Hi, since I couldn’t find a lot of information on the forum comparing these two mail providers, I tried to list the differences between the two paid versions:
Tuta pros:
Post-quantum encryption
Encryption of email headers (including subject line)
Self destructing messages (Tuta plans to release it)
Onion service (Tuta plans to release it)
Tags/labels (Tuta plans to release it)
Widgets (Tuta plans to release it)
Preview in notifications (Tuta plans to release it)
Fully compatible with PGP
Account recovery with phone number or email
Pinch to zoom the Calendar on mobile (resize)
Link confirmation
Proxy to load images
Customizable display name
Strike text
Proton Scribe
Proton Sentinel
Dark Web Monitoring
Snooze emails
Send later
Alternative routing
More themes & disposition options
Two password mode
Differences that I don’t find important
I think that the jurisdiction does not matter and that Germany is as good as Switzerland.
SimpleLogin integration
I don’t care about Tuta promoting its notification system. Proton notifications are encrypted anyway and the only information leaking is date and time…
On paper, I would prefer Tuta because they encrypt more stuff, and seem like a company that cares deeply about user privacy. Still, the usability isn’t even close to what Proton offers. Tuta’s non-native mobile apps don’t feel great to use, and I agree with @bigdzi regarding the UI. It seems like an aspect that Tuta has seriously overlooked.
Tuta added the ability for you to see the sender and subject a few weeks ago. Idk if that’s what you mean by previews. They encrypt email headers, not just subject lines. Their contacts and calendar also encrypt more data. They prevent photos from loading by default to protect against IP leaks, but yes, no proxy (although you can use a VPN).
Thank you for sharing your list and starting this discussion.
One point I would like to add is that, despite what Tuta has said on this forum, in my experience it is impossible to create a private email account through the Tor network. I have tried several times and every time my account was disabled within their 48hr review period.
Although, ProtonMail is no better because I think they require an alternative email address before they will create an account.
There is the Reddit link above, but the source was included in my OP… GrapheneOS also confirmed this around December 2023 when there was the scandal about push notifications, but I can’t go that far back on Mastodon. Though one mod confirmed it here.
Taste is probably the most subjective thing that exists. Calling Tuta’s UI ugly because you don’t like it does nothing apart from insulting Tuta’s designers.
Sure, but how I see it is that Tuta seems to prioritize user privacy whenever they can while Proton sometimes compromises which can lead to a better user experience for the end user. This doesn’t always apply though, like in the case of telemetry, which is opt-out at Proton while it’s opt-in at Tuta, as @anonbird mentioned. These kinds of details kind of show which company is more hardcore when it comes to privacy.
I think that this video, although a bit outdated by now, still expresses pretty well how I also see these two companies.
T02: Subject line encryption is very important because a lot of sensitive information can be garnered from that short summary.
T03: Another big feature. I believe all your contacts in the Tuta app are encrypted, but other apps can be granted access for making calls and send messages. Is this a better option than storing contacts in your Google/Apple smartphone account?
P08: Does Tuta not allow account recovery via a second email address?
P09: Doesn’t the Tuta Calendar encrypt more/all the data, and now has a standalone app?
P15: Proton Sentinel is not available on the Free Plan.
Good to know the content of ProtonMail’s notifications is reportedly encrypted, but it is still a concern that Google may be able to use the date & time of notifications for tracking. How about the email address of the account the user is logged into?
I started to go into the Proton ecosystem, but not long after I switched to different services. Proton has their suite of different apps which all sound good, but once I started using them I realized they all could be better. I use GrapheneOS, and for Proton email notifications you need to install GPS, which I don’t want to do. In every Reddit AMA someone always asks when/if that’s something they’re going to work on, and every time they claim it’s something they’re looking into. In fact, I thought one time they said it was extremely low on their priority list due to only a small niche of people wanting it. Tuta has their own notification system.
I canceled my Proton Unlimited subscription, got my refund credit and decided to use it just for a ProtonVPN Plus subscription. Was nice at first, but they refuse to make their blocklist public for NetShield, and from my POV it was a very light list. Apparently you can’t cancel their VPN service, you just use it until it expires. So I switched to IVPN, which has the same speeds but more aggressive blocklists to choose from.
My point is Proton seems like a “fashion over function” type company. I’d personally take an “uglier” looking app that does what I need it to over a “pretty” looking app that falls short.
Do note that most of the people commenting here are either power users or follow suggestions on configuration and usage given by Privacy influencers.
For most of the people out there, Proton suite is probably the cheapest, and the most “it just works” method of securing themselves. Tuta has issues for the general user:
Lacks interoperable, unified ecosystem
The “pros” cited here for Tuta are not significant enough
The “cons” cited for Proton are often desired characteristics for the general user. (Ex. - Encryption of the subject lines makes mail search terrible)
On the technical front:
Tuta is useless if you don’t have the other user also on Tuta, while Proton allows PGP (this should be enough to rule out Tuta for almost everyone, I mean some people can’t get others to switch to Signal, fat chance they change their mail provider)
They also still haven’t fixed the very real issue of not authenticating their Encryption MACs. If anyone needs a simple explanation of why this is a major issue, do give this a read (All the crypto code you’ve ever written is probably broken). This is a quote from them about where they are in mitigation, still on prototyping:
We are currently starting to roll out new encryption algorithms. Enforcing MACs is part of this upgrade, just as post-quantum secure algorithms, authentication and signature verification. We already have a working prototype of this hybrid encryption protocol.
Seems pretty glaring. A significant issue with the privacy community not having enough public-facing experts is that non-experts lose the forest for the trees. Your mail cannot be secured if they don’t verify the integrity of the mails you send, or if you cannot communicate outside of their “walled” garden. The subject line encryption and the UI are all second to the issue that an encrypted mail provider should not be in denial about a very legitimate issue in their encryption and their handling of communication outside of their ambit, especially in a protocol as diverse and decentralized as email.
Proton has a lot of issues, and a lot of half-baked solutions. I hate that there are no competitors against it on price point and platform support (especially for Linux). But their baseline security has been miles ahead of any other provider in the space, especially considering 90% of them are scams, honeypots, and snake oil salesmen.
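The post above argues that encryption without a verified MAC leaves the recipient unable to tell whether a ciphertext reached them intact. The following is an added example, not code from Tuta, Proton or the original poster, showing the difference between an unauthenticated scheme and encrypt-then-MAC. To keep it runnable with only the Python standard library it uses a toy keystream cipher built from HMAC-SHA256 in counter mode in place of AES; the keys and the message are constructed for the demonstration, and real systems would derive separate keys from a KDF and use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks, concatenated.
    Stands in for a real block/stream cipher so the example runs offline."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_no_mac(enc_key: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: nonce || (plaintext XOR keystream). No integrity check."""
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(enc_key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_no_mac(enc_key: bytes, blob: bytes) -> bytes:
    """Decrypts whatever it is given; a damaged ciphertext yields damaged plaintext, silently."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(enc_key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, under a separate MAC key."""
    blob = encrypt_no_mac(enc_key, plaintext)
    tag = hmac.new(mac_key, blob, hashlib.sha256).digest()
    return blob + tag


def decrypt_then_mac(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before releasing a single byte of plaintext."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC check failed: ciphertext modified or wrong key")
    return decrypt_no_mac(enc_key, body)


def corrupt_byte(blob: bytes, index: int) -> bytes:
    """Flip one bit of a stored ciphertext, as disk corruption or an altering intermediary would."""
    b = bytearray(blob)
    b[index] ^= 0x01
    return bytes(b)


def demo() -> dict:
    # Constructed demo keys; a real system derives distinct keys from a KDF.
    enc_key = b"\x11" * 32
    mac_key = b"\x22" * 32
    msg = b"Subject: quarterly numbers attached"
    damaged_index = NONCE_LEN + 9  # a byte inside the ciphertext body

    # 1. Honest round trip succeeds under both designs.
    roundtrip_ok = (
        decrypt_no_mac(enc_key, encrypt_no_mac(enc_key, msg)) == msg
        and decrypt_then_mac(enc_key, mac_key, encrypt_then_mac(enc_key, mac_key, msg)) == msg
    )

    # 2. Unauthenticated: the damaged ciphertext decrypts without any error,
    #    so the recipient reads a wrong message and has no signal that anything happened.
    recovered = decrypt_no_mac(enc_key, corrupt_byte(encrypt_no_mac(enc_key, msg), damaged_index))
    unauth_silently_wrong = recovered != msg

    # 3. Encrypt-then-MAC: the same damage is rejected before any plaintext is released.
    try:
        decrypt_then_mac(enc_key, mac_key,
                         corrupt_byte(encrypt_then_mac(enc_key, mac_key, msg), damaged_index))
        auth_rejected = False
    except ValueError:
        auth_rejected = True

    return {
        "roundtrip_ok": roundtrip_ok,
        "unauth_silently_wrong": unauth_silently_wrong,
        "auth_rejected": auth_rejected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the third case is the ordering: the tag is checked over the full nonce-plus-ciphertext blob, with a constant-time comparison, and decryption only runs after the check passes. A scheme that decrypts first and verifies later, or never verifies, gives the receiver no way to distinguish an intact message from a damaged or altered one.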
You forgot to mention one considerable pro for Tuta, at least for me, and it’s that for their cheapest paid tiers, Tuta allows you to create more addresses. 15 to be exact, versus Proton Mail Plus’ 10.
Basically, they have a data recovery option, as do Proton, but no way to recover only the account without the data like Proton do with phone number or email