Does a Top Priority Stamp Matter for Administrative Review
Based in | Switzerland |
Storage | 5-20 GB |
Price | $4.00/mo. |
Free Tier | Up to 500 MB |
Website | ProtonMail.com |
ProtonMail gets a lot of attention as a secure email service, even getting shoutouts in various media outlets. But when you strip away the flowery language, does this email provider actually stand above the competition? And is it worth the above-average cost? We'll answer all this and more in our new and updated ProtonMail review for 2022.
If you want to protect your email from prying eyes, but don't need the kind of protection that keeps spies and whistleblowers alive, ProtonMail could be the secure email service for you. It utilizes PGP encryption standards, end-to-end and zero-knowledge encryption. A high level of encryption is very important in an age of eroding security and regular data breaches in the news.
Because ProtonMail positions its service as one of the most secure email options available, above and beyond other secure email providers, we're really going to put it under the microscope in this updated ProtonMail review for 2022.
At the end of the day, only you can decide which is the best secure email service for your unique needs and threat model. So let's get started.
+ Pros
- End-to-end (E2E) and zero-access encryption for Email, Calendar, and Contact information
- Operates under Swiss jurisdiction
- All data stored on servers in Switzerland
- Apps for Android and iOS mobile devices
- Web client, encryption algorithms, Android and iOS code are all open source
- Support for custom domains
- Strips IP address from emails
- Can be used with third-party email clients through the ProtonMail Bridge feature
- Can import contacts and emails
– Cons
- ProtonMail does not encrypt email subject lines
- Sometimes requires personal data for verification of new accounts
- Confusing and expensive pricing
- Incredibly long beta test cycles
- May log IP addresses for government agencies
ProtonMail features overview
ProtonMail utilizes strong end-to-end (E2E) and zero-access encryption standards to protect all email, contacts, and calendar data. All your data is encrypted when stored on ProtonMail servers, except email subject lines (more on this later).
Note: To understand the difference between E2E and zero-access encryption, check out this excellent explanation.
Aside from this multi-tiered encryption system, ProtonMail has plenty of interesting features, including:
- The ability to send "self-destructing messages," which are automatically deleted at the time the sender specifies.
- Address Verification, a way to ensure that a Public Key received from another user hasn't been tampered with since you first verified it.
- Full PGP support.
- Premium accounts with a range of additional benefits, including a brandable Business account.
- The ability to send encrypted emails to non-ProtonMail users.
- Android and iOS mobile apps plus a web client.
- ProtonMail Bridge, which allows ProtonMail to integrate with other email clients that support the IMAP and SMTP protocols. This also allows you to import mail into your account from other services.
Overall, this is a good lineup of features.
ProtonMail company history and funding sources
The ProtonMail family of products is run by Proton Technologies AG, a company based in Geneva, Switzerland. The founders met while scientists at CERN and came up with the idea for a secure email provider in the CERN cafeteria, as the story goes.
Funding for ProtonMail has come from various sources over the years. Aside from regular paying users, ProtonMail has also benefited from the following funding sources:
- In 2014, ProtonMail launched an Indiegogo crowdfunding campaign which brought in over half a million dollars.
- In 2015, ProtonMail accepted a $2 million investment from a US-based firm called Charles River Ventures (CRV).
- In 2019, ProtonMail accepted €2 million from the EU authorities to "develop a suite of encrypted services."
ProtonMail is a bit more expensive than some of the other secure email services we've reviewed, such as Tutanota and Posteo for example.
ProtonMail does not encrypt email subject lines
One concern I have is that ProtonMail does not encrypt the subject lines of messages. From the ProtonMail website:
All ProtonMail data at rest and in transit is encrypted. However, subject lines in ProtonMail are not end-to-end encrypted, which means if served with a valid Swiss court order, we do have the ability to turn over the subjects of your messages. Your message content and attachments are end to end encrypted.
ProtonMail complies with the OpenPGP encryption standard, which is based on the proprietary PGP standard. In that standard, address-related metadata is part of the message header and must remain unencrypted to allow a message to reach its destination.
ProtonMail does not encrypt the subject of your emails. If this is a problem for you, check out our Tutanota review, which does not rely on PGP and fully encrypts subject lines.
The ProtonMail approach makes them compliant with the PGP specification, but leaves this potentially-revealing data unencrypted. We will return to this important subject in a moment.
ProtonMail servers and data security
All ProtonMail servers are physically located in Switzerland in secure facilities. This means user data is protected by Swiss law, which generally provides for better privacy than US or EU law.
However, ProtonMail makes it clear that if you violate Swiss laws, and they receive a Swiss court order, they will have to turn over any information they have on you to the Swiss government. This is where the lack of encryption for the Subject line of messages can become a problem.
While the bodies of your messages and any attachments should remain safely encrypted, addressing information and the Subject lines of your messages are stored in the clear and would be provided to the authorities. This information is enough to give anyone possessing it a good idea of who you communicate with and the subjects you discuss with them.
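What a server holding a PGP-encrypted message can still read, as an added example (not code from the original review or from ProtonMail): it parses a stored message and separates the cleartext metadata from the encrypted parts. The two sample messages, their addresses and subjects are constructed, and `exposure_report` is a hypothetical helper name.

```python
from email import message_from_string
from email.policy import default

# Constructed sample: a PGP/MIME (RFC 3156) message as a mail server stores it.
# Addresses, subject and the armored payload are made up for illustration.
SAMPLE_ENCRYPTED = """\
From: alice@example.org
To: bob@example.net
Subject: Meeting with the union lawyer on Friday
Date: Mon, 05 Apr 2021 09:12:44 +0200
Message-ID: <constructed-1@example.org>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="sample-boundary"

--sample-boundary
Content-Type: application/pgp-encrypted

Version: 1

--sample-boundary
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----

--sample-boundary--
"""

# Constructed sample: an ordinary unencrypted message, for comparison.
SAMPLE_PLAIN = """\
From: alice@example.org
To: bob@example.net
Subject: Lunch?

See you at noon.
"""

# Headers that travel and are stored outside the OpenPGP envelope.
METADATA_HEADERS = ("From", "To", "Cc", "Subject", "Date", "Message-ID")
ARMOR = b"-----BEGIN PGP MESSAGE-----"


def exposure_report(raw):
    """Return what is readable without the recipient's private key."""
    msg = message_from_string(raw, policy=default)
    visible = {h: str(msg[h]) for h in METADATA_HEADERS if msg[h] is not None}

    protocol = (msg.get_param("protocol") or "").lower()
    pgp_mime = (msg.get_content_type() == "multipart/encrypted"
                and protocol == "application/pgp-encrypted")

    encrypted, cleartext = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        if ARMOR in payload:
            encrypted.append(ctype)      # opaque to the server
        elif pgp_mime and ctype == "application/pgp-encrypted":
            continue                     # "Version: 1" control part, no user content
        else:
            cleartext.append(ctype)      # readable by whoever holds the mailbox

    return {
        "visible_headers": visible,
        "encrypted_parts": encrypted,
        "cleartext_parts": cleartext,
        "body_protected": bool(encrypted) and not cleartext,
    }


if __name__ == "__main__":
    for name, raw in (("encrypted", SAMPLE_ENCRYPTED), ("plain", SAMPLE_PLAIN)):
        report = exposure_report(raw)
        print(name, "-> body protected:", report["body_protected"])
        for header, value in report["visible_headers"].items():
            print("   ", header + ":", value)
```

For the encrypted sample the body is reported as protected, yet the sender, recipient, date and full subject line are listed exactly as they are for the plain message.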
ProtonMail logging IP addresses
Additionally, ProtonMail may also be logging your IP address and providing this to government authorities. I learned about this by reading ProtonMail's Transparency Report.
There was another high-profile case of ProtonMail logging IP addresses in 2021. This case received lots of attention because:
1) the ProtonMail user was arrested by authorities; and
2) ProtonMail then scrubbed its website of the "no IP logging" claims after the incident
This is another reason we also recommend using a good VPN service that hides your true IP address and location. Using a good VPN is also essential for basic digital privacy in a world where ISPs log everything you do online.
Some people also question how free from US and EU influence Proton Technologies really is. Additionally, Switzerland now has data retention regulations, but ProtonMail argues that these regulations do not apply to their services, but rather Swiss internet providers.
All that said, the ProtonMail threat model document specifically states that,
"we cannot guarantee your safety against a powerful adversary."
The spy agencies serving the US and EU definitely qualify as "powerful adversaries." Under most circumstances, this is a secure email service. But if you decide to take on one of the Five Eyes, violate Swiss laws, or do something else equally crazy, using ProtonMail is unlikely to save you.
Is ProtonMail really anonymous?
If you look at the ProtonMail home page, you'll find this claim:
I like the idea of being able to create an account without providing any personal information. But finding a secure and private email service is difficult, which is why we have created this series of email reviews for you. An anonymous and encrypted email service would be great — but there's a problem.
When creating an account to test out ProtonMail for this review, I was forced to go through a verification that is the exact opposite of "anonymous" — as they boldly claim to offer.
How does ProtonMail square this requirement to enter personal information, with their claim that, "no personal information is required to create your secure email account"? To me, it seems like a clear contradiction.
To try to explain away this contradiction, ProtonMail has created a page explaining their "Registration Human Verification" procedures, which you can read about here.
First, the system doesn't always force you to enter personal information. They have, "an intelligent algorithm that determines the required verification method based on a number of factors." Sometimes it will only require a reCaptcha to confirm that you are human.
At other times you will be forced to use email or SMS verification, or make a "donation" using a credit card or PayPal. In other words, their algorithm will decide for itself whether or not you are allowed to create an account without disclosing personal information. So let's call it conditional anonymity.
The page also explains that if you do use email or SMS for verification, only a cryptographic hash of this information is stored. This hash, "is not permanently associated with the account that you create." The page doesn't explain if "not permanently associated" means "never associated," or "temporarily associated." Nor does it explain how credit card and PayPal verification is tracked.
I can understand the company's desire to have processes in place to prevent spammers from abusing the system. But I can't reconcile their claim that no personal information is required to create your secure email account with the fact that sometimes personal data is required. The fact that the email and SMS hashes are not permanently associated with your account doesn't change the fact that you must provide them, then trust ProtonMail's handling of them.
We have reviewed other secure email services that give you more privacy when registering for an account. For an example of this, see our Tutanota review.
My Two Cents: ProtonMail needs to clarify or eliminate the claim of offering anonymous e-mail.
ProtonMail technical specifications
ProtonMail uses a variety of encryption algorithms to protect your messages. All messages are end-to-end encrypted and also remain encrypted in your mailbox until actively being read. The algorithms they use are open source versions of AES and RSA along with OpenPGPjs algorithms:
- AES-128
- TLS 1.0
- DHE RSA
- SHA 3
QuoVadis Trustlink Schweiz AG signs SSL certificates for ProtonMail.
Security features of the certificates include:
- Extended Validation (EV)
- Certificate Transparency (CT)
- 4096-bit RSA
- SHA-256 hash
ProtonMail hands-on testing
If you've used email services like Microsoft Outlook or Gmail, you will find ProtonMail to be easy to work with. For this review, we'll be looking at ProtonMail Plus plan, the first tier of paid ProtonMail service. At this time, you need to have a paid ProtonMail account and access the beta version of the product to use some of the newest features, such as their new encrypted Calendar.
Creating a ProtonMail account
Creating an account with ProtonMail is pretty self-explanatory. You can get an account in a matter of minutes:
- Go to the ProtonMail website and select the SIGN UP button.
- Create a username and password. (Recovery email is optional.)
- Go through the verification steps
I've seen complaints that ProtonMail sometimes forces people to go through phone (SMS) verification if they try to sign up using a VPN or the Tor network. While I don't like the idea that ProtonMail may force you to use SMS verification, I understand their desire to protect the service from spammers and bots.
Note: I have no reason to suspect that ProtonMail is lying to you about this, but I also understand that many people want to use ProtonMail truly anonymously. I could imagine someone like that using an anonymous payment method like a new, virtual credit card to make a donation. Or maybe renting an SMS number just long enough to complete the process. Even using a disposable email address then discarding it once the verification is done.
ProtonMail betas
Before we go further, we have to discuss how ProtonMail handles beta versions. They are serious about wanting community involvement in the process. As a result, the newest version of ProtonMail can be stuck in beta for a long time. How long? Years.
ProtonMail version 4 went live in October of 2019. I am writing this review in April of 2021 and ProtonMail 4 is still in beta 18 months later. I find this mind-boggling but that's the way this team rolls, apparently. In response to the various complaints on Reddit, ProtonMail acknowledges the missed deadlines and delays:
So what does this mean to you? I don't think it is a good idea for a privacy-oriented person to rely on beta software. By definition, beta software isn't completely ready yet. This could include flaws, bugs, and/or exploits that undermine your privacy and security.
Unless you are comfortable with the real, but hard to quantify privacy risks of using beta software, I recommend you stick with the released version of ProtonMail (v3.16.61 at the time of this review).
I will be talking about some of the beta products related to ProtonMail, such as ProtonDrive and ProtonCalendar, but keep in mind that they are betas before deciding to trust your deepest secrets to them. This is especially important if you are looking for a Gmail alternative that offers all the necessary features.
Signing in to ProtonMail
Signing in to ProtonMail is easy and straightforward. Simply go to the homepage and enter your login credentials. When using ProtonMail, you have the option to create a recovery email inbox, which can be used if you lose your password.
Once you sign into ProtonMail, you can stay with the free plan or upgrade to one of the paid plans. As is common with most secure email services, the paid plans offer more storage and additional features over the free plan. We noted this same dichotomy in our ProtonVPN review.
Note: As we go through this review, I'll let you know which features are available only in a paid plan or only in the beta.
The look and feel of ProtonMail
ProtonMail has a pretty standard interface, with a three-pane "Row View" layout (we saw that when talking about encrypted subject lines earlier). They also offer the "Column View" option, as you can see here:
With Column View, you get all the usual folders in the left-most pane, with the ability to add whatever custom ones you wish. And like other privacy-oriented mail services, ProtonMail blocks remote content like images by default, giving you the option to load them right at the top of the window.
The web client works smoothly although there can be a delay when opening a message, given that the message must be decrypted before you can read it. Since the client is browser-based, instead of a stand-alone app, you might find that it slows down as the number of messages in your folders increases, but I didn't notice any problems during testing.
ProtonMail Settings
You can customize the layout of your ProtonMail inbox by clicking the Settings icon, then selecting Appearance in the left-hand column of the Settings window. For example, I used the Layouts section of Settings to switch back and forth between the Row View of the inbox and the Column View.
Exactly what you can do hither volition of course depend on which ProtonMail plan you subscribe to. We'll look at the differences between the plans later in the review.
Composing messages with ProtonMail
By default, you compose ProtonMail messages in a pop-up window called Composer. It comes with a good set of HTML formatting options, including inline images. This window appears in the lower-right corner of the ProtonMail window, and looks like this:
Once you get used to the layout, the composition window makes including things like Attachments, an Expiration time, a Read Receipt Request, and Encryption fast and easy. If you don't like working in this little window, you can make the Composer window large by clicking the Settings icon, then Appearance. In the Composer section that appears, select Maximized.
Note: You can only set an expiration time on messages sent to other ProtonMail users or encrypted messages sent to non-ProtonMail users. You cannot make an unencrypted message to a non-ProtonMail user expire.
There are a few keyboard shortcuts that help with composing messages. But you won't find more advanced editing features such as macros and automated suggestions.
Sending messages to non-ProtonMail users
Like some other secure email services, such as Tutanota and Mailfence, ProtonMail gives you the option to send encrypted messages to people who don't use the service. The recipient will need to know the shared password you are using, so that will need to be arranged outside the system. These encrypted messages automatically expire in 28 days (but you can set a shorter date if you wish). Here's a screenshot from our tests:
The recipient will then get an email with a secure link. If they enter the correct password and click the View Secure Message button, they will be able to see the message you sent them.
This system seems to work very well, as long as you can share the password outside the ProtonMail system to get the process started. For this purpose, you could consider using a secure messaging app.
Searching for messages in ProtonMail
ProtonMail has a very limited ability to search your messages. Because messages are encrypted (except while you are actually viewing them), the client can't search message bodies. This, of course, can be frustrating and really limit your ability to find the message you are looking for. Here's a screenshot of the search feature:
Version 4 of ProtonMail is supposed to have improved search capabilities compared to previous versions. However, message body searching is still not available, but searches are much faster, and you can use complex search terms.
Comparison to Tutanota search – In comparison, we noted in our Tutanota review how this email offers full-text search capabilities — and has done so since 2017. To do this, Tutanota creates an encrypted search index which can then be searched locally on the users' device.
The ProtonContacts secure contact manager is integrated into ProtonMail, giving users a secure manner to protect their contacts while functioning smoothly with ProtonMail.
ProtonMail creates ProtonContacts encryption keys for you. It uses those keys in their zero access encryption system to encrypt clear text contact data, ensuring that once they do encrypt your data this way, even ProtonMail can't read it. ProtonContacts also uses digital signature verification to ensure that no one else can secretly tamper with your contact data. ProtonContacts is also implemented in the mobile apps.
Note: Email addresses in contacts are not encrypted using zero access encryption. Why? Because ProtonMail needs to be able to read the email address to make sure your message gets sent to the correct place.
ProtonMail beta versions
If you want to use the beta versions of Proton Technology products, you'll need to be using a paid version of ProtonMail, and launch it in beta mode. Once you have a paid subscription, you can get into the beta as follows:
- Log out of ProtonMail.
- On the login screen, enter your login credentials in the form.
- Instead of clicking the Sign in button, click the BETA link (see below).
Doing this launches the beta (4.x) version of ProtonMail. In the top left corner of the window you'll see a new icon (currently a 3 by 3 array of dots). Click this to see a list of the current beta versions of the products as shown below.
Like ProtonMail, ProtonContacts has a beta version under development. In keeping with the idea of avoiding beta products whenever possible, we'll skip the beta of this one and concentrate on ProtonCalendar.
ProtonCalendar (beta)
Building an encrypted calendar sounds pretty easy at first. Just encrypt all the data until the user opens the calendar, and then decrypt the data for them. But just as an email service has to interact with other email services, a calendar service needs to be able to interact with other calendar services.
Even worse, a full-powered calendar system needs to be able to share events with other calendar systems. The engineers battled with this complexity for over a year, and on December 20, 2019, they announced the arrival of ProtonCalendar.
ProtonCalendar has been in beta for over a year now. I have no idea when the final version will be released, but last I checked, the final version should include:
- calendar sharing
- event invitations to anyone (whether they use ProtonMail or not)
- the ability to sync the calendar with events found in your ProtonMail inbox
ProtonCalendar is also scheduled to be added to the iOS and Android apps at a future date.
ProtonDrive (beta)
In November, 2020, Proton announced the release of ProtonDrive in beta. This is a basic secure cloud storage feature that can be used with certain accounts. However, as we noted in our ProtonVPN vs NordVPN comparison, the Proton team has a habit of restricting features to just the highest-paying subscription tiers.
We see that ProtonDrive is only available to the following users at this time:
- Visionary or Lifetime accounts
- Accounts with both ProtonMail Plus and ProtonVPN Plus with 1-year or 2-year plans
- Accounts with both ProtonMail Professional and ProtonVPN Plus with one-year or 2-year plans
How long will ProtonDrive stay in beta? Who knows. But given Proton's history, it could be a really long time. I've seen a growing chorus of ProtonMail users voice their frustration over the endless beta status of this and other products:
This will someday be a welcome addition to the Proton product line. But if you need secure (non-beta) cloud storage now, I suggest you consult our guide to the best cloud storage instead of waiting for ProtonDrive to come out of beta.
ProtonMail mobile apps
ProtonMail has apps for both iOS and Android. I've been working with the Android app and it looks good and functions smoothly. At the time of this ProtonMail review, the Android app had 34,000 reviews with a solid rating of 4.5 out of five stars.
Since our last major review, Proton Technologies completed the process of making their Android app open source. However, it is still not available on F-Droid. The iOS app is also open source. This app gets a score of 4.2 out of 5, with over 2,000 reviews.
ProtonMail business features
ProtonMail also offers a service for businesses that provides "end-to-end encryption to secure your business communications."
This service includes migration tools and dedicated support to transition your business from its current hosting to the ProtonMail infrastructure. It incorporates a user hierarchy allowing your Email Administrators to manage user accounts accordingly.
Given the current limitations with search and calendar, I'm not sure ProtonMail would be a great fit for businesses that need all these features. There are other good options that are more fully-featured, such as Mailfence or Mailbox.org.
ProtonMail Support
ProtonMail provides differing levels of customer support depending on which subscription plan you have. Not surprisingly, free users get a basic support level, with access to a searchable knowledge base and some helpful step-by-step guides. As you move up through the paid plans you get email support and eventually priority support.
ProtonMail price and pricing plans
Since they don't display ads in their clients, or sell access to your messages to advertisers, ProtonMail charges for their services. As you can see below, ProtonMail has 4 pricing plans, including a free tier with 500 MB of storage.
The Free plan, with 500 MB of storage, 150 messages per day, and three folders / labels could be enough for you. If not, one of the paid plans will likely meet your needs.
When you compare ProtonMail's paid plans with those of other secure email services, you'll see that they are more expensive than the competition. In fact, to get access to all of the basic features, such as a catch-all email, you will be coughing up $8 per month.
Note that the Free, Plus, and Professional plans all offer ProtonVPN as an option, while the Visionary plan has the VPN built in.
ProtonMail alternatives
While there are several secure email services on the market, Tutanota is the first alternative I would suggest. Rather than using PGP and S/MIME, Tutanota has rolled out their own encryption standard incorporating AES and RSA, which encrypts the subject line, supports forward secrecy, and can be updated/strengthened over time. Tutanota has also rolled out a fully-encrypted Calendar feature.
My verdict: Tutanota is the best alternative to ProtonMail in the high-security category. (It is based in Germany.)
There are other alternatives to ProtonMail that offer a lesser degree of encryption and security, but with more features:
- Mailfence is a Belgium-based e-mail that has many features, integrated PGP support, and it works well for groups/teams.
- Mailbox.org is another good option based in Germany with many features and options for teams.
Both Mailfence and Mailbox.org support custom domains.
ProtonMail FAQ
Here are some of the more common questions about this product and its related components such as ProtonMail Bridge.
Is ProtonMail really secure?
There is a lot of debate out there about how secure ProtonMail actually is. Aside from the financial ties to the US and EU that we discussed earlier, there have been some criticisms of the service on other grounds as well.
- The browser client uses JavaScript encryption libraries. These are considered to be less secure than the libraries used in the ProtonMail mobile apps.
- Leaving the Subject field in the clear (for PGP compatibility) means more data could be exposed to those spying on the message traffic.
- A paper published at the end of 2018 criticized ProtonMail's cryptographic architecture on a number of grounds. However, these same criticisms could be applied to any browser-based email client (not just ProtonMail). Here is the response from ProtonMail.
On the subject of using PGP, there are also some benefits in terms of security. OpenPGP is an open standard, which has been extensively audited for security, and is battle tested, and well proven to be secure. ProtonMail is also the maintainer of OpenPGPjs, which is the most widely used open source encryption library and has therefore been thoroughly audited.
Lastly, we also have to keep in mind that ProtonMail is arguably the biggest name in the private email space. This makes it a good target for criticism, as we also noted in our NordVPN review, as the largest VPN provider.
Can ProtonMail hand over my data to the government?
Because ProtonMail uses E2E and zero-knowledge encryption, there isn't a lot of data that they can hand over to anyone. The only thing that is stored unencrypted is message headers and the email addresses of contacts.
Even here, Proton Technologies says they won't hand over any data unless directed to by the appropriate Swiss authority. Your information is about as safe as it can be using publicly available tech.
A bigger risk to the security of your information is the way governments are pushing to break end-to-end encryption. There are constant efforts to force companies to insert "backdoors" into their software that would allow law enforcement to bypass encryption. This recent Fortune magazine article nicely describes the situation in the United States today.
Can you switch between paid and free ProtonMail versions?
Proton Technologies allows you to switch between the free and paid versions of this encrypted email service. You can go from a paid version to the free version, but if you do you'll lose all the premium features of the paid version you are leaving. You can also return to a paid version from the free version. How? By subscribing to the paid version you want. You won't lose any of your messages when you do this.
What is ProtonMail Bridge?
ProtonMail Bridge handles encrypting/decrypting messages when you connect it to a third-party email client. The ProtonMail Bridge page describes it best:
Bridge runs in the background by seamlessly encrypting and decrypting messages as they enter and leave your computer. The app is compatible with most email clients supporting IMAP and SMTP protocols.
You must have a paid subscription to use the bridge.
ProtonMail review conclusion
ProtonMail is a polished and popular end-to-end encrypted email service that will meet the needs of many regular users.
As one of the most popular secure email services on the market, with a free basic account, it is a great option for regular encrypted communications with friends, business partners, and others who want protection from routine snooping and hacking. You will, however, need to be patient about getting advanced features thanks to ProtonMail's extended beta test cycles.
For those who want maximum security with full encryption of subject lines and strong data security, or just faster delivery of new features, Tutanota might be a better fit.
Is ProtonMail the best secure email service for you?
I can't tell you that since everybody's needs are different. There are many factors to consider when selecting a secure email provider and the choice all comes down to your own preferences. You can learn more about ProtonMail on their website here:
Alternatives to ProtonMail
We have numerous email solutions that offer a higher level of privacy and security. You can also check out our full lineup of recommended secure email providers.
We also have a roundup guide on temporary disposable email services if you need a quick email for registration.
And here is a list of other email services we have reviewed:
Tutanota Review
Mailfence Review
Mailbox.org Review
Hushmail Review
Posteo Review
Fastmail Review
Runbox Review
CTemplar Review
Source: https://restoreprivacy.com/email/reviews/protonmail/