[dejan]

end-to-end encryption? yes, if both users are on Proton - but don't call it email then.

Storing encrypted makes only sense when keys are not in their hands. Plaintext password enters their system on each login which means they can have your decryption key at any point if needed.

smoke and mirrors marketing...

[notepad0x90]

if they use the email/smtp protocol then it's email.

plaintext password does not enter their system. For example I still have to enter a second password for the in-browser decryption (although these days they use the same password). Most of security feels like theatrics, but small measures that add difficulty for a potential threat actor add up.

[dejan]

I think you are misreading my comment: they are the threat actor themselves, tricking users in believing they are better off via Proton.

SMTP does not encrypt messages and they arrive at Proton's inbound relays unencrypted, are scanned in plaintext for spam etc. At this point they can Bcc anything to another relay/account and keep a copy of all inbound messages BEFORE anything gets encrypted.

Access to historical messages? One line of code for logging, and let's not forget GPG does not encrypt the metadata which is readily available. How about FTS indexes, are they also decrypted on the fly in the browser?

Email is complex and not many have the patience to understand the monster behind, but lying about it, as Proton does - I find it just insulting to our profession.

Also "Swiss neutral", this is even more offending. Swiss execute US orders regularly.

Translated: https://daslamm-ch.translate.goog/ueberwachungsoase-statt-da...

Original: https://daslamm.ch/ueberwachungsoase-statt-datenschutzparadi...

What we really need instead of such shams is a new mail system that does not depend on trusting providers and especially not a SINGLE provider.