Tutanota: the Open-Source Encrypted E-mail Answer to Protonmail

For several years, and especially since the Edward Snowden revelations, there has been a need for an easy-to-use, automatically encrypted communications service.

Many people have flocked to Protonmail, the closed-source e-mail application based in Switzerland, which has seen a great deal of corporate backing and a rapidly expanding user base. The key word here is closed-source – meaning that the security researchers of the world are not immediately free to audit the viability of the secure algorithms used to encrypt messages on the service.

Enter Tutanota, the German-based alternative to Protonmail, which is both open-source and as easy to use as Protonmail. Tutanota is Latin for “secure message,” at least if you separate the two words. The company was founded in 2011 and presently serves around 100,000 accounts. It is backed by two German private investors and has ambitions to expand into other areas, such as a secure calendar interface and a file sharing / storage service not unlike Mega.

Encrypting E-mails was Just Too Complicated

Co-founder Arne Möhle explained in a phone call that the impetus for creating the service was that, in their previous lives, he and co-founder Mathieu Pfau found that it was overly complicated to securely communicate with business partners and customers.

Before we started with Tutanota, we were in some other jobs, and all of us, we always saw this problem that encrypting e-mails for communication with partners or with customers was just too complicated. And that’s when we said there must be some easier way to do that. That’s when we started to develop Tutanota, which hides all the stuff which is complicated like generating keys, exchanging keys, managing certificates, and so on.

In the same way that Mega easily encrypts files for users using client-side browser-based security, Tutanota does not require much of the user in terms of technical know-how. While Tutanota and Protonmail are hardly the first in this space, Hushmail was famously compromised several years ago. Further, Hushmail actively logs IP addresses and over the years, due to complicity with law enforcement and other mistakes, they have fallen off the radar as the go-to secure e-mail provider.

A nifty feature of Tutanota is its per-recipient password protection.

As stated earlier, Tutanota intends to expand into other markets, potentially even into instant messaging later on. The implementation of encrypted calendaring would be a first, and will be something that the next generation of businesses will truly appreciate. It is much easier to track someone’s whereabouts if you can easily access their calendar. In this vein, Tutanota already has a business application, Tutanota for Outlook, which is one of the ways they are already generating revenue. It is also open source so that companies can be sure things are working properly under the hood.

We also have a business product, which is Tutanota for Outlook. So you can just send and receive end-to-end encrypted e-mails directly with Outlook. It works with an Outlook plug-in. And that’s the business variant of Tutanota. […] We’re thinking about integrating it into Thunderbird, but it’s not yet decided if we’re going to do it but we have to see which is the highest priority to work on, and Thunderbird is not currently the highest priority, but it may become the highest priority in the future. […] For private users, we currently focus on the web application and the Android and iPhone applications.

Tutanota is encrypted with RSA/AES 2048 encryption. Hacked got in touch with Dr. Brian Sovryn, a technologist and podcaster based in New Hampshire, for his thoughts on the open-source alternative to Protonmail.

The fact is, we live in a surveillance state. But it’s more than that. It’s also a surveillance society, where people seem to just accept a lack of privacy in their lives and communications. I think the reason they accept this is because it appears that regaining privacy is hard. But that’s the beauty of services like Tutanota, where it takes some of the best open-source encryption devised and makes it easy to use with an app on your smartphone, in your web browser, and even in Outlook! Even if somehow that encryption were cracked, getting people used to encryption being the rule, and no longer the exception, is essential to human freedom.

In the modern age, you can almost bet that anything you send and receive is being watched by someone, and governments are not the only third party to be concerned about.

Hackers who traffic in financial and personal data, marketers who profit by knowing every click of your mouse within the browser, and those with even more nefarious purposes, such as terrorist organizations, all have a motive to know what goes on in the private lives of everyday people.

Möhle says that the state of mass surveillance we live under was a big concern, and the hope is that Tutanota gives people without a great deal of technical knowledge the freedom to communicate unmolested.

Images from Shutterstock and Tutanota.
Editor’s note: in the original article, we gave the impression that all of ProtonMail’s code is closed-source, which is not true. ProtonMail utilizes the open-source library OpenPGPjs. While ALL of Tutanota’s code is freely available (https://github.com/tutao/tutanota) and they do intend to add PGP (https://tutanota.uservoice.com/forums/237921-general/suggestions/6979966-pgp-support), ProtonMail creator Andy Yen felt that we were unfair to ProtonMail. He wrote to say:

“It is often claimed that Tutanota is open source while ProtonMail is not, but that is actually quite disingenuous. ProtonMail’s client side encryption is based on the OpenPGPjs library (https://github.com/openpgpjs/openpgpjs) and not only do we use that library, our developers are also active in contributing to it. OpenPGPjs is open source. But it is better than open source. It has also been audited and reviewed. And it has a very active developer community which is constantly improving it and making it more secure. In other words, it is an exemplary example of how to leverage the strengths of open source.”


Website: http://phm.link

P. H. Madore has covered the cryptocurrency beat over the course of hundreds of articles for Hacked's sister site, CryptoCoinsNews, as well as some of her competitors. He is a major contributing developer to the Woodcoin project, and has made technical contributions on a number of other cryptocurrency projects. In his spare time, he recently began a more personalized, weekly newsletter at http://ico.phm.link