Everyone I have talked to those past 5 years has told me at least once that they want to move away from Google's ecosystem of services. More precisely, most of them believe that this is too much of a Google world. And I'm not talking only about tech enthusiasts. Literally everyone.
Of course, there are quite a few alternatives depending on the service that you use. When it comes to email, one of them is ProtonMail. But it's not as easy as it seems at first glance. Mailvelope also is in the balance. And using both combined is the best solution I have found. Here are a few thoughts - mainly for myself, on both products.
I have had my ProtonMail account right from the beginning. When it came out, I was quite excited. If I remember well, I was actually trying out the Mailvelope extension which basically added a way to write and receive encrypted emails right from any popular webmail services. A year after the launch, I interviewed Andy Yen and he explained how he wanted to build a secure product that does not suck. I believe it was the first time he talked about offering a true Gmail alternative in terms of features.
Both products have pros and cons and by writing this article I'm trying here to figure out which is the best solution for me. Though a tech enthusiast, I am not a security expert per sé. Therefore I'm looking for a non conventional product that still retains a certain ease of use.
Those past 5 years, I've been closely following the evolution of the service and a couple weeks ago, I decided to try a switch from Gmail. To be fair I'm very happy with ProtonMail. It works great. But of course, I'm never satisfied and that's probably why I will sound a bit picky because I want the service to be perfect.
To be honest the whole migration process has been quite tricky. I have had a free Google Apps/Suite account for 12 years with my family name as a custom domain. I can't really move all my family to ProtonMail so I bought another domain, signed up for the ProtonMail Plus subscription and added 5 more gigs of storage to import all my Gmail messages with the ProtonMail import/export tool.
I have tried the ProtonMail Bridge which enabled me to use my account over macOS default Mail app but I do really like the web interface of the webmail. It's feel very responsive to me. I encountered a few freezes in Google Chrome. Yet in Firefox it is amazingly fast.
I can easily publish my ProtonMail public key and anybody can use it to send me encrypted messages in ProtonMail. But I can also upload the public key of one of my contacts who is using another PGP solution like Thunderbird and Enigmail for instance. It's not easy to find though, you have to go in the edit mode of a contact and click on the gear icon next to the email address in the contact details. When sending an email to this person the paddlock next to the recipient's email address will be green.
If the contact is using ProtonMail, be it with a @protonmail.com/ch or a @pm.me email address or with a custom domain, the paddlock next to the recipient's email address will be purple.
I am using the iOS ProtonMail application and, though it may again sound a bit bitter, I'm quite disappointed by its usability. To be honest, I believe it looks like a mere encapsulated mobile website. It just does not look and feel native. When compared to Yahoo! Mail, Outlook.com ou Gmail, the iOS ProtonMail app looks like a second-class citizen. The message list is not very clear to me and for several reasons :
In fact, if you resize the desktop window of ProtonMail then you get exactly the iOS mail app. A bit lame. True mobile applications should be a priority in 2019.
It is important to note, however, that ProtonMail nevertheless makes it easy to send an encrypted message right from your smartphone without having to setup your ProtonMail account on a dedicated client as you would do with a regular PGP solution.
Let's be honest, the real life of a switcher is to send messages to people who do not use ProtonMail. Sure you can send a non-encrypted email message but you can also chose to encrypt the latter.
As stated before, in this case, the person will receive an email inviting him/her to view a webpage hosted on Proton Technologies' servers. They will have to decode your message on this web page by using a specific code that you will have previously sent him/her by another means of communication (like a text message).
I'm not a fan of the email they received. It has a big ProtonMail banner and a sentence that says "I'm using ProtonMail to send and receive secure emails. Click the link below to decrypt and view my message". I think it looks too much of a promotional email to me. I do understand that ProtonMail needs users - and more especially paid users. Yet, I believe that when subscribing to a paid account, you should be able to customize the default email that is sent to non-ProtonMail users. At least there could be other templates looking less promotional.
One limit that I have observed is that because messages are encrypted on ProtonMail's server, then one cannot perform a search within... a message. It's quite logical but I'm not sure how the company can be on par with Gmail on this one... You will have to remember either the name of the sender, the date the message was received or the subject of the email. Thankfully, ProtonMail has an advanced search engine which makes it easy to perform boolean queries. If you make use of the bridge on a desktop client then the search works fine, but I do not really like using a dedicated software.
The default ProtonMail theme is OK, yet maybe a bit dull. I personally use the GM Theme made by user amdelamar and published on Github. He's done a great job ! I also have a 5-line userscript to optimize the inferface a little bit. The message list, for instance, is a bit too large for me compared to the message preview pane on the right side. Anyway I wish the ProtonMail team would make it easier to build custom themes.
Mailvelope is a browser plugin which I tried both in Chrome and Firefox. It basically adds a security layer on top of tradional webmail services like Gmail, Yahoo! Mail or Outlook.com. The integration is quite well done and transparent. In fact you can manage yourself the domains onto which the Mailvelope message composer should show up. For no real reasons, I tried, for instance, to make it appear in *.iCloud.com and it worked fine.
The main advantage of Mailvelope is that you only have to share one email address with everyone and your public key for those who wish to send encrypted messages to that same email address. In my case, it's quite important as I've had my email@example.com email address for over 10 years. So I would not have to juggle with two email addresses.
However, Mailvelope being a browser extension, the system only is available on your computers and not anywhere else. If you receive an encrypted message on your tablet or smartphone into the Gmail app, then you can't read it. You will have to set up your account on a specific PGP-enabled application.
Also using Mailvelope means that you are not moving away from Google, which was the inital idea...
One could simply ask : what about Google's Confidential Mode ? That's a good question. For years, Google and Yahoo! had been promising an E2E encryption mecanism published on GitHub and which never was published. Google instead, and Microsoft as well by the way have been natively implementing an encryption mode.
At fist glance, it sounded a bit weird. When Google presented their efforts in building an encryption mechanism, the first question that arose was : how will they be able to scan the content of my messages to display target advertising ? Then they announced that they would no longer scan my messages. But that was no the entire truth to the story...
Gmail's Confidential Mode is a bit similar to ProtonMail's system which enables you to send encrypted email to non-ProtonMail users. But there is a big difference. After my message has been encrypted and published on Proton Technologies' server, I can choose the password that I will share with the recipient.
In Gmail's Confidential Mode, Google will tell you that THEY will generate a passcode that will be sent to the recipient's mobile phone. Then Google wants the phone number of the recipient. In other word, Gmail's Confidential Mode is encryption made the Google way... Not only does Google want to collect phone numbers from your contacts, they can now associate those with their email addresses and build up on the previously collected data.
It turned me off right away.