I wish we had better words to describe encryption and the specific tradeoffs of each approach. I did not know purelymail, but knowing IMAP I had a gut feeling that things were a bit more complicated than a blanket "fully encrypted on their servers".
Sure enough, reading between the lines of their documentation they can pretty much decrypt any email on an account by just using the password given by the client when connecting to their IMAP server. Since most clients either connect regularly to fetch emails or maintain a long-lived connection to the server, they can pretty much decrypt anything, any time. So it's back to trusting them just like it emails were stored in plain text.
I don't want to pick on this small player, I applaud their effort in pushing email forward, but I have enough with companies using encryption to handwave security concerns. A big example of that is Apple iCloud.
Well said. In their docs they actually call out this exact issue, and mention that they'd like to improve it in the future, but it would require significant work and that's not necessarily worth it for them.
It would be nice to see a lot of competing small-fry players innovating in the email space. In an ideal world, I could just shop around between mail providers with my domain and pick whichever option provides the best price:features ratio for my needs. I was pretty keen on Proton for a while but they're diving deep in the VPN space, and their approach to encryption makes it nearly impossible to use them with simple mail apps like K9 and Apple Mail.
Much like the browser space, it's not healthy for Google to run a near-monopoly of email. We need a healthy number of alternatives out there so they can't push consumer unfriendly standards and creep more and more advertising into their email product.
There are a couple of players in town, namely MXRoute and Migadu (that I know of). The only thing that keeps me off switching to them is, well, bus factor and support. I was on Proton too, and the encryption finagling is what made me switch to Fastmail. Unfortunately for most people, Google IS the internet.
I wish we had better words to describe encryption and the specific tradeoffs of each approach. I did not know purelymail, but knowing IMAP I had a gut feeling that things were a bit more complicated than a blanket "fully encrypted on their servers".
Sure enough, reading between the lines of their documentation they can pretty much decrypt any email on an account by just using the password given by the client when connecting to their IMAP server. Since most clients either connect regularly to fetch emails or maintain a long-lived connection to the server, they can pretty much decrypt anything, any time. So it's back to trusting them just like it emails were stored in plain text.
I don't want to pick on this small player, I applaud their effort in pushing email forward, but I have enough with companies using encryption to handwave security concerns. A big example of that is Apple iCloud.