Is it worth it to make the move to ProtonMail & VPN?

I am about to do it, the only worry I have is, is it really worth it? PLEASE HELP! I'm willing to do it in the following hours if worth it.

  1. I don’t know much about encryption and keys and all the rest of it. All I want is to stay away from the big guys; however, when you look at the prices it’s going to be around $100 per year to use mail and VPN, so the question arises, is it really worth it?
  2. All my contacts have either Gmail, Outlook or their own domain, which is often used in O365 as a client. Thus what difference does it make to me? I mean, if I interact with them the big guys will read my emails, won’t they?
  3. If you still think that I should make the move, can you please suggest what your setup is? I was thinking something like [email protected] for the important stuff and then [email protected] as an alias for less relevant stuff. Would that work? I see people using SimpleLogin and other stuff but I don’t quite get it, and it seems confusing to me when I can just use an alias provided by PM?
  4. The VPN doesn’t seem to be working properly on Linux, which is a big drawback. Should I get another VPN for Linux or hope that Proton will work fine?
  5. Finally, would it be a good idea to create the account by remotely accessing another PC in a different location, and what is your setup in terms of PM mail privacy, guys?

Thank you!!

TL;DR version: Mail is worth it, VPN depends - but probably not worth it. You do not necessarily need both.

Regarding mail: Mails are sensitive for some people; for others they might not be important at all. If you use mail actively for communication, non-privacy-oriented providers which do not provide zero-knowledge services are able to “read” your mails whenever they want. Google does that in Gmail. It is plausible that most other free e-mail services do the same. They do that to gather information about who you are and what your interests are, so they can sell this information for marketing purposes - something Google does extensively through their search engine - the search results you get are tuned to match your interests and the companies paying for ads on Google search and the other ad platforms they provide. So if a random website sells some spots on their site for ads and connects to the Google Ads platform, the advertisements there are also adjusted to match your interests.

Zero-knowledge providers (such as ProtonMail, Tutanota and CTemplar, to mention the most well known ones) do not have that capability. And this is also why you typically need to pay to get more features in their services. Their income is from users paying for the service, while with Gmail you “pay” with your mail data.

Zero-knowledge providers also do not have the capability to “read” your mails, even if they want to. PGP-based providers (ProtonMail, and CTemplar IIRC) will not have everything encrypted, due to how e-mail data is managed and how PGP works. PGP encrypts the main mail message (aka “body text”) and attachments, while mail headers (mail metadata such as To, From, Subject, etc.) are not encrypted. When you read mail from such providers, the decryption happens entirely on your own device, and the service provider does not have what is needed to unlock your private key.

The challenge with zero-knowledge providers is that they cannot easily provide direct IMAP/SMTP access without either requiring users to configure PGP locally, or doing what ProtonMail does with the ProtonMail Bridge, where the Bridge application runs locally, gives local IMAP/SMTP access, and does all the encryption work behind the scenes on your behalf.

I’ve used both Tutanota and ProtonMail for a while and moved completely over to ProtonMail for my main mail accounts over a year ago. For me, ProtonMail has a very good balance between usability, good user experience and privacy features. Tutanota applies more encryption to the mail data (they also encrypt the mail metadata), but they do not have any other access to their service than through a web browser or their own apps. There is no Bridge functionality (and it is not planned), and it is harder to import/export mails.

One key thing with mail: I suggest using your own custom domain. “Buy” your own domain and use that via ProtonMail. If you later on decide to move away from ProtonMail, you just swap the mail service on your own but keep all the mail addresses with the new mail service.

When it comes to VPN: This is a very dirty market segment driven by lots of hype. I would say the vast majority of VPN users may not really need it. Consumer VPN solutions (like ProtonVPN, ExpressVPN, NordVPN, Mullvad, Private Internet Access etc., etc., etc.) do not really give you any privacy nor much enhanced security. These services are more or less a virtual Internet provider, where you shift who can inspect your Internet traffic from your local ISP connection to the VPN service provider.

Consumer VPNs do have some use cases, like preventing people on public networks you share with random strangers from seeing what you do online. Or to get a more “open” Internet, to avoid certain blocks the local Internet provider imposes (content blocking, port blocking) or to avoid region blocking.

So the bottom line is: If you trust the local Internet providers you make use of and are not blocked in what you want to do, there is little value in a consumer VPN service. If you do not trust your Internet connections, then a consumer VPN service may make more sense.

But: You need to fully trust the VPN provider of your choice. Because when you use their service, you grant them access to all your Internet traffic.

I personally trust the Internet service provider where I host one of my public-facing servers and the Internet provider I have at home. However, I do not trust various random networks outside my home. So I have set up a VPN server on my public-facing server, to which my computers and mobile devices keep a constant connection when I’m not at home. All my traffic looks like it comes from my VPN server, no matter where in the world I am. So I achieve much the same as a consumer VPN service could offer, but I decided to rather trust the Internet service provided by the hosting provider of my server.

With VPNs it is all about who you trust and who you are willing to pass your Internet traffic through.

Of the consumer VPN service providers I would be willing to trust other than my own VPN setup, ProtonVPN comes high up on the list. But I might also consider the OpenVPN Cloud service (the free plan is fully featured, but limited to 3 simultaneously connected devices), where I would need to provide my own “exit point” for the Internet traffic. The latter one is more initial setup work and requires maintenance of a server running a VPN client only (connecting to OpenVPN Cloud, using one of the three free connections). The former (ProtonVPN) is far more convenient if you want less maintenance.
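The answer above makes the point that PGP-based providers encrypt the body and attachments while the header block (To, From, Subject, Date) stays in cleartext. The following added example, which is not from this thread or from any of the providers named, makes that concrete with Python’s standard `email` library: it parses a constructed PGP/MIME message (RFC 3156 `multipart/encrypted` layout) as it would sit on a server and reports what a provider could read without any key material. The armored block is a placeholder, not real ciphertext, and the addresses and subject are made up.

```python
"""Added example: what a mail server still sees on a PGP/MIME message.
Constructed sample data; the PGP block is a placeholder, not real ciphertext."""
from email import policy
from email.parser import BytesParser

# Constructed: an encrypted message as stored on the provider's server.
SAMPLE_PGP_MIME = b"""\
From: alice@example.com
To: bob@example.org
Subject: Q3 salary review
Date: Mon, 06 Sep 2021 10:15:00 +0000
Message-ID: <constructed-1@example.com>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="boundary42"

--boundary42
Content-Type: application/pgp-encrypted

Version: 1

--boundary42
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

hQEMA1PLACEHOLDERCIPHERTEXTxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
=abcd
-----END PGP MESSAGE-----

--boundary42--
"""

# Constructed: the same message sent without PGP, for contrast.
SAMPLE_PLAINTEXT = b"""\
From: alice@example.com
To: bob@example.org
Subject: Q3 salary review
Date: Mon, 06 Sep 2021 10:15:00 +0000
Message-ID: <constructed-2@example.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Bob, here are the numbers we discussed.
"""

# RFC 5322 headers that remain readable regardless of PGP.
METADATA_HEADERS = ("From", "To", "Cc", "Subject", "Date", "Message-ID")


def provider_view(raw: bytes) -> dict:
    """Return what a server-side observer learns without any key material."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    visible = {h: str(msg[h]) for h in METADATA_HEADERS if msg[h] is not None}

    # RFC 3156: multipart/encrypted with a control part followed by the ciphertext part.
    is_pgp_mime = (msg.get_content_type() == "multipart/encrypted"
                   and msg.get_param("protocol") == "application/pgp-encrypted")
    parts = list(msg.iter_parts()) if msg.is_multipart() else []

    if is_pgp_mime and len(parts) == 2:
        cipher = parts[1].get_payload(decode=True)  # bytes of the armored block
        body_opaque = b"-----BEGIN PGP MESSAGE-----" in cipher
        body_preview = None  # the server cannot read it
    else:
        cipher = b""
        body_opaque = False
        body_preview = msg.get_content().strip() if not msg.is_multipart() else None

    return {
        "visible_headers": visible,
        "pgp_mime": is_pgp_mime,
        "body_opaque": body_opaque,
        # Size is still observable: ciphertext length roughly tracks content size.
        "ciphertext_bytes": len(cipher),
        "body_preview": body_preview,
    }


if __name__ == "__main__":
    for label, raw in (("PGP/MIME", SAMPLE_PGP_MIME), ("plaintext", SAMPLE_PLAINTEXT)):
        print(label, provider_view(raw))
```

Running it shows that the subject line and the correspondents are identical in both views; only the body changes from readable text to an opaque blob whose length is still known. That is the residual exposure the answer describes, and it is why a self-chosen subject line such as “Q3 salary review” is itself a disclosure on a PGP-only provider.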

If email is 100 percent a commodity to you. You don’t care about anything but the most basic features (and don’t mind missing even a few of those). You chuckle to yourself when hearing recurring requests (and promises) of upcoming key features you know in your heart will never materialize.

Then and only then will you be content with ProtonMail.

To answer #3

People use SimpleLogin because Protonmail promised us a way to have unlimited aliases for our custom domains or a way to generate random aliases.

This is used to register to multiple services without them being able to track us across them.

SimpleLogin allows us to achieve what Protonmail promised year after year but has always failed to deliver.

  1. For ProtonMail it’s totally worth it. You pay for all the good features Proton has. You pay for the privacy of your emails. You pay for the fact that Proton can’t shut down your account without reasons, contrary to “free” accounts (like Gmail, Outlook etc…) that can suspend your account if they want, without reason. Also, it’s like a donation to the privacy world, as Proton is very engaged in changing Internet privacy, and you allow everyone to have a free, encrypted email account. You support digital rights.

  2. The emails can be read by the sender and the recipient, so yes, if you send a mail to [email protected] Microsoft will have access to it, except if you use encryption (like the encrypted email for non-Proton users).

  3. I suggest you use SimpleLogin for sh*tty websites only (like when you are forced to subscribe to a newsletter or something). And I encourage you to use a [email protected] for online accounts, as .ch is the safest they can provide. Of course, when you give your address to a friend, you can give the short @pm.me.

  4. If you really need a VPN I encourage you to test ProtonVPN by yourself. You can cancel (and get reimbursed) at any time.

  5. I don’t think so. If you want to hide your IP from ProtonMail (I don’t speak for ProtonVPN here) you can use their onion address. But why would you hide your IP from them?

I hope I have helped :)

Does your current mail provider have support for hardware security keys? Chances are, in 2021, that it does. Whereas ProtonMail does not. That’s a big step down in security.

I’d say free ProtonMail and a VPN (Nord, Express).

I moved my domains to email and VPN. Works well. I’m not a cheap ass who wants it for free - I’m willing to pay for quality.

VPN and email, both for personal use, are my two priorities.

I could get by with free offerings, with the exception of some sort of protection while using BitTorrent. I tried various products, but after researching them I was unhappy about the shady nature of their ownership. I switched to Proton, and while it cost a bit more, I got the bonus of additional mail services and more storage. The VPN works well on Linux for me. Sometimes it needs a bit of configuration depending on the distro. I’m using it mostly on Raspberry Pi and Lubuntu. It’s been a few years now; I’ll churn if it benefits me, but so far it’s been a happy relationship.

There’s a lot of technical answers here, far better than I can explain. But the technicalities aren’t what made me switch. The real world expectations did.

This is what I wanted and what I got:

Mail that doesn’t read my personal content just to sell me off like a product.
A VPN that didn’t just log my activity so they can sell me off like a product.
A VPN that can mask my online activity from my ISP so they can’t sell me off like a product.

Things to consider:

Look into getting your own domain to customize your email. I didn’t do it at first, but there really isn’t a reason to do it (other than catch-all emails are reserved for the upper ProtonMail tier).

You are giving up some convenience for security.
I think the hardest shift for me was the lack of contacts integration. PM has its own contact list, which is separate from your phone’s contact list. And guess what, you don’t need a phone number for an email-only client. So I ended up using EteSync to sync my contacts to PM and Signal.

I use two main addresses. One as the primary is for family, friends, and important web sites, such as brokerage account. I never intend to change that address ever.

I have a second that I use freely for web signups and giving out to people without worrying about getting on mailing lists and spam. If the second address ever gets too much junk then I can always dispose of it and set up a new one. I probably won’t ever do that but at least I have the option.

I find this simpler than the various other approaches even though it’s not perfect. I find it good enough.

  1. If you have basic email needs and don’t plan to use VPN for movie streaming you can start with free plans. I’ve been using PM since it came out and only recently switched to paid plan because of their calendar (but I’m taking advantage of plus mail features as well). I share a paid VPN account with parents and siblings so it’s not that expensive at all!

  2. Right, but you are ready for the future, plus you make a statement. Think of this: what’s the point of driving an electric car if everyone else still runs on gas?

  3. I use a main account for mail and core services and another one for anything else. Never got spam or anything like that.

  4. Sorry can’t help.

  5. Doesn’t make a difference. Policy? Random password + 2FA and backup in a password manager. Never log in from someone else’s device. I always bring my TAILS pendrive with me.

Your answer is much appreciated man, although I didn’t understand half of it. I take it I should go ahead with ProtonMail and have a think about the VPN to see whether I’d rather give my information to the Internet provider or to ProtonVPN. If I were to choose ProtonVPN, do they store my information, as in what I visit, how often etc.? Or do they delete it?

Thanks again for such an answer. I wish I had the knowledge to do what you have; it seems pretty convenient and sustainable once there.

Thank

Where/how do I buy my own email domain?

Where can I buy my own domain?

so yes if you send a mail to [email protected] microsoft will have acces to it, exept if you use encryption

You mean if you send an email from?

This is utter nonsense.

You mix U2F with encryption keys used for decrypting data stored in hardware. They are not connected at all.

The fact is that the vast majority of users will be pretty much fine and secure by enabling TOTP-based 2FA. Yes, U2F is much better, but it is not killing the security of ProtonMail as you seem to claim. And yes, being able to store the private PGP keys on a hardware token would bring the security a long step further.

If you want to be more careful with the private key which ProtonMail stores encrypted, enable “Two password mode” in addition.

Also, ProtonMail went through a security audit in July 2021: https://protonmail.com/blog/security-audit/ If the lack of U2F were important, I’m pretty sure they would have highlighted that in this report, as lack of 2FA in general is most commonly highlighted in other reports from other places I’ve read through.

From your point of view, what advantages does a consumer VPN solution give you?

It’s pretty amazing the ignorance you show toward the big data collection done by the bigger corporations through various free services. Posts like this may actually do more damage than help.

Let me suggest some literature on this topic: “Dragnet Nation” by Julia Angwin.

The ProtonMail blog contains lots of reasonable information. It is, naturally, very pro-ProtonMail. But what I’ve read so far is factually correct.

A few posts, which might explain it easier: