Last week I finally obtained a free email account to try this service. If you've never heard of it, it's an email provider based in Switzerland that claims to be immune from eavesdropping.

ProtonMail offers 500 MB of space for your mailbox, the option to set an expiration date for sent messages (this feature is similar to the one provided by DMail and has the same problems) and a strong cryptographic system under the hood. In addition, it doesn't require any of your personal data.

At present, only the webmail is available but they say mobile apps for Android and iOS are on the way. Update: apps for Android and iOS are available.

[Image: Compose a new message]

How It Works

The first thing you notice when creating an account (and every time you log in) is the double password: one is needed for authentication, while the other is used to decrypt your mailbox on the fly in the browser. This last feature ensures the end-to-end encryption of your messages, preventing anyone from reading the emails - even the ProtonMail team, they say.

(To be honest, I have some doubts about this last assertion, but maybe it's merely because I don't know how it has been implemented.)
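A minimal sketch of the two-password split described above, added here as an illustration and not ProtonMail's actual code: it assumes the login password only authenticates to the server, while the mailbox password derives, on the client, the AES-GCM key that protects the mailbox. All function names and sample values are hypothetical.

```javascript
// Added illustration; NOT ProtonMail's code. All names here are hypothetical.
const crypto = require("node:crypto");

// Password -> 32-byte key via scrypt, with a random salt per use.
const kdf = (password, salt) => crypto.scryptSync(password, salt, 32);

// Client side: encrypt the mailbox with a key derived from the mailbox password.
function sealMailbox(mailboxPassword, plaintext) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", kdf(mailboxPassword, salt), iv);
  const data = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return { salt, iv, data, tag: c.getAuthTag() };
}

// Client side: decrypt locally; returns null when the password is wrong.
function openMailbox(mailboxPassword, blob) {
  const d = crypto.createDecipheriv("aes-256-gcm", kdf(mailboxPassword, blob.salt), blob.iv);
  d.setAuthTag(blob.tag);
  try {
    return Buffer.concat([d.update(blob.data), d.final()]).toString("utf8");
  } catch {
    return null; // GCM authentication tag did not verify
  }
}

// Server side: stores a login verifier and the already-sealed blob, nothing else.
function register(loginPassword, sealedMailbox) {
  const loginSalt = crypto.randomBytes(16);
  return { loginSalt, loginVerifier: kdf(loginPassword, loginSalt), mailbox: sealedMailbox };
}

// Server side: authentication only; success releases ciphertext, not mail.
function login(record, loginPassword) {
  const candidate = kdf(loginPassword, record.loginSalt);
  return crypto.timingSafeEqual(candidate, record.loginVerifier) ? record.mailbox : null;
}

// Constructed sample values.
const record = register("login-pw-example", sealMailbox("mailbox-pw-example", "Subject: hello"));
const blob = login(record, "login-pw-example");
console.log(openMailbox("mailbox-pw-example", blob)); // decrypted on the client only
```

In this model the provider cannot read the mailbox only as long as the mailbox password and the derived key never leave the client, which in a webmail means trusting the JavaScript the provider serves.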

The end-to-end encryption of course works well between ProtonMail users but what about emails exchanged with users of other providers (Gmail, Yahoo, etc.)? For incoming messages there's nothing you can do, but for the outgoing emails ProtonMail has a surprise.

Of course you can send standard unencrypted emails, but you can also choose to encrypt them with a password. The recipient receives a link with a hint to guess the password and a text box to enter it. If the password is correct, the addressee can see the message and reply in an encrypted way.

Possible Problems

The drawback in this last situation is that the sender and receiver need some form of preliminary communication to share the password; otherwise the hint may help someone else to guess the password and read the email. At that point, an attacker can reply and pretend to be the legitimate recipient.

Another thing to consider is that, even if all the servers are located in Switzerland and are subject to Swiss privacy laws, there are treaties with other countries for certain types of infringement. As an example, in 2021, "French police sent a request to Swiss police via Europol to force the company to obtain the IP address of one of its users".

Conclusions

In my opinion, complete security in the world of digital communications cannot exist, but ProtonMail seems to be close enough. The biggest threat here is the company itself: you have to trust it.


Post last updated on 2022/07/24