Is email aliasing secure (SimpleLogin, addy.io, et al)?

Newbie alert. :loudspeaker:

Please excuse my ignorance, but I have a question about email alias providers. I understand they help users remain anonymous online and protect their main inbox against spam and phishing, but are the emails they forward secure?

Maybe I am not understanding how encryption works in practice, but addy.io say they will encrypt emails before forwarding them if you give them the recipient mailbox’s public key. On simplelogin.io they say they do not include PGP encryption in their free package (!), but not to worry if the recipient email address is a ProtonMail address because Proton “already encrypts all emails with the public PGP key of your ProtonMail account and store your emails with zero-access encryption.” My interpretation of that statement is that they are reaffirming a ProtonMail mailbox is encrypted, which I am already aware of, but what I am questioning is does simplelogin.io transmit/forward emails unencrypted to ProtonMail and other email providers (in the free package)? They seem to dance round that point by talking about Proton’s mailbox encryption.

Also, I can’t seem to find any mention on simplelogin.io or addy.io that they themselves are zero-knowledge providers. It’s mentioned that emails that fail to be delivered are stored on a server. I presume these companies can be forced to hand over any emails they have stored in Poland, etc, but is it possible that if a user is being targeted (by law enforcement, for example), the alias providers can be made to make copies of any subsequent emails they receive before forwarding them?

Read these. They will tell you a lot.

While encryption in transit is a given, they indeed do not specify whether they encrypt your emails in a zero-knowledge manner. They do encrypt all the data at rest in their databases, as stated in their privacy policies, but again, there is no information on whether they can decrypt it if needed.
So everything you’re assuming can be considered technically possible.

This topic might be interesting to you, though it doesn’t answer your exact questions.

1 Like

Ultimately, all “zero knowledge encryption” for emails is based on trust. As 99.9% of emails are not PGP-encrypted, they are sent unencrypted (just with transit encryption) between email providers. When you receive an email, it’s unencrypted and you have to trust your provider that they don’t make a secret copy before saving it with encryption in your “zero knowledge” inbox. Same when you send an email - they have to send it without encryption if you send it to a “normal” recipient like Gmail or Outlook.

1 Like

Thank you all. :slightly_smiling_face:

Can I somehow add my public key to aliases such that the sender can encrypt it, if he so desires?

Here’s this Reddit post I found with a quick search. Oddly enough Reddit seems to be down on my end (probably some NextDNS config acting up again) and Archive.org has blocked archiving Reddit pages.

https://www.reddit.com/r/Simplelogin/comments/18qxati/posting_public_key_for_alias_with_pgp_enabled/
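To make the trust model from the replies above concrete, here is a small Go model of an alias forwarder. It is an added example written for this thread, not code from SimpleLogin, addy.io or any poster, and it assumes a few things: the inbound message is constructed, the "encrypt before forwarding" feature is stood in for by RSA-OAEP wrapping a fresh AES-256-GCM key (not real PGP), and the `Alias`/`Forward` names are hypothetical. It covers three situations: no key on file, a recipient key uploaded to the service, and a sender who already encrypted to the recipient's own key (the situation the question about publishing a public key for an alias is getting at). The `SeenPlaintext` flag records whether the service handled a readable body at all.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
	"net/mail"
	"strings"
)

// Alias maps an alias to its real mailbox, plus the recipient's public key if uploaded (nil otherwise).
type Alias struct {
	RealTo string
	PubKey *rsa.PublicKey
}

// Forwarded is what leaves the alias service, plus whether the service handled a readable body.
type Forwarded struct {
	To, Subject, Body string
	SeenPlaintext     bool
}

// SampleInbound is a constructed message addressed to an alias, not real mail.
const SampleInbound = "From: shop@example.com\r\nTo: alias123@aliasprovider.example\r\n" +
	"Subject: Your order\r\n\r\nOrder #42 shipped.\r\n"

// encryptToKey stands in for PGP: a fresh AES-256-GCM key wrapped with RSA-OAEP, base64 out.
func encryptToKey(pub *rsa.PublicKey, plaintext []byte) (string, error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return "", err
	}
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	// Layout: wrapped key || nonce || ciphertext+tag; only the holder of the private key can open it.
	blob := append(wrapped, gcm.Seal(nonce, nonce, plaintext, nil)...)
	return base64.StdEncoding.EncodeToString(blob), nil
}

// Forward models the alias service handling one inbound RFC 5322 message.
func Forward(a Alias, raw string) (Forwarded, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return Forwarded{}, err
	}
	body, err := io.ReadAll(msg.Body)
	if err != nil {
		return Forwarded{}, err
	}
	text := strings.TrimSpace(string(body))
	// Headers are rewritten and relayed in clear in every case, as with plain PGP/MIME.
	out := Forwarded{To: a.RealTo, Subject: msg.Header.Get("Subject")}
	switch {
	case strings.HasPrefix(text, "-----BEGIN PGP MESSAGE-----"):
		// Sender encrypted end-to-end to the recipient's key: the service relays opaque ciphertext.
		out.Body = text
	case a.PubKey != nil:
		// Service-side "encrypt before forwarding": the service must read the plaintext first.
		out.SeenPlaintext = true
		if out.Body, err = encryptToKey(a.PubKey, []byte(text)); err != nil {
			return Forwarded{}, err
		}
	default:
		// No key on file: plaintext in, plaintext out (TLS on the hops is not modelled here).
		out.SeenPlaintext = true
		out.Body = text
	}
	return out, nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	for _, pub := range []*rsa.PublicKey{nil, &priv.PublicKey} {
		fwd, err := Forward(Alias{RealTo: "me@mailbox.example", PubKey: pub}, SampleInbound)
		if err != nil {
			panic(err)
		}
		fmt.Printf("key on file: %-5v  service saw plaintext: %-5v  subject: %q  body: %.32q\n",
			pub != nil, fwd.SeenPlaintext, fwd.Subject, fwd.Body)
	}
}
```

Two things the run makes visible: uploading a key changes what the service sends on, but not what it could have copied on the way in, so the feature protects the forwarded copy, not you from the forwarder; and the Subject (like From and To) stays readable in every case. Only a sender who encrypts to your own key before the mail ever reaches the alias service takes the service out of the trust equation, which is why being able to publish a key for an alias matters.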

There’s a Techlore clip on this if you’re interested. There are a few things that some people forget about regarding the security/privacy of aliasing services:

2 Likes