ProtonMail can only guarantee E2E encryption without PGP if you are sending email to another ProtonMail user. I don't know if Skiff also offers this special kind of encryption. Either way, they should be more upfront about the level of privacy they can offer.
I had a read of Skiff's page on E2EE. It is very carefully worded and, from a skim read, is not upfront about the fact that un-PGP'd email sent and received through Skiff can be read by Skiff.
https://skiff.com/blog/end-to-end-encryption-email
Oh, one more thing. Skiff's SMTP server (inbound-smtp.skiff.com) is running on AWS in the United States which means it will be beholden to US warrants. Skiff does not have a warrant canary. Getting big Crypto AG vibes from this.
> All emails between Skiff users are end-to-end encrypted, including both subject and contents. External mail is encrypted with your keys on receipt, keeping it private.
Additionally, Proton Mail uses OpenPGP internally, so Proton-to-Proton messages are always protected by PGP. Even for external messages, contacts don't necessarily have to set up PGP encryption manually; the email client can do so, enabling the use of end-to-end encryption between different providers with minimal hassle.
I know some people do need more privacy and/or security. But a lot of people think they need the same but really, they don’t.
We've considered adding an E2EE comparison column as well (with the issues such as Proton rewriting your emails @ http://jfloren.net/b/2023/7/7/0 highlighted).
Privacy Guides Discussion @ https://discuss.privacyguides.net/t/forward-email-email-prov...
Unlike Skiff, Proton, and Tuta... we're _actually_ 100% open-source. Those providers that advertise as open-source really only open-source the front-end, when the back-end is the most sensitive part of an email service.
A PGP encrypted email doesn't get "decrypted" when it's being transferred. That's the whole purpose of PGP encryption, to encrypt it before it even gets transferred or stored, which is what we do. If you set up a PGP key, use WKD, then your emails will be stored as encrypted (not only is your database encrypted with your password, but the emails themselves can be PGP encrypted this way), and any sender attempting to send to you will automatically have their message PGP encrypted to you, if it is not already (in case their mail client doesn't use WKD).
https://forwardemail.net/en/faq#do-you-support-openpgpmime-e...
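As an added example (not code from the comment above or from Forward Email), this is the WKD lookup the comment relies on: the sender's client lowercases the recipient's local-part, SHA-1 hashes it, z-base-32 encodes the digest and fetches the key from a well-known URL (advanced method first, then direct) before encrypting. Only the URL construction is shown; fetching the key is left to the caller.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet as used by the OpenPGP Web Key Directory draft
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, no padding characters."""
    nbits = len(data) * 8
    value = int.from_bytes(data, "big")
    pad = (-nbits) % 5          # right-pad with zero bits to a multiple of 5
    value <<= pad
    nbits += pad
    return "".join(ZBASE32_ALPHABET[(value >> shift) & 31]
                   for shift in range(nbits - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """WKD maps the lowercased (ASCII) local-part through SHA-1, then z-base-32.

    A 160-bit digest always yields exactly 32 characters.
    """
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Return the advanced and direct WKD lookup URLs for an email address.

    The original (un-lowercased) local-part is passed back as the ?l= query
    parameter so the server can verify the mapping; the domain is lowercased.
    """
    local_part, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local_part)
    q = quote(local_part, safe="")
    base = "/.well-known/openpgpkey"
    return {
        # tried first; lets a separate host (openpgpkey.<domain>) serve keys
        "advanced": f"https://openpgpkey.{domain}{base}/{domain}/hu/{h}?l={q}",
        # fallback when the openpgpkey subdomain does not resolve
        "direct": f"https://{domain}{base}/hu/{h}?l={q}",
    }


if __name__ == "__main__":
    # constructed sample address, not a real mailbox
    for method, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{method:8s} {url}")
```

A client that finds no key at either URL has nothing to encrypt to, which is exactly the case where the forwarding service's own encrypt-on-receipt step matters.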
If you want security, you have to do it in house with competent people who understand your business domain. So when I see people with regular pen tests I know they don't really give a shit because they are doing minimal ass coverage.
But I'm pretty sure in this case the scope was bad. Like they could have had audits on "Do I use OpenSSL well?" and then misrepresented that all their privacy claims were audited.
Now it seems like Skiff conveniently didn't allow Trail of Bits to publish their reports; they are usually here: https://github.com/trailofbits/publications/tree/master/revi...
Disclaimer: I have used Trail of Bits' service in the past (and 2 other auditors for a security campaign on a blockchain, cryptography + networking product).
I can’t speak to Cure53 but I feel like I’ve seen that name on a few failed cryptocurrency thingies.