Hi All,
I am building something and looking for some advice.
If you want to send an encrypted message or email to another person, which protocol/app would you use if you only have the user's email address?
This excludes all apps or protocols depending on phone number.
PGP can be misconfigured, and is a pain to deal with. Not only that, but there's a fundamental weakness in the server design for PGP which allows someone to flood the certificate servers and cause lots of problems.
If you want easy-peasy completely encrypted email, have you and your friend get free Protonmail accounts. The free tier gives you 150 messages/day and 500 MB storage.
As for encrypting ZIP, DMG files and the like, my concern is that once an unauthorized 3rd party gets hold of the file, they can spend as much time and resources as they want without anyone being able to stop them or even knowing that it is going on. After all, they can run the cracking tools offline on a local machine. Or rent some supercomputer power from Amazon…
It all depends on how big of a target you are and the sensitivity of the files. Some information should never go online, or on a computer for that matter.
Any handling of email / cloud storage by a 3rd party requires trust. Protonmail has a great reputation and has great core values, but still one has to trust…
Alternatively one could set up a local (mail) server and only allow trusted partners to connect via VPN to your own server. Which, however, puts all the pressure and responsibility on you to keep it secure. Frankly this is a task that entire teams of highly skilled individuals can barely keep up with, and even then one is never 100% certain.
After all, the centrifuges that were off the grid in Iran got hacked. It just took enough resources and time to get in.
Having said that, Protonmail is a very good bet for most mortal beings…
Ditto what others are saying about Protonmail – it is the simplest solution for most people. I consider myself a Mac Power User and I wouldn't touch PGP with a ten foot pole when Protonmail makes it dead simple to have the highest level of security.
FYI, one of my friends is US special forces and he said Protonmail is the only mail service they can use. If it's good enough for him…
Having spent a lot of time in privacy-related fora, the worst I've seen about Protonmail is that (a) they use anonymized crash logs via Crashlytics (which is located in the USA) – like virtually every app on your phone does, FYI, and (b) ProtonMail requires text message activation for any account created through Tor, in which case the premium/donation option is intentionally disabled – which does not affect privacy, only anonymity.
You can see the Swiss-based company’s Transparency Report here.
If DoD has concerns about Protonmail, I suspect it largely involves the Dept’s loss of control over seeing employees and contractors pass through the service.
It's not about the vulnerabilities, but more about policy. The data centers are not DoD owned or operated, nor do they sit on US soil; they don't have a DoD/Federal certification; and what approved authority has verified their implementation of OpenPGP? One thing I can tell you is that the DoD understands that email is probably their most important threat vector, having been an incident handler for them. Maybe your friend meant that they like what Protonmail has done?
Reviving this thread to ask two questions about Proton Mail:
Is it possible/safe to set up one's Proton Mail in Apple Mail and delete the native Proton Mail app for iOS?
Will it still have the same security through Apple Mail as through the native app?
Is it considered more safe to send sensitive emails and documents from a Proton mail address to non-Proton emails than to just use regular email addresses?
I mean, is there more security in doing that than just regular email? Even though the recipient is not with Proton?
But my question was not regarding third-party email clients for iOS. It was about having Proton Email set up inside Apple Mail on iOS and Mac.
Do you know about the second question:
Is it considered more safe to send sensitive emails and documents from a Proton mail address to non-Proton emails than to just use regular email addresses?
I mean, is there more security in doing that than just regular email? Even though the recipient is not with Proton?
No. Unencrypted email is neither secure nor private, regardless of your email provider.
To send an encrypted email both the sender and the recipient must have software on their devices that can encrypt and decrypt messages. And they must have previously exchanged public keys. Most non-technical users aren’t willing or able to do this.
Proton Mail’s main selling point, IMO, is that they simplify this process.
IMO the solution to your problem is to have your recipient sign up for a free Proton Mail account.
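The exchange the reply above describes (each side keeps a private key on its own device, public keys are swapped beforehand, and the sender encrypts to the recipient's public key), as an added example that is not part of the original thread and is not Proton Mail's or OpenPGP's own code. It is a stripped-down stand-in for what PGP-style mail clients do: a random AES-256-GCM session key encrypts the body and RSA-OAEP wraps that key to the recipient. The addresses and message are constructed sample data; real OpenPGP additionally signs the message, which this example leaves out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party is one mail user: a private key that never leaves their device, plus
// the public keys of correspondents exchanged beforehand (no key, nothing to encrypt to).
type Party struct {
	Name  string
	Key   *rsa.PrivateKey
	Known map[string]*rsa.PublicKey
}

func NewParty(name string) (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, Key: k, Known: map[string]*rsa.PublicKey{}}, nil
}

// Exchange is the out-of-band step: both sides learn each other's public key.
func Exchange(a, b *Party) {
	a.Known[b.Name] = &b.Key.PublicKey
	b.Known[a.Name] = &a.Key.PublicKey
}

// Envelope is what crosses the untrusted mail system; only the recipient's private key unwraps it.
type Envelope struct {
	From, To   string
	WrappedKey []byte // random AES-256 session key, RSA-OAEP encrypted to the recipient
	Nonce      []byte
	Ciphertext []byte // AES-GCM over the body, authenticated
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts body to `to`; it refuses if p was never given to's public key.
func (p *Party) Seal(to string, body []byte) (*Envelope, error) {
	pub, ok := p.Known[to]
	if !ok {
		return nil, fmt.Errorf("no public key for %q: they must share one first", to)
	}
	fresh := make([]byte, 32+12) // session key || GCM nonce, both single-use
	if _, err := rand.Read(fresh); err != nil {
		return nil, err
	}
	sessionKey, nonce := fresh[:32], fresh[32:]
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	// From/To are bound in as associated data and OAEP label, so the envelope
	// cannot be re-addressed or replayed with rewritten headers.
	aad := []byte(p.Name + " -> " + to)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, aad)
	if err != nil {
		return nil, err
	}
	return &Envelope{From: p.Name, To: to, WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, body, aad)}, nil
}

// Open decrypts: the wrong private key fails the unwrap, any altered byte fails the GCM tag.
func (p *Party) Open(env *Envelope) ([]byte, error) {
	aad := []byte(env.From + " -> " + env.To)
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, p.Key, env.WrappedKey, aad)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap session key: %w", err)
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	body, err := gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
	if err != nil {
		return nil, fmt.Errorf("ciphertext altered or wrong key: %w", err)
	}
	return body, nil
}

func main() { // constructed sample addresses and message
	alice, _ := NewParty("alice@example.com")
	bob, _ := NewParty("bob@example.com")
	Exchange(alice, bob)
	env, _ := alice.Seal(bob.Name, []byte("meeting moved to 3pm"))
	plain, err := bob.Open(env)
	fmt.Printf("bob reads %q (err=%v)\n", plain, err)
}
```

The point the reply makes falls out of the code: `Seal` has nothing to encrypt to until `Exchange` has run, so a recipient who never set up keys simply cannot receive an encrypted message, and a third party who intercepts the envelope but holds a different private key fails at the unwrap step. A provider like Proton Mail automates the key generation and exchange between its own users; it cannot do it for a recipient who has no keys at all.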