Secure Email Questions

Jerry1
I've started to tighten up my overall internet security and one of the things I want to do is use a better/more secure email for my financial interactions - Fidelity and my Credit Union and possibly things like my utility bills. In my research, I've come across Proton Mail and it seems good but I have a few questions on their plans.

I'm looking at a plan that cost about $4 per month and it has the following benefits, a few of which I don't fully understand. Hoping someone here might be able to help.

  • 15 GB storage
    No problem here. I understand storage


  • 1 user
    I understand one user, but I'm wondering if that would keep me and DW from using the same account? I don't see how it would. Since our finances are all combined, we would only need 1 email address. Similarly, today, we just use one gmail account to both logon to Fidelity.



  • 10 extra email addresses for you
    So I get that it lets you create 10 different email addresses. So, similar to above, wouldn't this allow me and DW to share a main account and still have a different address for some of our personal stuff like say our general personal correspondence?


  • Support for 1 custom email domain
    I have no idea what this is. I know what a domain is. Does this mean I could have an address like Bubba@mylastname.com? And then have other addresses at XX@mylastname.com?


  • Unlimited folders and labels
    I understand this one.


  • 10 hide-my-email aliases
    I kind of understand this one but I'm wondering how this is typically used. I'm guessing it wouldn't be much use to me in this case because I wouldn't be using this account to sign up for things like garbage web sites. I'd just use my junk gmail account for that.


  • Priority customer support
    I guess if you pay a little bit you get better support. I doubt I'd ever need email support but whatever, I get it.
Any help would be appreciated. TIA.
 
I've used that one (Proton Mail Plus) for a couple of years now, and I like it. I don't use a lot of the extra features, but as a basic email client it has been very good.
I still use Apple Mail as my basic account for most things, and have always been happy with it. I have a seldom used Gmail account as well.
I think it's good to have more than one.
 
I've started to tighten up my overall internet security and one of the things I want to do is use a better/more secure email for my financial interactions - Fidelity and my Credit Union and possibly things like my utility bills. In my research, I've come across Proton Mail and it seems good but I have a few questions on their plans.
  • 10 extra email addresses for you
    So I get that it lets you create 10 different email addresses. So, similar to above, wouldn't this allow me and DW to share a main account and still have a different address for some of our personal stuff like say our general personal correspondence?


  • Support for 1 custom email domain
    I have no idea what this is. I know what a domain is. Does this mean I could have an address like Bubba@mylastname.com? And then have other addresses at XX@mylastname.com?

Yes -- you will be able to send and receive email from something like Bubba@mylastname.com and XX@mylastname.com.

Note that the actual "mylastname.com" domain is already taken (i.e., registered to someone else), so you would have to come up with something unique and "purchase" it (really lease it) from a domain registrar.

Typical rates for domain registration are on the order of $15/year.

This page at Proton talks more about it.

-gauss
 
Oh. So I’d have to own mylastname.com and then I could use their service as an email server. I’m not going to do that. Plus, my actual last name dot com is already taken. I tried to acquire it early on but I didn’t get it.
 
I like aliases. I'm using unique ones for my financial accounts. I send those emails to their own folders. I do forward subscriptions to a folder using their own alias. I'm not sharing the new email with them. FWIW I use Tuta which is pretty similar to Proton.
 
Tuta got good reviews in my research.

Can you describe how an alias works? Assume I set up a new email at proton. Call it main_email@proton. What would I do to use an alias at Fidelity? Would the system set up some random address and then forward everything to me sent to that address? I’ve heard my daughter talk about this but never really paid attention or tried to use one.
 
The only way you have secure email is to use GnuPG and create a public and private key pair. Encrypt it before it leaves your machine. The other party also must create a key pair and you must exchange public keys. Use an email client like Thunderbird that has encryption built into it that can use GnuPG.

GNU Privacy Guard

Thunderbird
 
I always assume email is visible as it travels across the internet.

For secure email, I use the web site secure messaging, built right into message centers at various brokerages and banks. Otherwise I don't consider it safe to send confidential info, like account numbers. I'd never send password to anyone.

I've had employees at various places tell me to just email it. Amazing how even at financial institutions, the help folks are ignorant of how email is not safe.

I do have my domain names, so unlimited email addresses.
 
I always assume email is visible as it travels across the internet.

For secure email, I use the web site secure messaging, built right into message centers at various brokerages and banks. Otherwise I don't consider it safe to send confidential info, like account numbers. I'd never send password to anyone.

I've had employees at various places tell me to just email it. Amazing how even at financial institutions, the help folks are ignorant of how email is not safe.

I do have my domain names, so unlimited email addresses.
I’m not so worried about my communication being secure. Frankly, I don’t correspond with Fidelity that way. What I’m worried about is having my accounts associated with my gmail account. It seems like too easy a path to my financial accounts if my main gmail account gets hacked. I’m looking for some separation for my financial accounts.
 
Tuta got good reviews in my research.

Can you describe how an alias works? Assume I set up a new email at proton. Call it main_email@proton. What would I do to use an alias at Fidelity? Would the system set up some random address and then forward everything to me sent to that address? I’ve heard my daughter talk about this but never really paid attention or tried to use one.
You can be JerrySmith@proton.me but make an alias at Proton and tell Fidelity that is your new email. You could even use a random string of characters like sikduje837394994@proton.com. If you get some alarming Fidelity email but it is sent to the wrong main email name, you will know it is spam. It sounds like you plan to restrict the use of your proton email, so you may not get spam or phishing email.
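The practice described in this reply (one random alias per institution, with mail that claims to come from the institution but lands on any other address treated as a tell) can be turned into a mechanical triage rule. The following is an added example and is not code from the thread or from Proton or Tuta; the mailbox domain, the aliases, the sender domains, the Authentication-Results stamps and the sample messages are all constructed for the demonstration.

```python
"""Per-service email aliases as a phishing tell.

Added example, not from the thread or from any provider.  Each institution
is handed its own random alias.  A message claiming to come from that
institution but delivered to any other address cannot be genuine, because
the institution never learned the other address.  Everything below
(domain, aliases, sender domains, sample messages) is constructed.
"""
import email
import secrets
from dataclasses import dataclass
from email.utils import getaddresses, parseaddr

MAILBOX_DOMAIN = "example.com"  # hypothetical stand-in for the provider's domain


@dataclass(frozen=True)
class Binding:
    service: str
    sender_domains: frozenset  # domains the service legitimately sends from
    folder: str                # where legitimate mail on this alias is filed


# Constructed registry: which institution each alias was handed to.
# An empty sender_domains set marks the personal address: anyone may write to it.
REGISTRY = {
    "9f3c1a7e2b6d4c08@example.com": Binding("Brokerage", frozenset({"brokerage.example"}), "Finance/Brokerage"),
    "4b2e8d11c7a0f935@example.com": Binding("Credit Union", frozenset({"cu.example"}), "Finance/Credit Union"),
    "jerry@example.com": Binding("Personal", frozenset(), "Inbox"),
}


def new_alias() -> str:
    """Fresh, unguessable alias for the next institution you sign up with."""
    return f"{secrets.token_hex(8)}@{MAILBOX_DOMAIN}"


def sender_domain(msg) -> str:
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def delivered_alias(msg):
    """First recipient address that is one of our registered aliases, or None."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Delivered-To", [])
    for _, addr in getaddresses(headers):
        if addr.lower() in REGISTRY:
            return addr.lower()
    return None


def dmarc_passed(msg) -> bool:
    """A forged From: header fails DMARC at the provider; trust that stamp, not the header alone."""
    return any("dmarc=pass" in v.lower() for v in msg.get_all("Authentication-Results", []))


def triage(raw_message: str) -> tuple:
    """Return (verdict, folder) for one RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    alias = delivered_alias(msg)
    if alias is None:
        return "unknown-recipient", "Quarantine"
    binding = REGISTRY[alias]
    dom = sender_domain(msg)
    claims_service = any(dom in b.sender_domains for b in REGISTRY.values())
    if not binding.sender_domains:                     # personal address
        # The institution only ever learned its alias; mail "from" it here is the tell.
        return ("phish", "Quarantine") if claims_service else ("ok", binding.folder)
    if dom not in binding.sender_domains:              # alias leaked, sold or guessed: rotate it
        return "alias-compromised", "Quarantine"
    if not dmarc_passed(msg):                          # right domain, but the header may be forged
        return "suspect", "Quarantine"
    return "ok", binding.folder


# Constructed sample messages.
LEGIT = """From: Brokerage Alerts <alerts@brokerage.example>
To: 9f3c1a7e2b6d4c08@example.com
Authentication-Results: mx.example.com; dmarc=pass header.from=brokerage.example
Subject: Your statement is available

Log in to view your statement.
"""

PHISH = """From: "Brokerage Security" <alerts@brokerage.example>
To: jerry@example.com
Authentication-Results: mx.example.com; dmarc=fail header.from=brokerage.example
Subject: Urgent: reset your password now

Click here within 24 hours.
"""

LEAKED = """From: Deals <deals@marketing.example>
To: 4b2e8d11c7a0f935@example.com
Authentication-Results: mx.example.com; dmarc=pass header.from=marketing.example
Subject: Special offer

Your credit-union alias has been passed on; time to rotate it.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("phish", PHISH), ("leaked", LEAKED)):
        print(name, triage(raw))
```

The address-based rule is deliberately independent of the DMARC check: a lookalike mail to the personal address is flagged even when its From: domain is forged well enough to pass other heuristics, and a real sender domain on an alias it was never given tells you the alias itself has been leaked and should be replaced with `new_alias()`.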
 
The only way you have secure email is to use GnuPG and create a public and private key pair. Encrypt it before it leaves your machine. The other party also must create a key pair and you must exchange public keys. Use an email client like Thunderbird that has encryption built into it that can use GnuPG.

GNU Privacy Guard

Thunderbird
Proton has a solution
 
I don't think your method solves the metadata problem. Also vulnerable to future quantum computing.
 
The only way you have secure email is to use GnuPG and create a public and private key pair. Encrypt it before it leaves your machine. The other party also must create a key pair and you must exchange public keys. Use an email client like Thunderbird that has encryption built into it that can use GnuPG.

GNU Privacy Guard

Thunderbird

I have been aware of PGP and the likes for probably 30 years. The tools at the time always seemed to rely on the other individual using the same email setup, i.e., it seemed more like a point-to-point solution.

Rolling forward 25 years, do business entities support this yet? I.e., can I register my GnuPG public key with Fidelity and they would encrypt my email before sending? If so, that would be a big win that has been below my radar.

Thanks in advance for any update on this.

-gauss
 
I have been aware of PGP and the likes for probably 30 years. They always seemed to rely on the other individual using the same email setup, i.e., it seemed more like a point-to-point solution.

Rolling forward 25 years, do business entities support this yet? I.e., can I register my GnuPG public key with Fidelity and they would encrypt my email before sending? If so, that would be a big win that has been below my radar.

Thanks in advance for any update on this.

-gauss
I wish they would but they don't. If you are using the Fidelity web portal, that is secured with browser encryption and optional 2FA.
 
I don't think your method solves the metadata problem. Also vulnerable to future quantum computing.
Almost all public-key systems could be quantum-vulnerable. There are people working on that now to make public-key systems quantum resistant. If you want quantum secure, use AES256 or a One Time Pad (OTP). Neither of these is public key, so you have to exchange keys through a secure channel. Only the OTP is totally unbreakable and quantum unbreakable.
 
I wish they would but they don't. If you are using the Fidelity web portal, that is secured with browser encryption and optional 2FA.

Thanks for the confirmation on this.

Back in the day, I kind of knew a guy, professionally, who went on to become a grad student of Gene Spafford. I always thought it would have been cool if I could have gotten my key signed by Spaf.

-gauss
 
I wish they would but they don't. If you are using the Fidelity web portal, that is secured with browser encryption and optional 2FA.
Email is inherently insecure, which is why Jerry1 and Fidelity don't use it for secure communication. I'm assuming that Jerry1 gets communications from Fidelity like the ones I have had from my brokers over the years: routine messages telling you that a transaction has executed or that a statement is available and that you need to log in to see the actual details. On occasion there might be a message about a password reset. I don't want that going to an email address known to every marketer and spammer on the internet.

Proton has an end to end encryption option for people who like that. I like their other secure email option. You do have to trust Proton but the recipient gets an email with a link to the Proton message. There is no metadata connecting me.

Is there any practical use for encrypted email? I think that's the point gauss was making. Businesses won't use it and, for me at least, there is no interest among actual people whom I might email.

FWIW, Tuta says that they have post quantum cryptography.
 
Nothing wrong with getting an email to sign into a secure web site to see the message. I just wish that the email that gives you that notification was encrypted with GPG as well.

My point is if anything leaves your machine in the clear then you are trusting another party with your info.

It may not bother you to send personal email in the clear. I just think any data is precious and needs to be protected, because the Internet is forever. Encryption with signing also provides protection against your message being altered or replaced without your knowledge; it defeats a man-in-the-middle attack.
 
Defense-in-Depth (DiD).

There are tradeoffs. Adding email account(s) requires more admin time. Gmail performs better than our other email accounts in weeding out the bad stuff. But a new account will certainly isolate the use cases for you.

FWIW, I segment my use cases by provider: gmail, comcast, yahoo. Your actual password and other security layers provide additional DiD.

A password manager is another layer. You can store very long passwords or security keys, and actually manage them in a rational way.

There will be failures, and you may want to look at what backbones are used by your providers.
 
I've been a customer of Proton for almost 10 years. It's excellent and really good at stopping spam emails before they hit my inbox. I own my own domain and have my proton account integrated with my domain hosting provider. I created one email account for the vast majority of purchases & services, another email account for my financial services needs, and a third account for family & friends. When I'm traveling, I religiously use Mullvad's VPN service on my laptop & phone.

I use my desktop browser when home for accessing emails. When I'm away from home, I use the Proton Android client. They just released a new version of the Android client this week that can now secure my account with hardware security keys for 2FA, along with other new features. Overall, Proton's been great for me.
 
Nothing wrong with getting an email to sign into a secure web site to see the message. I just wish that the email that gives you that notification was encrypted with GPG as well.

My point is if anything leaves your machine in the clear then you are trusting another party with your info.

It may not bother you to send personal email in the clear. I just think any data is precious and needs to be protected, because the Internet is forever. Encryption with signing also provides protection against your message being altered or replaced without your knowledge; it defeats a man-in-the-middle attack.

Even if Fidelity encrypted the email, doesn't the fact that you are getting email from them make it obvious that you have an account? It may not bother you but I think it would be better if they just sent a notification through an app.

Tuta, Proton and others let you send encrypted email from the app. My problem is my receivers. The folks I still email in 2025 are not at all tech savvy. There's little hope of getting them on board. Communication with others is through messaging apps. Some more secure than others.

To Target 2019's point, my Outlook account gets a tremendous amount of spam but also newsletters I want. I am gradually creating rules to forward some email to my new account.
 