in security Technology ~ read.

Replacing Gmail: Protonmai, Tutanota and Mailbox.org

I've been interested more and more lately with replacing Gmail.  It's actually pretty difficult to do since the entire suite of Google products does quite a bit but one thing I'm interested in lately is subscribing to services that do not mine my data or do not use my engagement with their platform to better run ads against.  Don't worry, the irony of a marketing analyst not wanting ads run against them is not lost on me.

I started researching different email providers and I had a few criteria.

  • Secure
  • Two-Factor Authentication
  • Usability

These were really all that it comes down to.  I tried several services.  

  • Protonmail
  • Tutanota
  • Mailbox.org

Protonmail

Protonmail is one of the most popular suggestions when you start researching alternatives to gmail.  It was featured on Mr. Robot and gained a following associated with cryptofans and people of varying security needs.  

A couple of selling points featured heavily are that they are A) located in a bunker in Switzerland and B) End to End encrypted.  

Protonmail is great if your primary concern is the privacy of your communications between other members of a community that is concerned with the privacy of their communications.

My use case and threat model are slightly different than Protonmails.  99% of the people I need to communicate with are on free emails and nobody is interested in clicking a link to decrypt a message I sent.  True story, in testing these my wife responded to an encrypted email I sent to her with "Who do you think you are, James Bond?"

Protonmail is actually great though, I wasn't too bothered about the inability to have IMAP support since the iOS app is smooth.  The downside for me, as I eventually found, was the price.  It is about 5x the price of the next two I treid.

Tutanota

Tutanota is a secure email provider located in Germany with a heavy emphasis on privacy and security.  Browsing the site you get the feel that they are a lean company that is heavily engaged with their audience with consistent posts on social media and an active update calendar.  These are great signs.

Another awesome thing is their 2FA capability.  Tutanota support U2F which means you can elevate your security game with a hardware security token.  

At about $1 a month, I thought I had found my service.  Except there were a couple of things that sort of made it difficult for me to jump in headfirst.  

The iOS app is slow.  As in it lags and loads and generally takes a long time.  As I went back and forth between the Tutanota app and Protonmail app I longed for a Tutanota app that was as quick as the Protonmail app.  If they supported IMAP I could get past this and use a different mail client but I just can't live with slow loading apps in 2019.

If this were the only thing, I could probably live happily ever after with Tutanota, but there were just a lot of extra features, I realized, that I could also have at a similar price point.

Mailbox.org

I am not sure where I first heard about Mailbox.org but and my wife was getting very tired of me changing my email address every 3 days so it was coming down to the wire.  

Mailbox.org is an email provider based in Germany that emphasizes privacy but also provides a suite of other products.

Cost

For about $1 a month you get 2GB of email storage and 100MB of cloud storage that can be used across their Google Drive competitor (think spreadsheets, documents, etc).  They also offer a CalDAV calendar and a contact book.

At this point I'm starting to think that this is something that can completely carry me off the Google ecosystem.

2FA

But let's talk 2FA for a moment here.  Mailbox.org, you have some odd 2FA practices.  Their 2FA is sort of like combining both of the F's into 1.  In that if you want to use a TOTP or a hardware security key, you have to type a pin+TOTP into your password field upon logging in.  So both factors are completed in one step...which is fine but not the best.  I would love to see some U2F support out of Mailbox.org to elevate it. Also the password you create when you first start the account is now used as the general purpose APP password for your iDevices and other things that aren't as 2FA friendly.  This is less than desirable because you are reusing the same app password that grants the same scope to pretty much every app.  This was almost enough to make me move on.

Encrypted Mailbox

However we get to encrypted mailbox.  Mailbox.org allows you to have an encrypted mailbox so that even if an attacker is able to access your account by, let's say entering your app password into a mail client, your entire inbox is encrypted with PGP.  Since my threat model is more about random hackers and less about targeted state attacks, I can sleep soundly knowing that even if someone manages to breach my account, they'll be greeted with a series of messages that are encrypted with my private PGP key.  The only thing they can see would be the sender and the subject, which for me is perfectly fine.

You might wonder, if your inbox is encrypted, how does that work with iOS?  As you might expect, yes just IMAPPing your account on your phone will result in you receiving a bunch of encrypted emails meaning you cannot use default apps to receive your emails unless you like copying and pasting attachment contents into a PGP decrypter with your key.

This is where Canary comes in.  Canary is an app for iOS and MacOS that allows you to store your PGP key locally so that it can decrypt your incoming messages on the fly.  You can now read the contents of your encrypted inbox on your phone.  They also have a desktop client but Thunderbird accomplishes the same thing and is free so I tend to just use that.

Disposable Emails

Another awesome feature is disposable emails.  While they do offer plus-aliasing and catch-alls on custom domains that you can use for sorting and cataloging your inbound emails, sometimes you may be required to provide an email to a less-than trustworthy site.  In these instances, Mailbox.org lets you create a disposable email address that is good for 30 days that funnels emails back to you.  

Productivity

I mentioned the calendar and spreadsheet apps briefly but it truely is a selling point in my opinon.  When you log in to the web client you are seated at a hub containing snapshots of your inbox, calendar, tasks, appointments, storage quota and a few other items you can customize.  The ability to quickly see everything at a glance is very nice and prevents me from having to open up multiple windows to parse through my day.

Conclusion

In the end I opted for Mailbox.org.  The wide range of products offered with the confidence instilled in their combination of encrypted inbox/multifactor authentication along with the great pricing made it an easier choice.  I still have love for Tutanota because I am behind the spirit of what they are doing 100% so I'll keep my paid account with them for a while but for getting things done and general productivity I am optimistic I have found my workhorse.