Review: Using Tutanota.

Updated 10 January 2020.

Copyright: European Union Public License, version 1.2 (EUPL-1.2).

Out of the 20+ email providers we’ve tested, it quickly came down to Tutanota vs Protonmail. We use both of them…

Disclaimer: we are not affiliated with these companies; this article is 100% our own findings, and there is no affiliate marketing in place through the links provided below for your convenience.

How we write our reviews: to ensure an unbiased and thorough review, all apps are tested:
• In real time, i.e. we use them on real projects.
• By different team members located in different countries.
• With different devices and operating systems.
• For a minimum of two weeks, four on average.
• The article is peer-reviewed by other team members, then sent to the app’s publisher for final review.

1. Our specifications sheet:

  • End-to-end, zero-knowledge encryption (1).
  • Own business domain (2).
  • Administration of users (3).
  • Resistance to state-sponsored criminals (4).
  • Cost-effective for a large user base (5).
  • Multi-platform (6).
  • Open source (7).
  • Emergency support by the provider.

From there, it’s easy to strike a lot of email providers off the list. Basically it quickly came down to Tutanota vs Protonmail. Interesting fact: the NSA requested a backdoor from them, but they refused. We use both of them, but Tutanota is the one supporting our domain name with the Premium package. The main differences between Tutanota and Protonmail are the price and storage capacity (8).

2. Shared features between Tutanota and Protonmail:

  • Open source.
  • End-to-end encryption with keys stored on user’s computer (9).
  • Android and iOS apps.
  • Web-based add-ons for desktops.
  • Password protected emails for external users (10).
  • Own domain.
  • No logging of users’ data.
  • Two factor authentication.
  • Encrypted calendar.
  • Encrypted contacts.

3. Only with Tutanota:

  • Administration of users.
  • No recovery via email or SMS (insecure); instead a Recovery Code is generated during account creation. An admin can also recover access for a user from the admin interface.
  • 1€/month/user.
  • 1 GB storage.
  • Servers are located in Germany therefore under German privacy protection laws (11).
  • Dual encryption mechanism (12).
  • Local encryption (13).

4. Only with Protonmail:

  • Auto-destruct emails between Protonmail users; also possible for external users if you set up a password-protected email.
  • You get a notification on your recovery email when you have a new incoming email.
  • 5€/month/user.
  • 5 GB storage.
  • Can disable recovery email.
  • PGP encryption available (14).
  • Servers are located in Switzerland, therefore under Swiss privacy protection laws (15).
  • IMAP/POP3 support (16).

5. Serious alternatives:

6. Notes:

(1) In any case, it’s end-to-end encrypted only between users of the same solution. Only PGP is a universal way of sending encrypted emails to anyone, but unfortunately not enough people know how to use it. The encryption key must be stored on the user’s device, otherwise it’s not protected against state-sponsored criminals. Of course, this doesn’t mean they couldn’t give the government plain-text messages, just that it would require them to actively attack the user in order to steal the required password; up to now they haven’t done it, and most probably will not do so in the foreseeable future.

(2) That one may present an attack opportunity to state-sponsored criminals through MX records, so you must host your domain in a place that is going to protect access, not in the same country as your email provider. Look at states that are not part of the Fourteen Eyes and have a record of respecting privacy and democracy.

(3) Multiple users isn’t the same as multiple aliases. A user has their own access, username, password and mailbox. Aliases are like forwarding emails to/from the original address. For example, you would have a main address like name.surname@yourdomain.com with aliases like blabla01@yourdomain.com, blabla02@yourdomain.com, etc. If someone sends an email to any alias, it will be forwarded to the main name.surname@yourdomain.com. The benefit is that you can create/destroy addresses easily. But if you’re using aliases, you’d have to give admin access to the account in order to share your inbox, which is impossible in a business environment.

(4) Police, prosecutors etc. Their crimes are “legal” since they’ve corrupted state institutions. They are the most dangerous sort of criminals, to an individual or to a country. If they’ve done something illegal, they can cover it up any way they like. They can intercept and read IMAP, POP3, TLS, SSL. They can spoof your email provider’s SSL certificate. They can have access to your SMS and emails, meaning a recovery option is often an easy attack possibility for them. That’s why you should always use encryption software, encrypt your devices, and buy hardware outside the country you operate in.

(5) We have hundreds of contractors using our emails; as such, a synchronized and unified solution is needed to minimize possible leakage of information to third parties.

(6) Must be accessible from iOS, Android, Windows, Linux and Mac desktops. We don’t do Windows phones or BlackBerry because it would restrict the list so much that it’s almost impossible to find a solution.

(7) Open source doesn’t guarantee someone has actually taken the time to audit the code for backdoors or weaknesses, but it shows a will to be transparent. Tutanota claims to be regularly auditing its code and was subject to an extensive penetration test by SySS GmbH.

(8) Tutanota is cheaper than Protonmail but offers less storage space (1 GB vs 5 GB); in our case we don’t need much storage, so pricing was the deciding factor at 12 USD/year/user.

(9) It also means the provider is unable to recover (decrypt) data if the password is lost.

(10) You need to send the password through another communication channel.

(11) We’re not sure if this is good as Germany is a member of the five eyes. On the one hand we know there is a lot of NSA hardware on German soil, basically this is from where they spy on Europe. On the other hand it means German people are used to fighting back. In any case Tutanota claims they won’t give backdoors to these agencies.

(12) Tutanota uses a dual encryption mechanism: private key + password. A private key is generated in the browser upon registration and is used for encryption/decryption. This private key is then encrypted with the login password, so the server only ever holds the wrapped key.

(13) Emails are stored encrypted locally on the devices. 

(14) Tutanota is planning to develop an API to allow users to use PGP in a user friendly manner.

(15) By remaining outside of US and EU jurisdictions they provide a safer location to protect confidential data.

(16) IMAP and POP3 are not secure because they download emails locally unencrypted; therefore they can be read in transit and/or on the devices.

7. We’ve tested this and more:
