Tutanota is the secure email service, built in Germany. Use encrypted emails on all devices with our open source email client, mobile apps & desktop clients.
It is a shitty E2EE implementation in JS, incompatible with the email standard OpenPGP.
But I like that they wrote this post, even if it is for marketing purposes, because Tutanota is based in the EU and hopefully the EU Parliament will listen if enough people tell them.
They have a JavaScript version, it’s true. But they also have apps. Meaning you don’t have to rely on JavaScript security. If you want to lock it down.
Encrypted email should never be considered end-to-end encrypted. This includes ProtonMail, which does implement PGP. Email is a clear text protocol. Encrypted email providers provide encryption at rest for the email.
The issue with ProtonMail, and PGP in general, is that the metadata is unencrypted: to, from, subject. Metadata gets people killed. Metadata is valuable data.
So you have to choose for your data at rest: if you want everything encrypted, then you go with Tutanota; if you only want the body of the email encrypted, then ProtonMail/PGP.
Since most email is clear text anyway, and if you want end-to-end encryption you should use Signal or SimpleX, I think full encryption at rest is the better option here.
All of that’s to say it’s not a shitty implementation, it’s an implementation with different trade-offs than what you value.
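An added illustration of the metadata point in the comment above (not code from the thread or from any provider discussed): a constructed PGP/MIME message in the RFC 3156 layout, parsed with Python's standard library to show which fields stay readable without the private key. The addresses, subject and ciphertext placeholder are made up.

```python
from email import message_from_string

# Constructed sample: an RFC 3156 PGP/MIME message as a relay or mail store sees it.
# Addresses, subject and the armored body are placeholders, not real data.
RAW = """\
From: alice@example.org
To: bob@example.net
Subject: Meeting at the usual place
Date: Mon, 01 Jan 2024 10:00:00 +0000
Message-ID: <constructed-1@example.org>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

(ciphertext placeholder)
-----END PGP MESSAGE-----
--b1--
"""

METADATA = ("From", "To", "Cc", "Subject", "Date", "Message-ID")

def visible_without_key(raw):
    """Return (cleartext headers, per-part state) as seen by anyone handling the message."""
    msg = message_from_string(raw)
    # Outer RFC 5322 headers are never covered by the PGP encryption layer.
    headers = {h: msg[h] for h in METADATA if msg[h] is not None}
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        opaque = "-----BEGIN PGP MESSAGE-----" in part.get_payload()
        parts.append((part.get_content_type(), "ciphertext" if opaque else "cleartext"))
    return headers, parts

if __name__ == "__main__":
    headers, parts = visible_without_key(RAW)
    for name, value in headers.items():
        print(f"readable header  {name}: {value}")
    for ctype, state in parts:
        print(f"body part        {ctype}: {state}")
```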
Uhm question, how is Tutanota E2EE? Other than making PGP setup easier. Afaik they just use a different protocol for client-server
They don’t use PGP.
Tutanota is end-to-end encrypted between different users of Tutanota. But any external email you send or receive is unencrypted. They do have an option to send an encrypted link to the other party, but that’s cumbersome.
The big thing about this mail service is that the data is stored at rest encrypted with your key. So once it’s received in clear text, it’s encrypted and stored on the disk only with your key. After that they can’t decrypt it.