Tuta (formerly Tutanota) denies claim it has intelligence ties (opens in new tab)

(cp24.com)

80 pointsipcress_file2y ago77 comments

77 comments

43 comments · 10 top-level

PrimeMcFly2y ago· 11 in thread

It's such a bad service, I don't know why anyone uses it. ProtonMail is superior in every way.

Tuta has all kind of weird restrictions, like not being able to search back more than a month.

One reason is that tuta does not require you to have any other connection to create and account. Protonmail require a second mail, phone or possibly some kind of payment if I recall correctly (for verification?) that could be linked from your account in theory.

Without having a good anonymous starting point, protonmail does not let you get that starting point, at least the last time I tired (maybe a year ago).

PrimeMcFly2y ago

ProtonMail never used to require another email to verify, and only asked for a phone if I was on an IP that had made more than one account already.

1 more reply

Karsteski2y ago

You can definitely search back more than a month. However the search is genuinely atrocious. I've been using tutanota for a few years now but every time I need to search my emails I think about switching to something else. It is just not acceptable for the service to need to slowly iterate through emails, downloading them one by one the first time you decide to go back that far, just to find something important.

PrimeMcFly2y ago

I have a tuta account, I tried to search for something recently and it only let me search from October 12th or something. I'm not sure you can search back more than a month on the free plan.

shrimp_emoji2y ago

Can confirm. Search is brutal. But I just set it to auto-delete old emails anyway now, so problem "solved". ;D

hiepph2y ago

I used to love Tuta for the tempting price (1eur/month). But now due to the increasing price, poor UX, no bridge to Thunderbird, broken filter rules, I switched to another provider.

PrimeMcFly2y ago

I still have an account that I have some stuff linked to, I want to close it down entirely soon, it sucks there isn't any way to export all my emails without paying though.

tym02y ago

What do you use instead? I also only use it for the price.

nicce2y ago

> ProtonMail is superior in every way.

In the past, their billing was based on blackmailing. I don't know if that is the case anymore. But I dropped using it ever since.

wkat42422y ago

Elaborate please?

> In the past, their billing was based on blackmailing.

Not saying I don't believe you but I'd like to know more.

1 more reply

PrimeMcFly2y ago

I only use the free service, and it isn't nearly as limited as tutanota's free service.

hnarn2y ago· 7 in thread

I'm not a fan of Tuta, mainly because of their disingenuous advertising where they keep calling themselves "open source" when they in fact only open source their clients but keep anything server-side under wraps -- but for this reason this also makes me skeptical; if their clients are indeed open source (which I assume is true, I haven't verified), and all encryption happens client-side before being sent to the server (also an assumption), how would it even be possible for this to be true?

In my understanding, anything that Tuta potentially did to compromise e-mails would necessarily have to shine through in their open source client code -- unless they willingly serve binaries that are not actually built from that code, which of course would be a scandal.

So even if I don't like them, I'm going to need something more concrete than someone simply saying they have "intelligence ties" to be willing to believe that they are somehow duping their users.

amanzi2y ago

I always ask this when it comes up - how would open-sourcing the server-side components help you trust them? They could be running any code on the server-side and you wouldn't know. So even if they open-sourced their server-side code, how would you know for sure that is actually the code they are running in production?

I always ask this because ultimately if you are consuming a web-based application, you have to have some level of trust in the provider. And if you didn't trust them, your only option would be to completely self-host in an environment that only you have full control over.

hackideiomat2y ago

I guess, if the crypto is real, the only things feds could do is tell tuta to load different JS for certain IPs. Which would not be easy to verify as anyone but a targeted person.

The point here is, if they have nothing to hide, they can easily open source. If they already have a weird system to serve some people insecure code, they have to extract that from their code base, maintain 2 versions and make sure both sides are up to date at all times. So not going open source is easier if you wanna be malicious. Not a huge task for feds tbh, but still.

Also, there's still benefits for my privacy and security as in I'm sure some people would find vulns in the code and report them.

1 more reply

BlueTemplar2y ago

Which you cannot do using Tutanota (or only can do it using server binaries they provide ?), exactly why the "open source" claim is disingenuous.

linhns2y ago

Privacy-wise, all your emails are stored in Germany, and govt can just flip the switch at any time and just confiscate the servers.

nicce2y ago

It does not matter where the emails are stored if you have zero trust policy and use proper encryption protocols.

byyll2y ago

And privacy-wise, the data can be encrypted.

hnarn2y ago

So what? The assumption is that the data is encrypted at rest. If your threat model is "physical seizure by a nation state" then obviously you shouldn't be storing your encrypted data at a SaaS provider in a location out of your control anyway, but I don't see why it would be a reasonable assumption by default that Tuta willingly uses weak (or no) encryption.

1 more reply

treypitt2y ago· 5 in thread

It seems obvious Five Eyes will not tolerate or legitimize any email provider that doesn't allow them access to subpoenas, at the very least - this rules out most of the privacy features touted by protonmail & tutanota (no logs, E2E encryption, etc).

Perhaps what makes the ruse convincing in Tutanota's case is the crappy interface and clear dearth of basic features: search basically doesn't work; it's impossible to select all messages or use shift to select pages of messages. Their excuse is that customers might accidentally delete emails, but it might make more sense that they want to retain as much data as possible: https://www.reddit.com/r/tutanota/comments/nc9jxx/suggestion...

nicce2y ago

> Perhaps what makes the ruse convincing in Tutanota's case is the crappy interface and clear dearth of basic features: search basically doesn't work; it's impossible to select all messages or use shift to select pages of messages. Their excuse is that customers might accidentally delete emails, but it might make more sense that they want to retain as much data as possible: https://www.reddit.com/r/tutanota/comments/nc9jxx/suggestion...

Implementing search for E2EE mailbox is difficult problem (Protonmail is not doing the same). For search to be efficient, you would need to download the whole mailbox for your device. If you want to support as many users as possible, you can't. But maybe they could make it optional.

And they are very small team, offering mail for very low price (free for most), which has resulted on using Electron for producing the applications for as many platforms as possible. And it is a mess.

What comes to that Reddit post, it is two years old and they have supported mass selection for a long while for now.

Ayesh2y ago

My naive thought is that they could have an E2EE search index for each mailbox? I wouldn't even mind if the index storage counts against the quota.

1 more reply

anjel2y ago

Both proton and tuta cripple search so that deleting mail detritus is tedious so that you'll use up your free storage quota and have to subscribe.

blueflow2y ago

Tuta is not in Five Eyes jurisdiction, it is in Germany.

Dah00n2y ago

No but it is in 14 eyes.

DSingularity2y ago· 3 in thread

What evidence is there that they do have such ties?

boomboomsubban2y ago

The testimony of the director of the RCMP Operations Research group.

yborg2y ago

Who is on trial for allegedly trying to sell internal Canadian government investigative documents to the CEO of Phantom Secure, the 'secure' communications app popular with the underworld until it got rumbled and who needs some explanation for why he wanted to communicate via a privacy-focused open email service.

2 more replies

agilob2y ago

Some dude said so publicly.

poutinepapi2y ago· 2 in thread

Stick a fork in them, they're done. At least with that name they are. Easiest thing would be to disolve, and start a brand new company with the same people.

Don't get me wrong, whether they have or don't have intelligence ties is irrelevant. No one serious uses them, they're a general public supplier, and the general public is about as brave as a gringo cop, i.e.: not much.

So they're about to lose a chunk of customers and Tutanota's leadership isn't exactly quality so who knows what they'll do.

shrimp_emoji2y ago

> No one serious uses them

Hey... :c

poutinepapi2y ago

Sorry mate! Didn't want to be mean XD, but funny you commented this, because I posted about it on LinkedIn and got like 5 private messages asking:"Should I really switch?" XD, so you're at least not alone and in the company of some pretty fine people :P

rez9x2y ago· 2 in thread

While I tend to assume the vast majority of privacy is either imagined or a façade, I also have a deep enough distrust of authority that when I see such a claim made by a government, or government official, I'm inclined to believe it's a ploy to discredit someone that won't cooperate with them.

injeolmi_love2y ago

The campaign against Wikileaks and Assange comes to mind in particular.

shrimp_emoji2y ago

He was a hacker who leaked information about a single political party, justifying that with "Trump's already bad enough on his own, so no need to sling mud his way". Then said party, and the country's intelligence agencies, got mad. How is that surprising? Of course they're going to discredit and prosecute him; it's the healthy response to a foreign actor trying to target and influence politics to their agenda.

1 more reply

popcalc2y ago· 2 in thread

Same with Proton. Basically the spiritual successor to Crypto AG.

protonmail2y ago

We understand your concerns, however there is no comparison between Crypto AG and us. Our encryption occurs client-side, our cryptographic code is open source ( https://proton.me/community/open-source ), and our tech can and has been independently verified. More about this here: https://proton.me/blog/is-protonmail-trustworthy.

popcalc2y ago

Emails arrive at your datacenter in the clear and that is simply a flaw of SMTP; you're not going to change that. Blabbing on about your client-side JS as if it stops you from reading your users' mail just makes you look disingenuous.

grammers2y ago· 1 in thread

Similar allegations were removed from r/privacy as fake news: https://www.reddit.com/r/privacy/comments/17st6yu/tutanota_i...

canadiantim2y ago

reddit isn't exactly known for the free sharing of information anymore tho

hackideiomat2y ago

> "This would completely contradict our mission as a privacy protection organization."

no shit, but the claim is that you aren't...

ThePowerOfFuet2y ago

Could it be that their backend is compromised, instead of being willing participants?

j / k navigate · click thread line to collapse

77 comments

43 comments · 10 top-level

PrimeMcFly2y ago· 11 in thread

It's such a bad service, I don't know why anyone uses it. ProtonMail is superior in every way.

Tuta has all kind of weird restrictions, like not being able to search back more than a month.

norenh2y ago

Without having a good anonymous starting point, protonmail does not let you get that starting point, at least the last time I tired (maybe a year ago).

PrimeMcFly2y ago

ProtonMail never used to require another email to verify, and only asked for a phone if I was on an IP that had made more than one account already.

1 more reply

Karsteski2y ago

PrimeMcFly2y ago

I have a tuta account, I tried to search for something recently and it only let me search from October 12th or something. I'm not sure you can search back more than a month on the free plan.

shrimp_emoji2y ago

Can confirm. Search is brutal. But I just set it to auto-delete old emails anyway now, so problem "solved". ;D

hiepph2y ago

I used to love Tuta for the tempting price (1eur/month). But now due to the increasing price, poor UX, no bridge to Thunderbird, broken filter rules, I switched to another provider.

PrimeMcFly2y ago

I still have an account that I have some stuff linked to, I want to close it down entirely soon, it sucks there isn't any way to export all my emails without paying though.

tym02y ago

What do you use instead? I also only use it for the price.

nicce2y ago

> ProtonMail is superior in every way.

In the past, their billing was based on blackmailing. I don't know if that is the case anymore. But I dropped using it ever since.

wkat42422y ago

Elaborate please?

> In the past, their billing was based on blackmailing.

Not saying I don't believe you but I'd like to know more.

1 more reply

PrimeMcFly2y ago

I only use the free service, and it isn't nearly as limited as tutanota's free service.

hnarn2y ago· 7 in thread

So even if I don't like them, I'm going to need something more concrete than someone simply saying they have "intelligence ties" to be willing to believe that they are somehow duping their users.

amanzi2y ago

hackideiomat2y ago

I guess, if the crypto is real, the only things feds could do is tell tuta to load different JS for certain IPs. Which would not be easy to verify as anyone but a targeted person.

Also, there's still benefits for my privacy and security as in I'm sure some people would find vulns in the code and report them.

1 more reply

BlueTemplar2y ago

Which you cannot do using Tutanota (or only can do it using server binaries they provide ?), exactly why the "open source" claim is disingenuous.

linhns2y ago

Privacy-wise, all your emails are stored in Germany, and govt can just flip the switch at any time and just confiscate the servers.

nicce2y ago

It does not matter where the emails are stored if you have zero trust policy and use proper encryption protocols.

byyll2y ago

And privacy-wise, the data can be encrypted.

hnarn2y ago

1 more reply

treypitt2y ago· 5 in thread

nicce2y ago

What comes to that Reddit post, it is two years old and they have supported mass selection for a long while for now.

Ayesh2y ago

My naive thought is that they could have an E2EE search index for each mailbox? I wouldn't even mind if the index storage counts against the quota.

1 more reply

anjel2y ago

Both proton and tuta cripple search so that deleting mail detritus is tedious so that you'll use up your free storage quota and have to subscribe.

blueflow2y ago

Tuta is not in Five Eyes jurisdiction, it is in Germany.

Dah00n2y ago

No but it is in 14 eyes.

DSingularity2y ago· 3 in thread

What evidence is there that they do have such ties?

boomboomsubban2y ago

The testimony of the director of the RCMP Operations Research group.

yborg2y ago

2 more replies

agilob2y ago

Some dude said so publicly.

poutinepapi2y ago· 2 in thread

Stick a fork in them, they're done. At least with that name they are. Easiest thing would be to disolve, and start a brand new company with the same people.

So they're about to lose a chunk of customers and Tutanota's leadership isn't exactly quality so who knows what they'll do.

shrimp_emoji2y ago

> No one serious uses them

Hey... :c

poutinepapi2y ago

rez9x2y ago· 2 in thread

injeolmi_love2y ago

The campaign against Wikileaks and Assange comes to mind in particular.

shrimp_emoji2y ago

1 more reply

popcalc2y ago· 2 in thread

Same with Proton. Basically the spiritual successor to Crypto AG.

protonmail2y ago

popcalc2y ago

grammers2y ago· 1 in thread

Similar allegations were removed from r/privacy as fake news: https://www.reddit.com/r/privacy/comments/17st6yu/tutanota_i...

canadiantim2y ago

reddit isn't exactly known for the free sharing of information anymore tho

hackideiomat2y ago

> "This would completely contradict our mission as a privacy protection organization."

no shit, but the claim is that you aren't...

ThePowerOfFuet2y ago

Could it be that their backend is compromised, instead of being willing participants?

j / k navigate · click thread line to collapse