The mail service has to be affordable (around 10 euros per year). Tuta was an option but their plans are somewhat overpriced for me. Anyone using their (Tuta) free plan? How is it?

  • Saki
    link
    fedilink
    English
    arrow-up
    10
    ·
    1 year ago
    • Tuta (free): you can send only like 6 email per day. Otherwise, Tor-friendly. No onion. Support forum on Reddit 😞 Germany.
    • Posteo.de: 1 €/mo affordable. Nothing fancy. Support via PGP like that’s common sense. Germany. Non-crypto anonymous payments w/ various options (e.g. a prepaid CC): they don’t even ask your name (much less address, cell phone number).
    • Disroot.org: Free, pop/smtp, community-based, trusted even by the Tails team. w/ onion. Netherlands.
    • Cock.li: Free, pop/smtp etc. Very Tor-friendly w/ fast onion. It’s good if you think it like disposal. Irresponsible in a way (aka Freedom), but actually 10-year-old & stable. Romania.
    • Proton (free): bloated, very mixed opinions, yet better than Google. w/ onion (slow). Switzerland. A simple feature like Plain Text view is missing (HTML by default: not serious about privacy).
    • Saki
      link
      fedilink
      English
      arrow-up
      4
      ·
      edit-2
      1 year ago

      Don’t worry about e2ee: Even if you get the most expensive plan from e.g. Proton, it’s not e2ee unless both parties use Proton. There is a free, “easy” way to realize true e2e: OpenPGP in Thunderbird (convenient), GnuPG (more secure), etc.

      As for mailbox.org: I used it before but it showed Google reCaptcha, which was an obvious red flag:
      cf. [Security and GDPR Issue] ProtonMail includes Google Recaptcha for Login, every single time. #242

      Also, technical score of mailbox.org has been relatively low, not improving: https://internet.nl/mail/mailbox.org/1080449/ (Don’t worry too much about this score, though. It’s only technical; human factors (philosophies, trust, etc.) are more important when it comes to privacy.) This is not a recommendation. DYOR; ultimately, believe your own intuition.

      • catacomb@beehaw.org
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        I agree. I use Proton and I have exactly one service which supports GPG. It’s a cherry on top but it’s not all that useful.

        The big thing is to use a trustworthy service that you pay for. It’s not bulletproof but at least the incentive is there to keep your email private and away from advertisers.

        • Saki
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          Actually, Proton + your local key = don’t work very good. Usually you’ll have to use a key pair generated by Proton—sharing your sec with the provider is not good.

          Nevertheless, Proton is 100 times better than Google to be sure. Those who are trying to ditch Google, Proton and Tuta are two good options to consider, also recommended by PrivacyGuides. For those who had ditched Big Tech and now starting to wonder if Proton is okay… that’s a bit tricky, still I say Proton is nod bad. I had recommended Proton to my friends until the French activist incident, followed by a few more bad incidents. Yet it’s understandable that Proton must obey it if they get a valid court order… If you’re a normal, daily user, Proton is good enough (if not the best), albeit a bit overpriced.

      • rush@lemm.ee
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Note that Proton does support OpenPGP and maintains one of the largest OpenPGPY implementations

        • Saki
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          If you share (upload) your secret key, that is. A seasoned PGP users would never even imagine that.

          Another related problem is, Proton assumes that it’s supposed to automatically decode a PGP encrypted text by itself, and as such, if a classical PGP/GPG text (manually encoded/decoded offline) is received, it will show an error message saying basically they don’t have a key to decode it. This is annoying but harmless; you can still manually decode it offline.

          That being said, I’d highly recommend Proton and Tuta if anyone is still using Gmail. If you’re a classical PGP user, maybe Tuta is more convenient because it doesn’t try to decode anything by itself. If you’re not so privacy-aware, thinking that sharing your secret key with a third party is fine, then Proton is more convenient because it will automatically decode a PGP message you received, for you.

      • Saki
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        1 year ago

        Not a recommendation but I too trust Disroot pretty much. You can get a custom domain there without “buying a paid plan” once you make a donation. Would that be an option for you?

        Using multiple providers (having multiple accounts) is a good idea, though. Don’t put all the eggs in one basket. I’ve never heard the two providers you mentioned, so I can’t tell. If you can sign up anonymously via Tor, if they’re Google-free + not behind CF, and (most importantly) if you feel them “good” (subjective but gut feeling…), I think they’re usable.

        If their support use PGP, that’s a good sign too. (Proton even doesn’t share its pub key iirc.) If they also accept the privacy coin like Disroot and Tuta do, that’s nice too. Ultimately, though, believe your gut feeling, because everyone has different priorities, different threat models, etc.