Darknetlive

Tutanota is Hardly the Solution to the ProtonMail Problem

Readers of Darknetlive, as well as users of Dread, have rightly recognized the risks associated with the use of ProtonMail. But the proposed alternatives are not without fault either.

Although ProtonMail is one of the few email providers that is not openly hostile to people who value their privacy, the company's willingness to comply with law enforcement has concerned some users. To be fair, it is difficult to criticize a company that fights the majority of law enforcement requests it receives. But when the company logged and handed over a user's IP address on an order that originated not with a Swiss court but with a foreign police agency (routed to Swiss authorities through Europol), it opened the door to unconditional criticism, most of which has already been aired by commenters and bloggers.

Just drinking a cup of coffee. Normal OPSEC things.

One of the alternatives proposed by readers of this site is the email provider Tutanota. Tutanota offers some of the same features as ProtonMail but differs in several significant ways. Although both services offer end-to-end encryption, Tutanota does not use OpenPGP; it uses its own AES/RSA scheme, described below.

Oh, and there is that unavoidable javascript thing.

From the company's FAQ on why it does not use PGP:

Tutanota uses standard algorithms also used by PGP (AES 128 / RSA 2048) for encrypting the entire mailbox. Tutanota does not use an implementation of PGP because PGP lacks important requirements that we plan to achieve with Tutanota:

  • PGP does not encrypt the subject line (already achieved in Tutanota),
  • PGP algorithms can’t be easily updated,
  • PGP has no option for Perfect Forward Secrecy.

A further description from one of the company’s FAQ pages:

For the email encryption between users, Tutanota uses a standardized, hybrid method consisting of a symmetrical and an asymmetrical algorithm. Tutanota uses AES with a length of 128 bit and RSA with 2048 bit. Emails to external recipients are encrypted symmetrically with AES 128 bit.
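Added here as an illustration, not Tutanota's own code (which this page does not show): a minimal hybrid envelope in Go built from the primitives the FAQ names, AES-128 for the content and RSA-2048 to wrap the per-message key. The FAQ does not state modes or padding, so AES-GCM and RSA-OAEP are assumptions, as is the JSON layout and every name below. The point it makes concrete is the first FAQ bullet: the subject line is part of the encrypted payload, whereas a PGP-style layout leaves it in a cleartext header that the provider (and anyone with a court order for "stored content data") can read.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Message is what the sender wants to keep private. The subject is part of
// it, so it ends up inside the ciphertext rather than in a cleartext header.
type Message struct {
	Subject string `json:"subject"`
	Body    string `json:"body"`
}

// Envelope is the hypothetical stored form: everything the provider can see.
type Envelope struct {
	WrappedKey []byte // random AES-128 key, wrapped with the recipient's RSA-2048 key (OAEP)
	Nonce      []byte // AES-GCM nonce
	Payload    []byte // AES-128-GCM ciphertext of the JSON-encoded Message
}

// PGPStyle models the classic OpenPGP mail layout: encrypted body,
// Subject header in clear.
type PGPStyle struct {
	Subject string
	Body    Envelope
}

func aesGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the hybrid step: fresh symmetric key per message, message encrypted
// under it, key wrapped with the recipient's public key.
func Seal(pub *rsa.PublicKey, msg Message) (Envelope, error) {
	plaintext, err := json.Marshal(msg)
	if err != nil {
		return Envelope{}, err
	}
	key := make([]byte, 16) // AES-128, the size the FAQ states
	if _, err := rand.Read(key); err != nil {
		return Envelope{}, err
	}
	gcm, err := aesGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	payload := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Nonce: nonce, Payload: payload}, nil
}

// Open reverses Seal. GCM authentication makes a tampered envelope fail
// here instead of decrypting to garbage.
func Open(priv *rsa.PrivateKey, env Envelope) (Message, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return Message{}, err
	}
	gcm, err := aesGCM(key)
	if err != nil {
		return Message{}, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Payload, nil)
	if err != nil {
		return Message{}, err
	}
	var msg Message
	if err := json.Unmarshal(plaintext, &msg); err != nil {
		return Message{}, err
	}
	return msg, nil
}

// SealPGPStyle encrypts only the body and leaves the subject as a header.
func SealPGPStyle(pub *rsa.PublicKey, msg Message) (PGPStyle, error) {
	body, err := Seal(pub, Message{Body: msg.Body})
	if err != nil {
		return PGPStyle{}, err
	}
	return PGPStyle{Subject: msg.Subject, Body: body}, nil
}

// EnvelopeLeaks reports whether s is readable in the stored envelope without
// the private key, i.e. whether the provider could read it.
func EnvelopeLeaks(env Envelope, s string) bool {
	needle := []byte(s)
	return bytes.Contains(env.WrappedKey, needle) ||
		bytes.Contains(env.Nonce, needle) ||
		bytes.Contains(env.Payload, needle)
}

// PGPStyleLeaks does the same for the classic layout.
func PGPStyleLeaks(p PGPStyle, s string) bool {
	return bytes.Contains([]byte(p.Subject), []byte(s)) || EnvelopeLeaks(p.Body, s)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	msg := Message{Subject: "order 4711 shipped", Body: "tracking number follows"} // constructed sample
	env, _ := Seal(&priv.PublicKey, msg)
	pgp, _ := SealPGPStyle(&priv.PublicKey, msg)
	fmt.Println("provider can read subject, subject inside envelope:", EnvelopeLeaks(env, msg.Subject))
	fmt.Println("provider can read subject, PGP-style header:       ", PGPStyleLeaks(pgp, msg.Subject))
	got, err := Open(priv, env)
	fmt.Println("round trip ok:", got == msg && err == nil)
}
```

What the example does not model is the FAQ's third bullet: the recipient's RSA key is static, so whoever later obtains that private key (or the password that protects it) can open every stored envelope ever sent to it. That is exactly the gap "perfect forward secrecy" names, and the scheme above, like PGP, does not close it.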

The consensus seems to be that JavaScript is unavoidable with a secure email provider that performs encryption client-side, since the cryptography runs in the browser. As with ProtonMail, Tutanota is unusable with JavaScript disabled, so Tor Browser users at the Safest security level (which disables JavaScript) cannot reach their inbox without lowering that setting.

A complaint about ProtonMail is that the company makes it complicated to pay for services with cryptocurrency. If you open the ProtonMail payment portal and select "Add Payment," you are offered two choices: credit card or PayPal. To pay with cryptocurrency (only Bitcoin is supported), you have to select "Add Credits" instead. Once credits are added, services can be paid for with those credits rather than the two payment options above. (Note: this is how ProtonMail used to work. It is possible that paying invoices with account credits is no longer an option.)

Tutanota, however, will gladly accept donations in Bitcoin, Monero, Bitcoin Cash, Ethereum, PayPal, and credit cards. To actually pay for Tutanota services, though, users have only two options: credit card or PayPal. Cryptocurrency payment is on the company's roadmap, but the company has been promising it since 2017. The GitHub issue has received no updates and has been closed as "Off-Topic."

ProtonMail's onion service provides what looks like a false sense of security: it is of no use to Tor users with JavaScript disabled, since the web client still will not load. Tutanota offers no onion service at all. It would likely be just as unusable if they did, but the company appears either dismissive of or opposed to the idea. Although an onion service was added to the roadmap, the corresponding GitHub issue was marked "Off-Topic," and the company published a somewhat confusing blog post about how everyone should use Tor. The post read as though it were announcing a Tutanota onion service; it was not.

Oh, there it is on the roadmap. Right below support for emojis.

Does Tutanota log I.P. addresses? Well:

We only log IP addresses of individual accounts in case of serious criminal acts such as murder, child pornography, robbery, bomb threats and blackmail after being served a valid court order by a German judge. You can find details on this as well as on German data protection rights on our blog.

Which is effectively no different from ProtonMail's policy: neither logs IP addresses by default, and both will start logging a specific account once a court orders it. Tutanota apparently does not release information without a court order on its own initiative, or at least it has not admitted to doing so.

At the heart of the issue, though, is the company's transparency report. After all, the recent stir about ProtonMail stemmed from an unfavorable update to its transparency report. To recap that incident: ProtonMail complied with a legally binding order from Swiss authorities, issued on a request that originated with French police and reached Switzerland via Europol, and the logged IP address led to the arrest of a person ProtonMail described as a "climate activist." The form of activism, illegally occupying buildings, seems like homelessness with more steps. It seems equally bizarre that law enforcement agencies would devote the time and effort required to identify a ProtonMail user simply to arrest some totally-not-homeless person.

Here are the entries from the company’s transparency report for 2021:

Between the 1st of January 2021 and 30th of June 2021 Tutanota has

  • received requests for inventory data in 109 cases.
  • released inventory data in 6 cases.
  • received requests for real time traffic data in 23 cases.
  • released real time traffic data because of a German court order in 13 cases.
  • received requests for stored content data in 32 cases.
  • released stored encrypted content data because of a German court order in 21 cases.
  • received requests for real time content data in 16 cases.
  • released real time content data because of a German court order in 12 cases.

And for 2020:

Between the 1st of July 2020 and 31st of December 2020 Tutanota has

  • received requests for inventory data in 92 cases.
  • released inventory data in 2 cases.
  • received requests for real time traffic data in 20 cases.
  • released real time traffic data because of a German court order in 0 cases.
  • received requests for stored content data in 37 cases.
  • released stored encrypted content data because of a German court order in 34 cases.
  • received requests for real time content data in 18 cases.
  • released real time content data because of a German court order in 0 cases.

Between the 1st of January 2020 and 30th of June 2020 Tutanota has

  • received requests for inventory data in 93 cases.
  • released inventory data in 2 cases.
  • received requests for real time traffic data in 5 cases.
  • released real time traffic data because of a German court order in 0 cases.
  • received requests for stored content data in 24 cases.
  • released stored encrypted content data because of a German court order in 22 cases.
  • received requests for real time content data in 5 cases.
  • released real time content data because of a German court order in 0 cases.

The notable shift is in the two real-time categories: zero releases of real-time traffic data or real-time content data in either half of 2020, then 13 and 12 in the first half of 2021. Stored-content releases stayed in the same range (22, 34, then 21). The categories are worth reading carefully. "Stored encrypted content data" is the mailbox as Tutanota holds it, encrypted under keys that are themselves protected by the user's password, so a copy handed over is of little use without that password. "Real time content data" is a different matter: ordinary mail arriving from other providers reaches Tutanota's servers in plaintext before it is encrypted for the mailbox, and an order covering new mail to a specific account can be satisfied at that point. Tutanota provides entries for several earlier periods on its transparency report as well.

At the end of the day, depending on the threat model, people might need to operate as if nobody is trustworthy, and in this context that is simply true. There are companies with what appear to be good track records, such as Posteo; according to its transparency report, it has complied with only one court order, a mailbox seizure. But Posteo, like any other email provider operating in the open, is no different in principle from ProtonMail or Tutanota when it comes to compliance with law enforcement. I suspect the people over at Elude have not complied with a single court order; I am not sure how law enforcement would serve one anyway. Please correct me if I am wrong on this count.


P.S. I see people recommending Matrix as an alternative social networking/messaging platform. The Matrix.org foundation is suspicious at best as far as their metadata acquisition and retention policies go. Following their recommendations for setting up a self-hosted instance or using their recommended clients makes it very difficult to remove matrix.org and vector.im from the scenario.

Comments
ed569771
c1f9d7f0 Fri, Dec 17, 2021

The messenger called S0NAR is a good alternative, check it out.

8269f6e0
34351520 Tue, Dec 7, 2021

glowing

1ce0941f
df583cd0 Tue, Dec 7, 2021

What about riseup?
They have a .onion, have been online since 1999, they do not collect IP info.

23d9b203
c4c7ffd0 Tue, Dec 7, 2021

Don't you need an invite code to get a riseup account?

b0d49d9a
e16fd5f0 Tue, Dec 7, 2021

Riseup.net is a joke of an email provider which requires an invite from an existing user, making an invite impossible to get. Not that you'd want one, because you must be a communist to use Riseup, and you're supporting communists if you do. I can't in good conscience do that when I recall that communists killed 100,000,000 people the world over during the last 100 years. I will not join your death cult.

31aa86c4
30b62380 Wed, Dec 8, 2021

unironically recommends riseup
They’re a bunch of leftist cucks & you write the word “nigger” too often, they will remove you from the service and try to dox you.

cb2e8b37
2d8fcf90 Tue, Dec 7, 2021

Could also consider the pros and cons of an onion e-mail provider like tormail.

92296f97
005d7b00 Tue, Dec 7, 2021

I really don’t get what people expect from these companies. Do you really think an above ground corporation with a listed address is going to tell a court “no?” That’s a great way to get your servers seized. Anyone off the grid enough to ignore these requests will come with their own problems and probably be even worse for security. Remember Freedom Hosting / Tormail?

f2271951
8920b5e0 Tue, Dec 7, 2021

I agree. Tutanota is providing privacy, not anonymity. If you’re looking for anonymity then you should be using throwaway emails.

a03010fb
54a6ad20 Wed, Dec 8, 2021

All in all, if you want to be secure then do as Mr_white does.

Even if you use email, enforce PGP for messages or mail.

Yes, the subject is not encrypted, but the body of the message is.

At least you can fight, because there is no other way to decode the message.

a0c5c76a
13c8c8d0 Wed, Dec 8, 2021

Matrix is no alternative as it’s not an email provider. Matrix team is full of anti-1st amendment, but full of pedo, tranny and furry people. If you want to trust these people with your data, good luck.
I’d say in less than 5 years we’ll see a pedo getting kicked from the matrix team, not because he was the only one but because he was identified by outsiders/LE.

In case you missed it, PGP is indeed the worst (privacy-wise), for the reasons outlined by tuta (and a few more).

Lastly, if you believe that the protonmail dude who got arrested was your average peaceful “climate activist” you are dumber than my wife.

b63e4a43
0e629e80 Wed, Dec 8, 2021

Email in general shouldn't be trusted if you're looking to do anything less than legal or moral. All providers have their own issues.
Don't rely on email providers to encrypt things. Leave your subject line empty or irrelevant, manually encrypt and sign your messages, etc. Common sense stuff.

1fde055d
381a82a0 Wed, Dec 8, 2021

cock.li, people!

96b94010
3564c5f0 Thu, Dec 9, 2021

cock.li requires invites now. It used to be ok, but now it’s more or less inaccessible.
Cock.li also requires javascript, so it shouldn’t be used for highly illegal acts such as buying or selling drugs.

408547d5
ded69d00 Fri, Dec 10, 2021

Countermail... suits me.

9c5cfe72
43798240 Mon, Dec 27, 2021

By design, e-mail cannot and will not ever be a secure method of communication. End of discussion. That is why Lavabit shut down when the feds tried to come for Snowden's emails. They even said that is why they shut down, because they had no way to be 100% secure. I don't know when people will finally learn this about e-mail. Even running your own email server is not secure.
