to get me into telegram. Sure it's not discord. But telegram requires my phone number, constantly broadcasts the last time I even clicked on the desktop app or looked at the mobile app, and then there's the read receipts. It felt like the more someone was trying to convince me to use telegram, the more of a stalker they were.
I appreciate this explanation. I was completely unaware that Proton Mail was so divisive. No wonder I get weird looks when I give out my email address. I have nothing more than a standard account & I'm not sponsored in any way. But I've been quite happy with it. 👍🏻☕️
I know we all have an anarchistic bent about us, but Proton is meant to provide an alternative to surveillance capitalism NOT lawful subpoenas. They *must* comply with their laws if they want to stay in business. People that think they ought not are simply mistaken about what Proton's stated mission is.
Email used to be just sent and not stored in the server. If everyone were to do that, at least when any entity wants to snoop it they can only see mails in transmit, not seeing years of data.
I got my first PGP key at a key party in Houston in the 1992 or so. A member of the Free Software Foundation or something similar was there with a laptop. We took a floppy diskette to the party where the guy with a laptop would generate our key for us. He was pretty busy at that, too. The real problem was that once I got back to the office with the diskette, I had no idea what to do with it.
@@Dryblack1 It was an event at a local bar where you could go to meet people and verify identities to sign each other's keys. And if you didn't have a key, you could take a floppy disk with you and someone there with a laptop could create a key for you and save it on your floppy disk. In our case, the guy with the laptop creating keys was a lawyer who was highly involved interested in the EFF (Electronic Frontier Foundation).
You can absolutely verify the code running running in your browser, and therefore you can verify if your PGP/GPG key is generated client side and then only sent to Proton Mail in encrypted form.
Yes but you hit the nail on the head in your first sentence: You can absolutely verify the code running running *in your browser* I cannot easily deduce what happens on the backend/server side of things. On top of that, as someone else pointed out in the comments, even if you use an open source product (which Proton mail now is), how do you know that the code in the repo is the code that is running in your browser/front end/back end?
probably a good thing to note how web-based FOSS programs don't always have proof that you're using the version containing the code publicly available.
with messaging apps being more secure, I can't remember last time I actually wrote an email. I basically just have an email address for purchase receipts for online shopping and website sign ups
Proton seems like the happy medium between privacy and convenience, so long as your not the tallest nail or low hanging fruit your probably not worth the governments time.
One thing I want to point out is that governments aren't the only party that one should want privacy and protection from. For each case of a government using online services and platforms to gain info on activists, whistleblowers, etc, there is one of corporate entities doing the same. Also in many cases, governments pursue whistleblowers, investigative reporters, etc on behalf of corporations, e.g. the Steven Donziger case.
I agree completely with your main point, but I don't know if it's fair to call a corrupted judicial system "government working on behalf of corporations", specifically the Donziger case. The line gets a bit blurry, but it's still corporations and their money corrupting the system. usually individual judges. I wouldn't call that "the government".
Swiss laws for privacy are the strictest in the world. Only a Swiss court with a legitimate court order can do anything to Proton. This is why Swiss banks are the popular choice for the wealthiest on the planet. Which makes using Proton Mail the best choice as well. Swiss laws make it so no companies have to comply with outside jurisdictions. Proton doesnt have to comply with any request or any legal action that isnt from a Swiss court ... and Swiss courts dont listen to outside jurisdictions (unless something is a direct threat to the Swiss people).
@@zhang-boyuHaha, exactly.. "Neutral" Switzerland has implemented more sanctions against Russia than the EU itself but not a single sanction against Izrael. 🤔 Also, the world's most influential psychopaths meet every year in Davos to discuss how to proceed with their manipulation of world affairs, completely against all the democratic values and processes they claim to stand for while at home in their "sovereign" nation states.😏
I'm trying to change my email provider to more safe/secure. I am not concerned about govt snooping, I am fearful of data breach access to my online emails that contain a lot of very sensitive info. Financial, etc.
Honestly, PGP/GPG is _not_ difficult or complicated at all. It takes only a few moments with our friends Alice and Bob and you'll educate all but the most technologically challenged. The hard part is finding other people who'll use it, leading to a feedback loop where eventually even privacy/anonymity focused folks give up on it; and that's why if there's one thing I disagree with in this video, it's how Eric constantly refers to it as if it's monstrously complicated, thus dissuading people who might be inclined to give it a try from even looking into it. If you've sat down long enough to install Linux and even learned how to use it, you can figure this stuff out. Believe me.
People used to say that email was like a postcard, readable by anyone who handled it. Now, it's like a letter in an unsealed envelope. Super-secure email is like a letter in a sealed envelope: the people at the sorting office know how to steam it open without leaving a trace. Of course you can write your letter in code, so it's unintelligible to anyone who can open the envelope. But the envelope still has postmarks/franking, a return address, you've left your fingerprints all over it. You can wear gloves while handling the letter, use a remailing service, but can you be sure that you've covered all your bases? No, you probably can't. What matters is WHO you're trying to hide stuff from. If it's a nosey neighbour or jealous partner, they probably don't have the wherewithal to conduct a forensic analysis of your mail. But if it's a government or other serious organisation on your case... you should look into alternatives to the mail.
No. Email is an ancient technology. Email will always use port 25, which is unencrypted. ProtonMail may encrypt your email, but port 25 will leave a rabbit trail directly to your contacts. You'll be discovered via your contacts. So, there is no privacy in email.
Kind funny that people expect companies to not comply with the government's requests. If they don't comply they can have their business shut down or go to jail.
I mainly use proton for the aliases so that when an alias of mine gets hacked, i can recover my accounts under that alias, switch those accounts to a new alias, and delete the old unsecure alias. My emails use to get hacked a lot so an alias attached to my main email just makes me feel more secure.
You're literally part of my pipeline to privacy-conscious in that image at the end LOL I use a hardened Firefox cuz of you (although I am having a severe memory leak issue with it that I have no idea what's causing it yet [EDIT; it was a CSS theme causing the leak LOL])
You gain a subscriber, the way you explain / edit and the quality looks insane effort i wish you be one of the largest youtubers on tech and related topics ❤
One reason I changed from gmail was I noticed they would go through my emails and create calendar entries from them. A family member sent me their travel itinerary and I started getting calendar notifications for flight times. Confused, I went through and found the entries matched up with the flight times from their travel details. But I've now noticed that Proton is doing the same thing. Work emails come in and now there are calendar entries. I don't like this at all. Clearly their systems are going through the emails to some degree. Proton has also really slowed down for me over the last month or so too.
@@andre1987eph That's possible in other cases. In this case, it was emails sent to me. I had no browser history/searches/etc.. or notes. There really was nothing else apart from the emails as they weren't my flights and I had no idea about them.
even signal has the same problem of setting up your encryption for you. the app is open source but the desktop app updates like every day, are you really going to check the binaries match the open source version? Or do you trust google play to send you the right program and not spy on you? hopefully you could verify the binary of the open source vs local copy, but most people don't know how to do that. I mean that's still better than web apps but theres still a slight problem
my only gripe with protonmail is that they keep trying to charge me for service i cancelled years ago. i don't have an opinion of their service one way or another, i just want them to stop trying to take money from me when i haven't used it in almost 5 years now rofl
You have to disable the security feature for logging ip addresses that log into your proton mail it's mean so you can see if anyone else logs into your account from a different ip bit disabling it it's not there to be logged
Proton mail, as compared to google, Yahoo and or Outlook mail, is like a messiah is to a religion. Its the best you can get. But, as noted, it is only encoded end to end if you are sending proton mail to another proton mail address
The only way to send and receive emails securely and get away with it, is to host your own server in your basement, and be a high level democrat from a certain famous family, then it gets completely ignored even when the rest of us would be in federal prison for the classified content that was being hosted.
Protonmail handed over specific data on certain users after being ordered to by the Swiss courts after being petitioned by the US. So, if you have Uncle Sam actually going to a Swiss court to obtain a warrant for your email, you've really screwed the pooch.
I think they have some. I don't know shady tactics for upselling and they also have some complications where if you try to downgrade from a paid account to a free account. The amount of horror stories I see of people that have a paid account and then want to switch back to a free account or they have a paid VPN but they don't want it anymore but they lose access to their free email account.
I find it very weird that they _insist_ on you linking "your" gmail account (which is non-existant) to your Proton account if you want the storage to be doubled. It's one of 4 requirements, and if you don't use gmail (because why would you?), or don't want to link it to your Proton, you're stuck with a measly 500 MB. Plus every single e-mail that you receive from Proton, like notifications etc., is _gigantic_ in comparison to normal mails, even though they don't contain much aside from some text. Normal e-mails mostly use up only a few KB, like usually well below 20 KB, but everything I got directly from Proton was around 1 MB large, even though there wasn't much else besides text in them.
I'm a security nerd. I used to run my own email server but you can't get people to use PGP. I've been a ProtonMail visionary supporter since the beginning. It's the only service I'll use now.
With true client controlled end to end encryption (which CANNOT be the case for metadata with inter-provider email, except maybe if you are literally sending them just a webpage that decrypts the message client side) - as you explained earlier about pgp), no need to trust the provider. For any other case: If the provider is in one sort of country, they can be legally compelled to give what they have to law enforcement. In the other sort of country, you cannot legally compel the provider to adhere to what they promised you.
I route Proton mail through my own domain name. When I set that up Proton required/suggested that I install a PGP key at the domain server via DKIM parameters. Your email will work without it, and its a pain to install at some domain providers, but it works, and Proton gives you a tool to test whether you've successfully set it up. I like that and that part of the pgp seems to work from that point forward. Yes if you send something to an email service owned by a company in silicon valley then, yes, there's probably a risk of getting cancelled depending on how based your beliefs are. If you're really worried, you can always use Proton's secure function which open's an email taken out in a protected environment using a separate password. Not an expert but that seems like a good solution for things like ssn's or your next great invention.
See man I wouldn't mind switching over to any mail service as long as it lasts, that why I willingly use gmail or outlook because I know it will be there even years after, how many third party mail services have lasted 10+ years and still update with new features?
Showed your bias from the start, had a clear primary point to make supported by a multitude of secondary points and logical conclusions which you even described some potential outliers for. I genuinely appreciate the no bullshit perspective of the video and found it to be incredibly informative and grounded. I am now even more convinced than I was before that Protonmail is right for me, and I now feel properly informed about the strengths weaknesses of the particular company, and the general service as a whole. Thank you.
came here for comments like these to be honest. so called "privacy experts" are just shitting on proton for no real reason other than that it was a small company that got big. I trust proton with my data no matter how sensitive. the only downside is that you have to pay up lol
@@shishibone yeah, the cost is unfortunate. Though I am glad they have options to pay for just the services you want. I'm finding I quite like their password manager.
@@d34ddud3 i agree. I first was sceptical about password managers as i just didn’t use them and it was weird coming from Firefox default login saves. But since I started using it (included in my visionary plan) i think it’s really neat to have my passwords synced between my phone and computer. As i tend to forget some logins quite often
I had complete forgot about the proton mail french activist thing, and i recently made an proton email for crypto just to seperate it for my other ones, im glad i found this after and watched all the way through, you explained it very well, good video
E-Mail is not inherently insecure, if you manage your own S/MIME or PGP keys, you have real end to end encryption. You can even use POP3 to collect your mail so it isn't permanently stored on the server. The advantage of Signal is that it is easier to use, so your peers bad security practice is less likely to get you into trouble.
Encrypt your text (hard as you wish). Convert birary to Base64. Paste into any email. Send. - Copy base 64 of the email. Convert base64 to binary Decrypt the binary. Read. - Just encrypt it by yourself. Send you public keys, protocols, and decryptors in "creative and secure ways."
It's one thing to mistrust a service or a provider if they really encrypt how they say. But at least with a commercial provider you've got a mutual binding contract and that helds someone liable to encrypt your email. On the other hand, you still got to prove they didn't in case of a breach. Buy when you said "it's convenient" what most people really want by paying someone besides convenienceis liability.
This is what I understood, correct me if I'm wrong. Email was never meant to be private and messages are encrypted during transit but google for example stores emails in plaintext. PGP can solve this by enabling 'end to end' encryption. I'm not sure how Whatsapp achieves its end-to-end encryption but despite PGP being a solution, it's a pain to setup and use by yourself. Luckily, protonmail enables PGP between proton accounts but if a gmail account sends you an email, proton scans the contents for spam and THEN encrypts it, which means they can read it. There was one case where proton revealed an IP address to the government which ended up in someone getting arrested. One IP isn't much which is good, but there's always a risk from the government with any email provider. Signal was meant to be encrypted from its foundation which I'll learn about soon probably from your channel (edit, you haven't made a video on signal, pls do one). So, proton is more convenient than alternatives and seems trustworthy but it can't be trusted 100%. Note: I haven't seen your emails video yet.
OWASP principle: don't trust service providers or "trust but verify". It's out there on a manual. It is simply not logical to think of service providers as invulnerable.
Technically you're correct but it comes under the broader banner of "zero trust" across an entire environment, not just within the bounds of application security. For example, it's estimated that around 80% of cyberattacks come from within an organisation through normal users of the system - and therefore zero trust treats users as equal to outsiders in terms of the security model you deploy to control what they do.
I am just now looking to start using Proton, and to be fair, Government should be able to ask to see data based on a a judge decion, not anythime they feel like. For me, I don't do anything illigal, so I am not necesarely afraid of a judges, but I do want an alternative to Google. I understand that if you want to be as secure as you can be, you need to run your own infrastructure, but for now I am looking basically to not depend on google for e-mail and storage.
Write message in notepad, Zip it and password protect it, then email it as attachment. Then send a hand written letter to the recipient with the password. Easy!
Sure you can't trust a company 100%, but aren't 3rd-party audits a good way to help with that trust. I don't remember the details about Protonmail audits though.
If you really must send secret messages over the internet, you need to encrypt them offline on a small computer that is kept locked away and NEVER connected to the internet and the recipient needs to do the same. Use one time pads that were hand delivered. Then you can send them over any email service, but an encrypted one like Proton Mail provides you with another level of protection. However, governments will still know you sent an encrypted email and will have access to the big data.
The problem is people are misled through lack of knowledge. They don't understand that mail in and out of protonmail is plain text to and from all others. This is where law enforcement waits. It doesn't go encrypted. Protonmail can't see it when the email has been encrypted or decrypted, but can before and after. The only time it is secure is when two users connect to the site and keep emails inside protonmail. There are so many that use their app and get caught. Protonmail is encryption to server, not encryption in transit.
If u want a secure email service rent a server and domain and make ur own email server in thus I mean you dont want someone to give away ur info we'll they can't if they don't have it
@nsoolo And even if the traffic is encrypted... They can just seize your hardware. Or just, simply look at the other person's email and see what they sent you/you sent them. Email is a two sided thing. Doesn't matter how much encryption in the world you're using if the person you're sending it to uses none.
I think nothing is private, if the government take interest in you then say goodby to your supposed privacy, they can outlaw and force provider to spill any info about you one way or another, true anonimity is boil down to just make sure you leave a little as digital footprint as possible, and dont be outspoken ot worse, record yourself.
I like protonmail but one thing I don't like is much of the community. Like if someone is new to the community and has genuine questions about for instance, they're often vague terms of service and the occasional contradiction of them by proton staff on the subreddit,, they get their heads bitten off. It's like there's a dozen or so militant volunteer moderators or something that just scream at anyone that has a question or a concern about proton. A good app. A pretty s***** community.
I know this sort of thing can be off-putting. We use SSH at work and guess who my colleagues come to if a new public/private key pair needs to be set up?
Hey Murphy ! I found myself recently wondering a lot about my privacy and the future of all of ours. It's pretty great what you do, and the shout out to Snowden won me over, cheers.
Email is unsecure. Period. Proton mail is no better or worse than other email services. But I do like it's hosted in Switzerland who has pretty good privacy. Yeah, if the government/police show up with a warrant they will have to hand out the information they have on you, but that's true for ALL companies in the world. Do you trust MS to not hand out the information if asked? (I wouldn't trust MS with my socks drawer) btw. I am using Proton mail for some of my email, but I also (still) use gmail.
I think there’s a rabbit hole when you get in to privacy products. I want privacy from the private sector and criminals. I have no expectation that I can have privacy from the government 😂
We are never 100% sure of anything, Proton is not perfect, but compared to Google, it delivers what it promises, Google even asks for your blood type if it wanted to It is not possible to be completely anonymous, but at least we can protect ourselves, keeping an eye out for dangers and positioning ourselves well, to always avoid the worst, which in this case Maintain such privileged privacy
No you cant. They handed over "encrypted" emails that were apparently not encrypted, because if they were, nobody would be able to read them. Proton could though.
Its like people dont realize that if youre an activist against your government then you already lost. Its not a matter of how, its when. Only time will tell when you end up dead or in jail. Secure methods of communication just prolong the inevidable
This video is 100% spot on. Email could have been made secure, but it wasn't. Truly secure email with end to end encryption, requires that both ends have the tools to encrypt and decrypt. This is why protonmail to protonmail communications are secure in as much as you can trust protonmail. Even perfectly executed, if there were vulnerabilities in the encryption methods that the agencies were aware of, it wouldn't be made known to the public. I'm also not sure how far they've come with quantum proof encryption they've come, but that's an issue too. Then there's the idea that the agencies are storing information that they aren't able to decrypt today, because one day they will be able to. So current encryption methods that aren't quantum proof, that they can't read now, they likely have and will be able to read in the future. The scope of that goes way beyond email.
you guys use e-mail services? pfff i always count on my pigeon george. trust me he never speaks a thing about me
real mfs send letters manually
Funfact: Carrier pigeons were a distinct species, and one that went extinct due to over-hunting.
@@Naokarma idk who told you that but carrier pigeons still exist...
They mostly exist for showoff tho, people buy pigeons and breed them to get better pigeons each generation.
Wait until your avian carrier gets intercepted by feds' falcon. This is VERY unlikely to happen, unless you're Osama kind of guy.
@@a-_-a men of culture rfc 1149 is the future
Exactly. I don't fully trust in any e-mail service precisely for the reason you mentioned: the protocol itself. If you have something sensitive to share to anyone, e-mail is not the right medium.
Same for SMS text messaging.
Except, maybe, you and your intended recipient exchanged ciphers ahead. Preferably in a face-to-face real world meeting. In a place where there's not a single camera for miles away.
That's what PGP is designed to do. Problem is trying to explain the sender on how to use it is the problem in itself. ProtonMail supports it and they make it fairly easy to use. I generate my own PGP keys on my computer so I know there's no escrow key attached to it. My Thuderbird e-mail (Linux) client automatically attaches my PGP public key so they can use it to send me encrypted e-mails.
It also frustrates me when people refuse to communicate by e-mail or such because they consider it unsafe but then act like Telegram is totally rock-solid. Well, to begin with, it requires a contract-based global ID (phone number) attached to an account, and then Telegram is under jurisdictions, too.
It is often better to use e-mail but have no smartphone than to use Telegram and a smartphone. But the 'popculture security sheeple' cannot be convinced after they already believe they are totally safe now with their cute little mass-used gimmick.
@@Dowlphin Or, even worse, Whatsapp, because it *allegedly* has E2E encryption enabled by default. But I have doubts if their 'encryption' doesn't have any backdoors, which can be used both 'legitimately' and illicitly.
Email in general cannot ever be truly secure. If one needs that level of total privacy there are other tools for said communication. With email, at best it's the equivalent of locking our doors at night - enough to keep honest people honest, that's about it. Determined people, either individuals or government agents, will find a way to crack emails.
Why not? Email has transport encryption between servers and between clients, it can have content encryption via autocrypt (or other methods including the Signal protocol like criptext), it has DNSSEC, TLSA, DANE. Encryption at rest can be done as well, or messages can be removed from server when delivered. What security holes are still left after all of that?
@@adamz1977 It was explained on the video, if you don't use PGP yourself and send encrypted data, the gov can make the company server comply with encryption removal at rest for that specific users etc.
Heck, proton if wanted can also push an logger script on the web so even PGP would not work if typed on the web app of them.
The only way for email to be secure is to type it on a offline editor which is not related to the email comany and encrypt it with PGP there. Then send it through email.
I.T. guy here; I hope I'm not witnessing someone defending faxes right now 😏
@@adamz1977 You can always manually encrypt your own data with a cipher. The only reason why Enigma was cracked was because an entire nation was intercepting hundreds of messages, original Enigma machines, etc - and devoting thousands of man-hours to cracking it! If you make up your own encryption, the scale that you operate at will make it even harder for people to crack.
As someone who literally sets up servers and mail servers are one of them, I can agree at some degree that you CAN secure email. BUT, can you still call it an email? And, the more you make it secure, the more complex it becomes that its a nightmare to maintain or even use. In the end, emails should never be used for something that requires security. Never send account information over email. And never use email for 2FA.
ProtonMail is just a better alternative to gmail. That is it.
It isn't the holy savior of the mail privacy.
It's pretty good but I agree, it's neither the holy savior or the devil, it's just a good option if you don't trust Google
Functionality and availability wise, google is also very good. It just works. Both of them, indeed.
But privacy wise.... I will just say I try to not use anything coming from google. I am not there yet... but one day!
Yes, I absolutely agree with you.
The 5 most evil corporations that make money from harvesting user data are Google, Apple, Faecesbook, Microsoft and Amazon.
If you use any other service (including email) provider that isn't affiliated to those corporations or the CCP, then you are going to be more private than you were using services on any of them.
Email isn't encrypted unless you use PGP, at which point the body of the email is encrypted but the headers and the metadata are not - so someone from the outside can see who you were communicating with and what times, and may be able to guess what you were discussing purely because of that relationship. And that's something you just can't change with email.
@@joaomaria2398 the issue is once you use it you already lost the privacy, and your id.. you can only stop them from continuing to collect current data to send personalization at you.
I'd rephrase that: pm is not as bad as Gmail. Only in algebra is "not as bad" the same as "better".
the only privacy i care about is being sold for ads, i knew from the start they have to give up info for warrants which is fully justified. i just don't want random workers and ad companys in my emails. proton is perfect for daily use.
It's "fully justified"... until the laws keep changing and the warrant is for "suspicion of collecting rainwater in barrels on your own property."
@@YountFilmsure but honestly who is using email for anything other than signing up for things or sending colleagues or businesses a message to start a line of communication. Afterwards if security is a concern no one is using email…
@@YountFilmLaws dont just change by accident. At least in the US and Germany we ellect governments. I think we should try our best to fight this at the government level. There are lots of surveillance options way harder to circumvent like hardware backdoors, public cameras, other peoples digital devices etc.. So yeah, I'll definitely try to fight on that side. If this fight is ever lost, then yeah just ditch mail.
It seems to me that covering your tracks because the cops are after you is probably (hopefully!) more privacy than the average person needs.
The people that don't care about pivacy at all "I have nothing to hide" should think what could happen if uncle adolf was in command with access to all this data.
Just tell them to give you all their passwords so you can read what they say on facebook or in their emails. If they have nothing to hide then they should be OK with it.
😂😂😂
Plot twist: uncle KLAUS is in command with all the datas
The reality is that the people in charge are just as bad if not worse than him.
I wonder how many of those who have nothing to hide would let anybody put a camera in their house just to watch.
honestly this was the best Ad for Proton Mail, sensibly discussing the technology and history, flaws and benefits. i hope they pay you, because they probably got a few subscriptions bc of this video.
I have no illusions about Proton being a beacon of inviolable privacy against the evil forces of the world, I just like the service they provide. Not just the email but the entire ecosystem of services. It works really well for me in my situation.
I switched to it after your email video, and I’ll use it because although they have shown they aren’t perfect, it is absolutely safer than Google Mail so switching to Proton was a net positive.
Exactly this. The people that kick and scream about protonmail to someone who's never heard of a VPN and have 1-3 Gmail accounts is really just missing the point. If they don't use proton they're probably just going to keep using Gmail, not open their own personal email server.
I've had caution to doing it for everything since some services are allergic to you using it. I guess if you wanted to be 99.9% private, you shouldn't be using the services that would have a problem with it in the first place.
If anything, I'm getting very mad with other email services making account deactivation policies that are going to just get shorter and shorter until maintaining them becomes a chore and a risk of massive account lockouts...
Edit: I read that Proton is doing the same thing... I guess it's neat you can pay for it once and cancel later and the account can remain active? But if they change the policy once, they'll do it again I guess...
@@AshnSilvercorp Oh yes, not just email services, but all internet services in general seem to be trying to prune anything they label as "dead". At this point in time, Proton is only resending any emails my Gmail gets, so nothing I use actually goes to Proton but rather Gmail, but I'll see what services in the future I can use Proton with natively.
@@AshnSilvercorp They were forced by the Swiss government to give his data, and unless you know the context, as I read this peasant what he wrote to the US government or somewhere, he threatened them and seriously, so I guess it's better after all to turn one man in than to have others commit su*cide from his false threats.... in short: it's one good thing, one bad thing that they ratted him out, because they broke their confidence a bit, but at the same time they helped catch the person through whom suic*des out of desperation could sprinkle
Plus Gmail now ask to add a phone number with out a choice, dont know how long or when that start it. But it wasn't a thing when a open account at Gmail, now i'll Try Proton Mail till they decide to also start asking for such verifications to verify.
If your hiding from the government you need to be using more secure communication anyways, if you just don’t want your email scanned and data sold then proton is pretty good
I'm new to internet security. What would you use for such a situation?
@@TheBlackStrangerEmail is fine if you PGP encrypt the contents
@@TheBlackStrangeror maybe signal?
@@TheBlackStranger Signal or Telegram
exactly, that's the main reason I use proton...
Protonmail is good for what it is. Even hosting your own mailserver isn't 'fully secure' and if you are sharing sensitive data there are better protocols.
I don't know - it seemed to work well for Hillary! Just keep a big hammer on hand.
She's got democrat privilege, that's what you're forgetting@@tedrice1026
@@tedrice1026 I suspect she had insider help, although, admittedly, I have no evidence for this. Only the fact that I cannot, *cannot* imagine that the secret services did not know she was doing it.
I suspect she or good or Billy had connections of some sort to help them set this up in the first place, and secondly, to prevent them from getting into serious legal trouble.
If I were to suddenly run my own mail server or my own mail address and use it for work, my employer would have me booted from the company in no time. I do not believe for a second that nobody knew from the get go what she was doing.
@@tedrice1026😂😂 fair enough
Rules for Life .
1. Do not trust any Device , system or service , ever .
2. Never forget Rule 1.
Then what's the point of technology? Might as well trust something.
@@nightowl425 Good luck with that .
@@nightowl425 you use it cautiously. Just because you use it doesn't mean you have to trust it.
As a fellow glowing fed I approve this message
@@rft253 Because the greatest programmer who ever lived told us so.
@@rft253It's because of the legendary quote by Terry A Davis, on how "the CIA (hard R nwords) glow in the dark, and you can see them while you're driving". Look it up, it's kinda funny, to be honest
@@rft253cause they're feds
@@rft253do NOT look up terry davis
CIA n*gg*rs glow in the dark @@rft253 Why? Probably the nanotech in their blood, luciferase, graphene oxide... who knows...
this is actually a good reminder for me to go through my multiple emails and do some house cleaning, delete mails from services i am no longer using, delete emails that are a decade old and most importantly unsubscribe from all the email newsletters
Proton + SimpleLoguin
PGP is actually easy to use, but it's a pain to maintain a list of public keys for all your friends
I will say doing verification with it isn't really well explained. I've tried to use it to verify Linux iso's a few times, and the process is never really well explained on the install pages.
@@AshnSilvercorp it's pretty easy. If you want a video guide for it, check out Mental Outlaw's new Tails guide- he explains the process of verifying the ISO there.
You're contradicting yourself.
Try getting anyone else to use it!
@@tedrice1026 Exactly. That's the only hard part of it. And although I agree that distros should at least link to a guide or something explaining how to verify ISOs, that's a general issue with all open source projects... the number of times I've tried to find a proper install guide for some github project is way too dang high.
As a CIA Agent I love Proton Mail, makes over throwing democratically elected governments the world over a breeze. All my friends, family and global espionage network connected in one place
Tim what did we talk about you telling people you're a CIA agent.
@@notafbihoneypot8487 let me guess, you wear a white coat and offer people a temporary place to stay? 😉
@@notafbihoneypot8487 😅
Oh snaps! 🤣
Please report to sound proof conference room for "remedial" training regarding the release of internal operational procedures.
PGP isn't really confusing, it's just kinda a pain adding extra steps
This
Have you tried the autocrypt standard though? There's zero friction using that with clients that support it fully (like Delta Chat).
I find it funny. PGP was great. BUT then Symantec bought it and wtf happened? It’s still around but what a shit show. I miss the PGP desktop.
Pgp I have still not had it work out and i tried it all so what are u talking about its impossible
What is ur opinion about OpenPGP as in Thunderbird available?
Protip; if you're a drug dealer, don't do business over public email
Or online at all
I agree, but I will also add that the person who wants to be invisible has to not only stop using email, but also reduce social connections to almost zero.
Facebook was capable years ago of creating panthom profiles of people not on facebook, just by all the info he had on your friends and family. So if you have communications with people who are leaking data everywhere, they can still pin point you.
Facebook is for surveillance and never for privacy.
Their logo is an evolved form of an freemason logo.
I trust no tech companies at all that have their hands into survaillance,that is on the Stock Market that is owned by the evil 1% and that funds or funded the WEF.
You do not have disown socializing with others.
You just have to avoid being so honest with others about who you are.
@@azure4real if they are socializing with a non-existent avatar, are THEY socializing with you? are you socializing with them?
I'd say not really, one of the joys of socializing is to get to open up about who you are. If not, is just glorified weather-talk.
one thing you forgot to mention that even emails encrypted with TLS are not safe from a MITM, you can trivially downgrade to plaintext or even just straight out not present a valid certificate. The only way to have authenticated TLS connections safe from a MITM is to use a service that supports MTA-STS and DANE, which sadly isn't very widespread.
True. Another example of email being inherently insecure.
@@EricMurphyxyz No, that's an example of a security hole being fixed. The word "inherently" means permanently, but as @jacksoncremean1664 already said, those MITM attacks can be mitigated with up-to-date security best practices.
@@EricMurphyxyz
Hey..
When I found out it was created by the Intel agency
I deleted my free Proton app...
It redownloaded onto my phone all by itself..
But it doesnt show up in my apps list...
How the heck do I remove it ?
There is no way around coding your own e2e solution if you want peace and freedom.
@@braddockbrawler
Hi.
Can you please tell me if you get this?
I think this feels like a similar situation to signal where all they could give was the ip address where they logged in from
so I think as long as you pair protonmail with vpn there should not be a danger of leaking ip address
Signal still uses a public identifier (phone number) and so can still be used to find your identity. One needs to compartmentalize one's contacts.
Thus Signal is shit re privacy by having to give your phone number- it totally negates so called benefits.
@@brunoterlingen2203 kind of. Even generating one random number and having you use that has this problem, unless each person you talk to finds you with a different unique number.
Phone numbers are extra bad, because they are a common identity proxy in all facets of life.
Signal is still very secure and pretty private, but it is not anonymous.
Yeah that's why I never understood people constantly advocating and trying to get me into telegram.
Sure it's not discord. But telegram requires my phone number, constantly broadcasts the last time I even clicked on the desktop app or looked at the mobile app, and then there's the read receipts. It felt like the more someone was trying to convince me to use telegram, the more of a stalker they were.
I appreciate this explanation. I was completely unaware that Proton Mail was so divisive. No wonder I get weird looks when I give out my email address. I have nothing more than a standard account & I'm not sponsored in any way. But I've been quite happy with it. 👍🏻☕️
I know we all have an anarchistic bent about us, but Proton is meant to provide an alternative to surveillance capitalism NOT lawful subpoenas. They *must* comply with their laws if they want to stay in business. People that think they ought not are simply mistaken about what Proton's stated mission is.
Email used to be just sent and not stored in the server. If everyone were to do that, at least when any entity wants to snoop it they can only see mails in transmit, not seeing years of data.
I got my first PGP key at a key party in Houston in the 1992 or so.
A member of the Free Software Foundation or something similar was there with a laptop. We took a floppy diskette to the party where the guy with a laptop would generate our key for us. He was pretty busy at that, too.
The real problem was that once I got back to the office with the diskette, I had no idea what to do with it.
I must know what a key party is
@@Dryblack1 It was an event at a local bar where you could go to meet people and verify identities to sign each other's keys. And if you didn't have a key, you could take a floppy disk with you and someone there with a laptop could create a key for you and save it on your floppy disk.
In our case, the guy with the laptop creating keys was a lawyer who was highly involved interested in the EFF (Electronic Frontier Foundation).
@@ej2953 Fascinating, thanks for sharing!
Very nice endorsement Eric, your badge and money payment will be at the standard dead drop.
You can absolutely verify the code running running in your browser, and therefore you can verify if your PGP/GPG key is generated client side and then only sent to Proton Mail in encrypted form.
Yeah, that seems obvious, I was wondering if he meant something else but then I'm not sure what that something else might be?
Yes but you hit the nail on the head in your first sentence:
You can absolutely verify the code running running *in your browser*
I cannot easily deduce what happens on the backend/server side of things. On top of that, as someone else pointed out in the comments, even if you use an open source product (which Proton mail now is), how do you know that the code in the repo is the code that is running in your browser/front end/back end?
@@masterTigress96 Well if it's not backend you could just compare the open source code and the stuff you got
probably a good thing to note how web-based FOSS programs don't always have proof that you're using the version containing the code publicly available.
I didn't think about that before, thanks, now I have another thing in my list to worry about lol.
with messaging apps being more secure, I can't remember last time I actually wrote an email. I basically just have an email address for purchase receipts for online shopping and website sign ups
Proton seems like the happy medium between privacy and convenience, so long as your not the tallest nail or low hanging fruit your probably not worth the governments time.
One thing I want to point out is that governments aren't the only party that one should want privacy and protection from. For each case of a government using online services and platforms to gain info on activists, whistleblowers, etc, there is one of corporate entities doing the same. Also in many cases, governments pursue whistleblowers, investigative reporters, etc on behalf of corporations, e.g. the Steven Donziger case.
I agree completely with your main point, but I don't know if it's fair to call a corrupted judicial system "government working on behalf of corporations", specifically the Donziger case. The line gets a bit blurry, but it's still corporations and their money corrupting the system. usually individual judges. I wouldn't call that "the government".
@@squirlmy Yeah true, I was typing "governments" while thinking "states" there.
@@squirlmyWhat? Government isn't government when it's local and corrupt?
Swiss laws for privacy are the strictest in the world. Only a Swiss court with a legitimate court order can do anything to Proton. This is why Swiss banks are the popular choice for the wealthiest on the planet. Which makes using Proton Mail the best choice as well. Swiss laws make it so no companies have to comply with outside jurisdictions. Proton doesnt have to comply with any request or any legal action that isnt from a Swiss court ... and Swiss courts dont listen to outside jurisdictions (unless something is a direct threat to the Swiss people).
*a direct threat to the Swiss people* - like Russians😂
@@zhang-boyuHaha, exactly.. "Neutral" Switzerland has implemented more sanctions against Russia than the EU itself but not a single sanction against Izrael. 🤔
Also, the world's most influential psychopaths meet every year in Davos to discuss how to proceed with their manipulation of world affairs, completely against all the democratic values and processes they claim to stand for while at home in their "sovereign" nation states.😏
I'm trying to change my email provider to more safe/secure. I am not concerned about govt snooping, I am fearful of data breach access to my online emails that contain a lot of very sensitive info. Financial, etc.
Love your channel and how honest you are! Please make more videos like this!
Honestly, PGP/GPG is _not_ difficult or complicated at all. It takes only a few moments with our friends Alice and Bob and you'll educate all but the most technologically challenged. The hard part is finding other people who'll use it, leading to a feedback loop where eventually even privacy/anonymity focused folks give up on it; and that's why if there's one thing I disagree with in this video, it's how Eric constantly refers to it as if it's monstrously complicated, thus dissuading people who might be inclined to give it a try from even looking into it. If you've sat down long enough to install Linux and even learned how to use it, you can figure this stuff out. Believe me.
People used to say that email was like a postcard, readable by anyone who handled it. Now, it's like a letter in an unsealed envelope. Super-secure email is like a letter in a sealed envelope: the people at the sorting office know how to steam it open without leaving a trace.
Of course you can write your letter in code, so it's unintelligible to anyone who can open the envelope. But the envelope still has postmarks/franking, a return address, you've left your fingerprints all over it. You can wear gloves while handling the letter, use a remailing service, but can you be sure that you've covered all your bases? No, you probably can't.
What matters is WHO you're trying to hide stuff from. If it's a nosey neighbour or jealous partner, they probably don't have the wherewithal to conduct a forensic analysis of your mail. But if it's a government or other serious organisation on your case... you should look into alternatives to the mail.
No. Email is an ancient technology. Email will always use port 25, which is unencrypted. ProtonMail may encrypt your email, but port 25 will leave a rabbit trail directly to your contacts. You'll be discovered via your contacts. So, there is no privacy in email.
It is hard to teach the use of PGP/GPG to people who do not know what a file is.
Kind funny that people expect companies to not comply with the government's requests. If they don't comply they can have their business shut down or go to jail.
11:01 Actually Thunderbird supports PGP so you can set it up on that without a lot of work or needing the command line.
You're definitely not simping for Microsoft, you didn't even cover Hotmail, Live or Office 365, which is bizarre.
He did in his original video, it was the first or the one after it
14:57 they actually did say that. The CEO is on record explaining exactly that. Quite transparent about it
I mainly use proton for the aliases so that when an alias of mine gets hacked, i can recover my accounts under that alias, switch those accounts to a new alias, and delete the old unsecure alias. My emails use to get hacked a lot so an alias attached to my main email just makes me feel more secure.
My issue with proton is that it's very expensive for personal use if you want a custom domain for your family, this is the sole reason I don't use it.
You're literally part of my pipeline to privacy-conscious in that image at the end LOL I use a hardened Firefox cuz of you (although I am having a severe memory leak issue with it that I have no idea what's causing it yet [EDIT; it was a CSS theme causing the leak LOL])
Librewolf?
@@SomeRandomPiggo no I would've said a branch if I was using that
@@Zippy_Zolton They're not asking if you use Librewolf. They're suggesting to use it.
Waterfox is better in that regard. Operates on the same code stack as well so you can still use the same plugins.
@@cjmoss51I'm sure it is, but I am currently sticking with Nightly Firefox
GPG doesn't need to be CLI only. There are GUI apps like Kleopatra that make it really easy 🎉
Lol I once reccomended Kleopatra to someone and he wasn't able to figure it out
@@Antek1234l lol yeah I mean it's not for everybody, but it makes 'the thing' easy for anyone invested
True, I agree, it's much easier than cli version
@@Antek1234lI actually found kleopatra more confusing than cli lol, the gnome one is good, but I use kde so gtk apps look worse, I'll stick with cli.
Yeah, everyone has different preferences, some programs are just better as a cli tbh
You gain a subscriber, the way you explain / edit and the quality looks insane effort i wish you be one of the largest youtubers on tech and related topics ❤
One reason I changed from gmail was I noticed they would go through my emails and create calendar entries from them. A family member sent me their travel itinerary and I started getting calendar notifications for flight times. Confused, I went through and found the entries matched up with the flight times from their travel details.
But I've now noticed that Proton is doing the same thing. Work emails come in and now there are calendar entries. I don't like this at all. Clearly their systems are going through the emails to some degree.
Proton has also really slowed down for me over the last month or so too.
Google is probably getting the flight info from other apps on your phone such as your browser search website activity etc. Even your "Notes" App.
@@andre1987eph That's possible in other cases. In this case, it was emails sent to me. I had no browser history/searches/etc.. or notes. There really was nothing else apart from the emails as they weren't my flights and I had no idea about them.
even signal has the same problem of setting up your encryption for you. the app is open source but the desktop app updates like every day, are you really going to check the binaries match the open source version? Or do you trust google play to send you the right program and not spy on you? hopefully you could verify the binary of the open source vs local copy, but most people don't know how to do that. I mean that's still better than web apps but theres still a slight problem
Excellent subject matter explainer, top class!
Really appreciate it!
how you are verified with so low subs
@@sguptzz it's a stupid Google+ thing from 2011.
You talk with a similar inflection to my childhood best friend’s mom. It’s oddly comforting.
my only gripe with protonmail is that they keep trying to charge me for service i cancelled years ago. i don't have an opinion of their service one way or another, i just want them to stop trying to take money from me when i haven't used it in almost 5 years now rofl
You have to disable the security feature for logging ip addresses that log into your proton mail it's mean so you can see if anyone else logs into your account from a different ip bit disabling it it's not there to be logged
Proton mail, as compared to google, Yahoo and or Outlook mail, is like a messiah is to a religion. Its the best you can get. But, as noted, it is only encoded end to end if you are sending proton mail to another proton mail address
I used PGP many years ago, and I recall how difficult it was to set up and get going.
Read the bible kid, even if you don't like candy it's useful to learn it
It has gotten alot better these days. Thunderbird automatically handles the keys without installing some add on.
The only way to send and receive emails securely and get away with it, is to host your own server in your basement, and be a high level democrat from a certain famous family, then it gets completely ignored even when the rest of us would be in federal prison for the classified content that was being hosted.
Protonmail handed over specific data on certain users after being ordered to by the Swiss courts after being petitioned by the US. So, if you have Uncle Sam actually going to a Swiss court to obtain a warrant for your email, you've really screwed the pooch.
I think they have some. I don't know shady tactics for upselling and they also have some complications where if you try to downgrade from a paid account to a free account. The amount of horror stories I see of people that have a paid account and then want to switch back to a free account or they have a paid VPN but they don't want it anymore but they lose access to their free email account.
I find it very weird that they _insist_ on you linking "your" gmail account (which is non-existant) to your Proton account if you want the storage to be doubled. It's one of 4 requirements, and if you don't use gmail (because why would you?), or don't want to link it to your Proton, you're stuck with a measly 500 MB. Plus every single e-mail that you receive from Proton, like notifications etc., is _gigantic_ in comparison to normal mails, even though they don't contain much aside from some text. Normal e-mails mostly use up only a few KB, like usually well below 20 KB, but everything I got directly from Proton was around 1 MB large, even though there wasn't much else besides text in them.
I'm a security nerd. I used to run my own email server but you can't get people to use PGP. I've been a ProtonMail visionary supporter since the beginning. It's the only service I'll use now.
With true client controlled end to end encryption (which CANNOT be the case for metadata with inter-provider email, except maybe if you are literally sending them just a webpage that decrypts the message client side) - as you explained earlier about pgp), no need to trust the provider. For any other case: If the provider is in one sort of country, they can be legally compelled to give what they have to law enforcement. In the other sort of country, you cannot legally compel the provider to adhere to what they promised you.
I route Proton mail through my own domain name. When I set that up Proton required/suggested that I install a PGP key at the domain server via DKIM parameters. Your email will work without it, and its a pain to install at some domain providers, but it works, and Proton gives you a tool to test whether you've successfully set it up. I like that and that part of the pgp seems to work from that point forward. Yes if you send something to an email service owned by a company in silicon valley then, yes, there's probably a risk of getting cancelled depending on how based your beliefs are.
If you're really worried, you can always use Proton's secure function which open's an email taken out in a protected environment using a separate password.
Not an expert but that seems like a good solution for things like ssn's or your next great invention.
See man I wouldn't mind switching over to any mail service as long as it lasts, that why I willingly use gmail or outlook because I know it will be there even years after, how many third party mail services have lasted 10+ years and still update with new features?
6:53 oh deamn, what an ABSOLUTE CHAD
Showed your bias from the start, had a clear primary point to make supported by a multitude of secondary points and logical conclusions which you even described some potential outliers for. I genuinely appreciate the no bullshit perspective of the video and found it to be incredibly informative and grounded. I am now even more convinced than I was before that Protonmail is right for me, and I now feel properly informed about the strengths weaknesses of the particular company, and the general service as a whole. Thank you.
came here for comments like these to be honest. so called "privacy experts" are just shitting on proton for no real reason other than that it was a small company that got big. I trust proton with my data no matter how sensitive. the only downside is that you have to pay up lol
@@shishibone yeah, the cost is unfortunate. Though I am glad they have options to pay for just the services you want. I'm finding I quite like their password manager.
@@d34ddud3 i agree. I first was sceptical about password managers as i just didn’t use them and it was weird coming from Firefox default login saves. But since I started using it (included in my visionary plan) i think it’s really neat to have my passwords synced between my phone and computer. As i tend to forget some logins quite often
I had complete forgot about the proton mail french activist thing, and i recently made an proton email for crypto just to seperate it for my other ones, im glad i found this after and watched all the way through, you explained it very well, good video
E-Mail is not inherently insecure, if you manage your own S/MIME or PGP keys, you have real end to end encryption. You can even use POP3 to collect your mail so it isn't permanently stored on the server.
The advantage of Signal is that it is easier to use, so your peers bad security practice is less likely to get you into trouble.
No, he meant exactly pop3 and not imap.
I didn't watch the video yet. Answer:
No you can't. They will randomly close your account and you are SOL. They are unreliable
My email been compromised before I was even born.
Encrypt your text (hard as you wish).
Convert birary to Base64.
Paste into any email.
Send.
-
Copy base 64 of the email.
Convert base64 to binary
Decrypt the binary.
Read.
-
Just encrypt it by yourself. Send you public keys, protocols, and decryptors in "creative and secure ways."
Not sure why people choose to rely on services like email if they’re that highly skeptical
It's one thing to mistrust a service or a provider if they really encrypt how they say. But at least with a commercial provider you've got a mutual binding contract and that helds someone liable to encrypt your email. On the other hand, you still got to prove they didn't in case of a breach. Buy when you said "it's convenient" what most people really want by paying someone besides convenienceis liability.
This is what I understood, correct me if I'm wrong. Email was never meant to be private and messages are encrypted during transit but google for example stores emails in plaintext. PGP can solve this by enabling 'end to end' encryption. I'm not sure how Whatsapp achieves its end-to-end encryption but despite PGP being a solution, it's a pain to setup and use by yourself. Luckily, protonmail enables PGP between proton accounts but if a gmail account sends you an email, proton scans the contents for spam and THEN encrypts it, which means they can read it. There was one case where proton revealed an IP address to the government which ended up in someone getting arrested. One IP isn't much which is good, but there's always a risk from the government with any email provider. Signal was meant to be encrypted from its foundation which I'll learn about soon probably from your channel (edit, you haven't made a video on signal, pls do one). So, proton is more convenient than alternatives and seems trustworthy but it can't be trusted 100%. Note: I haven't seen your emails video yet.
OWASP principle: don't trust service providers or "trust but verify". It's out there on a manual. It is simply not logical to think of service providers as invulnerable.
Technically you're correct but it comes under the broader banner of "zero trust" across an entire environment, not just within the bounds of application security.
For example, it's estimated that around 80% of cyberattacks come from within an organisation through normal users of the system - and therefore zero trust treats users as equal to outsiders in terms of the security model you deploy to control what they do.
Please, make a video about tempest search engine and browser.
Even i have never heard of that.
Great video. You just got another subscriber
I am just now looking to start using Proton, and to be fair, Government should be able to ask to see data based on a a judge decion, not anythime they feel like. For me, I don't do anything illigal, so I am not necesarely afraid of a judges, but I do want an alternative to Google. I understand that if you want to be as secure as you can be, you need to run your own infrastructure, but for now I am looking basically to not depend on google for e-mail and storage.
Honestly I’d prefer a service that is completely honest about these things, telling you: we can’t make it perfect but these are the things we can do
Write message in notepad, Zip it and password protect it, then email it as attachment. Then send a hand written letter to the recipient with the password. Easy!
nothing is safe online
Sure you can't trust a company 100%, but aren't 3rd-party audits a good way to help with that trust. I don't remember the details about Protonmail audits though.
They have had yearly audits iirc.
Govt goes to email providers asking for a criminals inbox. Finds spam and password reset forms. Lol.
If you really must send secret messages over the internet, you need to encrypt them offline on a small computer that is kept locked away and NEVER connected to the internet and the recipient needs to do the same. Use one time pads that were hand delivered. Then you can send them over any email service, but an encrypted one like Proton Mail provides you with another level of protection. However, governments will still know you sent an encrypted email and will have access to the big data.
The problem is people are misled through lack of knowledge. They don't understand that mail in and out of protonmail is plain text to and from all others. This is where law enforcement waits.
It doesn't go encrypted. Protonmail can't see it when the email has been encrypted or decrypted, but can before and after.
The only time it is secure is when two users connect to the site and keep emails inside protonmail.
There are so many that use their app and get caught.
Protonmail is encryption to server, not encryption in transit.
If u want a secure email service rent a server and domain and make ur own email server in thus I mean you dont want someone to give away ur info we'll they can't if they don't have it
@nsoolo And even if the traffic is encrypted... They can just seize your hardware. Or just, simply look at the other person's email and see what they sent you/you sent them.
Email is a two sided thing. Doesn't matter how much encryption in the world you're using if the person you're sending it to uses none.
I think nothing is private, if the government take interest in you then say goodby to your supposed privacy, they can outlaw and force provider to spill any info about you one way or another, true anonimity is boil down to just make sure you leave a little as digital footprint as possible, and dont be outspoken ot worse, record yourself.
Thanks for the thoroughness and the provided context
I like protonmail but one thing I don't like is much of the community. Like if someone is new to the community and has genuine questions about for instance, they're often vague terms of service and the occasional contradiction of them by proton staff on the subreddit,, they get their heads bitten off.
It's like there's a dozen or so militant volunteer moderators or something that just scream at anyone that has a question or a concern about proton. A good app. A pretty s***** community.
I know this sort of thing can be off-putting. We use SSH at work and guess who my colleagues come to if a new public/private key pair needs to be set up?
Hey Murphy !
I found myself recently wondering a lot about my privacy and the future of all of ours.
It's pretty great what you do, and the shout out to Snowden won me over, cheers.
Email is unsecure. Period.
Proton mail is no better or worse than other email services. But I do like it's hosted in Switzerland who has pretty good privacy.
Yeah, if the government/police show up with a warrant they will have to hand out the information they have on you, but that's true for ALL companies in the world.
Do you trust MS to not hand out the information if asked? (I wouldn't trust MS with my socks drawer)
btw. I am using Proton mail for some of my email, but I also (still) use gmail.
I think there’s a rabbit hole when you get in to privacy products. I want privacy from the private sector and criminals. I have no expectation that I can have privacy from the government 😂
But what if government themselves turn into criminals?
We are never 100% sure of anything, Proton is not perfect, but compared to Google, it delivers what it promises, Google even asks for your blood type if it wanted to It is not possible to be completely anonymous, but at least we can protect ourselves, keeping an eye out for dangers and positioning ourselves well, to always avoid the worst, which in this case Maintain such privileged privacy
No you cant. They handed over "encrypted" emails that were apparently not encrypted, because if they were, nobody would be able to read them. Proton could though.
Speaking of Signal, didnt they end support for MMS and SMS? I'm in need of a good alternative
I have given you a good alternative two times here but both times my comments was deleted. Simple comments with the name of the app. Eric?
@@TormentedHealer Does it start with a T and end in gram?
@@5DimesPlayer No. Start S end N.
@@TormentedHealer Hm. I couldn't find anything. I did a Google search and came back empty.
Its like people dont realize that if youre an activist against your government then you already lost. Its not a matter of how, its when. Only time will tell when you end up dead or in jail. Secure methods of communication just prolong the inevidable
That's why selfhosting is the answer
Can you do a comparison between proton suits of products vs skiff products?
This video is 100% spot on. Email could have been made secure, but it wasn't. Truly secure email with end to end encryption, requires that both ends have the tools to encrypt and decrypt. This is why protonmail to protonmail communications are secure in as much as you can trust protonmail. Even perfectly executed, if there were vulnerabilities in the encryption methods that the agencies were aware of, it wouldn't be made known to the public. I'm also not sure how far they've come with quantum proof encryption they've come, but that's an issue too. Then there's the idea that the agencies are storing information that they aren't able to decrypt today, because one day they will be able to. So current encryption methods that aren't quantum proof, that they can't read now, they likely have and will be able to read in the future. The scope of that goes way beyond email.