Based in | Germany |
Storage | 1 - 1,000 GB |
Price | €1.00/mo. |
Free Tier | Up to 1 GB |
Website | Tutanota.com |
Tutanota is a secure email service run by a small team of privacy enthusiasts in Germany. Although it may not be widely known, Tutanota is a serious player among secure email providers. It uses a hybrid encryption system instead of PGP, and is protected by the GDPR and other pro-privacy EU regulations.
In this Tutanota review, we’ll be posting hands-on test results while sharing our research findings and personal experience in using this email provider for the past few years.
The Tutanota team has a strong vision for their product:
In the future Tutanota will be the privacy-respecting alternative for Google with a calendar, notes, cloud storage – everything encrypted by default!
That being the case, we’re really going to put Tutanota through the wringer to see if they deserve your hard-earned money and attention. Let’s take a look!
+ Pros
- Messages (including Subject lines), Address Book, Inbox Rules and Filters, and Search Index are encrypted at rest and stored on German servers
- Strips IP address from emails
- Open source code (including mobile apps)
- Great apps for mobile devices
- Free accounts with 1 GB of storage
- Encrypted calendar and contacts
- Discounts and additional support for non-profits
– Cons
- Does not support PGP
- Potential delays with account approval
- Currently no way to import existing emails
https://tutanota.com
Tutanota features overview
Tutanota uses industry-standard end-to-end encryption algorithms for email and other user data. All data is encrypted at rest and only decrypted in your browser or email client. Because it does not use PGP encryption, Tutanota also encrypts the subject line of messages, which improves your privacy relative to ProtonMail.
Additional interesting features of Tutanota include:
- Anonymous signup process doesn’t require you to give them a phone number or other personally identifiable information.
- Open source code, including apps.
- Desktop clients for Windows, Mac OS, and Linux (beta).
- Android and iOS mobile apps, with Google-free access to Android App through F-Droid.
- Premium accounts with a range of additional benefits, including a brandable Business account.
- The ability to send encrypted emails to non-Tutanota users.
- Whitelabel and Secure Connect support in paid plans for additional fee.
- Dark and Light themes.
Tutanota launched in 2011 (not long before Edward Snowden began leaking information), and is based in Hanover, Germany.
According to their website:
With its unique open source technology Tutanota fights for privacy and freedom of speech online, allowing everybody including NGOs, journalists and activists to send encrypted emails on desktop and mobile. In addition, Tutanota’s affordable business version enables companies and organisations of all sizes to easily secure their email communication.
Germany has strong privacy laws, including the Bundesdatenschutzgesetz and GDPR. That said, as elsewhere in the West, there is political pressure to reduce personal privacy rights to “counter terrorism”.
In addition, Germany is a member of the 14 Eyes intelligence alliance. This isn’t ideal, but Tutanota provides a detailed explanation of the laws that apply to them and the data they may be forced by law to disclose.
Tutanota technical specifications
Tutanota uses a couple of different encryption algorithms to ensure that your messages cannot be read or tampered with:
Tutanota uses symmetric (AES 128) and asymmetric encryption (AES 128 / RSA 2048) to encrypt emails end-to-end. When both parties use Tutanota, all emails are automatically end-to-end encrypted (asymmetric encryption). For an encrypted email to an external recipient, a password for encrypting & decrypting the email (symmetric encryption) must be exchanged once.
On top of its automatic end-to-end encryption, Tutanota uses STARTTLS with an extended validation certificate, Perfect Forward Secrecy, DNSSEC, DANE, DMARC, and DKIM to secure your connection to Tutanota to the maximum.
Check here for more info on Tutanota’s TLS encryption.
Tutanota assures users that even they cannot access your inbox, due to the open source encryption standards they use.
AES-128 is more than secure enough for protecting your messages. Reportedly even the fastest computers in the world would need many billions of years to crack AES-128.
Tutanota is currently working together with Leibniz University Hanover to make their encryption standards future-proof against quantum computer attacks.
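The two modes in the quoted specification above (automatic asymmetric encryption between users, and a pre-agreed password for external recipients) can be sketched as follows. This is an added example, not Tutanota's code: the page names only AES 128 and RSA 2048, so the GCM mode, OAEP padding, scrypt key derivation and every function name here are assumptions.

```javascript
// Added illustration of a hybrid mail scheme; NOT Tutanota's implementation.
// Assumptions: AES-128-GCM, RSA-OAEP (SHA-256) and scrypt are choices made for
// this sketch. The page itself only names AES 128 and RSA 2048.
const {
  generateKeyPairSync, randomBytes, createCipheriv, createDecipheriv,
  publicEncrypt, privateDecrypt, scryptSync, constants,
} = require('node:crypto');

const OAEP = { padding: constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Subject and body are serialized together and encrypted under one 128-bit key,
// so the subject line never travels or rests in the clear.
function sealMail(key, mail) {
  const iv = randomBytes(12); // fresh nonce for every message
  const cipher = createCipheriv('aes-128-gcm', key, iv);
  const ciphertext = Buffer.concat([
    cipher.update(JSON.stringify(mail), 'utf8'),
    cipher.final(),
  ]);
  return { iv, ciphertext, tag: cipher.getAuthTag() };
}

// Throws if the key is wrong or the ciphertext/tag was modified.
function openMail(key, sealed) {
  const decipher = createDecipheriv('aes-128-gcm', key, sealed.iv);
  decipher.setAuthTag(sealed.tag);
  const plain = Buffer.concat([decipher.update(sealed.ciphertext), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// Mode 1: recipient has a key pair. A random session key encrypts the mail and
// is itself wrapped with the recipient's RSA-2048 public key.
function encryptForUser(recipientPublicKey, mail) {
  const sessionKey = randomBytes(16);
  return {
    wrappedKey: publicEncrypt({ key: recipientPublicKey, ...OAEP }, sessionKey),
    ...sealMail(sessionKey, mail),
  };
}

function decryptAsUser(recipientPrivateKey, envelope) {
  const sessionKey = privateDecrypt({ key: recipientPrivateKey, ...OAEP }, envelope.wrappedKey);
  return openMail(sessionKey, envelope);
}

// Mode 2: external recipient. Both sides derive the same AES key from a
// password exchanged out of band; only the salt is stored with the message.
function encryptForExternal(password, mail) {
  const salt = randomBytes(16);
  return { salt, ...sealMail(scryptSync(password, salt, 16), mail) };
}

function decryptAsExternal(password, envelope) {
  return openMail(scryptSync(password, envelope.salt, 16), envelope);
}

// Returns null instead of throwing, to make failed decryption easy to report.
function tryOpen(fn) {
  try { return fn(); } catch { return null; }
}

function demo() {
  const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
  // Constructed sample message.
  const mail = { subject: 'Constructed subject line', body: 'Constructed body text.' };

  const internal = encryptForUser(publicKey, mail);
  const external = encryptForExternal('pre-agreed password', mail);

  // Flip one bit of the stored ciphertext to simulate tampering.
  const tampered = { ...internal, ciphertext: Buffer.from(internal.ciphertext) };
  tampered.ciphertext[0] ^= 0x01;

  return {
    internalSubject: decryptAsUser(privateKey, internal).subject,
    externalSubject: decryptAsExternal('pre-agreed password', external).subject,
    subjectVisibleInCiphertext: internal.ciphertext.includes(mail.subject),
    wrongPassword: tryOpen(() => decryptAsExternal('wrong password', external)),
    tamperedMail: tryOpen(() => decryptAsUser(privateKey, tampered)),
  };
}

console.log(demo());
```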
Tutanota hands-on testing
We’ve based this review on the browser-based client. If you decide to stick with Tutanota, you can easily upgrade to a paid plan, with similar functionality and more storage, email aliases, and other options.
Signing up for Tutanota
Signing up for Tutanota goes about the way you would expect. Click the Sign Up button on Tutanota.com to begin the process.
The first step will be to choose your service plan.
On the Subscription screen, click the red Select button under the plan you want to use. Although I have been using Tutanota since 2017, for purposes of this review, I have created a new, Free private account. This is the ideal way to test out the service. I suggest you do the same.
Next you will need to enter your account information. You’ll select an email address using one of the domain names Tutanota makes available for free users. You’ll also need to enter a Password, and check all the relevant boxes on the screen, including the one that confirms you are at least 16 years old.
Note that you are not required to give Tutanota a phone number or other personally identifiable information. This means you can have a truly anonymous free account. As we’ll see in a moment, Tutanota has a process in place to prevent spammers from taking advantage of the service. Unfortunately, that process can be a real headache for regular people.
Hit the red Next button to move on. There is one step left. That’s to record your 64-character Recovery Code. Tutanota doesn’t know your password (or the optional second factor you can set later) so the only way to recover your account if you lose either of these is by using the Recovery Code.
You can copy the code by hand, or click the round Copy or Print buttons. Once you’ve recorded your code, hit Ok and you’ll be ready to log in. Enter your Password and hit the Log in button.
An annoying automated delay
You are probably anxious to get into Tutanota and start exploring, but at this point you may run into that anti-spammer process we mentioned earlier. Your account may be automatically “marked for approval.” This puts a 48-hour hold on your ability to send or receive messages, as described below.
As Tutanota states in this blog post,
Sometimes accounts are automatically marked for [manual] approval to prevent spammers from signing up. This is often the case when you sign up via Tor or a VPN, for example, because unfortunately spammers like to abuse Tor. In case your account gets marked for approval, you will be able to start using it within 48 hours after registration once it has been approved.
They claim that your account will automatically be approved within 48 hours after registration. However, if your account has not been approved after 48 hours, Tutanota recommends you contact Support and give them the email address you are trying to register.
I ran into a problem with this system while working on this review. After waiting four days, I contacted Support about the problem, and someone got back to me within minutes. However, the account was not approved until the 5th day. Not ideal.
On a positive note, this manual account approval takes the place of more invasive verification procedures, such as phone verification, which many other email providers use. While the delay was somewhat annoying, I’d still take this over phone verification.
The look and feel of Tutanota
Once you click Ok, you will see a large welcome message, with the most important bit reminding you about not losing your password.
Welcome to your secure & ad-free Tutanota mailbox, protected with strong encryption. Even we, the developers, do not have the ability to access it. You are the only one who can decrypt your emails and contacts with your password. Please make sure you don’t lose your password as it cannot be reset.
I spoke with Tutanota Support about this and they acknowledged that this message is now out of date since the addition of the Recovery Phrase. As long as you have your Recovery Phrase, you can regain access to your account even without the password.
As you’ve seen if you got this far, Tutanota uses a standard, 3-pane layout like most other email programs. One feature you may like is the built-in support for a Dark mode, which looks like this:
If you happen to work a lot at night, or just get tired of the glare from the screen, this mode could be for you.
The folder list appears on the left, with messages in the center, and the content of the selected message on the right. A basic set of folders comes pre-defined in the left-most pane, and you can create more at will.
By default, Tutanota blocks images from appearing. If a message contains images, you can display them by clicking this icon at the top right of the message:
Note: Tutanota will automatically switch to a 2-pane view on smaller displays, such as tablets.
Composing, sending, and receiving messages
Composing messages works as you would expect. Click the Pencil icon at the bottom right of the Tutanota window to create a new message. While an early complaint about Tutanota was the lack of message formatting commands, today there is a full range of formatting options. To see the menu of formatting options, click the T icon next to the Paperclip (attachment) icon on the Subject line of the new message.
Click Send to transmit the message.
When you receive messages you open them normally, whether received from a Tutanota user or someone else. If a message is from another Tutanota user, all the encrypting and decrypting is done automatically in the background.
So far, so good. But what if you want to send a message to a person who doesn’t use Tutanota? This is where things get a bit more complicated.
Sending messages to non-Tutanota users
When you are composing a message, Tutanota checks to see if the recipient is a Tutanota user or not. If not, you have to specify whether you want the message to be sent encrypted or not. If you have this option, Tutanota will display a lock icon on the Subject line, like this, with a status message below:
Clicking the lock icon will cause Tutanota to send the message either in the clear as above, or end-to-end encrypted as shown below:
When sending an encrypted message to a non-Tutanota user, you must enter a pre-agreed password that is used for symmetrically encrypting and decrypting the message. Instead of receiving the message in its encrypted form, the recipient will receive a link to view the message.
Searching for messages
Tutanota has implemented a full text search feature for messages. This is actually a challenging endeavor since the contents of your inbox are stored fully encrypted.
When you enter a term to search for, Tutanota will create an encrypted search index. This might take a minute or two depending on the size of your inbox. Like messages and everything else in Tutanota, the search index is encrypted at rest. This prevents someone from hacking into your system and spying on you by analyzing the search index.
After the search index is populated, the matching hits (emails) will display below. Tutanota’s search feature also gives you the ability to search specific periods of time as well as custom fields (subject, email body, from/to, and attachment name). This is a pretty good system in my opinion.
Comparison: With ProtonMail, searches can only be performed on subject lines, which ProtonMail leaves unencrypted.
Rules and Filters
Tutanota offers both rules and filters for email, but they are pretty basic. Under the Spam rules you can designate individual email addresses as spam (put in the Spam folder), not spam (leave in the Inbox), or discard (send to the Trash folder).
Mailbox rules are more flexible, but are only available as part of paid plans.
Contacts and calendars
Tutanota supports both Contacts and Calendars.
These function as you would expect, but it is important to note that all Contacts and Calendars are encrypted when at rest. As we noted earlier, one of the main goals for the Tutanota team is for all your data to be encrypted, protecting you from snooping third parties.
The encrypted calendar was officially released in July 2019.
You can see the calendar features here.
Tutanota mobile apps (Android and iOS)
Tutanota has apps for both iOS and Android. I’ve been working with the Android app.
Whereas I had some issues with it when it first came out, it now functions well. At the time of this review, the Tutanota Android app had almost 3,400 reviews with a rating of 4.4 out of 5 stars. (Available on F-Droid here.)
Tutanota desktop client
Tutanota has a desktop client (currently in beta) for Windows, Mac OS, and Linux. I’ve been testing it out with my Tutanota account and I’ve found it to work well, basically giving you all the features of the webmail app. This should offer more security than browser-based email clients when it’s out of beta.
The Tutanota desktop client is based on Electron. They decided to use Electron, rather than build custom clients, for the following reasons:
- We are able to support all three major operating systems with minimum effort.
- We can quickly adapt the new desktop clients so that they match new features added to the webmail client.
- We can allocate development time to particular desktop features, e.g. offline availability, email import, that will simultaneously be available in all three desktop clients.
You can learn more about the Tutanota desktop client here.
Is Tutanota really secure?
Tutanota is certainly more secure than the vast majority of email services. Is it bulletproof? No. No system is, so you have to think about your threat model and decide if any given service is secure enough for your purposes. So let’s take a look at potential weaknesses in Tutanota’s security.
- The browser-based version of Tutanota relies on JavaScript for encryption and decryption. Using JavaScript for these functions is generally considered to be less secure than other approaches. (Tip: use a secure browser when accessing your Tutanota inbox.)
- There are some cases where Tutanota is bound by law to disclose information about you. According to their Transparency Report, between July 1, 2018 and December 31, 2018, Tutanota released data to the authorities more than two dozen times. Understanding exactly what this means is complicated. If you want the details, you will need to examine the latest Transparency Report and related documents. It is important to note that in some cases, Tutanota may be forced to record IP Addresses by a valid court order, as well as the contents of messages that arrive unencrypted at a user’s mailbox.
- Tutanota implemented a recovery code feature in November 2018, which garnered some mixed reactions from their user base. While some were upset about the new feature, the security and logic behind it seem sound. This allows people to securely reset their password without using a recovery email (not secure) and without having to get Tutanota support involved. Keep in mind that Tutanota cannot see the recovery code and it is also open source.
Note: All email services must abide by the laws in the jurisdiction in which they are based. To have more anonymity when you use Tutanota (or any email service), consider using a good VPN service, which encrypts your traffic and hides your real IP address.
Tutanota business features
Tutanota also offers secure business email accounts designed to let you,
Save time and money by hosting all your business emails end-to-end encrypted on Tutanota’s secure servers based in Germany.
Here’s a partial list of the Business Email features currently available:
- Custom email domains with optional catch-all
- The Secure Connect encrypted contact form
- Multi-user support so you can manage all your users yourself
- Scalable shared storage for all your business accounts
- Zero-knowledge full text search of messages and contacts
- A large set of Whitelabel customizations
- Two Factor Authentication (2FA) available
Secure Connect encrypted contact form
One of the reasons I switched this website’s email over to Tutanota was the ability to incorporate an encrypted contact form that facilitates completely anonymous two-way communication. Before this was officially launched as “Secure Connect”, I was using it here on Restore Privacy. In May, 2019, Tutanota launched Secure Connect and made it, “free for news sites so that whistleblowers can get in touch with journalists securely.” Very cool.
Unfortunately, if you don’t meet the criteria to get it free (not a news site) then this feature will cost you €240 per year – certainly not cheap. I’ve been using Secure Connect for over a year now and highly recommend it for website owners.
Tutanota support
For this review, I created a fresh account and went through the setup process as an average user.
I contacted Tutanota Support twice during this review process. In the first case, I contacted them about the use of the Recovery Phrase to recover your account if you lost your password. I wrote to them more or less the middle of the night in Germany, and they got back to me early the next day.
The second time I contacted them was due to the delay in getting my new test account approved. Their claimed wait time is 48 hours, but I was still waiting 96+ hours later. (The account was approved on the fifth day.)
With Tutanota being a small team using internal support, I understand there may be some delays in support. Hopefully, this was a temporary hiccup (with the 5 day delay on account creation) and not the norm.
Over the past few years of personally using Tutanota, all of my support inquiries were responded to in about one business day – so overall very good.
How much does Tutanota cost? Plans and Pricing
Tutanota pricing has grown more complicated over time. They now offer six plans (three Private plans and three Commercial plans) along with a range of custom options. This allows you to create exactly the service you need for your personal or business needs.
At the time of this Tutanota review, here is a breakdown of the plans and prices:
- Free Private plan, €0
- Premium Private plan, €12 yearly, €1.20 monthly
- Pro Private plan, €60 yearly, €6 monthly
- Premium Business plan, €12 yearly, €1.20 monthly
- Pro Business plan, €60 yearly, €6 monthly
Beyond the standard plans you can add more storage (10 GB, 100 GB, 1 TB), and more email aliases (20, 40, 100). As if this wasn’t complicated enough, the company keeps adding useful new features like Whitelabel and Secure Connect to their product. As a result, your best option is to scroll down the Pricing page to the Pricing Calculator and let it give you an exact price for the particular configuration you want.
Note: If you are an NPO (non-profit organization), you may be entitled to a reduced price on Tutanota. See here for details.
No cryptocurrency payment options!
Unfortunately, Tutanota has still not integrated support for cryptocurrency payment options, such as Bitcoin and Monero.
This has been on their Roadmap for a while now. You can donate to them with cryptocurrency, but standard crypto payments are still not an option. If you want more privacy with payments, you could use a service like Privacy.com, which allows you to create virtual credit cards and use any name/address you want for payments.
Is Tutanota the best secure email service for you?
Is Tutanota the best secure email service for you? Here is a summary of the factors to consider when switching to a secure email service, and how they apply to Tutanota:
- Jurisdiction – Tutanota is based in Germany and your data is stored there.
- PGP support – Does not support PGP (read about PGP problems).
- Import feature – While it has been discussed for more than a year, Tutanota still cannot import email messages. It can import calendar data and contacts.
- Email apps – A web-based client as well as desktop apps for Windows, macOS, and Linux, along with iOS and Android apps.
- Encryption – Emails and attachments can be sent end-to-end encrypted and everything is stored encrypted at rest.
- Features – Includes a built-in calendar and contacts along with full text search of messages.
Tutanota alternatives
If Tutanota doesn’t look like the secure email service for you, you may want to check out ProtonMail. The services are similar, although we like Tutanota’s approach to message encryption better since it encrypts the Subject line as well as the body of the message.
That said, either one of these services should be more than sufficient for normal users who want to protect their privacy while using email. Neither service can guarantee you protection against state actors like the NSA or the various domestic intelligence agencies.
You can also see our secure email roundup for a list of other providers.
Tutanota review conclusion
Tutanota is a strong choice for anyone who wants a secure email service for general use. For more security, you can use the desktop or mobile clients, or access the browser-based app through a good VPN with a secure browser.
While Tutanota may not get as much attention as some other email providers, we believe it is a market leader in the secure email space, if not the best option available for serious users. Check it out here.
Hey Sven —
Any thoughts on the past week’s blowout at /r/Tutanota over the big Premium-tier devaluation? It makes them more expensive (to get useful features) but they were unsustainably cheap anyway. It seems like more of a problem that they made such an egregious business decision and executed it so badly — can they stay in business with skills like that? And then it seems like MUCH more of a problem that through the whole debacle they were making one false statement after another, including a false claim, an edit to an old blog post to support the false claim, and then when that was caught an edit to the edit to cover up the coverup. Not too very attractive; they did not exactly cover themselves in glory.
I assume most subscribers won’t be too bothered, but to me it’s just as though they’ve said “The things we say are not to be relied on,” which pretty much wipes out their usefulness in a trust-based business. For me anyway.
Hi Philip, I did not see the controversy and have not had time to research what exactly happened. Feel free to fill other readers in on what transpired in the comments if you want.
Okay… I’ll try to keep it manageable. Late last week they announced a “new feature”, which was actually that a couple of Premium-tier features were being taken away and restricted to Business-class. There was a commotion; their next announcement was here:
https://www.reddit.com/r/tutanota/comments/lsu1zw/update_existing_subscribers_can_get_the_business/
After that, lots more commotion; a couple of the more worthwhile posts:
https://www.reddit.com/r/tutanota/comments/lsp1d9/a_suggestion_re_price_increase/
https://www.reddit.com/r/tutanota/comments/lts33j/we_should_give_the_tuta_team_time_until_next_week/
This one was interesting — apparently they never made the announcement about the half-baked compensation offer in German (nor did they ever send it out in email — only at Reddit):
https://www.reddit.com/r/tutanota/comments/luacle/bitte_aktuelle_situation_auch_auf_deutsch/
And then here is where they were caught out by a sharp-eyed person checking the permanent record:
https://www.reddit.com/r/tutanota/comments/lvbd3x/explanation_on_subscription_changes/gpbi0rx
I’ve seen that you’re a Tutanota fan — and with reason. But their misrepresenting themselves and monkeying with the historical record is just low behavior. Some people might judge for perfectly good reasons that this doesn’t matter for them. For me the good-faith relationship is essential; I think a privacy provider can’t work any other way.
Thanks for filling us in, Philip. It looks like they did not execute this change very well! Yes, we have liked, recommended, and personally used Tutanota over the years, but that also applies to ProtonMail, Mailfence, Posteo, CTemplar, and more.
Philip,
Thanks for the info.
While this is sad, it is not unexpected from what I have seen.
Appreciate the heads up.
First off, thank you so much for this website. Really great content.
I have a lot of emails that I’d not likely worry about sending e2e. What isn’t clear to me, is whether or not those correspondences are automatically encrypted once they land in my Tutanota inbox/outbox. In other words, is an “unencrypted” email safer in a Tutanota inbox than, say, Thunderbird?
The court case that was posted below seems to suggest that Tutanota encrypts everything on their servers, but they can somehow still provide messages that were sent to their servers unencrypted. I must be missing something.
I can’t stand the Tutanota approach of 3-pane layout. There’s no option to turn to 2 panes. It’s the only obstacle keeping me from adopting this as my main email service. Such a narrow folder subjects pane (the pane in the middle) is useless! Why isn’t there an option to choose 2 panes with the full subject of the content of a folder (inbox for example)? I can’t work with this, sorry.
Tutanota? Don’t use it.
I just tried to create a free account, my FIRST and ONLY one, but was blocked IMMEDIATELY. I was given NO waiting period – just told it could not be created due to abuse!!! (LOL). All I had done was enter a DECENT user name and password (some abuse!!!).
I read Tutanota’s blog on reddit and now other review sites and MORE WORRYING is that other people complained of having their Tutanota accounts suddenly deleted and other NASTY treatment. Can users RISK using Tutanota? My answer is a BIG NO.
I will continue to use Protonmail (a happy user now for 6 years) and my scoring is:
Protonmail 10, Tutanota 0
Tutanota = AVOID.
Sven,
What are your thoughts on this as for Tutanota being forced by court to have a backdoor; if they lose their appeal? Will they drop in your rankings of best email services, if they are forced by court order? I like Tutanota, and hate to see them lose their appeal. They have been a really good service.
https://techcrunch.com/2020/12/08/german-secure-email-provider-tutanota-forced-to-monitor-an-account-after-regional-court-ruling/
https://www.theregister.com/2020/12/08/tutanota_backdoor_court_order/
Yes we are monitoring this situation and will update recommendations accordingly.
@Sven,
Not sure of all the legalese, but could they move to Switzerland, Iceland, Virgin Islands, etc. And re-establish?
It would be a bonus to them and whatever country they would go to.
Yes, I would think that is a possibility.
@Sven,
Thanks.
I do not recommend Tutanota at all, at least not an unpaid account. Firstly, I would repeatedly receive spam emails from supposed tutanota admin asking for verification of my account. When I would go to verify, the links very often were broken. I also was often unable to log into my account. Additionally, I would receive emails twice. Secondly, I could not search through my archived emails (which is only an option through premium). All of these inconveniences were worth it, however, as moving away from Gmail and mainstream online services is very important to me. Eventually, however, my email was hacked and as I was going to change my password, I was kicked out of the system and have not been able to log back in since. I have records of the original recovery code and have tried to use it to reset my password, but to no avail. There is no way I could have updated my recovery code because I didn’t even know this was an option until this fiasco arose. The Tutanota team has done very little to help me or compensate in any way. They are very difficult to reach and pretty inaccessible. I have switched over to protonmail with which I am very happy. I would recommend avoiding this service.
For those of you with any doubt about the reliability of Tutanota check out their twitter:
https://mobile.twitter.com/TutanotaTeam/status/1296940311420248065?p=v
If you click on any of the tweets you tend to get irritable customers complaining about the downtime. It is sad that a service with such potential continually fails to deliver a reliable service.
Every month for the past year you can guarantee you won’t have access to your emails for at least 24 hours.
As of today, I’m quitting Tutanota. They tweeted/blogged an article about BLM solidarity. As any smart people would know, BLM is bu****it and it’s sad that tech companies in privacy use that.
Except for the price, it wasn’t very good anyway in terms of android app, always having notifications of emails that I had read on my computer, slow sync, etc..
@Joe,
Agree. This is the third time they have done something like this.
My answer to them because they ignored my email is this, and I hope they read this:
“Show up, shut up, and do your job. If and ONLY IF I want your opinion, I will ask.”
Haha well said.
Companies and enterprises should not be part of politics and surf on the ‘tendance’.. That’s why I despise social networks that have too much influence on people (Instagram to name only one)
I’m trying Protonmail again. The development is unfortunately less active than Tutanota..
Agree. I am proud to say that I have never had and will never have a Fakebook…errr…Facebook account.
Many are shocked at that but, no, I never have. Don’t want one either.
I am using Protonmail and while their development is slower, their stuff works when it comes out. I gave a link to a site to voice what you would like (I believe that link is under the Protonmail review) and it does get views from their developers.
Tutanota could be good. They could do a lot. But maybe I am jaded against them when I was first trying to set up a paid account and what I had to go through with them.
I opened a paid protonmail account for my business. I had a problem and a couple of questions so e-mailed them. It’s been more than 24 hours and I have not heard back anything. Very disappointing customer support. As a paid user and trusting them with my business e-mail accounts, I expect a response within 24 hours. I will be leaving them. A company with poor customer support is not one I am willing to work with.
@Ann,
Are you saying you opened a ProtonMail account, or a Tutanota? Your comment is under tutanota.
I will also say that I am sorry for the time. I am a Visionary Account holder with PM and they usually take a day or two to get back to me as well.
I would also say that if you are sending in requests to their main email, they generate a response that says it is usually very full and takes time. There is a quicker way to get a response, and I have done it a few times. I cannot guarantee a response time, but for me I have gotten a response in less than an hour. The link to that is here: https://protonmail.com/support-form.
Depending on your account level will really depend on their time of response. They will check that off your Username. Hope this helps.
BLM is bullshit if you are never affected by the thing people are protesting about. This comment is hilariously stupid.
A perfect example of Racial Equivocation (Key word here).
I am only going to give you the start and it is up to you to see the truth.
https://christianintellectual.com/racial-equivocation-serpentine-shepherds/
And
https://christianintellectual.com/structural-racism/
They are long reads, but if, and only if, you are willing to see truth, will you read.
Since this site is for the aspect of privacy and security, and Tutanota is supporting a group that believes in neither, our original dialogue is pertinent.
However, this is as far as I am going to go out of that stream because it does not flow with the stated purpose. However, I do believe that truth should be declared and that ALL points (and not a predisposed ideological speaking point only) should be given a place.
Truth, objective truth, will always win. Narratives and ideology can only win by the use of force.
This is, by my choice, my only response that will be given and will not reply.
Sorry @Sven. I am being careful not to sidetrack here. Or trying to be.
Hi Sven, thanks for the very informative article. I’m still learning about these issues, so please bear with me – how do I exchange a password with someone outside the Tutanota system and still stay anonymous? The Tutanota ‘How To’ says to do it in person or via Signal. I don’t know what Signal is. But I’ve already sent an email to recipients outside Tutanota, and need to send them the password. Thanks!
Yes, this can be tricky. Signal is a secure messenger, like WhatsApp, but more secure and private (see our Signal review). And here’s our roundup of the best secure messengers.
I’m looking to (slowly) transition from Gmail to a private email like Tutanota (probably not 100% but certainly things like bills and receipts). In the interest of privacy, would it be better to use the different aliases Tutanota provides for different services? Like use one alias for Amazon, another for PayPal, another for eBay, etc.? I imagine that way it’d be more difficult to cross-reference between corporate databases, although 5 might not be enough in that case.
Yep, you’ve got the idea.
Hello @ psycho and Gerhard,
That’s the latest BAD hype in the headlines about any Germany email providers.
It’s meant for a purpose to shock and awe readers lured to their sites thinking of the worst.
But not a true definition in any case as an in-depth logic of an understanding yields to the concerned user.
–
First, so both you and others readers know it’s not a total surveillance scheme across accounts of any of the German email providers.
* As one of the Germany based email providers needs at one of their users accounts to have been flagged with valid order from a German court issued against it – for it to be affected and it’s only with that specific account that’s involved in the TGK action by said court order.
.
Second, message encryption on a Tutanota account is offered automatically, in two parts (sending/receiving), on a user’s account.
You have to deliberately sidestep the encryption for sending, or want to for the people you’d normally send messages to where an encryption form is not warranted as beneficial, or received well by the recipient…
Ex: Business accounts, professional correspondence, say, your business contacts’ mail replies.
– Then when a Tutanota account receives an e-mail from a person who does not have a Tutanota account – it’s at least automatically encrypted as soon as these messages land on their servers. (Granted a valid German TKG court order is not in place for an account)
.
Correction: According to a ruling by the European Court of Justice in June 2019, e-mail providers are no longer seen as telecommunications providers and are therefore no longer subject to the TKG.
https://www.sueddeutsche.de/digital/tutanota-verschluesselung-e-mail-ueberwachung-polizei-1.4676988
– – I’d say worry of not being informed correctly and let smoke and mirrors headlines stay just that (BAD HYPE).
Greetings
“Même les e-mails envoyés ou reçus non chiffrés sont stockés chiffrés sur nos propres serveurs basés en Allemagne.”
It’s in the welcome email from them.
It means that even sent email or received emails not encrypted, are encrypted as soon as they are in your mail box on their Germany based servers.
Tutanota has a very limited security model. Users should know that every mail sent to or received from outside Tutanota servers IS NOT ENCRYPTED. So it is a no-brainer to catch and read all communication, with a court order or not (e.g. hackers break into the cluster). Tutanota can only encrypt mails between Tutanota users. This is also true with ProtonMail, but there you have the option to use OpenGPG – so every incoming and outgoing mail IS ENCRYPTED.
Sven, Tutanota is no longer safe. They are forced to store their emails unencrypted for police or authorities.
https://t3n.de/news/gericht-datenschutz-gesicherte-e-mails-1220028/
Looking into this now, but Tutanota addressed this on reddit here.
I have a few concerns about Tutanota:
1. They are a very small company, so support is very limited. You have to wait a few days for a support reply as a Premium user.
2. They are activists and ready to leave customers because of a demonstration. (source: https://www.reddit.com/r/tutanota/comments/d5xp0l/fridays_for_future_tutanota_team_joins_the/f0om4ic/)
3. Tutanota has been in development since 2011 and still has ridiculous limitations:
– You can’t import emails,
– You can’t export emails,
– No conversation view,
– No labels,
– Unusable filters and inbox rules
4. They have serious security holes:
– There are no restrictions on email addresses, so if someone registers the address [sven.taylor@tutanota.com] you can register [sventaylor@tutanota.com] and do some phishing.
– For a long time they have not had custom domain ownership verification.
5. Their product depends on 2 or 3 people. I don’t know who is responsible for server security. If it is the developers, that’s not good, because they aren’t able to build the application, provide support and manage servers at the same time.
Greetings, on Breitbart I just came across a story about the latest security report from Tutanota. It discusses the reality that the whole internet is just one big tracking engine geared towards a social credit system – like they are using in China, but is more “subtle” in the West at present. Anyhow, it’s a nice heads up for all privacy and security minded citizens, and well worth a read. It verifies the need for solutions provided by Tutanota and other reputable companies. Note that I am not in any way affiliated with Tutanota or any such company. The article link is:
https://tutanota.com/blog/posts/social-credit-system/
Hello Paulie,
Thanks for the heads up.
A lot of content there seems in what I’ve posted about herein throughout this site.
Not word for word but in generalities of trends and technologies pace.
I feel there’s a big adjustment coming to modern things in the digital nature as the internet and life advances around the world. Governments and big companies control much already and the working poor have had enough of their misconduct and bad leadership roles.
–
One positive thing of the digital age is I can address many people of the nations in sites as this. As we link minds it can become a large think+tank of ideals – to inspire others and simply conversing about digital privacy as say you did of the past about the weather to people.
Each person’s ideals can build on the last or be vetted and honed by those who have grounded a better understanding, experiences, and results in an area.
***Knowledge is power and whoever banks the most detailed profiles data can actually control the money and commerce systems to an extent – once that it’s gone all digital in a cashless society system.
–
Poor thing about the Digital Age, is we as humans can’t get around our own personal faults enough to live peacefully together. Same types of people have the continuing controlling roles in the governments and large businesses around the world. They should walk a mile in the shoes of the people they’re to serve.
– The digital age with spawn of the internet or vice-versa moves us all closer inward from life’s edge of rotation inward towards a higher spinning RPM of being out of control.
So a wide reaching reset seems natural to happen.
Thanks
Hello Sven,
First of all, thank you greatly for the informative work you do.
I have been using the Tutanota desktop client for a few weeks and the truth is that it works quite badly for me. It closes unexpectedly, does not update new emails… is there any email client (like Mozilla Thunderbird) that you know is 100% secure in terms of privacy?
Thanks a lot
I don’t know of anything that is 100% in privacy or security. Thunderbird is popular, but it won’t work with Tutanota due to the encryption. The desktop client has been working well for me, so I guess that leaves you with the webmail app.
Thanks, Sven!
Hi 4ld33n…
Without doing additional research, the only thing I can think of that might work and is close to what you’re looking for is Protonmail’s “Bridge” app, which is available to paying users only. However, I can’t guarantee you will have a seamless experience with this program either. If you’re interested, please click on the link below…
https://protonmail.com/bridge/
Regards…
A.R.D.
Hi 4ld33n,
Monday Oct 7th all Tutanota clients were to update – has this helped any? This was to be automatic but you might ensure you’re on the latest client for your platform.
I just use the web client – how’s that work for you while the desktop has the troubles you mentioned?
–
@A.R.D. I don’t think 4ld33n wants to jump the Tutanota ship and they’d have to with your suggestion. I believe the trend for most is the other way around – AKA moving to Tutanota from Proton.
As things become known to them it’s not 100% secure in terms of privacy.
Proton’s encryption (public-key cryptographic system) would work with Thunderbird. To use PGP within Thunderbird requires two additional applications to be installed as well – GnuPG and Enigmail.
– The Bat, as a locally installed email client, offers –
On-the-fly Disk Encryption:
During the installation, you can enable the On-The-Fly encryption, so all the data (messages, address books, configuration files) will be stored encrypted on your hard disk. In this mode, unencrypted data never appear on the disk. On-the-fly encryption uses AES hardware acceleration on modern Intel processors (AES-NI) and produces no noticeable delays.
Encryption to Mail Servers:
The Bat! email client protects your personal information thanks to its widespread support of authentication protocols and encryption while working with mail servers. It prevents intentional data distortion and loss of confidential data while sending messages via the Internet. The Bat! supports Secure Socket Layer (SSL) v3.0 / Transport Layer Security (TLS) v1.0; v1.1, without using any third-party library – The Bat! has own implementation of these cryptographic protocols.
Features – https://www.ritlabs.com/en/products/thebat/features.php
Hi Hard Sell…
Yeah, that was the only suggestion I could think of “on the fly.” I haven’t worked with The Bat! in a very long time and I had no idea it offered the privacy features that it does. While a great suggestion, depending on who the email provider is, the overall benefit could be reduced. Unfortunately, as you probably know, Tutanota does not support POP/IMAP. I hope the update to the Tutanota client you mentioned helped 4ld33n but if not, he or she might want to consider contacting Tutanota’s staff for help. This might require a subscription, though. 🙂
Take care…
A.R.D.
Greetings A.R.D.
Yes it’s all good advice, suggestions are always good granted they try to help, give insights and are honest…
Trouble – – I’m seeing is most of these secure – private – encrypted email offerings (in the box say), have their own Eco-Systems setups – as they’re needed to ensure their secure functions (user to user on the same email service).
As I understand then the secure email eco-system server(s) holds message to deliver them personally over their own servers. Never going through any other email servers. This does lead to a closed off footprint say, but it also brings out their own imposed limits.
(People you know not using the same email eco-system – then mailing you).
Is this the only way ? Or for marketing growth.
–
I’ve run across GoldBug, from a user comment on the site. 2016 seems to be when it opened its offering.
Not a lot I’m finding on it – but it’s interesting concept.
Enjoyed your comment.
Thanks
@4ld33n
I have been having this issue as well. Today my desktop app just completely uninstalled…for the third or fourth time.
Hard Sell is right. You may have to just use the web site. I have just decided to use my phone but that too has been having hiccups on me lately.
@Hard Sell,
I do appreciate your thoughts. I agree with a lot that trust is a necessity which then over time builds to faith.
For many, Tutanota may have been able to provide that. I, sadly, was not given that chance which I am sorrow for as I want to test each of my services.
Thank you again for your good thoughts and research.
Ditto and thank you kindly.
You’re very welcome.
Really nice review, I like the attention to details and being down-to-earth (e.g. not fussing about AES being “only” 128 bit). Also I didn’t know that they could be ordered to monitor communication – thanks for pointing that out!
One remark though – I think it’s wrong to say that Tutanota’s desktop client offers better security over the web-based one. Electron just launches a Chrome instance under the hood, so what you see is generated with mostly the same code that serves the web-based client. Moreover Electron has its own security “issues” – some of the under-the-hood-Chrome’s security flags have to be disabled for Electron apps to work (I say “issues” for the lack of a better word; they could easily be called “features” by some; what I mean is that Electron’s Chrome is significantly altered and one needs to be aware of all these modifications for the system to stay secure)
Anyway, I’d love to see similar review of Mailfence some time in the future (I am currently split between Tutanota and Mailfence :P)
Good points, thanks for pointing that out.
Mailfence is on the To Do List as well.
Hi Cokolwiek,
Pretty interesting, tried to find the Electron’s Chrome thingy you talked of – koush/electron-chrome / Run Chrome apps in Electron. https://github.com/koush/electron-chrome
Is this it or something else that Tutanota uses, I noticed when trying to sign up ago starting Tutanota account on IE11 I had got ‘Sorry your browser is not supported or outdated – to use.’
– So is the issues only related to a Chrome Browser instance and not Firefox say?
–
Tutanota’s co-founder, Matthias Pfau MARCH 25, 2019
https://restoreprivacy.com/let-pgp-die/#comments
His reply comment – answered some of my questions – – one was {* Security of browser vs desktop clients.
The desktop clients are the most secure way of using Tutanota because we are able to sign the clients.
By verifying the signatures, you can make sure that you are using the exact version of Tutanota that we have published and no one has tampered with the code. For the web version, we have implemented DANE to reduce the risk of MITM attacks, check here for details: https://tutanota.com/blog/posts/dane-everywhere/
–
That’s the answer I bought but I don’t know if it satisfied your concern-
“One remark though – I think it’s wrong to say that Tutanota’s desktop client offers better security over the web-based one. Electron just launches Chrome instance under the hood, so what you see is generated with mostly the same code that serves web-based client.”
[Electron is open source with a community to work on security issues – – wouldn’t you think so and would security flags take priority.]
Again, browsers and then their functions are not well known to me. Answers appreciated : )
https://tutanota.com/blog/posts/desktop-clients/
Secure desktop clients based on Electron:
When we decided to build desktop clients for Tutanota, we carefully evaluated whether to build a native client for each OS or use Electron to convert our webmail client into desktop clients for Linux, Windows and Mac OS. We have opted to use Electron for the following reasons:
-We are able to support all three major operating systems with minimum effort.
-We can quickly adapt the new desktop clients so that they match new features added to the webmail client.
-We can allocate development time to particular desktop features, e.g. offline availability, email import, that will simultaneously be available in all three desktop clients.
.
Native desktop clients have a slight advantage towards clients built with Electron in regards to RAM, but this advantage does not outweigh the fact that with Electron we can support all three operating systems with minimal development effort. On top of that, we have put special attention to this issue when redesigning our new webmail client in 2017 and 2018 so that the current desktop versions of Tutanota need relatively little RAM.
–
At Tutanota we are a small team so we have to focus on how to develop the best product with minimal effort, and Electron enables us to achieve just that.
I found this too that may interest…
Is all of Tutanota Open Source including the server side?
” We plan to open source our server side as well. However, right now the server is not open source for the following reason:
With the client code being open source, everybody can build the client themselves, run it locally and verify that the open source code is being used. Even if we published the server code open source, this would not be the case: No one would be able to verify that the open source server code is actually running on our server – so publishing it is a bit pointless.”
https://www.reddit.com/r/tutanota/comments/ag08ba/is_all_of_tutanota_open_source_including_the/
Thanks
Tutanota Desktop Client actually offers BETTER security. There is one important reason: hackers or govs can’t replace the client code, because it is on your hard drive. Electron vulnerabilities have nothing to do with it, because using Tutanota Desktop you never open “external www sites” or other code.
I’ve been using the paid version of Tutanota for two years now and this year will be my last.
The downtime over the last year has been poor (a delay of an hour or more every fortnight, where it is impossible to access your emails!) while the constant crashing and updates for the desktop client make that unreliable.
Hello Greg Cash,
Have you contacted Tutanota support with this trouble?
[1st Year = OK, then 2nd Year = Downtime, Delays, Crashing ]
– Something possibly you changed/added (totally separate from Tutanota) on your system from the 1st to the 2nd year’s use with Tutanota that can explains this?
*Contacting Tutanota Support would maybe let you know if it’s on Their end or Yours.
For a paying customer their support is better ?
Can you comment on this and the other areas of Tutanota you found undesirable…
–
What OS version in the Desktop used – Windows ?
Out of curiosity does the web client give such trouble with its use?
Have you heard of GoldBug? I just have and am looking into it.
Thanks
The downtime in the first year was sporadic (web version only as the desktop client was not yet released). Unfortunately it has greatly increased this year.
It is not good enough to have no access to your mails for multiple hours every month.
I have contacted support about this matter several times and the replies have always been (usually after 24-36 hours) that it is a temporary problem which will be solved. The problem (unable to load the desktop client or load the inbox on the web page) always returns within a week or two. When I contact support with this follow-up information I have largely been ignored.
I have encountered this problem on Windows 8.1 (desktop client and web version) and also on the Android app (and via the web).
Quite simply Tuta have become more and more unreliable and it has become impossible to rely on continual access to my mails. Nowhere near good enough for a paid service.
Not heard of GoldBug.
Greetings Greg Cash,
I often believe that nothing said – is something said…
In Tutanota’s case on your troubles it may very well be ‘they don’t know’ and/or ‘have yet to run it down’ – to – ‘vetting of the solution is still in process of verification’ within the T team.
–
Maybe this week of Oct 7 after they have disabled Tutanota client(s) versions older than Version 3.59.8. – it may be a different arena.
[Tutanota stated with this news that their clients usually and automatically update itself].
* News was to insure your client version was at least 3.59.8. ]
–
If I was to go fishing from my memory – – ‘Tutanota’s Secure Search’ for the paid user (unlimited) may have developed in a taxing user option on Tutanota’s resources (server).
This Oct 7th client(s) update – implementing compression for emails so that your future emails will need less storage space – may remedy your downtime Greg – as a guess.
.
Do you know for sure the whole of Tutanota was down to the web or just for you?
Fishing:
Sites like “down for everyone or is it you” would confirm one or the other.
Then if it is you, where? / server handshake? , VPN you’ve used sets off some Tutanota alert (spam say).
– The Tutanota servers are located in secure and ISO27001 certified data centers in Germany.
https://tutanota.com/faq/#server-location
-I see ‘certified data centers’, as plural more than one. Maybe the server you’re on gives T the most trouble?
Maybe your location to Germany has something to do with connection or the hops – VPN encryption?
Thanks
Tutanota was inaccessible via 3 different IP addresses so it is very unlikely it was just me. Every other site I visited at that time was accessible!
History has shown them to be unreliable and if they can’t be trusted why use them?
The fact they said it was only a temporary error and then failed to elaborate after follow-up questions also leads me to believe they aren’t reliable (particularly as the problem keeps reoccurring).
This has been going on for months so the very least they have shown is that they are not good enough for time sensitive emails.
I’ve given them two years to perfect their system but, if anything, it has been getting worse. I won’t be giving them any more time or money.
Hi Greg Cash,
I totally empathize with anyone having trouble. I’m not naturally with a digital skill set (cause old school), but I do understand logic, then of research in running something down. IF, Logic may be defined as the science of reasoning – liken to mathematics, in your case the reasoning to move on I see is warranted…
– No insult and nothing I’ve just said is personally reflected from me towards you as in a harming way. You do well in trying to help yourself. The other pieces of any relevant data just don’t materialize.
–
I’ve done a general search for ‘complaints of Tutanota down time’ and only reviews (sites) are listed.
(No caption of texts shown to users complaints – with all the search links being shown.)
Are there users personal comments that involve Tutanota’s down time in these review sites? – if there are the volume must be small, as nothing appears to me or in a pattern of prolong and re-occurrence to prove or disprove. I feel more users documentations are needed to raise an alarm or dismiss.
Sorry, I wished I was able to help – or better if I did help some…
Regards : )
No offence taken.
If others have somehow had better service from Tutanota then good for them.
This is the first time I have posted comments like this on a public forum about them and have only come across a negative app review.
There doesn’t seem to be any other comments about them at all!
Perhaps other paid users are ok with some downtime; after all it is only 12 Euros per year. I wouldn’t be surprised if my requirements are greater than most users as some of my mails are time sensitive so to not have access to them is unacceptable.
Anyway I am in the process of switching over to runbox now and hope I don’t have any such issues with them.
Hi, no service is 100% safe, but even Tutanota can find your i, so with a good VPN you can stop that!
The bad thing is that they can see unencrypted messages!
So, always use the best & most secure ways:
VPN, encryption, secure connections…
Hi lonna,
Hope you don’t leave with that impression of Tutanota you have.
I think I can clear things up, it’s in – ‘Is Tutanota really secure?’ the #2 part that you’d need to click through on the ‘Transparency Report’ link offered. https://tutanota.com/blog/posts/transparency-report/
Yet looking for another link on this page to – German data protection laws. https://tutanota.com/blog/posts/data-protection-germany/
That’s where everything is spelled out or defined to understand for the user as regarding your data – it’s privacy within Tutanota, their cooperation with the German government/authorities, and to what if any data they can give if so ordered to – – and what state the data’s in (encrypted-clear texts).
Key points are:
1. It takes a ‘Monitoring (TKÜ) order from a German judge to be issued to Tutanota of the mailbox for initiating their compliance action.
A German judge can either issue a seizure of a mailbox or a real time monitoring of the mailbox (TKÜ), or both.
An order for real time monitoring of a mailbox refers to all emails received and sent from the relevant mailbox starting with the time of the order until a specified date (usually three months).
– Emails that are sent end-to-end encrypted with Tutanota can only be delivered in encrypted form.
– – Emails that are sent unencrypted are delivered in plain text if they arrive after we have received a valid German court order for a real time monitoring (TKÜ).
2. Plain text emails that have arrived before that have already been encrypted on the server and cannot be decrypted by us.
3. Know the 3 kinds of data types as explained by Tutanota that several authorities are allowed to ask ONLY for in certain data types. (Inventory data, Traffic data, Content data).
4. By default, we (Tutanota) don’t record IP addresses of our users. Therefore, IP addresses can only be recorded for a single user account after we received a valid German court order for a real time monitoring (TKÜ), but not for the past. There is no data retention law for email providers in Germany.
5. German constitution guarantees right to privacy, and regularly being defended by the Federal Constitutional Court in Germany.
For instance, in 2008 German politicians introduced a data retention law.
The Federal Constitutional Court declared this law as unconstitutional in 2010. In 2015, a new data retention law was introduced. The law explicitly states that the German data retention does not include email communication. Politicians hope that by excluding emails from the data retention law it will not be declared unconstitutional this time.
***The Federal Constitutional Court has yet to decide about this. However, the data retention law is not being enforced because of a court ruling that the law violates EU law.
6. Germany has one of the strongest policies: the Federal Data Protection Act (Bundesdatenschutzgesetz).
[This law protects users of Internet services. It puts the user in charge of what should be done with their data: Companies (=Tutanota) are not allowed to collect any personal information without express permission from an individual (=you), (i.e. name, date of birth, IP address). In Germany there is no law that could force us to submit to a gag order or to implement a backdoor.]
*Additionally, the new European General Data Protection Regulation (GDPR), which came into effect on May 25th 2018.
This regulation requires that companies protect personal information they handle. Any sharing of personal information such as a private home address, bank details, or CVs of applicants could lead to fines under GDPR.
It is recommended to protect emails containing personal information with proper end-to-end encryption.
[I do believe Tutanota is referring to itself in the last sentence instead of their users because what leads before hand – {This regulation requires that companies protect personal information they handle.]
–
So can you understand lonna that where it’s written and somewhat hard to find for the new shopper/user of Tutanota. Hope it was indeed information that changes your mind.
Maybe Sven can edit the key points to his liking and throw something more to that vague #2.
Greetings
Hello,
TUTANOTA will disable Tutanota client versions older than Version 3.59.8. in the week starting October 7th, for implementing compression for emails so that your future emails will need less storage space.
–
ProtonMail is listed as a Tutanota alternative, not that I found it good in my trial of it. Sven, I’d try to do a ProtonMail 10 questions interview article and have the best five reader contributed questions added so 15 total.
Sure you’d have to solicit your readers but once known you’d have a harder time picking the best 5 of the multitude given.
*Sure PM has a nice interface and you have actual PGP encryption keys you use, but that’s all I can say good of it.
–
PGP encryption – if you update your PGP key e.g. from RSA 2048 to RSA 4096, you need to decrypt your entire mailboxes data with your old 2048 private key and re-encrypt it with your new 4096 private key.
– Then it was said here, “Tutanota private keys are generated from the password you create, and Tutanota is not able to access them.
It seems to be a tradeoff:
Proton can change your private keys, but Proton has access to your private keys, which may not be ideal.
Tutanota explains their position in this article.” https://tutanota.com/blog/posts/innovative-encryption/
–
ProtonMail – things I’ve found didn’t suit me.
1. To upgrade storage size – involves a new plan invoice having to be created and a credit applied/pro-rated for what I’d paid.
Basically it’s cancelling out your current and starting a whole plan over again with storage added and not simply topping up your storage allotment and then charging based remaining main acc’s. time left with added storage.
If you bought during BF discount weekend like me, that deal you can’t upgrade the storage of your initial purchase, then you try later and with PM starting a new invoice that knocks you out of the BF pricing.
2. Having to use the me+alias@mydomain(.)com method for my aliases with my own custom domain addresses. Then to delete one of my CD aliases – no mail (even trash folder) can be in my account addressed to it to do so.
3. Alarming of ProtonMail’s start is they’ve accepted money from Corporations and/or Governments to what end – in being a cooperative of the 14eyes nations jurisdiction.
*Hearsay has it –
They’ve flipped-flopped their official response in a couple of heated forum thread questions where they interact off the proton site.
*Bitcoin payments are delayed for a time.
*Support takes a couple of contacts to drill down in their understanding of a problem you have and a few more to fully answer – like pulling teeth.
I must say Hard Sell, your findings always prove interesting and useful at the least. Thank you Sven also for providing such an in-depth analysis of what is currently one of my top Email provider choices right now.
–
I have been reading from various information and opinions regarding Tutanota’s Private Policy, comparing it to the likes of Posteo’s, which I was considering my Email provider of choice.
–
Points such as using Braintree as the payment service provider and how they store your data, Mail server logs and IP address storage, how to share the end-to-end encrypted mailbox password securely and the avoidance of PGP, were all mentioned against Tutanota.
–
I understand Posteo uses PGP encryption methods, and because I rarely send emails, I look towards the ‘encryption at rest’, private policy and other, may I say “static” security standards when looking at the right Email provider, and Posteo has been praised in these areas more-so than Tutanota.
–
I guess what I’m saying is, what is your – or anyone’s for this matter — opinion on the comparison between the nitty gritty details of these two email providers’ security and privacy standards? Do the points brought out matter that much? (All comes down to each individual I guess).
–
Other ‘community based’ providers were mentioned here too, and praised heavily may I add, such as Disroot and RiseUp, but I’m not sure what to think on these.
–
https://digdeeper.neocities.org/ghost/email.html
More information can be found here. I respect any information and all the effort put into articles such as these and Sven’s, I respect them all equally.
–
Any information/opinions will be appreciated. The more you know, the better 🙂 Thanks all.
–
PS. Sven do this kinda review on Posteo 😉
> PS. Sven do this kinda review on Posteo
It’s on the To Do List, coming soon…
You’re the best. Appreciate your hard work and dedication! =)
OTT Sir,
That’s good logic, I mean you think as I do asking for opinions – answers.
I’m currently using both Posteo / Tutanota and that’s the only way to know in their practical applications to your needs in usage regardless of what’s in print or mission statement and its encryption type and of the areas offered.
IF READING UP and things hit 3-4 out of 5 go for it a spell, treat as a burner account at first with tidbits of the real you.
–
There are things about both I care for and then don’t care as much for in my selves acquaintance knowing both.
– Posteo has seen the longest use, has a nicer fluid interface cept for your color choices. Tutanota has yet to change the mandatory election of the dark theme when signing in to see it – I see preferences or a global setting in your account making this permanent but where is that…
Can’t click-on a message and drag it up-down in tutanota must use the side window scroll bar and that’s annoying.
–
I’m on a slow cell’s data signal to my rig (dedicated hotspot) hardwired USB to my tower and at times posteo with some error pop-up does act as if it’s timed out to recover, recovers quick but this happens every minute or so some days.
*It gets confused when I log in with a no cookies policy allowed from other installed programs of mine (FIRST-THIRD) party. I have to hit my password manager filling the form that’s rendered in german the second time round.
–
IMPORTANTLY the encryption used in posteo isn’t automatic as that’s found being offered as with Tutanota.
https://posteo.de/en/help?search=encryption
Then this may inform too-
https://posteo.de/en/help?tag=end-to-end
That’s a real handicap to the novice users and brother I’m in the ranks as one, I just read too much and talk too much tying my logic to people’s questions in hopes to stimulate thoughts in them or answering point on.
–
The help section for encryption found here (both links above) leads this belief as I didn’t set any on this account.
– Posteo, Supports two-factor authentication (2FA)
https://posteo.de/en/help/what-is-two-factor-authentication-and-how-do-i-set-it-up
–
Can’t use your custom domain with posteo as you can with tutanota – if now or planning on getting one.
– What I’ve done in the past is close out my account every year with posteo and about a month before that I’ll add credit funds to it enough for another year.
Then I’d open another posteo account from a different IP address, then create a Posteo credit/gift voucher code from the old’s accounts surplus – to – my funding the new account with.
https://posteo.de/en/help/how-do-i-use-a-posteo-voucher-code
–
If these hold true then that should never be linked to anything but the voucher code that’s null of my info…
– Payment:
You can pay by PayPal, bank transfer, credit card or in cash. Personal information that we receive in connection with bank transfers, PayPal and credit card payments is not linked to your account. With Posteo, your payment is always, therefore, anonymous.
– Vouchers:
You can transfer some of your credit to a voucher, to give to others. Vouchers can be used, for example, to add credit to family members’ accounts.
. . .
Any of this insightful or possibly new ideals jump out at you?
Greetings : + SPACE-BAR and ) = : ) need a spacebar character in there.
Hello Sven and OTT
I did leave OTT a reply here some hours ago – after the MY MY Paulie reply.
I got the popups for both times in (Paulie and OTT), “your post is waiting for moderation” or as such the notice conveyed.
I DID EDIT Paulie reply beforehand a couple of times after getting the popups for submission – using my browser’s page-back arrow.
Any effect of that losing my Hi OTT Sir reply, not sure but I might have answered in another topic’s page here between Paulie and OTT. Any chance it’s still held in memory and/or it’s waiting your moderation.
– If not so to a recovery, OTT should get a hands on of both – tutanota and posteo they both have pros and cons with me. OTT you won’t know yours if somebody else discourages you in the experimenting and experiencing process.
Tutanota has a free account and you’ll have to pay a year for Posteo at 1 euro a month but, 2 gigs is hard to use if you don’t live for emails. I’m at 8%.
@Hard Sell
Find that you have some good statements and I am not to the same level as you or most any on this site for security. However, I wish to share some of my thoughts on the article, a friend’s comments that does security for a living and your comments.
First, the encryption that they use is adequate. However, as was expressed they are using their own created encryption and also setting it up. The issue comes that there is some big trust needed to trust they set it up correctly. If not, it will not be secure. Are they doing it right? Probably. But the security then is back to trust.
Being in 14 eyes, I don’t trust. I hear the courts saying they can’t do —. However I have seen the courts also disregard laws because they don’t like to enforce it. How do we know what is going on behind the scenes?
The comment on their pricing, while cheaper per month, was not as good for me. I am an NPO and the documents I use to set up my NPO with bank accounts, tax docs and other things were outright rejected by Tutanota. Proton mail didn’t even blink.
The customer service between my free Tutanota account and my free PM account is different. While smaller, it was two weeks for Tutanota to respond to one contact. Even as a potential new paying customer I did not receive the CS I had hoped I would get. PM, It was as if I was already a paying customer. Then when I would email as a paying PM customer, my questions were answered in minutes if not hours.
Both PM and Tutanota must abide by the laws of their nations. However, even Tutanota has the fact that they too can read unencrypted emails.
Now email security. When I signed up with PM, I set up the account PGP, turned my domain DKIM, MX and SPF ratings on my DNSF files. Tutanota, at the time did not have that. I see DKIM now on the article so I am glad about that but to me they are a little behind in this regard.
This is just my two cents and I am in no way trying to fight and I know Tutanota enjoys a very special place to many here including Sven and rightfully, if they earned it, they should.
However, because half of what is often said is over my head, I have to go practical. Who gives me the best CS and benefits that I do understand. I keep and use my free Tutanota account. As far as my email it has my name and org in the email so secrecy is not a major player to me on that front as I must have it that way for emails from my ORG. Who gives me the best in areas I do know: Return emails, prompt support, technical aid, fast and courteous CS and answers and the ability to work with me in ways I understand (it took a bit of hassle to set up my email and PM went over and above to help).
So, without meaning to fight this was just my layman’s knowledge. I have learned a lot from the site and am enjoying reading.
I should say, I do not work for, nor receive any money from PM, nor do they pay me or give me “kickbacks” to promote them.
I am just a regular guy who wants to use secure services, stay away from the corp. conglomerates and just get the best bang for my buck. Just thought I would post that disclaimer before I am thought of as being a PM troller.
Greetings JM,
I’m answering both comments here.
I’m also clean too, meaning point blank – – the only compensation I ever get, is what I can bank in my heart – not the pocketbook. (Thank you – helped – understand – agree) or giving their time to respond back proper.
That’s where it’s at with me – besides the knowledge, if I should research an area/subject that interests me in their case.
–
I liked your outline (direction, details, purpose) you’ve presented in the quest related to your first comment. That helps me and others understand many things.
For one, how to move from point ‘A’ to ‘B’ and to know that route can be an uphill one covering many points. A struggle for the novice person, and where there might be relief-nourishment-rest, so to speak.
– Trouble is for any Novice person (I consider myself one), they must TRUST everything digital tech offers.
.
Till the pieces/points are reverend – liken in an order as (science-religion) have taught where ones dedications to the practice in their principles leads into a position of trust called Faith by repeatedly experimenting and experiencing the process or results.
[Ex: First time I set in a chair I trust it will hold me.
Every time after my 10 seating of said chair – I’ve gone from a trust state to a faith state now. ]
– – That puts said chair on a watch status for inspection, maintenance, comparison to new trends and ideals that technology bombards with daily.
[I try to live daily connected to the web but I do take vacations from it too] ; – )
– – –
I think I might have answered some to your points in responses to others here – please have a look.
I see you’ve mentioned a friend’s trust and his background being associated to a security field. *That’s all we really want is like a vetted friend’s relationship for our software/services required today, because as friends interaction with us they learn about us and have that power in our lives to harm or help…
LET ME LEAVE YOU WITH THIS MENTAL PICTURE.
Imagine a rotating ‘Totem Pole’ (no disrespect ever meant), all the carvings of faces stacked looking onward/outward.
See their stacked order as knowledge levels.
I have a low position on the pole, I can only help from that perspective that I’ve seen from my experiences lived.
As this ‘Totem Pole’ rotates I get a 360 view (and give from) that level of understanding or from a hands on aptitude – the help I offer to another here.
We need more people here on Restore Privacy taking a spin on the ‘Totem Pole’ above me and offering the perspective from their mind’s eye view from their experiences in a hands on aptitude they’ve lived.
Thanks : )
JM
I edit a lot sometimes it doesn’t stick.
This was meant after the Mental Picture part.
–
To help answer the questions or correct misnomers, to helping grow people’s researching and reasoning traits, build up their deducting skills by using your examples.
By all levels of people offering their own examples up of how/where as their own quests answers came to find merit to a logical conclusion they had undertook.
I’m referring to what novice people want (a direction of attack) cause you can’t guide or TUT it enough to take them by the hand.
You tell them how you learnt something and showing how by your examples to go about learning in the digital age in how you understood it. That aids the RP site to offer more value and represents the individuals reading here that care.
Thanks :
Great review.
I like Tutanota but like you said they need to accept cryptocurrency (BAT could be cool too since I’ve got a bunch with nowhere to go). I would also like to see them fix their pricing plans, I don’t like the idea of switching to a paid plan and not getting more space.
Apologies Sven, I forgot to post the link to GoldBug in my last comment:
http://goldbug.sourceforge.net/
Regards, Paulie 🙂
Hi Sven, I enjoyed this informative and impartial review of Tutanota. It is interesting that they don’t use PGP, which you mentioned in a previous comment to me (on the last article about Tor) is reportedly because it would hinder their ability for future upgrades to defend against quantum decryption attacks, but it’s also interesting that they use “only” AES-128 encryption. I do take your point about the difficulty of breaking even that level of encryption with the best computers of today, and I don’t mean to labour the point on quantum cryptography or to sound too paranoid about something which may be rather a more distant future concern, but still mindful of all that I wish to ask how does GoldBug compare or do you know of it? I know only what I have read on their website and they advertise it as a decentralized secure email and messenger with end-to-end encryption. They use hybrid multi-encryption with zero plain text and no PGP either, their source code is open source and audited. Interestingly, they describe their encryption as “quantum-secure” using McEliece + NTRU instead of RSA, and providing IFPS (instant forward perfect secrecy). From my limited knowledge and checking the info on Wikipedia it certainly appears that the McEliece encryption algorithm is immune to attack by Shor’s algorithm (the latter is commonly used in quantum computers for factoring integers – i.e. breaking encryption). Anyhow, perhaps GoldBug may be worth a look? Regards, Paulie.
Cool I’ll check that out.
My My Paulie your support of the site is a blessing.
The first link you gave on your comment(s) in Sven’s Tor article was enlightening, though the drift I get from it to quantum computing – is it’s out of this world / no really all – that’s the realm where its answers come from being the cosmos.
–
https://www.naturalnews.com/2019-09-24-d-wave-2000-qubit-quantum-computing-encryption.html
“Factoring integers” is the key to breaking encryption.
In fact, it is the extreme difficulty of factoring very large numbers that makes encryption incredibly difficult to break using classical computing.
But as quantum computing translates exponentially complex mathematical problems into simple, linear (or you could call it “geometric”) math, making the computation ridiculously simple. (In truth, quantum computers aren’t “computing” anything. The universe is doing the computations. The quantum computer is merely an interface that talks to the underlying computational nature of physical reality, which is all based on a hyper-computational matrix that calculates cause-effect solutions for all subatomic particles and atomic elements, across the entire cosmos.)
.
The best way to describe this is to imagine quantum computers as computational stargates. They submit mathematical questions into a hyper-dimensional reality (the quantum reality of superposition, etc.), and the universe itself carries out the computation because the very fabric of reality is mathematical at its core.
As some brilliant scientists say, the universe IS mathematics, and thus the fabric of reality cannot help but automatically compute solutions in every slice of time, with seemingly infinite computational capability down to the subatomic level.
– Put another way, the world of quantum phenomena is constantly trying out all possible combinations and permutations of atomic spin states and subatomic particles, and it naturally and automatically derives the best combination that achieves the lowest energy state (i.e. the least amount of chaos).
@ spell bound Interesting – lest to me.
.
Then it was stated “the rule of thumb is that by the time breakthrough technology gets reported, the government is already a decade beyond that”.
Well I hope there’s someone still left in a cabinet’s position that’s having the smarts.
– – – – – – – – –
Good to see your mention of GoldBug – but really the bug as part of a name for any privacy product sounds spy-like to me.
Briefly looking it over, https://compendio.github.io/goldbug-manual/
*In addition to RSA GoldBug has yet implemented the encryption algorithms Elgamal and also NTRU and McEliece. The latter two are also considered to be particularly resistant to the attacks known from quantum computing.
.
QUESTION — how does anyone know something will be particularly resistant to the attacks known from quantum computing? There’s barely news that one exists (though – it’s manufactured for sale today as a D-Wave 2000Q™ Quantum Computer – Technology Overview: https://www.dwavesys.com/sites/default/files/D-Wave%202000Q%20Tech%20Collateral_0117F.pdf)
– YOU, ME and all the John Does can only speculate on this…
Thanks ( :
Hi all…
While I don’t know if the claims are true, I happened to read the article linked to below from the first site (Natural News) that Hard Sell mentioned in his post above…
[https://www.naturalnews.com/2019-09-23-nsa-is-archiving-all-encrypted-emails-and-transactions-quantum-computing.html]
If this is true, my hope is that research and development of stronger, quantum resistant “cryptography solutions” will be expedited.
Regards…
A.R.D.
Thanks A.R.D. – for bringing this up.
Could be why Tutanota went the encrypted direction it took. And it was Paulie’s comment that fed my link offered.
.
I guess for laymen – novice to visualize data that can be seen from a past data timeshot, the best example to see how (digital content) can be trapped and stored – – not seen (aka – to you in your case it’s now long deleted or deep down in a folder), as time advances because it’s been a trapped digital timeshot caught of the past data.
Would be to look at anything trapped in time here-
https://archive.org/web/
[You could go back to a website you know how it looks today to say 4-years ago look…]
–
https://en.wikipedia.org/wiki/Wayback_Machine
–
I could see the governments using stronger “crawlers” such as the service does above for other pieces to add to the pooled data on a subject (you). Then brick-n-mortar records making it to a server of any company you purchased from, caught in some agreement with governments of the businesses operating in their country for otherwise inaccessible data access.
– Imagine all the leads as tree branches and root systems and as like the secondaries of rivers and streams all having a main trunk or supply as feeding or being fed.
–
Stored Communications Act
https://en.wikipedia.org/wiki/Stored_Communications_Act
Email Privacy Act Comes Back, Hopefully to Stay
https://www.eff.org/deeplinks/2018/05/email-privacy-act-comes-back-hopefully-stay
“Today, when government agents seek electronic communications from companies and service providers, they don’t actually follow the rules set forth in the 1986 Electronic Communications Privacy Act.
While the text of that law splinters warrant protections according to an arbitrary time restriction (emails older than 180 days have no warrant requirement protections; emails newer than 180 days sometimes do) since the Sixth Circuit’s decision in Warshak, providers have required a full search warrant for all email content.”
–
Yelp and then the backups made on servers containing the very same data – how many times can you make clones of it blurring the law’s effect to protect…
– – So info of emails decryption of its encryption standards means any digital encrypted content, service, are broke – three years,,, Well eyes wide open here…
Thanks very good.