One of the main uses of email is communication with companies. And they won’t have a signal account just to exchange passwords with you

No. Email is just a non-centralized protocol. While not everyone uses it the same way, most normal people never use email to communicate with companies, who are increasingly forcing people to use chatbots anyway. So it's not even a reasonable point to make. Password protected emails are meant to be between people who have an established relationship. If a company needs someone to send them encrypted message, they'll have a platform for that, just like Wikileaks or ProPublica, so you're not making a valid argument about that.

If some Youtuber is someone that does anything privacy-related enough that they should be receiving encrypted emails, their public PGP key should be on their YT profile and you can send them an encrypted message anyway with that. Protocols and methods exist already to accomplish what you're talking about. You need to complain to the Youtuber for not practicing good security and privacy, not to Proton for not creating some mind-reading Diffie-Hellman scenario. Really, do you think that you can just send some random person a message that says "click link to open secret message!" and not expect it to just look like phishing?

If you'd rather use signal, use signal and send them an attachment encrypted with their PGP public key. This isn't hard, I don't even know why you're trying to argue all these weird non-existent edge cases like they're everyday issues.

OK. Well, respectfully, I think it would be beneficial to find out more about how encryption, email servers, and encrypted messaging works. I think you're quite confused about the details here, and just getting a sense of the parts will help you in the long run. People use email differently - I don't use FB, so my main means of communication with family that is not Signal messages is email.

By "just use signal" I mean for sharing a password for a password protected email. Which you should only be sending to people you know already and can coordinate with. You're not sending password protected emails to random people or the government because it's not necessary for the reasons I explained earlier. If someone needs an encrypted message from ANYONE they will provide the method. Otherwise, they don't want encrypted messages and can't be trusted with data that should be encrypted.

Proton is secure, and I know because I had an old account I wanted to get access to and lost access to the recovery email, but had one on the same domain. I spent about a week doing back and forth emails with some guy who was trying to ask me to verify aspects of the account, which was my spam shield and dummy social media account and I hadn't used it for about a year. All he could see, when pressed, was header info: sender/receiver, date, time, ip address, sending agent. All things that are needed to route the message. It ended up being me able to confirm IP address and sending agent and access (I sent an email to my recovery address from an IP in this range on this date, last logged in on on this date, etc.). It was a pain for both of us.

Tuta has no IMAP, vendor lock-in, bad.

Proton has IMAP with extra steps, almost vendor lock-in, bad.

Gmail has IMAP, good. So, we can use it with our own libre app, with GPG, but first we need an account.

Making a new Gmail account is not private. Also, paying for paid Gmail is not private.

sh.itjust.works/comment/208023…

Drunk & Root

2025-09-04 01:38:13

GPG and mailbox.org or anothet "just" email service

Kind of tired of beating the dead horse on that story, but part of privacy is that you need to trust the company that you're dealing with.

He's out there openly praising on authoritarians move to install a puppet government and open the gateway to corporate corruption. If our privacy companies are going to be sneaky and dirty, we want it done in the shadows. All he had to do was stay quiet. But he got noisy, then the PR department started gaslighting, and none of that's a good look for a privacy company.

The thing is, Trump doesn't give two shits about anybody, and the guy running the company should have known this.

But now it's old news, it can die. He can prove that he can run the company by good faith measures and doing the right thing instead of by trying to gaslight people through PR.

You have to trust that:

 They're not logging your IP on their VPN and coorelating it with output traffic.
 They won't dox you to motion pictures houses because of your torrents on their VPN.
 They wouldn't slip you some javascript in their client at the request of a foreign government to dox you without letting you know.

Code in the face of no malice wouldn't be a large worry. They rolled over on a French activist and doxxed them for the French government. Those logs should not have existed in a privacy company.

Again, this is all old news now. Let's see him make hard decisions to protect the clients and turn the PR side of things from "the empire did nothing wrong" to hey, let's have an open dialog.

i don't care about their VPN. the issue you describe is very real, but it's inherit to all vpn providers. what i care right now, is their email service. you can switch vpn providers in less than 15 minutes, but email takes days. so i wouldn't want to go around doing all of that every time some employee says something stupid.

and btw, if you use native installed apps, then the worry of them serving malicious javascript goes way down because any change they make on the complied package would be very likely to be very obvios to someone, because its open source ( i won't go into detail here).

Sounds like you don't know what you are talking about. 😀 That's fine, but unless you know something about the topic, you shouldn't really be judging...

I know exactly who is looking. And I would also know if anyone tampers with the passwords. I guess you don't have the skills, and that's fine. You might even think that there's anything in the world that is totally secure. There's not a single thing that is secure.

Oh, what is this? - forbes.com/sites/zakdoffman/20…