Tutanota drama, what do you guys think?

1 Like

I am not sure a random post with 3 comments on their Reddit constitutes “drama”

1 Like

Did you click on the inner links of the post?

1 Like

Their response sounds reasonable to me.


One more open-source fanatic trying to raise a stink about nothing.

If you think Tutanota is not open-source enough, don’t open an account at Tutanota. Go use an encrypted email provider which is politically-correct enough relative to your open source religion.

Is there even one? Can someone name a Tutanota equivalent whose server is open-source? I’ve seen plenty of such anti-Tuta posts. Strangely enough, I don’t remember anyone saying the only thing that would be helpful there, if you accept the premises: use X instead. They are as secure, as powerful and as easy to use, and they are 100% open source.


I’ve scoured around for years and haven’t found any that quite match up with Tutanota. The closest I’ve found is ProtonMail, but I consider them quite different from each other. Tutanota (which also encrypts more of the data than ProtonMail) is lightweight in price and size, while ProtonMail is quite the opposite.

Although they do make some good arguments, it’s really hostile, making me lose respect for them.

1 Like

Yes, and Proton Mail does not even claim to be open source at all, except, I think, for its iOS app. Tutanota is more open source than Proton.

And of course the hostile tone of the post is what betrays it. It’s not a scientific post trying to evaluate objectively the security of Tutanota against a theoretical model. It’s part of a slander and conspiracy campaign.

Some people need to think that everybody around them has malevolent intentions and hidden agendas.


Even if a mail provider claims to use 100% open-source code on their servers, it is really hard (if not impossible) to verify this claim. But does it matter?

If you don’t trust your e-mail provider at all, don’t use it. Besides, there is still the (old-school) possibility to locally encrypt/decrypt your messages using tools like gpg (https://infosec-handbook.eu/terminal-tips/#gpg-as). In general, most users get more secure/private means of communication by just using a modern end-to-end encrypted instant messenger.


Absolutely. Messaging is the modern way to do encryption. That’s what top government officials use around the world.

Encrypted email does have its uses, though, because it offers something that messaging does not: universal communication. Just like with the telephone network, you can reach anybody in the world with email, without asking first: what is your email provider, and is it the same as mine?

Also, let’s be frank: encrypted email means, above anything else, not scanned for ads. I’d be curious to know the percentage of actually encrypted email flowing through so-called encrypted email providers’ servers. My guess would be 10%, if that.


It’s probably pretty low, but overall I certainly trust Tutanota or ProtonMail over Yahoo, HotMail or Google mail.

They’re both really good providers, and I think people ask too much of them without realizing how hard it is to maintain and continue to develop such projects. Some people complain about these email services not being open-source enough, or not having such and such features.

I have a question for those people. Why not build your own email provider? Or contribute to an existing one?


Some news regarding Tutanota:

https://www.sueddeutsche.de/digital/tutanota-verschluesselung-e-mail-ueberwachung-polizei-1.4676988 (German newspaper)

“Tutanota is forced by German authorities to provide unencrypted e-mails to authorities in real-time.”

Affected are all e-mails that are not end-to-end encrypted, so likely all e-mails that aren’t encrypted/decrypted on the client side of the sender and recipient.

Furthermore, Tutanota has to pay €1,000.

(P.S.: The German provider mailbox.org offers a similar feature. You can upload your public OpenPGP key and all incoming, unencrypted e-mails are encrypted using this key. So previously unencrypted e-mails are stored in encrypted form in your inbox. Therefore, mailbox.org and other mail providers could also be affected.)


Hmm, I never knew about this. Thanks.

1 Like

Is there anything bad to know about posteo.net?

“All Posteo servers exclusively use open source software, for security reasons.”

Please, Mr. White Hat Hacker, verify? :smile:


One important take away is that in the end, email is one of the least secure ways in which you can message someone. Tutanota is doing nothing wrong because they are a business inside a country with its own laws and they have to follow those laws. We all know this when signing up w/ them and using their services.

What most people don’t consider is that if I email a Gmail account from Tutanota, that email is not “secure” in any sense of the word. Even if authorities can’t access my account, they can just access the Google user’s account and boom, they have my email.

For the German gov’t to ask for this, they (should) have a reason for needing it, as in they sense an immediate threat. What they are hoping for, is a “criminal” to be dumb enough to use an insecure messaging system unknowingly and they can catch them in the act.

There’s a reason you’ll not get an email, even ProtonMail to ProtonMail, from someone like, say, Snowden. They know that if you need to send something no one else can see to a trusted contact, email is the worst way to do that.


One thing that’s constantly overlooked is the threat model. One of the major uses for encrypted email providers is to help freedom of speech. Including in Western, so-called democratic countries, where freedom of speech is more and more at threat.

In a great many cases, such users don’t need the contents of their emails to be secret. They need that their government (or anyone else) cannot know who they really are. They need anonymity, not privacy.

But what they actually say? On the contrary: they want as many people as possible to know about it. Including their government!

Tutanota is probably the best provider for such a threat model, because it allows total anonymity.

What pollutes the privacy debate is that Edward Snowden looms large over it. Everybody assumes that Snowden’s threat model is their own. It almost never is, unless you a) are a traitor to your country, b) work for its intelligence services, c) plan to defect to a foreign hostile power with some of your country’s most valuable military secrets.

It’s a safe bet that the number of people with this threat model is close to zero.

However, the number of people who think they have Snowdeny problems obfuscates the debate, and spreads fear and doubt over such legitimate and useful providers as Tutanota.

As a result, the people who would most benefit from them are scared away, further undermining freedom of speech – and plain freedom, which are at the core of the Western democratic idea.

That’s one more way in which the information war operation waged by Russia over the West, with Snowden, has been spectacularly successful.

1 Like

I think @jonah already planned to write something about threat models in the future.

We (InfoSec Handbook) also plan to address this since many people follow recommendations or implement suggestions without knowing what they want to protect. This bears the risk of forgetting important aspects.


Tutanota is probably the best provider for such a threat model, because it allows total anonymity.

Posteo has this too.


Posteo is better than Tutanota for anonymous payment, because it has a cash option (which is very rare). However, they don’t seem to accept crypto-currencies (Tuta doesn’t either at this point, but it plans to), and you need to trust them about their “anonymous” bank deposit scheme (I’m not sure this is even possible).

However, they don’t have a free plan, which means that, overall, they are less private than Tuta’s free option.

Does Posteo allow opening an account through Tor, without asking any personal details such as a phone number, or an alternate email address?

1 Like

Does Posteo allow opening an account through Tor, without asking any personal details such as a phone number, or an alternate email address?

Yes. IIRC. Their encryption of stored emails, contacts and calendar also looked more private. They warn they cannot recover if you forget your login.

What makes you think Posteo’s encryption at rest is more private than Tutanota’s?

If anything, it’s less private and very much so, since what is on their servers is unencrypted by default. You have to activate encryption deliberately if you want it.

As for non-recoverability, it’s the same thing with Tutanota, security-wise. You cannot reset your password. You have a recovery code, which you can use in lieu of your password if you forget the password, or in lieu of your 2FA TOTP if you lose the 2FA secret. But that does not make any difference in terms of security. Tutanota cannot reset anything for you.

1 Like