Tuta (email)

Tuta
Type of site: Webmail
Available in: Multilingual
Headquarters: Hanover, Germany
Owner: Tutao GmbH
Employees: 14 (Nov. 2020) [1]
URL: tuta.com
Commercial: Yes
Registration: Required
Users: Over 2 million
Launched: 2011
Current status: Online

Tutanota client app
Developer(s): Tutao GmbH
Stable release: 220.240321.0 [2] (21 March 2024)
Repository: github.com/tutao/tutanota/
Written in: TypeScript and JavaScript
Operating system: Microsoft Windows, macOS, Linux, iOS, Android
Platform: x86-64, iOS, Android
License: GNU GPL v3
Website: tuta.com

Tuta, formerly Tutanota, [3] is an end-to-end encrypted email app and a freemium secure email service. [4] The service is advertisement-free and relies on donations and premium subscriptions. [5] As of June 2023, Tuta's owners claimed over 10 million users. [6] The company announced a transition to 100% renewable electricity in March 2019, [7] a decision that coincided with employee participation in Fridays for Future protests. On 1 October 2024, Tuta launched a standalone encrypted calendar app. [8] In March 2024 Tuta Mail introduced post-quantum cryptography through a new protocol, TutaCrypt, which replaces RSA-2048 key exchange for accounts created after that date while keeping AES-256 for the symmetric layer. [9] [10]

History

Tutanota logo from 2014 to 2024

The name Tutanota is derived from Latin and combines the words "tuta" and "nota", meaning "secure message". [11] Tutao GmbH was founded in 2011 in Hanover, Germany. [12] [13]

The stated goal of Tuta's developers is to fight for email privacy, a mission they say gained importance when Edward Snowden revealed NSA mass-surveillance programs such as XKeyscore in July 2013. [14] [ unreliable source? ]

Since 2014, the software has been open-sourced and can be reviewed by outsiders on GitHub. [15] [16]

In August 2018, Tuta became the first email service provider to publish its app on F-Droid, which required removing all dependence on proprietary code. This was part of a full rewrite of the app in which Google Cloud Messaging (GCM) push notifications were replaced by the service's own notification channel built on Server-Sent Events (SSE), a long-lived HTTP connection that needs no third-party push infrastructure and leaks no message content to it. The new app also added search, two-factor authentication (2FA) and a reworked user interface. [17] [18] [ non-primary source needed ]

In November 2020, a Cologne court ordered Tuta to monitor a single account that had been used in an extortion attempt. The order applied only to unencrypted emails the account received after it took effect; previously received emails were unaffected, and end-to-end encrypted messages, which Tuta cannot decrypt, were out of its reach. [19] [20]

On 7 November 2023, Tutanota announced it was rebranded to simply 'Tuta'. [21] The former domain name tutanota.com now redirects to the shorter tuta.com. [3]

On 11 November 2023, Cameron Ortis, a former RCMP intelligence official on trial for leaking secrets, testified that Tuta had been a storefront, a honeypot with a backdoor for authorities, used to lure criminals and collect information on them. He claimed that authorities monitored the whole service and fed the intercepts to Five Eyes, which passed them back to the RCMP to build knowledge of the criminal underground. No evidence was presented for the claim, and Tuta denied it. [22] [23] [24]

Services

Tuta Mail

"Tuta Mail" is Tuta's initial and primary service: a fully end-to-end encrypted email service available on Android (Google Play, F-Droid, direct APK) and iOS, as desktop clients for Linux, Windows and macOS, and through a web browser. In 2024 Tuta introduced quantum-resistant algorithms in a hybrid protocol that combines a classical and a post-quantum key exchange, in a manner similar to Signal's, to protect stored mail against future decryption by quantum computers.

Tuta Calendar

The "Tuta Calendar" is encrypted with post-quantum cryptography. The Tuta Calendar was first released as an integrated calendar in Tuta Mail. In October 2024, Tuta released it as a stand-alone calendar app available for iOS and Android.

Encryption

When a user registers, a key pair is generated locally on the device. The private key is encrypted with a key derived from the user's password before it is uploaded to Tuta's servers, so the server only ever stores the wrapped key. Passwords are hashed with Argon2 and SHA-256. [25] [26]

Emails between Tuta users are automatically encrypted end-to-end. [27] For external recipients, a password exchanged out of band is used to derive a symmetric key. Subject lines, attachments, calendar entries and their metadata, and the search index are encrypted as well. [28] Not everything is: the user's own email address and the addresses of senders and recipients are stored in plaintext, as are the timestamps of when an email was sent or received, [29] so this metadata remains visible to the provider.

Tuta uses a hybrid scheme combining a symmetric and an asymmetric algorithm: AES with a 256-bit key (128-bit in earlier versions) and RSA with 2048-bit keys. [30] [31] [32] [33] External recipients who do not use Tuta receive a notification with a link to a temporary Tuta account; after entering the previously exchanged password, the recipient can read the message and reply end-to-end encrypted. [34] [35]

Tuta Mail applies post-quantum cryptography through its new protocol, TutaCrypt, to accounts created after March 2024. TutaCrypt combines classical and quantum-resistant algorithms and replaces the previous RSA-2048 key pair with two key pairs:

   Elliptic-curve key pair: X25519, used for Elliptic Curve Diffie-Hellman (ECDH) key agreement.
   Kyber-1024 key pair: post-quantum key encapsulation using CRYSTALS-Kyber (the scheme NIST has since standardized as ML-KEM).

In a hybrid design of this kind the two shared secrets are combined into one key, so an attacker must break both X25519 and Kyber to recover a message key. For the symmetric layer TutaCrypt uses AES-256 in CBC mode with HMAC-SHA-256; CBC on its own is malleable, so the MAC is what provides integrity, and a correct implementation verifies it before any decryption or padding check. Accounts created before March 2024 were to be migrated to TutaCrypt later. [36] [37] [38] [39] Tuta has stated that it does not use PGP because PGP cannot encrypt subject lines and offers no flexibility for algorithm upgrades, and that it avoids S/MIME because of the critical vulnerabilities (the EFAIL attacks) published in 2018. [40]

Reception

Reviews on technology websites have generally been positive. TechRadar praised Tuta Mail as an "Excellent encrypted email platform" for its broad feature set and intuitive design, but criticized the limited customer support and the cost of additional storage. [41] In June 2024, PCMag highlighted Tuta's strong encryption and user-friendly interface and rated it 4 out of 5. [42] CyberNews rated it 4.6 overall but criticized the lack of PGP and IMAP support, and counted Tuta's headquarters in Germany, a member of the Fourteen Eyes intelligence-sharing alliance, as a drawback. [43]

Future

Tuta is working on a cloud storage platform named "TutaDrive" [44] with a focus on post-quantum cryptography. The project, officially named "PQDrive - Development of a Post-Quantum Encrypted Online Storage," is funded by the German government's KMU-innovativ program (€1.5 million), which supports Small and medium-sized enterprises (SMEs) like Tuta. The project receives further support through a €600,000 collaboration with the University of Wuppertal, which will play a key role in research and development. [45]

Account deletion

Tuta deletes free accounts that have not been logged into for six months, which it says it does for security reasons and to keep the service free. [46]

Tuta has also been GDPR compliant since 2018.[ better source needed ] [47] [48]

Censorship

Tuta has been blocked in Egypt since October 2019 and in Russia since February 2020. No official reason was given; the blocks are believed to be tied to actions against services operating outside those countries, especially ones offering encrypted communications. [49]

References

  1. "Huge community support enabled us to employ our 14th team member: Welcome Jonas!". Tutanota. 18 November 2020. Retrieved 28 December 2020.
  2. "Release 220.240321.0 (Desktop)". 21 March 2024. Retrieved 29 March 2024.
  3. Rudra, Sourav (2023-11-07). "Tutanota Rebranding as 'Tuta': What You Need to Know". It's FOSS. Retrieved 2023-11-07.
  4. Lomas, Natasha (18 March 2015). "Tutanota, An Open Source Encrypted Gmail Alternative, Heads Out Of Beta". TechCrunch. Retrieved 4 November 2015.
  5. "Tutanota prices". Tutanota. Retrieved 2022-09-25.
  6. "Celebrate with us: Tutanota reaches 10 million users!". Tutanota. Retrieved 2024-05-14.
  7. "Embracing Sustainability: Tuta's Commitment to a Greener Future". Tuta. Retrieved 2024-05-13.
  8. "Exciting News from Tuta: Introducing the Tuta Calendar App!". Tuta. Retrieved 2024-09-05.
  9. "Tuta Mail Adds New Quantum-Resistant Encryption to Protect Email". Bleeping Computer. Retrieved 2024-09-06.
  10. "Post-Quantum Cryptography". Tuta. Retrieved 2024-09-06.
  11. "What does the name "Tutanota" stand for?". Archived from the original on 2016-07-30. Retrieved 2016-08-06.
  12. "5 of the Best Secure Email Services for Better Privacy". maketecheasier. 23 October 2015. Retrieved 13 March 2017.
  13. "Amtsgericht Hannover Aktenzeichen: HRB 208014" (in German). German Company Register. 18 January 2012. Archived from the original on 22 September 2022. Retrieved 22 September 2022. Gesellschaftsvertrag vom 25.11.2011
  14. "Encrypted Email: The Privacy Alternative to Gmail". StickyPassword. 20 October 2015. Archived from the original on 13 March 2017. Retrieved 13 March 2017.
  15. "Secure Mail Service Tutanota Celebrates One Year Open Source". Tutanota. 2 September 2015. Retrieved 13 March 2017.
  16. "Tutao GmbH". GitHub. Retrieved 2020-07-17.
  17. Ivan (3 September 2018). "How Tutanota replaced Google's FCM with their own notification system". F-Droid. Retrieved 28 November 2018.
  18. "Tutanota Becomes the Go-to Open Source Email Service with an App on F-Droid". Tutanota. 14 August 2018. Archived from the original on 13 August 2018. Retrieved 28 November 2018.
  19. "German secure email provider Tutanota forced to monitor an account, after regional court ruling". msn.com. 8 December 2020. Retrieved 19 January 2021.
  20. Moody, Glyn (9 Dec 2020). "German Court Orders Encrypted Email Service Tutanota To Backdoor One Account". techdirt. Retrieved 6 September 2021.
  21. "Time to celebrate: Tutanota is now Tuta". tuta.com. 2023-11-07. Retrieved 2023-11-07.
  22. "Tuta Is An Independent Company And Not Linked To Five Eyes Secret Services". Tutanota. Retrieved 2023-11-22.
  23. Tunney, Catharine (12 Nov 2023). "Alleged RCMP leaker says he was tipped off that police targets had 'moles' in law enforcement". CBC. Archived from the original on 18 Nov 2023. Retrieved 22 Nov 2023.
  24. "Encrypted Email Service Tuta Denies It's a 'Honeypot' for Five Eyes Intelligence". Gizmodo. 2023-11-15. Retrieved 2023-11-22.
  25. "Best Encryption with KDF". Tuta. Retrieved 2024-09-06.
  26. "What is a Password Hash". Tuta. Retrieved 2024-09-06.
  27. "AES 256 Encryption". Tuta. Retrieved 2024-10-06.
  28. "Tuta Encryption". Tuta. Retrieved 2024-09-06.
  29. "Tuta Support General". Tuta. Retrieved 2024-09-06.
  30. "What encryption algorithms does Tutanota use?". Archived from the original on 22 March 2015. Retrieved 17 August 2017.
  31. "Security details about the encrypted email service Tutanota". Tutanota. Retrieved 2022-09-25. Tutanota uses symmetric (AES 128) and asymmetric encryption (AES 128 / RSA 2048) to encrypt emails end-to-end.
  32. Bahar, Zen (2021-12-29). "Tutanota vs. ProtonMail: which one is better?". NordVPN. Retrieved 2022-09-22. Currently, Tutanota and Protonmail are [...] both offering end-to-end encryption.
  33. "AES 256 Is Now Securing All Your Encrypted Tuta Emails". 2024-01-11.
  34. "Tutanota FAQ". Tuta. Retrieved 2024-09-06.
  35. "Tuta". Cyber Security Intelligence. Retrieved 2024-09-06.
  36. "Tuta Mail Adds New Quantum-Resistant Encryption to Protect Email". Bleeping Computer. Retrieved 2024-09-06.
  37. "Post-Quantum Cryptography". Tuta. Retrieved 2024-09-06.
  38. "Tuta Mail Adds Quantum-Resistant Encryption via TutaCrypt". Restore Privacy. 11 March 2024. Retrieved 2024-09-06.
  39. "TutaCrypt to Thwart Harvest Now, Decrypt Later Attacks". Security Boulevard. 14 March 2024. Retrieved 2024-09-06.
  40. "Tuta Encryption". Tuta. Retrieved 2024-09-06.
  41. "Tutanota secure email review". TechRadar. 21 July 2021. Retrieved 2024-09-06.
  42. "Tuta Mail Review". PCMag. Retrieved 2024-09-06.
  43. "Tutanota review: when privacy is a must". cybernews. 29 December 2021. Retrieved 2024-09-06.
  44. "The Race Is On: Tutanota Launches Development of Post-Quantum Secure Cloud". Tuta. Retrieved 2024-05-13.
  45. Rudra, Sourav (4 July 2023). "Tutanota Starts Working on Post-Quantum Secure Cloud". It's FOSS News. Retrieved 24 May 2024.
  46. "Tutanota FAQ Inactive-accounts". Tutanota. Retrieved 2022-09-06.
  47. "Press Inquiries & Media Kit". Tutanota. Retrieved 2022-09-24.
  48. "GDPR-compliant email service: Tutanota offers easy email encryption for all businesses". Tutanota. Retrieved 2022-09-24.
  49. Spadafora, Anthony (18 February 2020). "Tutanota secure email service blocked in Russia". TechRadar. Retrieved 2020-02-22.