I have mixed feelings about protonmail. On the one hand, they tend to be on the right side of political / legal issues, and this transparency report is nice:<p><a href="https://protonmail.com/blog/transparency-report/" rel="nofollow">https://protonmail.com/blog/transparency-report/</a><p>On the other hand, they recently reduced the level of detail in the transparency report.<p>There is also the fact that they are Swiss, and their privacy laws were severely weakened by a recent referendum. In particular, the Swiss government can now monitor all cross border traffic without a warrant.<p>ProtonMail fought the referendum, but hasn't updated this "Why Switzerland?" page:<p><a href="https://protonmail.com/blog/switzerland/" rel="nofollow">https://protonmail.com/blog/switzerland/</a><p>They also haven't moved to a more appropriate legal jurisdiction.<p>[edit: clarify links]
I would be interested in hearing what the security pros think about this... tptacek, grugq, dguido, idlewords. At this point, these are the guys I trust with security advice.<p>Worth mentioning their VPN recommendations: algo by trailofbits and freedome. There is another paid service they recommend but I can't recall the name.
Using public commercial VPN providers for serious security/privacy is a very bad idea. Get someone to set up Trail of Bits "Algo" for you (or do it yourself, if you're comfortable with Ansible).
How does this compare to TunnelBear [1]?<p>- TunnelBear is a bit more expensive (4.99$/mo, paid annually vs 4$/mo).<p>- TunnelBear supports up to 5 connections per account vs 2.<p>I use TunnelBear regularly for my browser and phone. Both work great.<p>My subscription is going to expire soon and I'll be open to trying other VPN providers, not that there is anything wrong with TunnelBear. Any recommendations?<p>This site [2] has feature comparisons but experience using VPN services is another story.<p>[1] <a href="https://www.tunnelbear.com/" rel="nofollow">https://www.tunnelbear.com/</a>
[2] <a href="https://thatoneprivacysite.net/vpn-section/" rel="nofollow">https://thatoneprivacysite.net/vpn-section/</a>
The free tier is in a waiting list right now. I thought I shouldn't try the paid one without getting a feel for how good and fast the service is (had bad experiences with another highly popular VPN provider in the past and canceled within a few days).<p>I also wondered why ProtonVPN doesn't list any trial period in the paid plans. So I went to the support page and found that it has nothing about payment, trials and cancellations. I then went to the Terms of Service page [1] and found that one can cancel within 14 days and get a full refund. If anyone from ProtonVPN is reading this, please move this information to the signup page and also list it on your support pages. Those are the places for this important piece of information. <i>Almost nobody reads the terms of use on any website.</i><p>Quote from the Terms of Service page (typo "Guaranty" ought to be "Guarantee"):<p><i>> Money Back Guaranty<p>> You may cancel your account with a full refund within 14 days of the initial purchase. Refunds or credits beyond the 14 day window will be considered, but at the sole discretion of ProtonVPN. The Company is only obligated to refund in the original currency of payment and refunds will be processed within 14 days of the request. To request a refund under our Money Back Guarantee, send an email with your request to support@protonvpn.com.</i><p>[1]: <a href="https://protonvpn.com/terms-and-conditions" rel="nofollow">https://protonvpn.com/terms-and-conditions</a>
Great that there's more options out there. Will there be an option to sign up over TOR, and pay with ETH or BTC?<p>I run free privacy/security classes for journalists, and some of them have said that their sources can't use paid VPNs because they're afraid of the purchase showing up on their credit card statement.<p>TOR is great, but doesn't yet work for things like video chat (yes, I tell them not to use Skype...)
Would you trust a service that knowingly pays ransoms to protect your personal data when it really counts?<p><a href="https://arstechnica.com/security/2015/11/crypto-e-mail-service-pays-6000-ransom-gets-taken-out-by-ddos-anyway/" rel="nofollow">https://arstechnica.com/security/2015/11/crypto-e-mail-servi...</a>
Looks like the time has come for a small country to create a <i>data haven</i> like the fictional <i>Sultanate of Kinakuta</i>. I believe that the idea will attract foreign investment quickly.
Does anyone know why they require existing ProtonMail users to enter their account's password AND the decryption password? Fair enough, they're linking my account, they require the account password. But the key that encrypts the email data too?
Too bad they're focused on new and shiny at the expense of real (paying) email users. After a year of Visionary, I finally went back to Google. PM just isn't designed for large mailboxes, real search, or navigation. Plus they still have not provided any way for you to export your emails out. They're locked up forever, unless you want to forward each one, one at a time.
With the small number of nodes they can offer (compared to the tor network exit nodes), traffic analysis seems relatively easy, especially with standard VPN software that may have no fake traffic generator capability.
From their security page: "We exclusively use VPN protocols which are known to be secure (OpenVPN and IKEv2)."<p>OpenVPN and IKE both have terrible track records in terms of implementation security.
I've been using the beta now for many months. For my use case--hiding from ISPs / other malicious non-government actors who want my IP--it's been pretty good and plenty fast. Not really sure what they plan to do with our beta plans, but I'd pay a couple of bucks a month for their speed / reliability (haven't been knocked off once). Or maybe this is just normal service and all the other VPNs I've tried in the past have been shit. Hard to tell really.
For anyone wondering, their speed claims aren't inaccurate. I ran a quick iperf test on a server in Hurricane Electric Fremont 2 with a gigabit port and it did ~500Mbit/s. DSLReports backs it up: <a href="http://www.dslreports.com/speedtest/17167172" rel="nofollow">http://www.dslreports.com/speedtest/17167172</a><p>This was to their us-07 server in SF.
What are the security features of their VPN or email that are not in other VPNs or emails, that I can measure? I.e. I don't care how military grade their server side encryption is, and I don't care that they decrypt in my JS, as long as the threat model remains the same.<p>What did they change in the model? Is it trustless?
I'd pay for a VPN with integrated tracker / ad blocking. I currently have a low cost VPS with a VPN where I set the hosts with a couple of block lists, but I think it could be good to have a proper VPN service with that option.<p>The reason is using it on mobile unlocked devices, rather than desktop.
Does anyone know how to use Protonmail to send/receive attachments encrypted by a different PGP key than Protonmail uses for one's account? It never allows downloading such an attachment and I surely won't upload my private key there...
A bit OT, but the kerning on the headline font in iOS safari is awful, especially between the 'o' and 'w'.
It looks like a 'missing' font in a PDF.
I'm currently using hide.me under Linux and even though the speed is great, I have issues all the time.
Will try this during this month to see how it compares.
Been using the beta for a while now, it's been excellent to the extent that I leave it permanently on, even for watching video. Will be subscribing.
I saw that they use the OpenVPN protocol[1], then I stopped reading other things. Although the encrypted connections cannot be decrypted, the OpenVPN protocol is easy to detect and ban in some highly censored networks.<p>I recommend the shadowsocks protocol[2], which I used in the censored network and which is hard to detect and decrypt.<p>[1] <a href="https://protonvpn.com/secure-vpn" rel="nofollow">https://protonvpn.com/secure-vpn</a><p>[2] <a href="https://github.com/shadowsocks" rel="nofollow">https://github.com/shadowsocks</a>