Tag: ProtonMail review

  • Is ProtonMail Safe? 6 Hidden Risks of ProtonMail and ProtonVPN Exposed


    As much as Proton tries to market itself as a foundation, they are no different from a big corporation when it comes to profits and marketing. Let me give you some examples of this:

    • They lure paying users with steep introductory discounts available for new customers only, and prices surge significantly after the first year. This “bait-and-switch” tactic leaves many users facing renewal rates 2-4x higher.
    • Posts in ProtonVPN’s official subreddit are not visible without moderator pre-approval, and they frequently remove critical comments under vague pretexts like being off-topic or already posted. This creates an echo chamber where positive experiences dominate.
    • Proton pays money to influencers to promote some of their services; the pay-per-signup model leads to biased endorsements.

      Reference: YouTuber “The Hated One” Exposes Proton’s Shady Tactics: In his November 2025 video, he reveals Proton offered him $70 per signup to shill their services—but after rejecting the deal and requesting a CEO interview instead, Proton ghosted him completely, ignoring all follow-ups.
    • ProtonMail has cooperated with law enforcement in several documented cases, handing over the recovery email address you enter when you open your account with them. Proton is fully aware that the recovery email is not encrypted and is handed over when they are subpoenaed. They justify themselves by saying that the user entered it, but the fact is that they know about this security hole and do nothing to address it.

      Reference: Encrypted services Apple, Proton and Wire helped Spanish police identify activist
    • Swiss privacy laws are comparable to those of the European Union; you are not safer because Proton is based in Switzerland instead of Germany. As an example, in 2021 ProtonMail was forced by a Swiss court to do real-time IP logging of a French climate activist occupying buildings.

      Reference: ProtonMail Gives Up Logs on User, Then Scrubs Website of No IP Logging Claims
    • And finally a politically charged argument: Proton announced on their X account that they had donated $100,000 to the Palestinian Red Crescent right when Israel was defending itself from Islamic terrorists. As a European who stands 100% behind Israel, this feels like a betrayal. I want my money to be spent aiding Israeli civilians and not on Gaza under Hamas control. I won't be supporting any company that gives money to Gaza.

  • Review encrypted email service ProtonMail


    ProtonMail is a Switzerland-based privacy email provider. The company stores your data encrypted on their servers and they claim that computer IPs used to connect to the account are not logged. I looked at the email headers after sending myself a test message and I could see that ProtonMail does not include the sender’s IP inside the email metadata.
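The header check described above can be repeated on any saved raw message. The following is an added example, not code from the original review or from ProtonMail: it flags a sender address in `X-Originating-IP` or in the first-hop `Received` header. The sample messages, host names and the `provider_nets` parameter are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")  # IPv4 only, for brevity
FROM_CLAUSE_RE = re.compile(r"from\s+(.*?)\s+by\s", re.S | re.I)

def sender_ip_exposure(raw_message, provider_nets):
    """Return (header, ip) pairs exposing an address outside provider_nets."""
    nets = [ipaddress.ip_network(n) for n in provider_nets]
    msg = message_from_string(raw_message)
    candidates = [("X-Originating-IP", v) for v in msg.get_all("X-Originating-IP", [])]
    # Each relay prepends its Received header, so the last one in the message
    # is the first hop: the server that saw the sender's own connection.
    received = msg.get_all("Received", [])
    clause = FROM_CLAUSE_RE.match(received[-1].strip()) if received else None
    if clause:
        candidates.append(("Received", clause.group(1)))
    findings = []
    for header, text in candidates:
        for token in IPV4_RE.findall(text):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                continue  # dotted number that is not a valid address
            if not any(ip in net for net in nets):
                findings.append((header, str(ip)))
    return findings

# Constructed sample: a provider that records the submitting client's address.
LEAKY = """\
Received: from out.mail.example (out.mail.example [198.51.100.20])
    by mx.recipient.example with ESMTPS; Mon, 1 Jan 2024 10:00:02 +0000
Received: from [203.0.113.7] (helo=laptop)
    by out.mail.example with ESMTPSA; Mon, 1 Jan 2024 10:00:01 +0000
X-Originating-IP: [203.0.113.7]
From: alice@mail.example

hello
"""
# Constructed sample: only the provider's own relay appears in the headers.
CLEAN = """\
Received: from out.mail.example (out.mail.example [198.51.100.20])
    by mx.recipient.example with ESMTPS; Mon, 1 Jan 2024 10:00:02 +0000
From: alice@mail.example

hello
"""
PROVIDER_NETS = ["198.51.100.0/24"]  # assumed: the provider's outbound relays
```

An empty result only shows that the delivered headers carry no client address; it says nothing about what the provider logs on its own servers.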

    When you first open up an account (took me a few days to get an invite), you will be asked for two different passwords: one is the email login password and the second one, not known to ProtonMail, is the password used to encrypt email messages in your browser before uploading them to the server. There is no password length check or anything forcing people to use a complicated passphrase to stop new users from being negligent and making up a short guessable pass.

    I also noticed that there is no automatic logout. You can easily forget about logging out of your account on a public computer and the person behind you could get access to your account two hours later.

    Encrypted Swiss email service ProtonMail

    If you correspond with other ProtonMail users, encryption is end to end and messages never leave the ProtonMail server network. They will not travel the Internet, where encrypted messages could be intercepted by the NSA international fibre optic cable wire-tapping operation to attempt postliminary cracking with their supercomputers.

    To interact with an external email account, like Gmail, you have the option to send the message in clear text, with no protection at all, or send a password protected link that the receiver will have to click on to read the message directly from ProtonMail encrypted servers. The link can be set to expire after just a few hours or two weeks; the message will no longer exist once the expiration date is reached.

    There are a few weaknesses to sending emails in this fashion. One is that you will need to transmit the password to the other party; this will slow you down and is open to interception. Another security weakness is that there isn’t any kind of brute force protection, and after somebody has read the message it will not be automatically self-destroyed as it should be. I could not see any counter on the page letting you know if the message has been previously displayed before you read it.
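The controls the paragraph above finds missing (a limit on wrong passwords, self-destruction after reading, and a counter of earlier views) can be sketched alongside the expiry the service already offers. This is an added example, not ProtonMail's code or design: it assumes the server verifies the link password itself, and the class name, limits and return values are hypothetical.

```python
import hashlib
import hmac
import os
import time

class ProtectedMessage:
    """One password-protected link as a server could track it (illustrative)."""
    MAX_FAILURES = 5        # constructed policy value
    KDF_ROUNDS = 200_000    # constructed value; tune for your hardware

    def __init__(self, body, password, ttl_seconds, burn_after_read=False, now=None):
        start = time.time() if now is None else now
        self.salt = os.urandom(16)
        self.verifier = self._derive(password)   # only a salted KDF output is kept
        self.body = body
        self.expires_at = start + ttl_seconds
        self.burn_after_read = burn_after_read
        self.failures = 0
        self.views = 0

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, self.KDF_ROUNDS)

    def open(self, password, now=None):
        """Return (status, body, prior_views) for one attempt to read the link."""
        now = time.time() if now is None else now
        if self.body is None or now >= self.expires_at:
            self.body = None                      # expired or burned: drop content
            return ("gone", None, self.views)
        if self.failures >= self.MAX_FAILURES:
            return ("locked", None, self.views)   # brute-force guard
        if not hmac.compare_digest(self._derive(password), self.verifier):
            self.failures += 1
            return ("denied", None, self.views)
        body, prior = self.body, self.views       # prior views are shown to the reader
        self.views += 1
        if self.burn_after_read:
            self.body = None
        return ("ok", body, prior)
```

A hard lockout lets anyone who holds the link deny the real recipient access by guessing five times, so a production design would more likely throttle attempts and notify the sender.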

    The good part of sending email messages with password protected links is that the receiver only needs JavaScript enabled in their browser to be able to read them and that the messages can’t be scanned en route.

    ProtonMail’s settings and compose screens are simple but enough to get the job done. I appreciated a button to permanently delete the account and all messages; regrettably, this did not work for me when I tried it. It would do nothing when I clicked.

    ProtonMail’s security model is based around owning their own hardware, storing it offshore outside USA and European Union laws, and fully encrypting their disks with the decryption keys split between various individuals. Server integrity checks detect illicit changes in the software, like somebody installing a key logger, but those checks cannot stop a hardware keylogger in the data center. Since data is encrypted by the user’s browser, though, the most an unauthorised third party could do is monitor computer IP connection logs.

    This is an easy to use email service, perhaps the only free email service that claims to keep no user logs. The company implements well known open source crypto libraries and they claim to be audited by computer security staff at CERN (European Center for Nuclear Research). The only problem I have with ProtonMail is that there isn’t a built-in system to send messages with your own PGP keys; this is the main reason why I can’t use them as my primary email provider.

    PGP is the default standard for email encryption and I can’t ask anybody to stop using PGP encryption keys and switch to a ProtonMail account for JavaScript OpenPGP encryption. Ideally, my perfect encrypted email provider must be able to import a PGP key from one of my friends and use it to secure data.
