
Recently I found out about ProtonMail, which has been promoted as a more secure email service than services like Gmail.

According to the creators of ProtonMail, Google can read all Gmail emails, and often does (in an automated way) in order to present targeted ads to its users. Google could also release all of a Gmail user's emails to a government agency or read all the user's emails for other purposes. Also, the emails are not encrypted, so any computer between sender and receiver can intercept and read the emails.

If I switch to a service like ProtonMail, what will be the practical implications?

Do people I communicate with also need to use a similar service in order for me to get the security advantages? If I send an email from a ProtonMail account to a Gmail account, will it just send it unencrypted like a normal email, able to be intercepted and read easily?

  • Possible duplicate of [Wrapping my head around Protonmail](https://security.stackexchange.com/questions/72158/wrapping-my-head-around-protonmail), [Security of emails from ProtonMail to Gmail](https://security.stackexchange.com/questions/186448/security-of-emails-from-protonmail-to-gmail), [How are Proton Mail key Encrypt and Decrypt for the non-proton mail service providers?](https://security.stackexchange.com/questions/145731/how-are-proton-mail-key-encrypt-and-decrypt-for-the-non-proton-mail-service-prov). – Steffen Ullrich Aug 14 '18 at 02:40
  • @SteffenUlrich: Note that information in [How are Proton Mail key Encrypt and Decrypt for the non-proton mail service providers?](https://security.stackexchange.com/questions/145731/how-are-proton-mail-key-encrypt-and-decrypt-for-the-non-proton-mail-service-prov) that you can't send encrypted email to recipients outside of Protonmail seems outdated. According to [this](https://protonmail.com/support/knowledge-base/encrypt-for-outside-users/) now there is a way for premium customers. – Ktator Aug 14 '18 at 07:17
  • ...and you can use [PGP](https://protonmail.com/support/knowledge-base/how-to-use-pgp/) with external parties. – Ktator Aug 14 '18 at 07:31
  • Also services like Tuta.io offer end to end encryption, via a link that is protected with a password. To do this though, you need to give the other person the key by some other means. – RocketSEA Aug 16 '18 at 19:50

1 Answer

It's a little misleading to say that Gmail emails are not encrypted during transfer, because they are only unencrypted when the receiver doesn't have TLS enabled (see this link). Gmail and all of the other major email services have TLS enabled, meaning that your email is encrypted during transfer. This does not mean that the emails are always encrypted on the mail server or client, or when transferring between you and the mail server. Gmail does not do the encryption on the client before sending to their mail servers; all encryption for them is done on the mail server.

This is where services like ProtonMail and Tutanota come in. They do the encryption on the user's machine, before the packet leaves the host. This means that someone cannot successfully complete a man-in-the-middle attack by sniffing out that packet with your email in it.

These services offer end-to-end encryption by default if sending to someone also on that service. Also offered is the option to send a link to the service's website to someone not on that platform, and they type in a password to decrypt the email once there. They assume that you give this password to the person in advance, preferably in person.

Yet another benefit of using one of these two services is that they are not based in the United States, making them less likely to cooperate with the US Government for whatever reason. Even then, because the emails are encrypted by the user and not the server, it is nearly impossible for even the service owners to read your emails.

Some real-world scenarios where this might be useful are sending business-related emails with unannounced IP, sending credit card information (still not a good idea even with these services), sending personal information, or if you're trying to not allow your country's government access to your email.

RocketSEA