Yes, they do. It does not support pinch-to-zoom, though.
They rolled out said hybrid encryption (non-post-quantum + post-quantum) a few months ago, so this should be fixed, right?
Yup, it should ideally be. I looked at it just now, a few points below.
Is it audited now, and does it mandate MAC? Doesn’t look audited from their blog posts, although they do seem to have started enforcing MAC authentication (finally, thank God):
Our partners in the PQDrive project at the University of Wuppertal have not found any security problems with the TutaCrypt protocol and suggested that we do a formal verification. We plan to have the protocol formally reviewed and verified in the near future.
And does Tuta now support PGP? Doesn’t look like it for now, nor do they plan to, if their blog posts are anything to go by.
Off topic: Making secure software
I would not put them in the all clear even if they did the above two. I have a strong belief that if you market yourself to high-risk individuals and privacy-conscious communities, you should never ship broken/incomplete security-relevant code to production. Mistakes are fine, software is hard. But to intentionally ship something that actually endangers users is an interesting choice. It’s the same reason I dislike Threema: breaking PFS to support group chat.
I found the issue. It still appears to be a problem: Manual key verification · Issue #768 · tutao/tutanota · GitHub.
Their blogpost also mentions this: “As one of the next steps, we will also add key verification so that TutaCrypt will also provide cryptographically guaranteed authentication.”
This is their issue about PGP: Autocrypt support · Issue #198 · tutao/tutanota · GitHub. One interesting thing is:
“You could, in fact, generate a PGP keypair for your Tuta address via GPG on your local machine, but in order to actually read incoming PGP e-mails you’d either have to
- tell external senders to use inline PGP (instead of PGP/MIME) so that you can use the Mailvelope browser addon as a hacky work-around or
- export the e-mail as an .eml file and open that in an e-mail client like Thunderbird.
Neither of these options is very user-friendly for Tuta users, and I doubt that the average non-technical person would even know how to do that.”
Could this get added to privacyguides?
Thanks for looking this up! Unfortunate to see it still isn’t fully fixed.
The PGP workaround sounds like a PITA, not sure PG would add it since it involves third parties and cannot be performed solely using first party platforms.
Well, the third parties are recommended already, so I don’t think it matters. It is not straightforward, but honestly not that hard either.
It’s a pity, though, that it doesn’t appear to support Thunderbird encrypted mail, but it does work with Protonmail, which is nice.
I compared the paid versions.
I think you can in Tuta here. You can double-tap to zoom and scroll through like a webpage.
On which device? On Android I can’t double-tap to zoom, no.
I am on Android, and I can. You need to open an email and double-tap on the email content. It’s been there for more than 2 years.
Tuta doesn’t let you delete your PayPal information from your account, and after contacting support saying I wanted to switch to crypto, their answer was that the only way to delete PayPal information is to delete the whole account lol
According to Reddit, Proton lets you delete payment information, or at least does so after you contact support.
Read my OP again. I am speaking about the calendar.
I have both Proton Unlimited and Tuta Revolutionary, and I strongly prefer Tuta. Here’s why:
- Tuta seems more privacy-oriented than Proton. All of Tuta’s apps are available on GitHub straight away (looking at you, Proton Calendar), and all their apps are on F-Droid as well. Tuta Calendar already has an F-Droid-ready release, which should hit the repo soon. Protonmail won’t hit F-Droid anytime soon.
- Their notification system is awesome and works flawlessly on Graphene without Gapps. It is really battery efficient as well.
- Recently they released a notification preview of the email content.
- Tuta encrypts subject lines.
- Tuta cares about Linux; they are multiplatform and they truly mean it. Proton neglects Linux, as they don’t care about Linux users despite being in the privacy industry. Proton always follows the money first. Which isn’t bad from the business perspective, but from the user perspective it’s pretty horrible, especially if you follow PG recommendations and use Linux.
- You can synchronize your contacts via Tuta.
- Tuta domains aren’t blocked by third parties and their deliverability is good (emails go to the inbox). With Proton, I was forced to use a custom domain.
Tuta cons in relation to Protonmail:
- UX/UI is not great
- Lack of labels
- Lack of PGP
- Lack of Bridge (although Proton is discouraging lately from using it, as discussed in another thread)
Neutral stuff about both of them:
- Neither delivers on their promises (Proton: libre notifications, promised years ago, nothing happened. Tuta: labels and email export; however, both are in progress as I can see on their GitHub, so it might change soon.)
- Jurisdiction - Switzerland (Proton) vs Germany (Tuta) doesn’t matter this much at all.
- Proton works with authorities. Everyone works with authorities if you’re a legally operating company and receive a valid request. I feel like Proton is more abused than Tuta, and therefore it goes viral for cooperating with authorities more often.
Don’t get me wrong, Proton is a great value, especially if you’re using their VPN and SimpleLogin, but purely as an email service Tuta wins it for me.
Actually, Proton and Tuta both comply with legal requests similarly (as they should). Tuta complied with around 600 requests in 2023 with 10 million users, Proton complied with 6000 requests with 100 million users.
Good. No one with actual security needs should use apps signed by anyone other than the provider they trust. Interesting decision by Tuta to allow 3rd parties to sign critical applications.
It doesn’t matter as far as data privacy goes. But Swiss law still affords you certain rights, like being notified if your data is demanded, not allowing agencies to bypass the judiciary, and no foreign government being allowed to request an extra-judicial investigation. These rights don’t exist or are dependent on a judge under German law. You can read a bit more here: Germany’s New Surveillance Laws Raise Privacy Concerns | Human Rights Watch
Again, not saying jurisdiction matters a lot when it comes to data security and privacy if companies implement good solutions, but it still does matter when it comes to protections before and after data requests are made.
From the little experience I have, I have to agree that Tuta seems more private. Particularly because subject lines are encrypted (that’s a big one considering how much sensitive information they can contain), that the calendar and contacts are encrypted, along with notifications, and I have extrapolated from what overuse shared (about PayPal) that Tuta has zero-knowledge of payment details, or at least Proton saves payment details together with account details and can access/share them.
Off-topic
Just see how ugly ProtonVPN is on Linux.
I’m so glad that I purchased IVPN instead, which looks fine on Linux.
Also eats around 500 MB of memory.
I can’t edit my previous reply, but Tuta support finally deleted my PayPal information.
And from my experience, I don’t have much to say that wasn’t said already. Proton has a better UI, but they don’t have notifications that work for de-Googled users, unless you use a third-party app which you would need to trust. And although Tuta’s email encryption is better than the PGP that Proton (and all other encrypted email providers) use, it’s not even remotely close to being adopted as the PGP standard. In my experience of many years in the privacy world, the number of Tuta email addresses that I have seen, even in the privacy world, is less than 10. I wish Tuta worked on their user adoption, for example by having a competitor to SimpleLogin.
Edit: Tuta allows full-text search on both the web app and mobile clients; Proton only supports web app search for now.
Just to add to why jurisdiction may matter:
If sharing IP on legal request is bad (what Proton did), how about recording all emails sent to and from a certain account after an order? That’s what Tuta did in 2020.
You can read more about why German law sometimes sucks ass, although the linked article is very sensational: German court forcing Tutanota to let authorities read emails in plain text
Here is the official response from Tuta: https://np.reddit.com/r/tutanota/comments/k3sfs5/in_englisch_court_forces_mail_provider_tutanota/ge4xywc/
Sharing this so that people can make their decisions wisely based on their threat model. Swiss law is still much more user and privacy friendly than German law.
Send them a PM through X and they will help you with that!