this post was submitted on 17 Jun 2024
161 points (97.6% liked)

Privacy

32111 readers
729 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

Due to the recent announcement of Proton moving to a non-profit structure (although not becoming fully non-profit) I've decided to take another look at them and really, Proton Unlimited is an enticing offer. However, the fact of everything from mail, to accounts, to storage being in one place is somewhat disconcerting. Also I recall them being decent, but not particularly outstanding at refusing to provide data to outside sources, there was a situation a while back where they handed over information of a climate activist.

To be fair, mail is insecure by default and if you're going so far as to write to another Protonmail user you might as well use something actually secure and I am not exactly planning on breaking the law so I'm not too worried about data being handed over to authorities, yet it still leaves a bitter taste in my mouth and with the state of politics where I live there certainly is a concern that, being queer, I should also be a bit weary of governing bodies as well, as laws may change in the future.

Basically, by switching to Proton I'd be putting a lot of trust in them, instead of splitting it up between things like Mullvad, Bitwarden, etc. and besides a password manager (and to some extent my email provider), while dramatic, a single failure at any point wouldn't be a total disaster. Are they trustworthy enough for the convenience benefits to be worth it to any of you?

top 50 comments
sorted by: hot top controversial new old
[–] cyberwolfie@lemmy.ml 37 points 5 months ago* (last edited 5 months ago) (1 children)

You don't have to use all services. I have the Unlimited plan and use mail with custom domains (+ the included SimpleLogin account) and VPN mostly, and Drive for backup (no Linux client yet makes it a no-go for daily use, but I have my own Nextcloud server that serves my purpose fine). Pass I have not tried (I use another manager), and Calendar I also don't use.

I still feel I am getting my money's worth.

[–] GravitySpoiled@lemmy.ml 15 points 5 months ago (5 children)

https://flathub.org/apps/com.hunterwittenborn.Celeste

Pass is awesome

Calendar is good but can't speak caldav which makes it useless for android and linux.

[–] CatLikeLemming@lemmy.blahaj.zone 9 points 5 months ago (1 children)

Wait, it doesn't support caldav? That really kills the appeal of the convenience they provide as a one-stop-shop, as I'd have to deal with hosting my calendars in another way. I guess at that point I could just get SimpleLogin and use the rest as I have it, even if that gets close to proton unlimited price-wise...

[–] GravitySpoiled@lemmy.ml 2 points 5 months ago (1 children)

Yes. I host my own nextcloud, I don't need their calendar. But that also means I don't need their drive. I only need the VPN and the mail and simplelogin is a nice bonus.

[–] EddoWagt@feddit.nl 1 points 5 months ago (1 children)

I'm pretty much in the same boat, you think it's worth subscribing only for the vpn and email?

[–] GravitySpoiled@lemmy.ml 1 points 5 months ago (1 children)

Tough question, but I guess yes. It's 10 bucks a motnh iirc, and I don't pay for streaming services

[–] EddoWagt@feddit.nl 1 points 5 months ago (2 children)

Yeah I suppose that's not too expensive, although it feels like a waste when I'm not using all the services provided

load more comments (2 replies)
[–] cyberwolfie@lemmy.ml 9 points 5 months ago (1 children)

Nice, didn't know about Celeste. Will check it out :)

[–] lastweakness@lemmy.world 2 points 5 months ago

Use it but don't rely on it. Celeste uses rclone. The rclone support was temporarily disabled from Proton's end a while back and also, the rclone backend still has a bunch of bugs and the developer seems to have gone missing

load more comments (3 replies)
[–] Alk@lemmy.world 29 points 5 months ago (2 children)

Others have touched on whether its trustworthy, but let me paste a comment I made a while back about why I like it so much from a functionality standpoint.

Let me tell you why I like it. It lets you generate a new email alias and password instantly whenever you make a new online account somewhere. Or just whenever you want. I've been slowly changing all my accounts over to their own unique email alias that can't be tied back to my main email. My main address is known by nobody at all.

The main benefits are if someone steals a password, the email address that comes with it will only be useful for that one account. (I don't need to go over the benefits of a standard password manager.) and so if that email is leaked or added to a spam list, I simply delete that address after changing the address for the single account it was used for. I can tell exactly which address is getting spam easily. 0 spam. Ever. Spam email has been solved for me.

Proton remembers which sites use which email/password as well.

Other than that, it's just good for privacy. Having a different email for each account makes it harder to track a user across accounts.

These addresses are somewhat auto generated, with the name of the site along with a random word and a few numbers. But if you want to create another email address, you get a handful of custom ones for free with the subscription too. You can revoke these the same way, so you can have a professional looking email to hand out to people that's not auto generated, without giving out your account's root email address.

Edit: I also want to specify that while all of this is technically possible through other means, Proton makes it easier than any other option. Plus access to a good vpn, a nice replacement for Google drive (for storage and basic editing, at least) in addition to the email service and password manager mentioned above. A very good deal, in my opinion.

Edit 2: it sure sounds like I'm a paid shill but I can assure you I just really fucking love Proton and I get too excited about things.

[–] Tywele@lemmy.dbzer0.com 7 points 5 months ago* (last edited 5 months ago) (1 children)

But if you want to create another email address, you get a handful of custom ones for free with the subscription too. You can revoke these the same way, so you can have a professional looking email to hand out to people that's not auto generated, without giving out your account's root email address.

These addresses are not as easily revoked, you have to contact support if you want to remove them.

[–] Alk@lemmy.world 7 points 5 months ago

Ah, I am mistaken then. I thought they were just as easy. Good to know you can still revoke them if need be, though.

[–] YaksDC@lemm.ee 3 points 5 months ago (4 children)

I am asking here because it sounds like you might have first hand knowledge. I currently use LastPass for a password manager and I really like it's integratiom with the Android phone and using it within app and on websites.

How is the integration of Proton into the phone? I don't want to have to open a different app and copy/ paste the password.

Thank you.

[–] Thetimefarm@lemm.ee 14 points 5 months ago

Lastpass is the last password manager you should be using. They've had tons of data stolen, bitwarden is decent on android so I just stick to that. Should probably change passwords after switching over.

[–] jjlinux@lemmy.ml 9 points 5 months ago

You need to take all your passwords out of LastPass and move to anything else. Bitwarden, ProtonPass, KeyPass, even Nextcloud, but run away from LastPass as soon as humanly possible. That shit and screaming your credentials at the top of your lungs while someone records it is the same crap.

[–] Alk@lemmy.world 6 points 5 months ago* (last edited 5 months ago) (1 children)

It's actually great. How it works most of the time is you highlight the text box in whatever app, and if proton thinks its a login box (it has like 90% accuracy) it will make a button pop up above the keyboard. Tap it, it opens proton and suggests the account it thinks this app uses. You can tap fill or search for another account. You can then tell it to always use this account for this app, or only this time. Then it goes back to the app you were in automatically and fills it. Next time you fill it there, it doesn't need to open the app, it will just fill it.

This requires that you give it screen reading permissions IIRC but you can disable that. If you dont want this feature. Also, if you have auto lock enabled it will ask you for your password or biometric (if enabled) before auto filling or opening automatically.

I used to use dash lane and I've found that proton works a bit better than that on my pixel 7.

Oh and if you're using a browser it will not ask "every time for this app" and will try to use the website you're connected to instead. I think.

[–] YaksDC@lemm.ee 2 points 5 months ago

Thank you for your detailed answer. I'll have to give it a try.

[–] Eliteguardians@lemmy.ml 1 points 5 months ago

Please, I beg of you to switch to a decent password manager. 1password, Bitwarden, keepassxc, and Proton Pass.

[–] stinerman@midwest.social 19 points 5 months ago (3 children)

The climate activist thing they did pursuant to a warrant, which every company will do, and the only thing of interest they turned over was the person's recovery email...which was personally identifiable. From there the authorities got everything else. IIRC, they got access to the person's iCloud. None of the person's emails or anything like that was given out. If you are strictly concerned about privacy you shouldn't use a recovery email so that your login can't be tied back to you.

As far as the service, I am using Mail and Pass daily and like both. I use the VPN and Drive sparingly, but I have enough space on it to stop using my Google Drive. Calendar is useless for me because of the lack of CalDAV support... and also because I can't have many calendars on the free plan.

It hits the sweet spot between privacy and ease of use for me. YMMV.

load more comments (3 replies)
[–] Ilandar@aussie.zone 18 points 5 months ago* (last edited 5 months ago)

For my threat model, yes they are trustworthy enough. I am not concerned about concealing my identity from a government investigating me for some alleged crime, but rather just transitioning away from Google and investing my time and money into a company that better respects my privacy. As a result, the centralisation doesn't concern me as much as it does others and I am fine using Proton for VPN, email, calendar and storage. I also use SimpleLogin, which is now owned by Proton. All their applications are well designed and reliable for basic use in my experience, and it is more affordable for me to bundle these services together. I would definitely recommend them to people like myself, but your threat model sounds a little more complicated so you might want to do some further research and see what else is out there.

[–] iiGxC@slrpnk.net 16 points 5 months ago (2 children)

I think they're trustworthy, but not the best in all those categories - I think tuta is better for mail (no dependence on google services), mullvad is better for vpn (linux app actually works with wireguard, and doesn't have a hard dependence on networkmanager), and keepassxc + syncthing is better for passwords, although to be fair I haven't tried proton pass

[–] EveryMuffinIsNowEncrypted@lemmy.blahaj.zone 5 points 5 months ago (2 children)

mullvad is better for vpn

Except if you torrent and have poor upload speeds, as it doesn't support port forwarding.

[–] kylian0087@lemmy.dbzer0.com 2 points 5 months ago (1 children)

Anymore yeah they used to allow it. A even better option for uploading is seeding to I2P. the bigger we can get i2P the better.

[–] EveryMuffinIsNowEncrypted@lemmy.blahaj.zone 1 points 5 months ago (1 children)

You're talking about this, right?

That sounds promising. Know any good sites that can help me get started, or at least learn more?

[–] kylian0087@lemmy.dbzer0.com 2 points 5 months ago (1 children)

The official site is best to get started. Personally i find it the most easy to run a container and configure a secondary Firefox profile: https://geti2p.net/en/

load more comments (1 replies)
load more comments (1 replies)
[–] Thetimefarm@lemm.ee 4 points 5 months ago

This is my opinion exactly. Plus they don't have a way to upgrade storage without a family or business plan. I just want a google drive alternative for the sake of migrating away from google, not security, though it's a nice bonus. Right now you can't increase the storage on the basic plan, you can upgrade to unlimited but it only gets you 500 gb but costs a lot more. If they had a $5/month plan for 2 tb of storage and no other services I'd sign up right now.

[–] RmDebArc_5@sh.itjust.works 11 points 5 months ago

You don’t have to use all the services, most of them have an excellent free tier. My setup is paying for VPN, using the free tier of pass and self hosting my email and cloud storage.

Legally they (and every other company) are required to hand over data to the police, however they can try to have as little data as possible. While Proton doesn’t take as extreme measures to protect your privacy as for example mullvad, they have no log policy and such. I believe the case where they had to collect data (IP address, which they normally don’t collect) they received a legally binding order from the Swiss government which normally is used for serious crimes. Every company has to follow these orders, so this isn’t a proton thing but rather a Swiss law thing.

[–] TheButtonJustSpins@infosec.pub 11 points 5 months ago (1 children)

I really love Proton, but I'm only using Mail, VPN, and Calendar. I kept BitWarden - already had it for a bit before Pass came about.

Oh: I'm also using SimpleLogin. Love that.

[–] trevor@lemmy.blahaj.zone 2 points 5 months ago

FYI: Bitwarden has integrations for SimpleLogin, Addy.io, FastMail, etc. for their username generator, so you can easily generate aliases for every site, regardless of what alias provider you use.

[–] TylerDurdenJunior@lemmy.ml 10 points 5 months ago

it was some years ago. But during an outage, one of their services turned out to be routing traffic through Israeli / Unit 8200 company servers.

My trust in proton evaporated back then.

https://cryptome.org/2015/11/protonmail-ddos.htm

[–] narc0tic_bird@lemm.ee 8 points 5 months ago

I think their services are generally pretty good, yes.

But their frontends really aren't. Their web apps are serviceable for desktop use. The Proton Mail desktop app is essentially the web app in an Electron or CEF wrapper. But on the desktop you can at least use Proton Bridge to then use whatever IMAP mail client you want.

On mobile, you can't. You have to use their services with the corresponding app they provide on Android and iOS. I moved from iCloud Mail to Proton just a few weeks ago (and I also had Proton a few years ago), which meant I had to switch from the default iOS "Mail" app to the Proton Mail app, as Proton doesn't support IMAP without a bridge (naturally, as IMAP doesn't support end-to-end encryption).

Unfortunately the Proton Mail app is not a fully native app but instead it must be using React Native or something similar. It's a low effort port of the web app, meaning very few integrations with iOS were actually done. For example, Apple Mail can show the email content in the notification, Proton Mail doesn't. At least you can mark mails as read in the notification, but you can only see the subject line without opening the app. Offline functionality is very limited as mail contents aren't cached on device, which can also make opening specific mails very slow (comparatively at least), and overall the app just feels less responsive compared to a native Swift UI app. UI animations aren't "attached to your finger", instead they just fully play once triggered no matter what. Calendar attachments just show up as an .ics file that you then have to download and open to add them to your calendar instead of just having a simple "Add to calendar" button.

But the worst part is that the iPad version is basically just the iPhone version blown up to fill the screen. It doesn't have a multi-column layout with your inbox on the left and the selected mail on the right. Nope, just like on the phone app, you open a single mail, it takes over the whole screen and you have to go back to your inbox again.

For that reason I didn't even bother with their calendar service.

The VPN app is fine. The iPad app is the same blown up iPhone app as well, but you don't actively use the app for more than a few seconds to pick and connect to a server, so I don't care.

Proton Pass is a little bit better (it's also newer I think), it does have a separate iPad layout. It also integrates well with their email alias service (SimpleLogin, although the SimpleLogin service standalone is a bit different still). I still use 1Password though because of the SSH Agent integration on desktop and it also comes with a Safari iOS browser extension for additional convenience features over just the native OS integration for password managers.

I actually use SimpleLogin and while it's technically not an OG Proton service, you do get their Premium service included with your Proton subscription (Proton owns SimpleLogin now). Very good service and hey, it has a pretty solid iOS app.

I didn't really use Proton Drive yet, but I'll probably use it for archiving some stuff by just uploading it through the web interface. Last time I checked they didn't have a native Linux client yet (for Dropbox-like folder sync), but somebody hacked support into rclone I think, although the API isn't documented on Proton's part, so it's probably not super-reliable.

That's it, right? Apparently Proton might acquire Simple Notes, and I'd sure take that included in my subscription, although I feel like Proton should focus on vastly improving their existing services first before they broaden their portfolio.

[–] JoeKrogan@lemmy.world 7 points 5 months ago

Personally I would split them so they are not all in the same place. So for email use something like proton or tuta, vpn could be mullvad and a local password manager such as keepass xc synced with syncthing.

[–] NuXCOM_90Percent@lemmy.zip 6 points 5 months ago* (last edited 5 months ago)

I can't speak to their Password Management as I use Bitwarden for that

But I am slowly but surely migrating myself away from gmail to (my own email at my own domain routed to) Proton. The webmail is very much comparable to gmail and, if you communicate with like minded people, it has decent support for signing and even encrypting email both to other proton mail users as well as to complete randos with just a password that you can send later. My only real complaint is that (... for some really good reasons) there is no easy to use exchange server and I need to run their mail bridge to use a desktop client like Thunderbird to send and maanage and (one day) back up emails.

VPN? I switched over to this around the same time I decided I wanted to "take control" of my email and it works pretty well. Very easy to get some openvpn credentials that I can plug into whatever setup I want. And no extra fee for port forwarding unlike SOME providers. That said, my main complaint is that the port is semi-randomized which doesn't play the nicest with my totally legit linux iso torrenting setup... But a quick docker ps and docker logs and then updating the config is pretty trivial and I only have to do it maybe once a week?

The big elephant in the room is that, as you rightfully understand, you are still putting a LOT of trust. But that is actually why I like Proton. Because other companies pretend they are going to knife fight the CIA and the US Government on your behalf all while actively not acknowledging anything until we get a post mortem. Proton are VERY open about just how far they are willing to go to protect you (not very) and what YOU can do to mean that Proton can't provide much useful information once the appropriate paperwork and legal actions have been filed.

I wouldn't trust a paid account with anything more sensitive than what really innovative stuff a friend did with a bun in the dumpster behind the Wendy's the other night. But, hypothetically, if I needed to send an anonymous email? Third party VPN/Tor, clean hardware, and a free Protonmail account works great and I do trust Proton to give the absolute bare minimum in that case.


And just for a bit of context. My "grand plan" is to migrate the vast majority of my correspondence and accounts to email addresses tied to one or more of my own domains. Currently I plan to use Protonmail for the mail server because I don't want that smoke. But the point is that I control the email address so I can get my Heat on and walk away in 30 seconds (actually more like a few hours but...).

Which is why the other aspect of that is that I want to back up the emails I actually want to save (rather than just EVERYTHING like those of us with older gmail accounts do) via a local client that I then archive to an encrypted volume on my NAS and (REDACTED) after that.

[–] sunzu@kbin.run 4 points 5 months ago

One service provider, single point of failure. After google bullshit and how long it took me to get away, i aint cornering myself again. I will pay for the extra fee for mobility and choice.

[–] RagingHungryPanda@lemm.ee 3 points 5 months ago

Well, I just got blocked for replying all to an email with two recipients and now I can't access my email, calendar, passwords, or VPN, so that's great.

[–] earmuff@lemmy.dbzer0.com 3 points 5 months ago

Been using Proton stuff for years. Some things are super annoying and just don‘t work. Their software engineers are mediocre at best. This made me move everything away from Proton a couple of years ago. Funny enough, all the other privacy focused providers annoyed me even more. So after 1-2 years without Proton, I moved everything back :D

Don‘t expect too much and you will be fine. Simple features you know from other services might be missing. Support is meh, but you rarely have to use it.

[–] hperrin@lemmy.world 3 points 5 months ago

I’ve been using Proton for several years now, and paying for their Mail and VPN features. Proton Mail is definitely better than Gmail, but other than the privacy features, it’s just a basic email service. Their VPN also is just a basic service. If that’s what you need, then by all means, I’ve always had a good experience with them.

That being said, I do run a competing email service called Port87 that (IMHO) has better features for organization and spam protection, so take what I say with the knowledge that I am technically their competitor (although my user base is tiny compared to them). Really, I see them more as an ally against Gmail and MS Exchange, because I’ve never experienced any sort of anti-competitive behavior from them like I have with both Google and Microsoft.

Supporting smaller players in the email space is what keeps email open, so the more people move away from Gmail and Exchange/MS 365, the better.

[–] trickster@infosec.pub 3 points 5 months ago

I agree with what others have already said about Proton being "good enough" for some threat models. And I second the argument about other options – such as Tuta for email, Mullvad for VPN, etc.

I'd just add one more thing. Once a company offers me to "handle" my digital privacy toolkit, I loose trust. Because a) it's less resilient b) less secure c) less private. I would think twice before trusting emails, calendars, contacts, passwords and network security — to a single company.

[–] BlueBeard@lemmy.world 3 points 5 months ago

Use a custom domain for your important accounts. That way, if you decide you don't like Proton, you can move to Tuta or a different provider and recreate your addresses there. That way, the only thing you have to change is some DNS records.

I'm currently testing the paid version of tuta and proton.

Regarding the other services, as other said, keep things separate. Personally I use self hosted bitwarden for passwords and Synology drive for well, drive.

[–] governorkeagan@lemdro.id 2 points 5 months ago

I’ve been using their services for the last 2 years and have no complaints. I started on the free plan and have moved up to the family plan with custom domains and aliases for everything.

[–] geography082@lemm.ee 2 points 5 months ago

Self hosting

[–] Zerush@lemmy.ml 2 points 5 months ago

I use Proton services (among others) since years and i think that they are pretty trustworth with stable services and fair conditions.

[–] maruudn@lemm.ee 2 points 5 months ago
load more comments
view more: next ›