Proton Mail versus Tuta

Hi, since I couldn’t find a lot of information on the forum comparing these two mail providers, I tried to list the differences between the two paid versions:

Tuta pros:

  1. Post-quantum encryption
  2. Encryption of email headers (including subject line)
  3. Native contact integration
  4. Passkey as 2FA without TOTP.
  5. Perfect forward secrecy prototype
  6. You get notifications without Play Services
  7. Available on F-Droid

Proton Pros

  1. Their encryption has been more reviewed. Proton also claims Tuta’s encryption has open flaws.
  2. Self destructing messages (Tuta plans to release it)
  3. Onion service (Tuta plans to release it)
  4. Tags/labels (Tuta plans to release it)
  5. Widgets (Tuta plans to release it)
  6. Preview in notifications (Tuta plans to release it)
  7. Fully compatible with PGP
  8. Account recovery with phone number or email
  9. Pinch to zoom the Calendar on mobile (resize)
  10. Link confirmation
  11. Proxy to load images
  12. Customizable display name
  13. Strike text
  14. Proton Scribe
  15. Proton Sentinel
  16. Dark Web Monitoring
  17. Snooze emails
  18. Send later
  19. Alternative routing
  20. More themes & disposition options
  21. Two password mode

Differences that I don’t find important

  1. I think that the jurisdiction does not matter and that Germany is as good as Switzerland.
  2. SimpleLogin integration
  3. I don’t care about Tuta promoting its notification system. Proton notifications are encrypted anyway and the only information leaking is date and time…
  4. Opt-in telemetry for Tuta, opt-out for Proton
2 Likes

@mangomango all true, just one thing to add: Proton has a decently made UI, while the UI at Tuta is just ugly.

2 Likes

On paper, I would prefer Tuta because they encrypt more stuff, and seem like a company that cares deeply about user privacy. Still, the usability isn’t even close to what Proton offers. Tuta’s non-native mobile apps don’t feel great to use, and I agree with @bigdzi regarding the UI. It seems like an aspect that Tuta has seriously overlooked.

3 Likes

Tuta added the ability for you to see the sender and subject a few weeks ago. Idk if that’s what you mean by previews. They encrypt email headers, not just subject lines. Their contacts and calendar also encrypt more data. They prevent photos from loading by default to protect against IP leaks, but yes, no proxy (although you can use a VPN).

Its telemetry is opt-in, not opt-out like Proton, which is nice. Proton pings Google btw regardless of whether you have Google Play Services or not, and regardless of whether you enable notifications or not: “Proton apps pinging Google API + sending reports back after opting out” (GrapheneOS Discussion Forum)

1 Like

Source?

Also:

  • Protonmail Pro: fully compatible with PGP so encryption will actually work across providers (e.g. Protonmail ↔ Mailbox.org)
  • Tuta Pro: Android app notifications work without Play Services

Generally yes, but if you’re a German citizen you probably want to use the Swiss service and vice versa.

2 Likes

https://www.reddit.com/r/ProtonMail/comments/1cmcre5/concerns_about_privacy_does_proton_mail_still_use/

E2EE according to them.

1 Like

Well I also thought this and after making an account and installing the apps and using the web version, I found that it is not that bad.

Well, Proton seems to care deeply about privacy too.

1 Like

Thank you for your input, I corrected my OP.

They prevent photos from loading by default to protect against IP leaks

As does Proton.

Thank you for sharing your list and starting this discussion.

One point I would like to add is that, despite what Tuta has said on this forum, in my experience it is impossible to create a private email account through the Tor network. I have tried several times and every time my account was disabled within their 48hr review period.

Although, ProtonMail is no better because I think they require an alternative email address before they will create an account.

2 Likes

There is the Reddit link above but the source was included in my OP… GrapheneOS also confirmed this around December 2023 when there was the scandal about push notifications but I can’t go that far back on Mastodon. Though one mod confirmed it here

Taste is probably the most subjective thing that exists. Calling Tuta’s UI ugly because you don’t like it does nothing apart from insulting Tuta’s designers.

4 Likes

Sure, but how I see it is that Tuta seems to prioritize user privacy whenever they can while Proton sometimes compromises which can lead to a better user experience for the end user. This doesn’t always apply though, like in the case of telemetry, which is opt-out at Proton while it’s opt-in at Tuta, as @anonbird mentioned. These kinds of details kind of show which company is more hardcore when it comes to privacy.

I think that this video, although a bit outdated by now, still expresses pretty well how I also see these two companies.

1 Like

My comments:

T02: Subject line encryption is very important because a lot of sensitive information can be garnered from that short summary.
T03: Another big feature. I believe all your contacts in the Tuta app are encrypted, but other apps can be granted access for making calls and sending messages. Is this a better option than storing contacts in your Google/Apple smartphone account?

P08: Does Tuta not allow account recovery via a second email address?
P09: Doesn’t the Tuta Calendar encrypt more/all the data, and now has a standalone app?
P15: Proton Sentinel is not available on the Free Plan.

Good to know the content of ProtonMail’s notifications is reportedly encrypted, but it is still a concern that Google may be able to use the date & time of notifications for tracking. How about the email address of the account the user is logged into?

1 Like

Oh, it’s apparently not the case by default on iPhones and the web, as Proton Mail proxies photos there. You can still disable them though: “How to stop email trackers and protect your inbox” (Proton)

1 Like

I started to go into the Proton ecosystem but not long after I switched to different services. Proton has their suite of different apps which all sound good, but once I started using them I realized they all could be better. I use GrapheneOS and for Proton email notifications you need to install GPS which I don’t want to do. Every Reddit AMA someone always asks when/if that’s something they’re going to work on and every time they claim it’s something they’re looking into. In fact, I thought one time they said it was extremely low on their priority list because only a small niche of people want it. Tuta has their own notification system.
I canceled my Proton unlimited subscription, got my refund credit and decided to use it just for a ProtonVPN Plus subscription. Was nice at first but they refuse to make their blocklist public for Netshield and from my POV it was a very light list. Apparently you can’t cancel their VPN service, you just use it until it expires. So I switched to IVPN which has the same speeds but more aggressive blocklists to choose from.
My point is Proton seems like a “fashion over function” type company. I’d personally take an “uglier” looking app that does what I need it to over a “pretty” looking app that falls short.

5 Likes

Do note that most of the people commenting here are either power users or follow suggestions on configuration and usage given by Privacy influencers.

For most of the people out there, Proton suite is probably the cheapest, and the most “it just works” method of securing themselves. Tuta has issues for the general user:

  1. Lacks interoperable, unified ecosystem
  2. The “pros” cited here for Tuta are not significant enough
  3. The “cons” cited for Proton are often desired characteristics for the general. (Ex. - Encryption of the subject lines makes mail search terrible)

On the technical front:

  1. Tuta is useless if you don’t have the other user also on Tuta, while Proton allows PGP (this should be enough to rule out Tuta for almost everyone, I mean some people can’t get others to switch to Signal, fat chance they change their mail provider)
  2. They also still haven’t fixed the very real issue of not authenticating their Encryption MACs. If anyone needs a simple explanation of why this is a major issue, do give this a read (All the crypto code you’ve ever written is probably broken). This is a quote from them about where they are in mitigation, still on prototyping:

We are currently starting to roll out new encryption algorithms. Enforcing MACs is part of this upgrade, just as post-quantum secure algorithms, authentication and signature verification. We already have a working prototype of this hybrid encryption protocol.

Seems pretty glaring. A significant issue with the privacy community not having enough public facing experts is that non-experts lose the forest for the trees. Your mail cannot be secured if they don’t verify integrity of the mails you send, or if you cannot communicate outside of their “walled” garden. The subject line encryption, and the UI are all second to the issue that an encrypted mail provider should not be in denial about very legitimate issue in their encryption and their handling of communication outside of their ambit, especially in a protocol as diverse and decentralized as Email.

Proton has a lot of issues, and a lot of half-baked solutions. I hate that there are no competitors against it on price point and platform support (especially for Linux). But their baseline security has been miles ahead of any other provider in the space, especially considering 90% of them are scams, honeypots, and snake oil salesmen.

5 Likes
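The MAC-enforcement point in the post above, as an added example that is not part of the thread and is not Tuta's or Proton's code: a receiver that checks the MAC only when the message claims to carry one releases modified plaintext, while a receiver that enforces the MAC refuses it. The message format, the function names and the HMAC-based stand-in cipher are all assumptions made for the demo.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 output size

def _keystream(key, nonce, n):
    # Stand-in stream cipher for this demo only: HMAC-SHA256 in counter mode.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def seal(enc_key, mac_key, plaintext):
    # Constructed format: flag(1) | nonce(16) | ciphertext | tag(32); flag 1 = "MAC present".
    nonce = os.urandom(16)
    body = b"\x01" + nonce + _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def _decrypt(enc_key, body):
    nonce, ct = body[1:17], body[17:]
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))

def open_strict(enc_key, mac_key, msg):
    # MAC is enforced: no tag, or a wrong tag, means no plaintext is released.
    if len(msg) < 17 + TAG_LEN or msg[0] != 1:
        raise ValueError("message carries no MAC")
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC mismatch")
    return _decrypt(enc_key, body)

def open_lenient(enc_key, mac_key, msg):
    # MAC is optional: verified only when the message itself claims to carry one.
    if msg[0] == 1:
        return open_strict(enc_key, mac_key, msg)
    return _decrypt(enc_key, msg)

def modified_in_transit(msg, offset, old, new):
    # Test input: a relay drops the tag, clears the flag and XORs a known word.
    ct = bytearray(msg[17:-TAG_LEN])
    ct[offset:offset + len(old)] = _xor(ct[offset:offset + len(old)], _xor(old, new))
    return b"\x00" + msg[1:17] + bytes(ct)
```

The lenient receiver never learns that anything changed; the strict one fails closed because the decision to verify is not left to data the sender (or anyone on the path) controls.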

You forgot to mention one considerable pro for Tuta, at least for me, and it’s that for their cheapest paid tiers, Tuta allows you to create more addresses. 15 to be exact, versus Proton Mail Plus’ 10.

No. They explain why in this blog post:

A standard reset feature that sends a new password to a second email address was never an option for Tutanota for security reasons. As all your data is encrypted with the help of your login password, we cannot reset your login password in a way unencrypted services do. If we did, all data stored encrypted in your Tutanota mailbox would be lost.
If we wanted to use such a reset feature, we would have to store your login password in plain text on our servers for being able to decrypt your data and then re-encrypt it with the new password. Obviously this is completely insecure and, thus, not an option for Tutanota.
Because your Tutanota password is so important, we take utmost care that it is never accessible to anyone.

Basically, they have a data recovery option, as does Proton, but no way to recover only the account without the data like Proton does with phone number or email.