Tutanota is a German company that you probably have never heard of unless you are in the business of email. This company is ready to beta test its new encrypted email service after a year of internal testing as well as an alpha that included 100,000 users signed up and ready to go. The standard .com will be available on release with additional domains released in the near future such as .de, .us, or .io.
The concept that lead to the foundation of the company in 2011 was truly secure email without difficult to use software like PGP. This is encrypted email usable from a web browser or apps from iOS and Android apps. This would be similar to Hushmail, StartMail, and ProtonMail but far easier to use and the encryption would be toggled on and off and be supported across many platforms.
Arne Mohl said that the company, “decided to invent something new which is easy to use. That was the plan from the beginning”. He continued to make it clear that this level of email encryption must be broght to apps, web browser and the best way to do this was to create a web application as opposed to a locally installed solution.
Tutanota is confident that the security of its solution is ready for cheap internet plans and the public now that it has fixed its cross-site scripting vulnerability revealed early in expanded testing. Encryption is done locally on the computer or device and is secured with a unique password. The local device then connects to the Tutanota service and moves on from there. This of course means that the user’s password need to be strong enough to protect the first leg of the data stream.
Tutanota has no access to user’s passwords and there is no password reset option so there is truly no way for the service to decrypt email. This means a user’s data is safe from the provider as well as any agency that may try to force the company to release a user’s files. This is referred to as end-to-end encryption. The encryption begins before the data hits the app or browser and stays encrypted until the person that the mail was sent to decrypts it outside the loop it was sent in.
One reason why this company is being trusted by experts in the market is that the source code that powers the service was made open and revealed for the community to review. It was also tested using cryptographic peer review by the firm SySS.
Users are assigned an asymmetric key pair, one public and one private, when they first register for the service. The keys are placed client side and then encrypted themselves. Keys are synced across all the users devices so they are never entered manually making key loggers uses against them. All attachments and email subject lines are also encrypted using the same keys so the more visible aspects of a message are inaccessible. Even if a mail is sent without using the encryption the files are stored on the servers in an encrypted state so the service would still not have access to any of it.
Most Internet providers by zip code and Tutanota is confident that the security of its solution is ready for the public now that it has fixed its cross-site scripting vulnerability revealed early in expanded testing.