Tutanota

Ideas to everything that could be useful. Proposals and tips for JonDonym programming.

Tutanota

Post by sammmy » Mon Jan 19, 2015 12:00

What do you think about the email service tutanota.com?
Is it secure?
Thank you.

Re: Tutanota

Post by cane » Mon Jan 19, 2015 16:24

I don't recommend server-based crypto solutions in JavaScript like Tutanota, Protonmail, Subrosa.io and others.

1: You get the crypto code each time you call the website. You have to log in, and by logging in you are personalized (at least with a pseudonym). It is possible to send you (and only you) modified crypto code with a backdoor. This was already done by Hushmail, because Hushmail was forced by the US DEA to do it for some mail accounts. Server-side crypto is never secure!

2: It is much easier to hack your communication if you use JavaScript code in a browser than if you use a separate application for communication. This was demonstrated by hacking Protonmail with an XSS attack: http://vimeo.com/99599725 Use the web browser to display websites and nothing else.

3: Your private keys are stored in the browser (DOMStorage). This is less secure than storing them on disk with a separate application. It is easier to hack the browser than a separate application to get your private keys.

Conclusion: The concept is weak. Too many trade-offs to simplify the usage.
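
Point 1 of the reply above rests on the crypto code being delivered again at every visit. As an added example (not part of the original post, and not code from Tutanota or JonDonym), this Python code shows the matching defender-side check: hash every script a fetched page would run and compare it against digests pinned out of band. The page markup, the `/app.js` path, the bundle bytes and the `audit` helper are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed sample data: one login page and two bodies for the same script
# URL. The second stands in for a response that was changed for one account.
BUNDLE_GOOD = b"function encrypt(m, k) { /* constructed placeholder */ }"
BUNDLE_CHANGED = BUNDLE_GOOD + b"\n/* constructed extra statement */"
PAGE = '<html><script src="/app.js"></script><script>init()</script></html>'

def sri_digest(body: bytes) -> str:
    """Return the digest in Subresource Integrity notation (sha384-<base64>)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

class ScriptCollector(HTMLParser):
    """Collect [src, inline_body] for every <script> element in a page."""
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append([dict(attrs).get("src"), ""])
            self._open = True

    def handle_data(self, data):
        if self._open:
            self.scripts[-1][1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False

def audit(page: str, fetched: dict, pins: dict) -> list:
    """Compare each script the page would execute with the pinned digests."""
    parser = ScriptCollector()
    parser.feed(page)
    findings = []
    for src, body in parser.scripts:
        # External scripts are hashed as served; inline ones share one pin set.
        key = src or "inline"
        digest = sri_digest(fetched[src] if src else body.encode())
        if key not in pins:
            findings.append(("unpinned", key))
        elif digest not in pins[key]:
            findings.append(("mismatch", key))
    return findings
```

The check is only meaningful when the pinned digests come from a source the mail server does not control, for example a published release; pins taken from the same server carry no more assurance than the page itself.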
