I think we had a similar thread not too long ago. Nobody should think of e-mail as intrinsically secure, so it is best to start by asking what are your specific requirements for your e-mail service?
For example, you can send private mail over any service by making use of public-key encryption. A plug-in like Enigmail suffices for this, but, yes, both parties have to use it (use the crypto system, not necessarily the identical plug-in or app).
If you like web mail but don’t trust the provider not to read or leak your messages, there are services like ProtonMail where everything is stored encrypted and only you have the key/password. Nothing special you or your correspondent needs to do. But, again, as soon as you message anybody they get a copy of whatever you sent, so you need to trust them to keep it secure, and the message should be encrypted during transit. Same for received messages.
In short, it is a no-brainer to do better than Google or Yahoo without extra effort, but you need to evaluate your security requirements carefully before relying on e-mail for anything important.
ETA: mostly ninja’ed, but not completely.
Depends on what you’re trying to secure against.
Both of those use https between your browser and the host. So you’re not at much risk of somebody reading your mail by snooping as it goes by.
Both logins are only as secure as you choose to make your password. Gmail’s two-factor authentication can make it stronger. In any case, once somebody logs on as you all your privacy is lost. Which would also be true if you used some secure messaging service that acts sorta like a walled garden of email.
Once an outgoing email of yours is on the recipients’ computer(s) you’re pretty much at their mercy. They can forward it, or be hacked, or anything else bad you can imagine.
So what risk(s) are you trying to protect against? I’m not suggesting your intent is wrong; just a little unfocused just yet.
Downloaded Thunderbird. Tried to set it up. Yahoo seems to be causing some sort of trouble. I will look at it tomorrow, or perhaps I will forget the whole thing.
I would be surprised if Yahoo Mail is incompatible with Mozilla Thunderbird; here are instructions on the Yahoo web site for configuring an IMAP client.
There is also an (open-source) plug-in for Chrome and Firefox here that supports the OpenPGP standard.
Yahoo has repeatedly shown that they are unable to secure their systems so that is pretty much out as far as secure email goes. Plus Yahoo is now owned by Verizon and Verizon is not really big on customer privacy. Google does not seem to have the systemic problems that Yahoo has. But Google’s business model is selling information about you to advertisers. You can use some other service like ProtonMail whose business model is people paying them to be an email provider so you are the main customer instead of the product.
The Enigmail mail plugin that DPRK talks about works well but is basically useless because nobody you send or receive email from will use PGP encryption on their mail. PGP encryption of email is a pain to use in a web browser and it is even more of a pain to use on your phone.
If your concern is privacy against petty hackers and despotic governments, Gmail is a great choice as long as you set it up securely (i.e., use 2-factor authentication and a strong passphrase).
If your concern is (or also includes) corporate robots reading your email, then something like ProtonMail is a good choice.
If your concern is the NSA reading your email, don’t send anything you don’t want them to see by email. Use something like Signal instead.
PGP isn’t really practical. Most people you’ll be emailing aren’t set up for it, and there are some issues with implementation–especially if you’re not gung-ho about learning the technical details.
Thank you all. Frankly I am losing interest. Thunderbird was just a tad too hard to use. PGP is much too hard to use. I will glance at ProtonMail and Signal before I go to work.
Most of what I can think of has already been covered. A few added observations:
Enigmail provides somewhat simplified integration of PGP into a Thunderbird e-mail client (allowing you to send secure* e-mail using any e-mail provider); however, that “somewhat simplified” may still amount to “too much of a PITA to get myself and all my secure-message correspondents on board”.
Something like ProtonMail (email) or Signal (text messages), with security more unobtrusively integrated, is probably more practical, but you still have the problem of getting your circle of correspondence to use the same program (you can still communicate with them if they don’t, but without the security features).
*“Secure” in this context means “secure up to the point where somebody is willing to bypass your message security by planting physical or software bugs on your machine, planting hidden shoulder-surf cameras, intercepting and reconstructing the electronic noise from your keyboard and display, just grabbing you and using ‘enhanced interrogation techniques’ to get you to give up your password, etc.”
Proton is free for up to 150 emails a day. 150 emails a day seems like it should be adequate. But there develops a certain amount of spam that is generated by using your email for purchases. So 150 may not be enough.
If free is what you want then Google or Microsoft are probably your best bet. Yandex is another free provider that I have seen mentioned favorably but I have not used it.
Thunderbird is sort of orthogonal to the question of provider as you can use Thunderbird as a client for any remotely decent email provider.