Protonmail is propaganda, as it encourages centralization. Yes the self-host VPS provider can see it, but so can proton. This puts all eggs in one basket, which is a corrupt and easily accessed basket. Please see the following I wrote earlier:
~
First, Proton is NOT end-to-end encrypted. As per own their blog:
https://proton.me/support/proton-mail-encryption-explained
(Please note, I only changed the CAPS)
Quote:
"The email is encrypted in transit using TLS. It is THEN UNENCRYPTED and re-encrypted (by us) for storage on our servers using zero-access encryption. Once zero-access encryption has been applied, no-one except you can access emails stored on our servers (including us). It is NOT end-to-end encrypted, however, and might be accessible to the sender’s email service"
</end quote>
Second, they do scan it for spam and phising.
They repeat this with:
Source: https://proton.me/blog/encrypted-email-spam-filtering
"Emails that come from third party email providers obviously CANNOT be delivered with end-to-end encryption, but upon reaching our mail servers, we will encrypt them with the recipient’s public key before saving the messages(new window). All this is done in memory so that by the time anything is permanently stored to disk, the email is already un-readable to us. This gives us a very limited window to perform spam filtering on incoming messages."
Then they further elaborate,
"Secondly, the message is passed through our customized Bayesian filters which marks suspicious messages as spam.
Next, we generate checksums of incoming messages and check them against a database of known spam messages. If there is a match, we mark the message as spam. The checksums are done in such a way that it is also effective against mutating spam emails."
</end quote>
So they claim to have it unencrypted, then have a "limited time" to stop spam, but then also claim to encrypt it, and then after compare the hash to spam hash. If their own claims were true, then why do they only have a limited time?
Third, they hand over huge amounts of data. If it's encrypted, then what do they have to hand over?
From their own transparency report:
https://proton.me/legal/transparency
"2023
Number of legal orders: 6,378
Contested orders: 407
Orders complied with: 5,971
2022
Number of legal orders: 6,995
Contested orders: 1,038
Orders complied with: 5,957"
</end quote>
While as with a self-host VPS,
With a large amount of effort, the VPS provider could in theory snapshot memory to get access to emails. But this data is being sent through SSL encryption, so passive general surveillance is protected against. It would have to be work (and money wasted) for them to get the data.
SimplifiedPrivacy.com Podcast / SimplifiedPrivacy.com
npub14s…jt5d6
2024-10-06 13:15:24
in reply to nevent1q…07tj
Author Public Key
npub14slk4lshtylkrqg9z0dvng09gn58h88frvnax7uga3v0h25szj4qzjt5d6Published at
2024-10-06 13:15:24Event JSON
{
"id": "77ae541692d00e50f5c5777a420d93da15ba41c34307da88e7a8eae98c60b552",
"pubkey": "ac3f6afe17593f61810513dac9a1e544e87b9ce91b27d37b88ec58fbaa9014aa",
"created_at": 1728220524,
"kind": 1,
"tags": [
[
"p",
"7a69e5f62fcc20e81beea7461a945e6531f8c7944200d0b3cb4cc63556c44106"
],
[
"p",
"1cf75683d02b4ec0aa4d2127ff45d335fe2ef5a884b5794775d608bace006a16"
],
[
"e",
"14c038753d0a54a4e0dadf961f5a788d353c8082b5b31afcde210bdf0dcca370",
"wss://a.nos.lol/",
"root"
],
[
"e",
"cb47582673f5087d69c9425a439244321e83db3b52a63e6bd3d22928489ce24b",
"wss://e.nos.lol/",
"reply"
]
],
"content": "Protonmail is propaganda, as it encourages centralization. Yes the self-host VPS provider can see it, but so can proton. This puts all eggs in one basket, which is a corrupt and easily accessed basket. Please see the following I wrote earlier:\n\n~\n\nFirst, Proton is NOT end-to-end encrypted. As per own their blog:\n\nhttps://proton.me/support/proton-mail-encryption-explained\n(Please note, I only changed the CAPS)\n\nQuote:\n\"The email is encrypted in transit using TLS. It is THEN UNENCRYPTED and re-encrypted (by us) for storage on our servers using zero-access encryption. Once zero-access encryption has been applied, no-one except you can access emails stored on our servers (including us). It is NOT end-to-end encrypted, however, and might be accessible to the sender’s email service\"\n\u003c/end quote\u003e\n\nSecond, they do scan it for spam and phising.\nThey repeat this with:\n\nSource: https://proton.me/blog/encrypted-email-spam-filtering\n\n\"Emails that come from third party email providers obviously CANNOT be delivered with end-to-end encryption, but upon reaching our mail servers, we will encrypt them with the recipient’s public key before saving the messages(new window). All this is done in memory so that by the time anything is permanently stored to disk, the email is already un-readable to us. This gives us a very limited window to perform spam filtering on incoming messages.\"\n\nThen they further elaborate,\n\n\"Secondly, the message is passed through our customized Bayesian filters which marks suspicious messages as spam.\nNext, we generate checksums of incoming messages and check them against a database of known spam messages. If there is a match, we mark the message as spam. The checksums are done in such a way that it is also effective against mutating spam emails.\"\n\u003c/end quote\u003e\n\nSo they claim to have it unencrypted, then have a \"limited time\" to stop spam, but then also claim to encrypt it, and then after compare the hash to spam hash. If their own claims were true, then why do they only have a limited time?\n\nThird, they hand over huge amounts of data. If it's encrypted, then what do they have to hand over?\n\nFrom their own transparency report:\nhttps://proton.me/legal/transparency\n\n\n\"2023\n Number of legal orders: 6,378\n Contested orders: 407\n Orders complied with: 5,971\n2022\n Number of legal orders: 6,995\n Contested orders: 1,038\n Orders complied with: 5,957\"\n\u003c/end quote\u003e\n\n\nWhile as with a self-host VPS,\nWith a large amount of effort, the VPS provider could in theory snapshot memory to get access to emails. But this data is being sent through SSL encryption, so passive general surveillance is protected against. It would have to be work (and money wasted) for them to get the data. \n",
"sig": "658a033c8f4cf2ba77b9c5afdeab9d0e31fb3c749de974083c7a099e3da29aa64282436ad2da8329a6a433fe917c01da44acd3e4ecda2f77b81f52e1673d372b"
}