Q: Is email encrypted or private?
A: Let’s take a step back and learn how the web works. Domains point to IP addresses or physical locations. The physical location registers encryption keys with a certificate authority. Then when an email is sent, it looks up what IP address to send it to and the public encryption key. When it gets to that physical location, it’s then unencrypted. So it’s only encrypted in transport.
Q: That’s absurd to only encrypt it server-to-server in transport. Why don’t you register the public encryption key with the domain registrar instead of having the physical location register it?
A: That’s how Session messenger works! Except their “domain registrar” is the blockchain. You assign on the blockchain which public key goes to your name, so the relays (physical locations) are powerless, and you have self-sovereign control. But that’s NOT email! So until you and me can convince these bone head clowns to let us register all our accounts and do all our businesses on Session & Nostr, we’re stuck with email.
Considering you need email to function in society, you have 2 choices. Either blindly trusting Protonmail/Tutanota, or self-host.
Q: What does “self-hosting email” even mean?
A: It means renting a 1 core VPS in a datacenter for under $10 a month, and running open source email software on it. Also once you have the VPS, you can get other use out of it, such as chat (XMPP or SimpleX) and replacing Google docs with Cryptpad. So a VPS doesn’t have to be just email, you can connect VoIP phone lines to XMPP, you can collaborate with all kinds of docs/spreadsheets, and have much more control over all your data. Also your friends and family can use the VPS too. Not only is this economical, but if the communication stays on the same server, it’s even more private.
Q: Why don’t I self-host email in my residential home?
A: Unfortunately, most email providers block messages from homes as spam. So if you host in your house, you can receive email, but you can’t send outgoing. Also then people will know where you live just by seeing your domain.
Q: So Protonmail is NOT encrypted?
A: As we just discussed above, ALL email uses TLS (transport only). TLS gets unencrypted when it arrives at its physical location. Protonmail then claims to encrypt this after they scan it for spam. But this is a conflict of interest as they are encrypting it to protect from themselves.
Q: What are the advantages of self-hosted VPS email over blindly trusting Proton?
- More control and privacy.
Proton is running the software, compared to you running the software. This means there is no passive surveillance. There is no AI scanning. The only time your emails would be read is with an active court order. Even if there’s a court order, whatever you deleted in the past would remain deleted.
Think of this with the analogy of renting your own private condo, compared to using someone’s bunk bed, for free, in a tiny room jammed packed with other roommates masturbating. Yes in both cases the landlord can get to what’s stored in the room, but with your own condo, it’s kept hidden until he takes serious action.
2. Proton is the target for thousands of court orders a year.
Just by using them and wanting to be “private”, you’re a heavily scrutinized target. It’s no effort to automate the court order process for them. In comparison, to when you run the services yourself, it’s a bigger time commitment and costs more money to get data from that VPS.
Yes, if it was truly critical to law enforcement they can get it. But they have to first win over this unique and different VPS company in a different country. Then the VPS company has to find an IT guy who knows how to snapshot memory and retrieve emails from your particular unique email software. Remember, that each self-host is using different software, which is all adding more cost to get to. I’m not saying it’s impossible, I’m saying it costs money and time. Which completely kills passive surveillance, and is likely not worth it unless its real serious. Compared to Proton, where it’s all automated.
3. Proton hands over many thousands of emails a year, and the number is exponentially growing. If it’s all encrypted, why does law enforcement want it so bad?
4. Proton is slow as shit on Tor and restricts Tor signups. They want you to have an email already to sign-up. They don’t understand Tor Onions don’t need httpS encryption, so the Onion is so slow its unuseable.
5. If you’re going to use Proton, do a free burner. Why would you pay money to Proton, when you can have a VPS for nearly the same cost, and then get all this extra functionality on it? Such as chat or docs?
The real benefit to your own VPS is beyond just email. You can have your own website. Your chat completely under your control, as opposed to just blindly trusting some random XMPP server or the SimpleX developer servers. Replace Google docs with CryptPad with solid encryption and convenient file sharing and collaboration.
6. Branding and security for your small business.
If you have your own domain, people take you more seriously. But if you point your domain to Proton, you give up your autonomy. If you have your cloud collaboration docs on secure end-to-end encrypted Cryptpad, your clients collaborating on documents with their data will love the secure and professional treatment of their data. Compared to using public free infrastructure that makes your brand look homeless.
If you want save yourself time and hassle, consider Simplified Privacy’s VPS combo pack of Email, Chat (XMPP/SimpleX), and collaboration docs (Cryptpad) all on 1 single low cost VPS. This perfect for your small business to get cheap and reliable tech support, and look professional and secure to your clients. See screenshots and learn more here.