Thursday, May 26, 2022
Tutanota is Hardly the Solution to the ProtonMail Problem

Although ProtonMail is one of the few email providers that are not openly hostile to those who value their privacy, the company’s willingness to comply with law enforcement has concerned some users. To be fair, it is understandably difficult for me to criticize such a company when they do fight the majority of requests by law enforcement agencies. But when the company arbitrarily decided to comply with a request for information from law enforcement without a court order, they opened the door to unconditional criticism (most of which has been highlighted by commenters or various bloggers online).

One of the alternatives proposed by readers of this site is the email provider Tutanota. Tutanota provides some of the same features provided by ProtonMail but has many significant differences. Although both email services offer end-to-end encryption, Tutanota does not rely on PGP.

Tutanota uses standard algorithms also being used by PGP (AES 128 / RSA 2048) for encrypting the entire mailbox. Tutanota does not use an implementation of PGP because PGP lacks important requirements that we plan to achieve with Tutanota:

  • PGP does not encrypt the subject line (already achieved in Tutanota),
  • PGP algorithms can’t be easily updated,
  • PGP has no option for Perfect Forward Secrecy.

A further description from one of the company’s FAQ pages:

For the email encryption between users, Tutanota uses a standardized, hybrid method consisting of a symmetrical and an asymmetrical algorithm. Tutanota uses AES with a length of 128 bit and RSA with 2048 bit. Emails to external recipients are encrypted symmetrically with AES 128 bit.
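To make the FAQ's description concrete, here is an added example (my own illustration, not code from Tutanota or ProtonMail) of the hybrid pattern it describes: a random AES-128 key encrypts the message, and RSA-2048 encrypts that key to the recipient. It also encrypts the subject line, the first point in the company's list above. The choice of AES-GCM, RSA-OAEP with SHA-256, the field labels and the `Envelope` layout are my assumptions for the sake of a runnable demo; nothing on the page states what formats Tutanota actually uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is a stored message in which every field, subject included, is ciphertext.
// The layout is an assumption for this example, not Tutanota's real storage format.
type Envelope struct {
	WrappedKey []byte // random AES-128 key, encrypted to the recipient's RSA-2048 public key
	Subject    []byte // nonce || AES-GCM ciphertext of the subject line
	Body       []byte // nonce || AES-GCM ciphertext of the body
}

// sealField encrypts one field under the per-message key with a fresh nonce; the label is
// bound as associated data so a ciphertext cannot be moved into another field's slot.
func sealField(aead cipher.AEAD, label string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// openField splits off the nonce and verifies the GCM tag before returning plaintext.
func openField(aead cipher.AEAD, label string, blob []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("%s: ciphertext too short", label)
	}
	return aead.Open(nil, blob[:n], blob[n:], []byte(label))
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the hybrid step: AES-128 encrypts subject and body, RSA-OAEP wraps the AES key.
func Seal(recipient *rsa.PublicKey, subject, body string) (*Envelope, error) {
	key := make([]byte, 16) // 128-bit symmetric key, one per message
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	env := &Envelope{}
	if env.Subject, err = sealField(aead, "subject", []byte(subject)); err != nil {
		return nil, err
	}
	if env.Body, err = sealField(aead, "body", []byte(body)); err != nil {
		return nil, err
	}
	env.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	return env, err
}

// Open reverses Seal; only the holder of the RSA private key can recover the AES key.
func Open(priv *rsa.PrivateKey, env *Envelope) (string, string, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return "", "", err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return "", "", err
	}
	s, err := openField(aead, "subject", env.Subject)
	if err != nil {
		return "", "", err
	}
	b, err := openField(aead, "body", env.Body)
	return string(s), string(b), err
}

// Demo runs one round trip with a fresh RSA-2048 key pair; with tamper set it flips one
// byte of the stored body first, which must make Open fail rather than return garbage.
func Demo(tamper bool) (string, string, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", "", err
	}
	env, err := Seal(&priv.PublicKey, "meeting location", "see you at 9")
	if err != nil {
		return "", "", err
	}
	if tamper {
		env.Body[len(env.Body)-1] ^= 0x01
	}
	return Open(priv, env)
}

func main() { fmt.Println(Demo(false)) }
```

`go run` prints the recovered subject and body. The point for the user is that the server stores only `Envelope` fields, none of which it can read without the recipient's private key, and that a modified ciphertext is rejected outright. For the FAQ's "external recipients" case (symmetric only, AES 128), the RSA wrap would be replaced by a key both sides derive from a shared secret; that variant is not shown here.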

I suppose the consensus is that JavaScript is unavoidable when using a secure email provider that offers client-side encryption. As with ProtonMail, Tutanota is unusable with JavaScript disabled. Most security-conscious Tor users are then unable to access their inbox (without changing their security settings).

A complaint about ProtonMail is that the company makes it complicated to pay for services with cryptocurrency. In fact, if you access the ProtonMail payment portal and select “Add Payment,” you are greeted with two choices: paying via credit card or PayPal. In order to use cryptocurrency (they only support Bitcoin), you have to select “Add Credits.” After adding credits, one can pay for ProtonMail services with the credits instead of the two payment options listed above. (Note: this is how ProtonMail used to work. It is possible that paying invoices with account credits is no longer an option.)

Tutanota, however, will gladly accept donations in the form of Bitcoin, Monero, Bitcoin Cash, Ethereum, PayPal, and credit cards. However, in order to actually pay for Tutanota services, users have only two options: credit cards or PayPal. Cryptocurrency payments are on the company’s roadmap. However, the company has been promising support for cryptocurrency payments since 2017. There have not been any updates to the issue on GitHub and it has been closed as “Off-Topic.”

ProtonMail provides what appears to be a false sense of security through their onion service. Naturally, it provides no function to Tor users with JavaScript disabled. Tutanota does not offer an onion service. Although it would likely be unusable if they did, they appear either dismissive of or opposed to the idea. Although the company added support for an onion service to their roadmap, they marked the issue on GitHub “Off-Topic” and published a somewhat confusing blog post about how everyone should use Tor. The post read like the unveiling of a Tutanota onion service, but no such service followed.

Does Tutanota log IP addresses? Well:

We only log IP addresses of individual accounts in case of serious criminal acts such as murder, child pornography, robbery, bomb threats and blackmail after being served a valid court order by a German judge. You can find details on this as well as on German data protection rights on our blog.

Which is effectively no different from ProtonMail’s logging policy. Tutanota apparently does not arbitrarily decide to release information without a court order, though. Or at least they have not admitted to doing so.

At the heart of the issue, though, is the company’s transparency report. After all, the recent stir about ProtonMail stemmed from an unfavorable update to their transparency report. To recap that incident, ProtonMail complied with a lawful court order that resulted in the arrest of a person identified by ProtonMail as a so-called “climate activist.” The form of activism, illegally occupying buildings, seems like homelessness with more steps. It seems equally bizarre that law enforcement agencies would devote the time and effort required to identify a ProtonMail user simply to arrest some totally-not-homeless person.

Here are the entries from the company’s transparency report for 2021:

Between the 1st of January 2021 and 30th of June 2021 Tutanota has

  • received requests for inventory data in 109 cases.
  • released inventory data in 6 cases.
  • received requests for real time traffic data in 23 cases.
  • released real time traffic data because of a German court order in 13 cases.
  • received requests for stored content data in 32 cases.
  • released stored encrypted content data because of a German court order in 21 cases.
  • received requests for real time content data in 16 cases.
  • released real time content data because of a German court order in 12 cases.

And for 2020:

Between the 1st of July 2020 and 31st of December 2020 Tutanota has

  • received requests for inventory data in 92 cases.
  • released inventory data in 2 cases.
  • received requests for real time traffic data in 20 cases.
  • released real time traffic data because of a German court order in 0 cases.
  • received requests for stored content data in 37 cases.
  • released stored encrypted content data because of a German court order in 34 cases.
  • received requests for real time content data in 18 cases.
  • released real time content data because of a German court order in 0 cases.

Between the 1st of January 2020 and 30th of June 2020 Tutanota has

  • received requests for inventory data in 93 cases.
  • released inventory data in 2 cases.
  • received requests for real time traffic data in 5 cases.
  • released real time traffic data because of a German court order in 0 cases.
  • received requests for stored content data in 24 cases.
  • released stored encrypted content data because of a German court order in 22 cases.
  • received requests for real time content data in 5 cases.
  • released real time content data because of a German court order in 0 cases.

It seems they released data more frequently in 2021 than in 2020. Tutanota provides entries for several periods of time on their transparency report.

At the end of the day, depending on threat models, people might need to operate as if nobody is trustworthy. And ultimately, in this context, that statement is true. There are companies with what appear to be good track records, such as Posteo. According to their transparency report, they only complied with one court order, which was a mailbox seizure. Like any other email provider operating this way, Posteo is theoretically no different from ProtonMail or Tutanota when it comes to compliance with law enforcement. I have a suspicion that the people over at Elude have not complied with a single court order. I am not sure how law enforcement would serve one anyway. Please correct me if I am wrong on this count though.


P.S. I see people recommending Matrix as an alternative social networking/messaging platform. The Matrix.org foundation is suspicious at best as far as their metadata acquisition and retention policies go. Following their recommendations for setting up a self-hosted instance or using their recommended clients makes it very difficult to remove matrix.org and vector.im from the scenario.
