I see Skiff also advertises itself as "end-to-end" encrypted. This is the same misleading advertising as ProtonMail is guilty of. Traditional email <i>cannot</i> be E2E encrypted because of protocol limitations. You <i>can</i> technically achieve E2E encryption if using PGP, but if the private keys are not in your control then it is effectively pointless.<p>ProtonMail can only guarantee E2E encryption without PGP if you are sending email to another ProtonMail user. I don't know if Skiff also offers this special kind of encryption. Either way, they should be more upfront about the level of privacy they can offer.<p>I had a read of Skiff's page on E2EE. It is very carefully worded and, from a skim read, is not upfront about the fact that un-PGP'd email sent and received through Skiff can be read by Skiff.<p><a href="https://skiff.com/blog/end-to-end-encryption-email" rel="nofollow">https://skiff.com/blog/end-to-end-encryption-email</a><p>Oh, one more thing. Skiff's SMTP server (inbound-smtp.skiff.com) is running on AWS in the United States which means it will be beholden to US warrants. Skiff does not have a warrant canary. Getting big Crypto AG vibes from this.
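An added illustration of the protocol limitation the comment above refers to (this is example code written for this page, not code from the commenter, Skiff or Proton). SMTP hands the whole RFC 5322 message to the provider's inbound server; PGP/MIME (RFC 3156) can wrap the body in a multipart/encrypted container, but the headers stay in the clear, so even a PGP'd message leaks sender, recipient, subject and timing to whoever runs the server. The addresses, subject and the armored block are constructed placeholders, not real ciphertext, and the provider's view is modelled with the standard-library email parser only.

```python
"""Constructed example: what a provider's inbound mail server can read
from a message, with and without PGP/MIME. Not from the original thread."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Placeholder for an OpenPGP-encrypted body. A real one would be produced
# by gpg (or similar) with the recipient's public key; the point here is
# only that the relay cannot read it without the recipient's private key.
PLACEHOLDER_PGP_BLOCK = (
    "-----BEGIN PGP MESSAGE-----\n"
    "\n"
    "[ciphertext omitted in this constructed example]\n"
    "-----END PGP MESSAGE-----\n"
)

# Header metadata that is never covered by PGP/MIME body encryption.
METADATA_HEADERS = ("From", "To", "Subject", "Date", "Message-ID")


def build_plain_message() -> bytes:
    """A conventional message: headers and body are both plaintext."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"        # constructed sample addresses
    msg["To"] = "bob@example.net"
    msg["Subject"] = "Q3 board minutes"
    msg["Date"] = "Mon, 01 Jan 2024 10:00:00 +0000"
    msg["Message-ID"] = "<plain-1@example.org>"
    msg.set_content("Attached are the confidential minutes.")
    return msg.as_bytes()


def build_pgp_mime_message() -> bytes:
    """Same headers, but the body is an RFC 3156 multipart/encrypted container.
    Built as raw bytes so the MIME layout is visible."""
    boundary = "pgpmimeboundary"
    raw = (
        "From: alice@example.org\r\n"
        "To: bob@example.net\r\n"
        "Subject: Q3 board minutes\r\n"          # still visible to the relay
        "Date: Mon, 01 Jan 2024 10:00:00 +0000\r\n"
        "Message-ID: <pgp-1@example.org>\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; '
        f'boundary="{boundary}"\r\n'
        "\r\n"
        f"--{boundary}\r\n"
        "Content-Type: application/pgp-encrypted\r\n"
        "\r\n"
        "Version: 1\r\n"                          # RFC 3156 control part
        f"--{boundary}\r\n"
        "Content-Type: application/octet-stream\r\n"
        "\r\n"
        + PLACEHOLDER_PGP_BLOCK.replace("\n", "\r\n")
        + f"--{boundary}--\r\n"
    )
    return raw.encode("ascii")


def relay_view(raw: bytes) -> dict:
    """Model what a server handling the message in transit can read:
    every metadata header, plus the body unless it is PGP/MIME-encrypted."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    view = {}
    for name in METADATA_HEADERS:
        value = msg.get(name)
        view[name] = str(value) if value is not None else None

    is_pgp_mime = (
        msg.get_content_type() == "multipart/encrypted"
        and msg.get_param("protocol") == "application/pgp-encrypted"
    )
    if is_pgp_mime:
        view["body_readable"] = False   # relay sees only the armored ciphertext
        view["body"] = None
    else:
        view["body_readable"] = True
        body_part = msg.get_body(preferencelist=("plain",))
        view["body"] = body_part.get_content().strip()
    return view


if __name__ == "__main__":
    for label, builder in (("plain", build_plain_message),
                           ("pgp/mime", build_pgp_mime_message)):
        print(label, relay_view(builder()))
```

Running it shows that the only thing PGP/MIME removes from the provider's view is the body text; From, To, Subject, Date and Message-ID are identical in both cases. That is the "protocol limitation" in the comment: even with client-held PGP keys, an SMTP provider still reads the metadata, and without PGP it reads everything.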
Great read, I have seen this myself in the last 4-5 years with services surfing on the privacy wave - I mean, not just email, but also cloud drive. My conclusion, even regarding established privacy-focused email providers, is that it’s not worth the hassle, really. I use trusted and reliable email providers (according to me), and I just don’t use email for anything sensitive. That’s just right for me.<p>I know some people do need more privacy and/or security. But a lot of people think they need the same but really, they don’t.
Forward Email team here (<a href="https://forwardemail.net" rel="nofollow">https://forwardemail.net</a>), we have a write-up and comparison @ <a href="https://forwardemail.net/en/blog/docs/best-quantum-safe-encrypted-email-service" rel="nofollow">https://forwardemail.net/en/blog/docs/best-quantum-safe-encr...</a><p>We've considered adding an E2EE comparison column as well (with the issues such as Proton rewriting your emails @ <a href="http://jfloren.net/b/2023/7/7/0" rel="nofollow">http://jfloren.net/b/2023/7/7/0</a> highlighted).<p>Privacy Guides Discussion @ <a href="https://discuss.privacyguides.net/t/forward-email-email-provider/13370" rel="nofollow">https://discuss.privacyguides.net/t/forward-email-email-prov...</a><p>Unlike Skiff, Proton, and Tuta... we're _actually_ 100% open-source. Those providers that advertise as open-source really only open-source the front-end, when the back-end is the most sensitive part of an email service.
Interesting read. I will point out that having seen <i>"security audits"</i> done by top tier well known security companies, they aren't worth the paper they are written on. They are selling you a pen test script run, the output of which is farted into a document for the least amount of time they can expend on it.<p>If you want security, you have to do it in house with competent people who understand your business domain. So when I see people with regular pen tests I know they don't really give a shit because they are doing minimal ass coverage.