The trivial attack is based on them sending you compromised code, right? Because that seems to comparable to an attack on GPG where their downloads are compromised.

I get that there's a difference in degree, i. e. GPG binaries being checked against hashes and having a long track record as an organization, but is that fundamentally different?

I could see ProtonMail evolving to, for example, using a browser extension that allows you to use a known-good version of the crypto library, and informing you of changes.

Point being: it isn't perfect and I'd prefer something based on standards. But e-mail encryption has failed, even though it is often more personal than websites where TLS has been successful. ProtonMail is a legitimate attempt in a space that seems to need a new approach.

I think it's different, because Protonmail can target you, individually, at any time. Like, for example, upon receipt of a NSL.

GPG is used asynchronously. In many cases, everyone would need to be compromised to go after one person. That raises the chance of discovery.

A browser extension is a fantastically better idea. Google previously prototyped most of the work for this: https://github.com/google/end-to-end

The difference is that, any time you check your email, a basic TLS MitM could exfiltrate your entire inbox without your or ProtonMail's knowledge — exactly the same threat model as Gmail or any other webmail provider.

Further to that, I'd trust Google's infrastructure to withstand compromise much more than I'd trust a datacenter run by a small company that I know much less about. (Tinfoil hat: sure, I have to assume that the NSA has a copy of my Gmail inbox, but god knows who else may have owned ProtonMail.)

When's the last time you downloaded GPG? For me: years ago.

How often do you download ProtonMail's Javascript code? Several times per second, as long as you're using it.