But you just posted the following quote from their website, which is clearly misleading. Imagine a non-technical user reading this, and trusting secrets to ProtonMail.
With Proton Mail, emails are encrypted at all times, so we can never access your messages. The content of your emails is encrypted on your device before being sent to our servers, meaning only you and your intended recipient can decrypt it.
Not PGP (see footnote in article). PGP is actual E2EE. Rather this is about services such as ProtonMail that don’t make the difference clear enough
Here is a reference from ProtonMail: https://proton.me/support/proton-mail-encryption-explained
The email is encrypted in transit using TLS. It is then unencrypted and re-encrypted (by us) for storage on our servers using zero-access encryption. Once zero-access encryption has been applied, no-one except you can access emails stored on our servers (including us). It is not end-to-end encrypted, however, and might be accessible to the sender’s email service.
This is exactly what this article addresses. ProtonMail does NOT encrypt on the client side unless you use PGP or email other ProtonMail users. Imagine sending an email to a gmail user. To actually send the email, ProtonMail’s servers have to read the full un-encrypted contents to post over to Gmail’s servers. The gmail user, and by extension Google, has full access to the email’s contents unencrypted.
This is not disputed by ProtonMail, but unfortunately they hide it behind secondary pages on their website. It’s not just ProtonMail either, but really all E2EE email services
I know it seems paradoxical, but the argument is all email is unencrypted anyways! It’s only encrypted after being seen by the server, at the provider’s word. So just like unencrypted email, a server vulnerability can leak your emails even in a service like ProtonMail (Well, unless using PGP or in-platform encryption which is very rare). To me this is misleading to the everyday user and a really dangerous issue that I want to bring more attention to
I agree, the article could be clearer and I think the blanket statements made about encryption by these service can be dangerous to users who may not understand what PGP even is