Tutanota shouldn't be at the very bottom of the email recommendations page

Encryption

While Tutanota doesn’t use PGP, you can use a password for encrypting emails, and Tutanota external recipients can access the entire email thread via the shared password, while recipients of encrypted messages from Proton Mail are limited to just seeing one message.

Not only that, but because Tutanota doesn’t use PGP, it encrypts not just the bodies and attachments of emails but also the subject line, which can contain very sensitive information. Additionally, the encryption protocols used in Tutanota enable Tutanota to easily upgrade to new algorithms and add support for Perfect Forward Secrecy.

It also allows Tutanota to encrypt things such as the entire address book and calendar metadata like calendar notifications. Meanwhile, Proton Mail doesn’t do that.

Additionally, Tutanota is working on a research project to replace the current algorithms with quantum-secure ones, and their post-quantum prototype is already able to support Perfect Forward Secrecy.

Most of the people in my life and most of the people in general don’t even know what PGP is. Even if they do, it’s much easier and more user-friendly for non-technical people to use a password for decrypting emails, with the benefit that the subject line will be encrypted too, not only the email body and attachments.

Privacy

  1. Tutanota developed their own open-source alternative to reCAPTCHA, while Proton Mail uses a closed-source third-party implementation.

  2. Tutanota has published their app on F-Droid, and it comes with a notification implementation that doesn’t rely on Google, whereas with Proton, you can only get it from the Play Store or from their GitHub repository (I have noticed that their GitHub releases are usually behind Play Store releases), and even if you obtain their app from GitHub, you will not have notifications, even though people asked for this for YEARS and Proton said that they’re working on this YEARS ago.

  3. Tutanota is an absolute godsend for those who need anonymity and use Tor, and here is why:

  • Proton always asks for a phone number or an email address when trying to register over Tor.

  • The Skiff Mail app didn’t work for me at all when using Tor.

Meanwhile, Tutanota is my go-to email provider when I want to create an anonymous identity because it works every time. The worst thing that I remember happening is that I got a suspension and had to wait some hours to be able to use my Tutanota account, but I experienced that a long time ago.

  4. You can use Monero to pay for Tutanota, whereas with something like Proton, you can only use Bitcoin or cash (other options aren’t private).

The only private method of payment that mailbox.org has is cash by mail, and guess how many people use or will use that.

Security

  1. Tutanota has open-source desktop clients, unlike mailbox.org and Proton.

“But you can use a bridge”

Yes, you can, but here are the drawbacks:

  • By using a bridge, all data is stored unencrypted in the third-party email client. Tutanota aims for a solution where all data is always stored securely encrypted, even on your own devices. Their desktop clients do exactly that and make the data also available when offline.

  • IMAP and SMTP are not the most efficient protocols, especially when it comes to push notifications or attachments to emails (which are encoded into the body).

  • By improving their desktop clients, they serve you much better than by spending time developing and maintaining three bridges for Linux, Windows, and macOS.

  • Proton doesn’t offer Proton Mail Bridge on the free plan so you’re stuck in the web browser if you don’t pay.

  2. When creating a Tutanota account, there is an option to generate a password, which is a 6-word diceware passphrase, and I find this really useful.

  3. With Tutanota, you can use your security keys normally.

  • With Proton, you have to use both TOTP and FIDO2 or U2F.

  • Mailbox.org supports two-factor authentication for their webmail only. You can use either TOTP or a YubiKey via the YubiCloud. Web standards such as WebAuthn are not yet supported.

Nice things

  1. Tutanota uses 100% renewable electricity for all its servers as well as its offices.

  2. Special offer for NPOs.

With all of this I don’t see why Tutanota is at the very bottom of email recommendations and options like Proton and mailbox.org are at the very top because of PGP.

I would like the PG team to elaborate on why exactly Tutanota is at the bottom of the recommendations page and why exactly options that use PGP are at the very top, like they’re superior because of it (even though I think that it’s the opposite, but that’s just me).

I used this article by Tutanota as a foundation for this post: Protonmail vs. Tutanota: Email comparison

Edit: I added some more things.

3 Likes

It’s not really “at the bottom”; it’s in the “other” section because these solutions are not interoperable in any way with other email providers. In that section we’ve also added Skiff. It is worth noting that the providers in the “Other” section aren’t necessarily compatible with each other.

As for the headers, etc., these things are really only encrypted on receipt; they are not E2EE when they pass through the external relay. External passwords (used in temporary inbox emails) are the weakest form of encryption, because you’re still requiring everyone to trust the JavaScript that Tutanota or Proton serves up. In Tutanota’s case you have no other option; nobody can send an encrypted email from Thunderbird, a completely separate implementation.

They’re really quite a poor, kludgy method of encrypting emails and foreign to most people, therefore they avoid them. While I don’t have any study on that, I would bet if you tried using that feature in any kind of commercial fashion people would just “not be bothered” replying, unless they already had ongoing communication with you, and you educated them on how to use it.

Mostly seems like marketing to me, and until I see something I’m not going to be worried about that. Regardless, if it’s only going to work for Tutanota users, that will see that most of the world doesn’t in fact use it. Which means a decrypted copy of the email can just be obtained from the other party, i.e. via legal subpoena etc.

And most people I know won’t send email via a special form on Tutanota’s server, won’t switch to Tutanota, and aren’t Tutanota users, meaning emails are not being sent E2EE. I have seen Proton Mail users in the wild, but never really seen Tutanota users outside of privacy communities.

It’s a captcha; this doesn’t really matter too much, and honestly I don’t think there is much of a privacy issue in using reCAPTCHA, hCaptcha etc., considering the code only returns a single result.

I’m yet to see any empirical evidence or study that using these things is somehow a massive “privacy breach”.

This is a valid point. There is some question though as to whether it is a good idea to install software using F-Droid’s signing keys as opposed to the original developers.

It requires payment or regular login. They lock accounts which have any amount of inactivity and you’ll need to pay to get it back.

Additionally Proton has a .onion which Tutanota does not.

I’ve never been asked for a phone number, but there’s no reason you could use a temporary mail service or some other free email, then delete it when done.

All these services will put you through some hoops, or probation for free accounts because otherwise they become a target of spam. It wasn’t too long ago people were complaining that emails from Tutanota were being blocked.

Good point, it would be nice to see more providers take Monero.

Well mailbox.org doesn’t have a desktop client because it uses standard IMAP, so you can use Thunderbird or whatever email client you want. Proton Mail doesn’t have a desktop client, but the source is available for what runs in your browser.

Tutanota uses SMTP too. Just not between the MUA and server; otherwise how else does it email external servers? While IMAP does have a few areas it could be better, it’s also very well understood. Hopefully newer standards like JMAP will provide improvement, particularly on chaining commands together into single objects, blob IDs for attachments, and reliability on intermittent services.

The problem with these “custom APIs” is nobody is going to write a third party client that isn’t clearly defined in a spec. There is some security gained from doing so, and general understanding that comes when a lot of people write clients. Tutanota may be open source, but it’s unlikely anyone is really going to contribute to that code in any significant way.

Tutanota is still missing a lot of features that people expect, for example nesting of folders, and just general usability features.

Tutanota will lock your account if you don’t use it and you’ll have to pay to get it back. Not everything can be free, and it’s not a bad thing these providers do encourage users to pay to maintain the service, pay developers, etc.

You’re really scratching for reasons here… You can make your password whatever you want.

Valid point, but by itself it’s not really too significant.

Tutanota requires you to use their webmail/client which is quite “basic”. It’s also only going to really be E2EE if you’re sending to another Tutanota user.

There are pros and cons to both.

Not something we review as it is not relevant to privacy. I’m pretty sure Mailbox.org does too.

Something has to be at the top, and at the time the page was written those providers covered more of the requirements.

I’m sure Tutanota thinks that Tutanota is the best provider.

I think it’s important to remember that email is not a good protocol for privacy to begin with, (we do warn about that at the top) and there are a lot of places where information leaks anyway. Unless you have a completely non-federated solution that is always going to be a problem.

Not everything also requires 100% security. If you look at governments they tend to classify things based on the contents, and have different processes for different classifications. That is because with most security there is always user experience impact.

One could also argue providers like Mailbox.org are “more secure” than either Proton Mail or Tutanota, as you can supply a public key only and then use an email client with a key that is only on your device, and not stored server side encrypted or otherwise. Reversing your communications with Tutanota or Proton Mail only requires them to change the JavaScript that decrypts your device key. Is this a real problem? Not really, because these services really shouldn’t be relied upon for anything that requires extreme security, because at the end of the day, they are still email.

I think it’s best to find something that works with your workflow. Personally I value having an email client, and would never use a provider which took that away from me.

I do think data liberty is an important issue. Tutanota still, to this day, only allows you to export emails per folder, which is quite inconvenient if you have many folders. So if for some reason you decide you want to switch, that’s going to be a massive pain. Likewise, the service has been around for quite some time and they’ve only just recently started working on email import, which I do find quite odd, as you would expect it to have been a higher priority, to get more users etc.

4 Likes

I will create a separate topic for that. I’ve already started working on it in my notes’ app.

It’s still the last recommendation, and PG ranks services in order of recommendation.

Fair enough; I didn’t know that. It turns out PGP is still the way; nice to learn something new.

Well, I trust Tutanota, and PG has a requirement for honest marketing, so I assumed that everything in there is true and not marketing.

It turns out that it’s irrelevant either way.

Fair enough.

This one was more of an ideological one. I like to have solutions that don’t involve big tech, and I’m not the only one.

That never happened to me. It didn’t require anything; I just remember being locked out for some hours, and I could have just paid with Monero to use my account right away.

They lock accounts after 6 months of inactivity, and it’s in their TOS. You have to pay a few euros to unlock it, and to me, that’s perfectly reasonable.

That’s only useful if you use it in the browser.

I never had any issues with Tutanota, whereas with Proton, they always asked for either a phone number or an email address for verification, which is a pain for me. I would rather use Tutanota, which doesn’t ask for this.

Fair enough.

Only after 6 months of inactivity and it doesn’t cost much.

It offers to generate a secure password, which is a lot better than a password that most of the users would come up with, like “theirname123”.

Same. I value having an email client, and Tutanota offers that on all platforms.

On Android, Tutanota is the only option that you can use without Google because it can be obtained from F-Droid and has a notification implementation that doesn’t depend on having Google Play Services, which is something that other recommended email providers didn’t manage to do, and I believe that this should be mentioned on email services page.

I’m especially mad at Proton, who said that they were working on it, I think, 4 years ago, if I’m not mistaken.

Except that you must use their client and can only use the features they give you. So that is not what I mean at all.

F-Droid doesn’t have seamless updates without the privileged extension.

F-Droid client’s alpha release targets SDK 33 and supports unattended updates and has a lot of other improvements.

(By the way, F-Droid should be reconsidered because I’m reading through that PrivSec article and a lot of F-Droid’s “issues” are not issues at all, or they are being worked on, or they’re already fixed.)

With Proton Mail, you only get a client on your desktop if you pay, and that’s a third-party one, which means that emails are stored unencrypted on it, and you add a third-party client developer into the mix.

If you’re on Android, then you’re stuck with their client, which doesn’t even have a notification implementation that doesn’t rely on Google Play Services.

The choice purely depends on the user and what the user is looking for in an email provider.

1 Like
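The 6-word diceware passphrase mentioned in the opening post and again above is easy to reason about with a little code. The example below is added here and is not Tutanota’s code: it uses a small constructed placeholder wordlist (a real diceware list such as the EFF long list has 7776 = 6^5 entries, one per roll of five dice), draws words with a CSPRNG, and computes the entropy that a given word count and list size give you, so you can compare a generated passphrase with a human-chosen one.

```python
import math
import secrets

# Constructed placeholder wordlist for the demo; a real diceware list is much
# larger. EFF_LONG_LIST_SIZE is the size of the EFF long wordlist (6**5 words).
SAMPLE_WORDLIST = ["apple", "brick", "cloud", "delta", "ember", "flint",
                   "grove", "harbor", "island", "jungle", "kettle", "lemon"]
EFF_LONG_LIST_SIZE = 6 ** 5  # 7776 words


def entropy_bits(num_words: int, list_size: int) -> float:
    """Entropy of a passphrase of num_words words drawn uniformly and
    independently from a list of list_size words: n * log2(list_size)."""
    if num_words < 1 or list_size < 2:
        raise ValueError("need at least one word and a list of at least two words")
    return num_words * math.log2(list_size)


def dice_roll_to_index(roll: str) -> int:
    """Map a physical diceware roll such as '31542' (digits 1-6, most
    significant die first) to a 0-based index into a 6**len(roll) wordlist."""
    index = 0
    for ch in roll:
        if ch not in "123456":
            raise ValueError(f"invalid die face {ch!r} in roll {roll!r}")
        index = index * 6 + (int(ch) - 1)
    return index


def generate_passphrase(wordlist, num_words: int = 6, sep: str = " ") -> str:
    """Draw num_words words with the OS CSPRNG (secrets), never random.random."""
    if len(wordlist) < 2:
        raise ValueError("wordlist too small")
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))


def guess_time_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to exhaust half the keyspace at the given guess rate.
    The guess rate is an assumption you supply; it is not a property of the
    passphrase."""
    seconds = (2 ** bits / 2) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDLIST)
    print("demo passphrase (tiny list, weak):", phrase)
    print("entropy with the tiny demo list:  %.1f bits"
          % entropy_bits(6, len(SAMPLE_WORDLIST)))
    print("entropy with a 7776-word list:     %.1f bits"
          % entropy_bits(6, EFF_LONG_LIST_SIZE))
    print("roll 11111 ->", dice_roll_to_index("11111"),
          " roll 66666 ->", dice_roll_to_index("66666"))
    # Assumed attacker rate of 1e12 guesses/s, purely for illustration.
    print("years at 1e12 guesses/s (6 words, 7776 list): %.2e"
          % guess_time_years(entropy_bits(6, EFF_LONG_LIST_SIZE), 1e12))
```

The point the numbers make: six words from a 7776-word list give roughly 77.5 bits, which is why a generated passphrase beats a name-plus-digits password regardless of length, and why the size of the list matters as much as the number of words (six words from the tiny demo list above give only about 21.5 bits).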

We’ll likely revisit this when it’s not Alpha, and has been tested.

That does make sense, they want to encourage sales.

The emails being unencrypted on a device is not the issue, there is full disk encryption for a reason.

Something like Thunderbird really increasing that trust model, or Apple Mail, or Outlook, or whatever. Those vendors are either trustworthy or make your OS anyway.

Desktop security isn’t the best and having all of my emails stored unencrypted isn’t very confidence inspiring for me.

I would rather have them encrypted in my client. If the PC gets compromised while in use, then full disk encryption will be as useful as underwater basket weaving.

True.

In the end, I learned quite a bit from this discussion, and I will probably use Proton Mail because of the things that I learned about PGP and password protected emails. But that will only happen when Proton implements non-Google notifications which will probably happen in the next decade.

1 Like

If your device is compromised in that way, nothing stops whoever has a backdoor simply screen dumping your device anyway or extracting the key, or emails you’re viewing from memory. The reality is this provides next to no protection from a completely compromised device and everything is decrypted at some point.

1 Like

I use Tutanota, but I saw on F-Droid that you can now have notifications for Proton Mail: GitHub - LeanderBB/you-have-mail: Application to notify you if an email has arrived in your email Account

2 Likes

Edit By Mod:
Yeah, let’s not do that. Just a note, only and final warning for comments like that.

Anyway I think this thread has had its course.