Stop Using Encrypted Email
This provocative post, Stop Using Encrypted Email, came in the middle of my current migration away from Protonmail to self-hosted email, contacts, and calendar.
I've used Protonmail for 2-4 years now, and have been a full supporter of their product and vision. Unfortunately, their development velocity has been extremely slow; features and products (especially Calendar) have fallen months and years behind, often launching with barely the feature set or reliability to be considered alpha, let alone a public release.
In addition, the above post goes into how Protonmail, along with other encrypted email schemes, primarily plays into the desire of users to LARP (live action role play) encrypted communications, rather than actually making email thoroughly secure.
As a primary example, consider the ways (the list below is from the above post) in which a secure messaging app like Signal is unarguably more secure than the best encrypted email.
- If messages can be sent in plaintext, they will be sent in plaintext.
- Metadata is as important as content, and email leaks it.
- Every archived message will eventually leak.
- Every long term secret will eventually leak.
In contrast, Signal addresses all of the above problems with encrypted email by default, making it safer and more secure for all communications.
I certainly feel more confident in phasing out my use of Protonmail, though I will continue to use their password-protected and expiring messages when required to send scans of government documents to insurance companies, for example, when I don't want a scan of my passport living on their servers forever. This feature works outside of the standard email protocol, which makes it an exception to the above list (and also too inconvenient to ever consider using every day for all messages).