Email has been driving me crazy.
Perfect is the enemy of good. – Voltaire
I’ve been trying to figure out what I want to do about personal email. The rough requirements rattling around in my brain are:
- Stay anonymous. I have taken reasonable efforts to make sure this identity isn’t tied to my real name (mostly as an academic exercise and for fun). I don’t want the email provider to know who I am.
- I care a lot about security of the provider
- I care a lot about privacy
- I want to be able to use GnuPG with keys I manage to encrypt my email (entirely academic)
- I prefer zero-knowledge / trust-less systems (impossible to be perfect with email but best efforts would be nice)
- I prefer the option of using native email clients (Thunderbird, K-9, …)
At the moment, I’m considering the following providers:
My initial email account was with Disroot. They provide a handful of internet services (including XMPP and email) without a whole lot of questions. Perfect for bootstrapping that pseudonymous identity. They also provide IMAP/SMTP so I can use native mail applications, and manage my own GnuPG keys. They are fantastic!
However, I don’t trust my email at Disroot. It’s not that I think they are nefarious (I don’t), nor do I think they are incompetent (I don’t). From what I understand, Disroot is not a zero-knowledge system and the admins could have access to my email. In addition, securing services is hard and I’d feel more comfortable with a service with a larger dedicated security team. It’s not so much that I’m terrified about someone reading my email (if it’s sensitive, I’ll encrypt it or use Signal or something), but rather that because email is often used for password resets, a compromise of my email account can have other consequences. I would also like to be reasonably protected from a future server breach compromising all of my previous emails.
Protonmail is interesting. They claim to be zero-knowledge and supposedly my email is encrypted with keys that I own. In theory, nobody at Protonmail should have access to my email. I do realize that this isn’t perfect:
- They could copy/log my email when it enters their system from external mail servers (before they encrypt it with my keys)
- They could modify the source code of their web UI to copy/leak my encryption keys (heck, it might already do that)
- They do generate and store the encryption keys (encrypted with my password)
That all said, I think it’s fairly likely that Protonmail isn’t malicious. Their business model is providing paid privacy-focused email accounts. Much of their platform is open source and audited. They have dedicated security teams. Their model makes me feel fairly comfortable that:
- A future compromise of the service won’t lead to a compromise of my historical email
- A rogue admin probably can’t just read my email
- It would be difficult for someone looking to gain access to my other accounts to exploit Protonmail to perform a password reset on that other service.
I like their web-based UI, and really like the availability of the Protonmail Bridge which lets me use Desktop MUAs. I like the ability to use custom domains, etc. I can pay them with Bitcoin. They support 2FA (although TOTP and not U2F…).
It’s so close to what I want…
The Protonmail Apps for mobile are (sorry guys) not great. They feel second class. They feel buggy. I’ll archive messages in the Web UI only to have them stay behind in the mobile app. I am absurdly picky when it comes to mobile apps. I have fallen in love with K-9 mail and I’d MUCH prefer to use that.
I am tempted to run the Protonmail bridge on a Linux box somewhere and allow my phone to connect to that so I can use K-9. I’m worried, of course, that the Protonmail Bridge isn’t designed to be exposed on the Internet in that way. Hiding it behind a VPN seems like a pain.
I spent a bit of time playing with Mailbox.org and it honestly looked pretty interesting.
I really dislike the UI and scope of features. I just want mail. It’s so busy.
The price is good, but unfortunately they don’t accept payments via crypto. I’m not about to pay them via VISA or PayPal (see earlier comments about anonymity).
They do have Mailbox Guard which allows incoming email to be immediately encrypted with a GnuPG key. This gets pretty close to what Protonmail offers but has the advantage of allowing you to use your local MUA to handle message decryption (you can connect via IMAP and rely on your MUA for decrypting messages).
It’s… almost… exactly what I want. I just don’t love it.
I know I’m making a big deal out of something that doesn’t really matter that much. I’m hung up on making a decision because nothing is perfect.
I think the TL;DR is:
- I don’t trust Disroot with my mail (again, no reflection on the people!)
- I just don’t love mailbox.org and paying them anonymously seems hard
- Protonmail is so close to what I want
I think I’m going to go forward with Protonmail as my main email provider, but I need to think about / resolve the following:
- How can I use my own GnuPG keys without making a mess? (using my own GnuPG key with the local MUA seems to break things)
- How can I use K-9 on my mobile device with Protonmail and avoid using their Android App?
If you have been going through some similar struggles with email providers and have some thoughts / comments, don’t hesitate to get in touch!