This is what made me finally completely switch my email and docs to proton. I’m so close to being able to delete my google account now.
Well this and the docs live collaboration feature they recently added.
Doesn’t really mean much to me, personally. OpenAI, Mozilla, RaspPi, and the NFL all did the same thing. Not until the entire company becomes a non-profit.
I wish it worked in the (iOS) app or had its own. A browser only experience isn’t good enough for me to use it.
Switched mail and I’ll switch VPN once my old sub expires.
Ya know, you may have just helped me finally make the full switch. Thank you
I thought it’ll take many more years until the acquired Standard Notes
90 a year though? That’s taking the piss. Notesnook has all their features and more for 49.99 And that’s on top of Proton’s main fee. That’s one option I won’t be taking.
Is this the standalone annual price? I see 120$/y for all of proton’s premium products
That 90 for Standard Notes is on top of the plan you are on. 90 per year for somethings that is available elsewhere for half that is a non starter for me. I’m on unlimited now, not putting another 90 onto it.
This is definitely great news and refreshing to see from a company, but this came out two months ago.
Published on June 17, 2024
Is this going to be the same kind of non-profit as OpenAI? With a mission to improve the world? Yeah, let’s see how that goes. Another Proton marketing play on their set track to enshittification.
OpenAI is now for-profit since they got funded by Microsoft.
It’s not really that simple. They’re both:
Proton is doing the same thing.
Of course it is good news, and I’m an happy Proton customer since over an year, but this Proton blog post dates back 2 months now…
They just pushed an email announcement out, which is probably where OP heard about it.
And that makes it irrelevant because…? I’m a subscriber and I wasn’t aware of this until this post…
They literally sent the email out within the last 36 hours. My work account got it this morning, and my personal last night.
The email was more of a summary of past changes.
The actual donation of shares to the Proton Foundation was a little while ago, and anyone directly subscribed to the Proton Blog probably already saw it (myself included), so seeing it show up again as if it was new news probably just felt a bit jarring to some people.
I feel like nonprofits are more like we won’t leave anything behind.
They still pay very high sallaries on non profit organisation and many of them pay a lot of money for lobbying. In the end, its more like money laundering
This is old news. Why are you posting this just now? I mean I don’t really care much. I transitioned to Posteo as soon as I learned that they stored the private key. They don’t even let you use your own GPG key, useless honeypot. Their recent bitcoin wallet supports this. If they cared about privacy, they wouldn’t go with Bitcoin. They have been ignoring requests for monero since years.
They also are getting into the AI hype, so I can’t trust my data with them.
You can use your own GPG key (https://proton.me/support/importing-openpgp-private-key or using the bridge), whatever tool does the signing needs the key (duh) so I am not sure what you mean by “they store your private key” (they stored it encrypted as per documentation https://proton.me/support/how-is-the-private-key-stored), their AI was specifically designed as local, exactly to be privacy friendly, plus is a feature that can be disabled (when it will reach general subscriptions).
I don’t care about cyptocurrencies, but I suppose they started with the most popular, nothing to do with privacy as they just let you store your currencies.
Anyway, use what you like the most, of course, but yours don’t look very solid motivations, quite a lot of incorrect information, I hope you didn’t take your decision based on it.
You upload your private key to the cloud. Encrypted or not, this is a bad idea. No thanks. They can do the signing and encryption with my public key and then I’ll do the decryption with my own private key locally without them storing it.
You upload your private key to the cloud. Encrypted or not, this is a bad idea.
An encrypted key is a useless blob. What matters is the decryption key for that key, which is your password (or a key derived from it, I assume), which is client side.
They can do the signing and encryption with my public key
They can’t sign with your public key. Signing is done using your private one, otherwise nobody can verify the signature.
Either way:
and then I’ll do the decryption with my own private key locally without them storing it.
You can do it using the bridge, exactly like you would with any client-side tooling.
It’s still insecure. They decryption process is still in the proton company hands and they could add some client specific code to log the password on the fly. Proton is obliged to follow the swiss law and I can imagine situation that police asks proton (+ gag order ) to log certain data for specific clients like passwords and ips. Still private keys are better to be stored separately. You can sync them easily if you with with either rsync or rclone
It’s not “insecure”, it’s simply a supply chain risk. You have the same exact problem with any client software that you might use. There are still jurisdictions, there are still supply chain attacks. The posture is different simply by a small tradeoff: business incentive and size for proton as pluses vs quicker updates (via JS code) and slower updates vs worse security and dependency on a handful of individuals in case of other tools.
Any software that makes the crypto operations can do stuff with the keys if compromised or coerced by law enforcement to do so.
In any case, if this tradeoff doesn’t suit you, the bridge allows you to use your preferred tool, so this is kinda of a moot point.
The main argument for me is that if you rely on mail and gpg not to get caught by those who can coerce proton, you are already failing.
I used bridge for many years. It was totally unusable - 1) you cannot delete emails with it ( deleted emails were coming back ), 2) synchronization issues so it made me move to another “plain and simple” email provider offering pop3 and imap and also gpg integration ( but without that e2e hype talk )
I can’t comment on this, since I don’t use the bridge for a while. But it’s just an IMAP/SMTP server, so not sure why certain features wouldn’t work. What service did you end up using which has gpg integration?
Exactly. There’s no justification for them storing the private key online for “convenience”. And key generation happens in the browser with JS. Which means it is possible to send backdoored JS to easily copy the private key.
There is a reason: simplicity. Either you do all the key management yourself, which in practice means 98% of the people won’t do it at all, or you implement a solution like they did and increase the risk of a small % (see my other comment) but you cover every customer.
That simplicity introduces security and privacy issues.
endof
Especially with the fact that: 1) deminificafion of the javascript code is not simple 2) you cannot “freeze” the code version you use. Still your computer does allow it ( minus the windows which follows the Microsoft thinking way, kidding about windows updates )
This is old
“I know this. Why doesn’t everyone else know this? They should be me, I’m the smartest man alive.”
I really don’t care much
proceeds to type an entire paragraph as to why you don’t care
Just wanted to point out that it does not change anything from privacy and security perspective about their products.
Also they are still operating as a normal company internally (they still offer their vpn through a third party provider and they still work to achieve the highest income from their products).
Then they should transition away from multi-level marketing pyramid Ponzi schemes too. I deleted my Protonmail account when Proton began peddling crypto“currencies”.
What’s wrong with splitting eggs in different baskets ?
Immoral baskets that incentivize greed are to be avoided.
Them holding a reserve of a cryptocurrency in case something happens to their financial accounts is not the same as peddling crypto.
It gives credence to greed incentivizing unethical contraptions.
greed incentivizing unethical contraptions.
Crypto is a tool, just like anything else. Is the internet a greed incentivizing unethical contraption? Because the internet spawned Google, Instagram, Facebook, 4Chan, and various other shady and illicit sites and services. Should we hate the internet because of this?
Crypto isn’t inherently bad. It’s the people trying to take advantage and duplicate the “success” of Bitcoin that make crypto bad. I’m telling you this as a person who used to believe in “crypto” and was an early adopter.
A hammer is a tool because no one but the hammer merchants gain financially if everyone were to buy a hammer. Crypto“currencies” are not purely tools but instead multi-level marketing pyramid Ponzi schemes because as soon as one has it they have everything to gain the more people buy it after them.
“Thirdly, early adopters mine or buy large proportions of the total supply at negligible costs while late adopters mine or buy negligible proportions at large costs. It follows that holders immediately have every incentive to get as many people to buy after them. Like stocks? Like stocks, but without the dividends or anything tangible in the real world [10]. Congratulations, you got yourself a pyramid scheme †.”
“† The stock market has largely become a pyramid/Ponzi scheme as well since most of the money does not exist and profits come from buyers or new entrants, i.e., the greater fool [16].” —Money corrupts; bitcoin corrupts absolutely, https://www.cynicusrex.com/file/cryptocultscience.html
Good for them, I love being able to play Windows games on Linux.
They’re unrelated to Valve’s Proton
y’know, just in case
c/whoosh
To be honest that’s what I thought the post was about until I read this, so thanks.
I’m happy to see this announcement. However, just transitioning to a non-profit does not make an organization good. They can still be greedy and take advantage of their user base. That being said, it seems Proton’s mission statement resonates with a non-profit type structure. When you are accountable to the shareholders, they become the priority.
If I remember right, OpenAi started with this model too, and they do lots of shady stuff. Not that this is the plan for Proton, but I completely agree that simply creating a nonprofit that owns the for profit brand doesn’t guarantee good behavior.
Yes Mozilla is a good example. They’re run like any other Silicon Valley company and spend more in C-suite develop their damn product.
Bad example. There are plenty of non-profit FOSS services that do well and serve the community.
“don’t let perfect get in the way of good” or whatever that saying is. One step at a time, yeah?
“Perfect is the enemy of good.”
Bad, also, is the enemy of good…
I think maybe good walked into the wrong damn neighborhood.
Generally you’d want to strive for perfection, but not go crazy over it and mantain a balance in all things, risk vs. benefit, that sort of thing, hence the saying
If so, will they re-think tiers? Or maybe they could give the option for users to choose what they need exactly and what they’re willing to pay? (i.e current Proton plan that costs 8-12€ per month is too much for me, but I would gladly pay like 5€ monthly for little storage, VPN and few email aliases)
I would gladly pay like 5€ monthly for little storage, VPN and few email aliases)
Includes VPN with P2P and streaming, Drive with 15GB, Proton Pass, etc.
I don’t think this plan supports P2P. You’re still on the free plan with the VPN
This is correct
That is incorrect. Here is a link: https://proton.me/mail/pricing#compare-plans
Is this for Mail Plus or Proton Unlimited? I pay for Mail Plus, and have continually gotten the “P2P is blocked” page whenever I try to redownload the Ubuntu 22.04 ISO–maybe I should complain
Although looking at the VPN section, it does appear that the Free and Mail Plus plans have the same checkboxes, so perhaps I am reading it correctly
The column with the ticks is for Plus not for Free, so yes you should definitely complain to support.
Now this is fascinating–I’m seeing no ticks in Plus! Maybe it varies by country (located in Canada, but I think I pay in USD)
Yo I see you on your link that you are right. I stand corrected. Maybe. This link says something different and so I’m not actually sure what’s correct. Let me know what you think. It seems like there’s some conflicting information
Interesting. That’s a support article so is less likely to be up-to-date than the pricing page, but that being said I’m on Unlimited and don’t know what the Plus plan provides with certainty.
Yeah you must be right with that pricing page. I think it’s also unclear what is offered in terms of VPN when you actually try to purchase the Mail plus plan. At any rate, lots of ways for people to be confused about what plan includes what.
I have asked. You only get VPN Free: https://mastodon.social/@protonprivacy/112988334950564963
Cool. I switched to Tuta because it fits my use case better (2 domains, one for my personal email and one for everything else). I don’t need any of the bells and whistles Proton has, and I also don’t want to pay extra to get more domains. The Tuta app kinda sucks, but it gets the job done. I’m hoping my wife and kids will be interested in private email, but they don’t seem to care, and I don’t think they’d like the tradeoffs.
Now, if Proton revises their tiers, I might be interested. Give me something like the Tuta tiers, and I’ll probably switch to it. I prefer the UX of Proton, but $10/month is a bit steep for me, especially since I’m not going to use the other stuff they’re bundling in (I use Bitwarden for PW manager, have my own NAS, and I prefer Mullvad over Proton for VPN).
That said, it’s super cool that they’re going non-profit. When that’s done, I’ll give it another look.
They also have mail-only tier at 4.99.
Does that include the IMAP bridge and multiple addresses?
I don’t know, you’ll have to check yourself. Multiple addresses yes, though, 10 of them.
Yup, but only one custom domain. I really want at least two domains, one with tons of aliases for various accounts, and the other for personal communications. I could use a proton.me address for it, but then it becomes a huge pain to switch to another service should I need to.
Are you me? Lol I feel the same about tuta, yet I such with them. I am waiting for my wife to care for her privacy and switch to a family bundle with tuta.
Got my own NAS and a Bit warden server for PW. I changed Mullvad over AirVPN once they stopped supporting port forwarding, though.
Problem with Tuta for me is its too closed off.
Proton at least offers an IMAP bridge, Tuta utterly refuses to let you use your email outside their apps, which makes it more of a messaging app. And the fact there’s no way to export everything easily or even forward messages rubs me the wrong way. I tried them and have been using them for about 2 years but I’d definitely love to get away from it.
I’m tired of these walled gardens. I don’t give a damn how secure it is, if I can’t leave it with my shit, then no thanks.
Did you also maybe go outside and touch grass before you wrote this? Are you breathing heavily and need someone to call emergency?
what’s with the hostility?
Looks like some are fortune telling and seeing enshitification.
Not all companies go to shit. Valve is an example
Touch grass.
?
I think Proton is a cool project, I’m just a little disappointed at their pricing tiers. It’s probably fine for a lot of people, and hopefully becoming a non-profit encourages them to improve the value at each tier.
I actually used to pay for Proton when I was consulting. I think it’s a fantastic service, but now that it’s not really a business expense, I find it’s a little to expensive. So I have my business domain, my personal email domain, and a “junk email” domain all at Tuta, and I like that setup. But it’s not worth $10/month for me, it’s worth about $3-4/month, so I use Tuta. Privacy is really important to me, but price is also important, and Tuta checks both boxes.
I know I’m an outlier, just giving my 2c that Proton is a good service, and I hope they adjust their pricing with their new non-profit model.
FWIW Proton does offer a mail only plan that’s $5/month, 4 if you go for yearly
Right, but it only supports 1 custom domain. With Tuta, I get 3 for €3.60, €3 if I pay yearly. I could probably make it work, but why pay more for something that I’d have to make concessions for? If they supported more email addresses, I might just use their proton.me domain or whatever (I like separate email addresses for different services, so I can quarantine a breach; so I’ll do
<name>-<type of service>@<domain>), and only having 10 is a little limiting.I know I have specific and kind of weird requirements, but Tuta is currently doing a better job of providing what I want at a price I’m happy with.
Gotcha, that’s totally fair. Thanks for elaborating!
Your requirements are totally fair tbh.
That said, I think you can use aliases for the use-case you have, you don’t need full addresses. Proton supports “+ aliases” as well, so
name+service@domainworks, and most importantly they support catch-all addresses if you have your own domain. I now use actual aliases (the ones from simplelogin), which I generate on the fly, but if you can usewhatever@domainand it will be redirected to your configured address. You don’t even need to create this beforehand, so many times I was around and had to give an email address for some reason and I just made up an address on the fly. As long as you use your domain, the catch-all will get the email.So the 10 addresses only include actual addresses, the ones you can write from. You can have as many as you want to receive emails (which is generally the use case for signing up to services, right?). Just a FYI in case tuta supports the same and you are making more effort than needed!
Yeah, I already do something like
<name>-<category>@<domain>, and I’ll probably end up changing<category>to include a+for each account of that type. For example, all banking apps go to<name>-banking, which maakes it really easy to move emails automatically into folders. If I get an email from a bank without that-bankingpart, it’s spam. I do this with various categories (bills, shopping, etc). I have something close to 10 email addresses right now, and I’ll probably add more in the future.But basically, I have three domains:
- personal contacts -
me@family-domain- I only give this out to family and friends - work contacts -
me@work-domain- printed on business cards and any services related to my side business - everything else - all of those categories above; if this gets full of spam, I’ll just get a new domain, move my accounts over, and then let the domain expire
So far it’s working pretty well. To get that same setup w/ Proton, I’d need to pay $10/month, whereas it’s just $3-4 w/ Tuta. I’d be okay with combining the personal and everything else, but I really want to keep my work stuff on the same account (low volume, but high priority).
Interesting! That’s very close to this blog post I read long time ago (unfortunately medium.com link)! Are you actually sending emails from those addresses? Like if you need to drop an email to your bank, do you use the banking one or your personal (or something else)?
Fwiw, I do something similar. I use a mix of domain aliases without address (e.g. made-up-on-the-fly@domain.com) and actual aliases. Since I have proton family (and the same when I used ultimate) I have unlimited hide-my-email aliases, so I have it integrated with my password manager, and I generate a random password and email for everything I sign up now. These though are receive-only addresses. In fact, with this technique I probably use 3-4 addresses in total, but I have probably 30 domain addresses that go to the catch-all one.
Spam on these addresses are basically non-existing and you can still create folders based on recipient without having a full address (e.g. bank1@domain.com, bank2@domain.com). You can make folder categorization based on recipient regex and this way you also have the “stop bothering me” option: if some email gets into the wrong hands, you can create a spam rule for that dedicated address. However, my approach is that all of these are used just to receive emails, to send I have just a handful of actual addresses or -if really needed- I can create on-the-fly an address from a catch-all one, send the email and then disable it again (so it doesn’t count towards the limit, but I still get inbound email to the catch-all).
Nice setup anyway!
- personal contacts -
I’m sorry I took this username before you got it. Clearly you deserve it more with posts like that.
Your response makes it sound like you’re responding some kind of rage-rant. But from my reading, the post you responded to basically just lists a few things they like and dislike - clearly given as personal opinions. So your response reads as unprovoked hostility.
Wtf
Did you respond to the wrong message?
You say you use Bitwarden. Is that self hosted by any chance? If so, how do you handle the potential for an outage or server failure, where you’d presumably need some of the passwords to fix the problem in the first place.
I also self host vault warden, it’s pretty straight forward. Like the other person said, it caches locally.
The Bitwarden client has all the data cached, so the server can be down and you still get access to the passwords (same for internet connection).
Thanks for the reply! That makes sense. I’m still weary of the client somehow losing the cache while the server is down (two holes in the Swiss cheese lining up) but that is overly paranoid I know that
You should definitely be! I take backups every 6h for my self hosted vaultwarden (easier to manage and to backup, but not official, YMMV). You can also restore each backup automatically and have a “second service” you can run elsewhere (a standby basically), which will also ensure the backup works fine.
I have been running bit/vaultwarden now for I think 6 years, for my whole family and I have never needed to do anything, despite having had a few hiccups with the server.
Don’t take my word for it, but the clients (browser plugin, desktop app, mobile app) are designed to keep data locally I think. So the term cache might be misleading here because it suggests some temporary storage used just to save web requests, with a relatively quick expiration. In this case I think the plugin etc. can work potentially indefinitely without server - something to double-check, but I believe it’s the design.
The local cache solves this problem mainly. Mine also replicates to one of my other servers occasionally.
How do you set up local caching? For non-phones?
Edit: TIL there are windows, Mac, and Linux apps for it. Sheesh.
Yep, the browser extensions also have an encrypted cache, although it is less consistent imo. I’ve had times where my server was down and the extension just completely logged out then couldn’t authenticate so I couldn’t access the cache.
Mine isn’t currently, but I’m working on it. The main complexity is that my wife and I share some passwords, and I want to make sure I do it properly so that transition is as smooth as possible. Vaultwarden is what you’d use to self-host.
But as others have said, I’m really not worried about it. Passwords are cached locally and only touch the server when syncing to the server. I want to self-host to protect against breaches, not because I’m worried about connectivity loss.
You can always backup your passwords (there’s an export feature) if you’re worried about it. I haven’t done it, but I imagine it wouldn’t be too hard to have a KeePass backup or something that you update manually every so often.
I switched to Proton Mail in 2019, and recently started switching to their VPN service to use port forwarding. Glad to see Proton is putting their money where their mouth is.
I’ve been too critical of them in the early days and will admit that many of the issues that plagued their VPN service years ago have now been fixed.
Good. Profit and privacy are mutually exclusive in this industry.
Proton is still a for-profit company and has shareholders who expect to to make money. The change is that the largest shareholder of the for-profit company is now a separate non-profit organization. It is still a positive move, but not entirely what the marketing makes it seem.
That’s roughly the opposite of what the article says.
You mean record breaking profit and privacy. Edit: actually I bet drug cartels are probably do both, at least some (\s)
I would imagine any privacy measures cartels take are seen as overhead more than anything else
Switched from gmail to Protonmail and Outlook to Tuta.io and love it! Companies that put privacy and the individual first.
How is spam filtering compared to gmail.
Afraid to switch as gmail spam filtering is excellent
I’ve been using proton for a few months now with a yearly Mail Plus subscription and I have yet to receive an actual spam e-mail. Your experience might be different than mine since I take precautions not to invite spam in the first place, but even then, Proton looks to be doing an excellent job
I’ve been using Protonmail as my primary address for a few years now. I’m yet to have a single spam email make it to my inbox. In comparison, I use my gmail less and I’ve had a few blatant crypto scams make it to my inbox.
I’m not saying for certain that it’s better than Gmail’s, but that’s my experience so far.
