I’ve started using ProtonMail for email, as a paying customer. Here are some of my thoughts on it.
ProtonMail is a secure Swiss email hosting service and while it’s not cheap it does optionally come with a VPN. I did a comparison with other email services (e.g. FastMail) before committing and while it lacks features such as a calendar it fitted my use case well.
I also wanted to support what they’re doing. They provide free secure accounts, albeit with fewer features.
First Impressions
It was a rocky start when I decided to upgrade to a paid account. Attempting to pay got my credit card blocked, the first time this has happened. Perhaps a lot of stolen cards are used to buy this service?
Once you have added a card it can’t be removed. This is annoying and means you have to trust ProtonMail to keep the card details secure. If you purchase a paid account then I would recommend a single-use disposable virtual card (or a cryptocurrency such as Bitcoin).
The web interface is pretty good and like most modern services it supports MFA. The second factor is a time-based code so you can use a standard authenticator app and avoid the connectivity and security problems of SMS.
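To show why a time-based code needs no network connection, here is a sketch of the standard TOTP algorithm (RFC 6238) with a server-side check. It is an added example, not ProtonMail's code; the secret is the RFC's published test key and the names `totp` and `verify` are my own.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 6238 test key, base32-encoded the way
# an authenticator app receives it from a QR code.
SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, unix_time, step=30, digits=6):
    """Derive the code for one time step from the shared secret and a clock."""
    key = base64.b32decode(secret_b32.upper().replace(" ", ""))
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    # Dynamic truncation: the low nibble of the last byte selects 4 bytes.
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, unix_time, window=1, step=30, digits=6):
    """Accept codes from adjacent time steps to tolerate clock drift."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * step, step, digits)
        # Constant-time comparison, and no early exit from the loop.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok
```

Both sides compute the same value independently, so nothing travels over the phone network; the security rests on the shared secret staying private and the accepted window staying small.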
The Android app is not quite so good. It works fine but they haven’t given enough thought to backwards compatibility. I discovered that it was silently broken (not receiving emails) and only an update to the app would fix it. I have auto-updates disabled as that causes way too many problems.
It must be pretty difficult to break something as established as email with a server update. However, unfortunately they’re not using standard protocols.
A Bridge Too Far
In order to use a standard email client with ProtonMail you need to run their custom bridge software to convert their API to IMAP. This normally works fine but it doesn’t exactly feel like a polished piece of software, although it is cross-platform.
It has a very annoying upgrade flow that incessantly bugs you to install the latest version almost every time you open your computer. Also when you get to the end of the installer you can’t close it and have to kill it or reboot. However, since 1.1.0 the upgrade process has improved and pushing 1.1.1 is less disruptive.
Virtual Insanity
The paid options can also come bundled with an upgraded ProtonVPN. The desktop app for this is pretty good and appears much better than the bridge. The VPN is also cross-platform, which is handy because I use all the Operating Systems, although my daily driver is Linux.
There is an Android app for the VPN and this works well too. Both desktop and mobile solutions allow you to make your connection appear to come from a large selection of countries. There is also an optional “secure core” and Tor support but I’m not convinced how much value these add.
Unfortunately, both the desktop and mobile applications have sessions that expire and require you to re-authenticate regularly. This seems like an antiquated option when you are used to OpenVPN and key files.
A VPN is great for when you are on an insecure public WiFi network or don’t trust your ISP or WiFi provider. For example, they may wish to snoop on your data for advertising purposes or you could be connected to a fake hotspot (such as a pineapple) that could steal credentials or inject malware.
If a WiFi network doesn’t have a password (or has a well-known one) then the traffic is trivial to sniff. If you don’t solely use services that have encryption (e.g. websites over HTTPS) then the data is all exposed in plain text. Even if TLS is in use, you may still leak DNS queries unless you secure them too (e.g. DNS over HTTPS using Cloudflare).
Depending on where you travel, a VPN may be essential for accessing certain core services. We are spoilt in the West for having a relatively uncensored internet. However, the blocking of sites we get in the UK is far more extreme in the East and elsewhere.
Tax Doesn’t Have To Be Taxing (but it is)
You may think that a VPN would allow you to access region restricted content, for example BBC iPlayer. Unfortunately, in an antisocial move the BBC block VPN IP addresses, but this is hardly the fault of ProtonVPN.
If, as an honest TV tax / license payer, you want to watch your cash at work while on holiday then you will need to set up a proxy on your home internet connection. A Raspberry Pi is well suited for this role and can also let you block ads while out and about (via Pi Hole) but I’ll write about that another time.
ProtonVPN is purely a backup tool to allow me to do business wherever I am and fortunately I rarely need to use it. A cheap Raspberry Pi takes care of most jobs and you could easily set up the same system on the free tier of AWS or Azure. Get in touch if you’d like a guide written up of how to do this.
Verdict
Unfortunately, I can’t recommend ProtonMail or ProtonVPN at this time. It’s a nice idea but it feels far too much like alpha quality for a (quite expensive) paid service. If you are technically inclined then you could set up your own equivalent services at a much lower cost.