Tuta (email)

Tuta, formerly Tutanota, is an end-to-end encrypted email app and a freemium secure email service. The service is advertisement-free; it relies on donations and premium subscriptions. As of June 2023, Tutanota's owners claimed to have over 10 million users of the product. The company announced a transition to 100% renewable electricity in March 2019. This decision coincided with employee participation in Fridays for Future protests. On 1st October 2024, Tuta launched its standalone encrypted calendar app. Tuta Mail has recently integrated post-quantum cryptography features through its new protocol - ''TutaCrypt'' replacing standard encryption methods like RSA-2048 and AES-256 for its newly created accounts after March 2024.

History

Tutanota is derived from Latin and contains the words " tuta" and "nota" which means "secure message". Tutao GmbH was founded in 2011 in Hanover, Germany.

The goal of the developers for Tuta is to fight for email privacy. Their vision gained even more importance, when Edward Snowden revealed NSA's mass surveillance programs like XKeyscore in July 2013.

Since 2014, the software has been open-sourced and can be reviewed by outsiders on GitHub.

In August 2018, Tuta became the first email service provider to release their app on F-Droid, removing all dependence on proprietary code. This was part of a full remake of the app, which removed dependence on GCM for notifications by replacing it with SSE. The new app also enabled search, 2FA and got a new reworked user interface.

In November 2020, the Cologne court ordered monitoring of a single Tuta account that had been used for an extortion attempt. The monitoring function should only apply to future unencrypted emails this account receives and it will not affect emails previously received.

On 7 November 2023, Tutanota announced it was rebranded to simply 'Tuta'. The former domain name tutanota.com now redirects to the shorter tuta.com.

On 11 November 2023, it was alleged that Tuta was being used as a honeypot for criminals with a backdoor from authorities. An ex-RCMP officer, Cameron Ortis, testified that the service was used as a storefront to lure criminals in and gain information on those who fell for it. He stated authorities were monitoring the whole service, feeding it to Five Eyes, which would disperse it back to the RCMP in order to gain more knowledge about the criminal underground. However, no evidence was ever presented to back up this statement, and Tuta refuted the claim.

Services

Tuta Mail

"Tuta Mail" is Tuta’s initial and primary service. Tuta Mail is a fully end-to-end encrypted email service available for download on Android (Google, F-Droid, apk) and iOS. Tuta Mail has email clients for Linux, Windows and macOS. It can also be accessed through web browser. In 2024 Tuta introduced quantum-resistant algorithms in a hybrid protocol similar to Signal to protect the data against future attacks from quantum computers.

Tuta Calendar

The "Tuta Calendar" is encrypted with post-quantum cryptography. The Tuta Calendar was first released as an integrated calendar in Tuta Mail. In October 2024, Tuta released it as a stand-alone calendar app available for iOS and Android.

Encryption

When a user registers on Tuta, a private and public key is generated locally on their device. The private key is encrypted with the user's password before being sent to Tuta’s servers. User passwords are hashed using Argon2 and SHA256.

Emails between Tuta users are automatically encrypted end-to-end. For emails sent to external recipients, a password must be exchanged for symmetric encryption. Tuta also encrypts subject lines and attachments of emails and calendars with metadata and search indexes. The email addresses of users, as well as those of senders and recipients, are stored in plain text. The timestamps indicating when an email was sent or received are also not encrypted.

Tuta uses a standardized, hybrid method consisting of a symmetrical and an asymmetrical algorithm - AES with a length of 256 bit and RSA with 2048 bit. To external recipients who do not use Tuta a notification is sent with a link to a temporary Tuta account. After entering a previously exchanged password, the recipient can read the message and reply end-to-end encrypted.

Tuta Mail uses post-quantum cryptography features through its new protocol, ''TutaCrypt'' for its newly created accounts after March 2024. TutaCrypt combines traditional encryption methods with quantum-resistant algorithms to secure communications. It replaces the previous RSA-2048 keys with two new key pairs:

Elliptic Curve Key Pair: ''Utilizes the X25519 curve for the Elliptic Curve Diffie-Hellman (ECDH) key exchange.''

Kyber-1024 Key Pair: ''Implements post-quantum key encapsulation using the CRYSTALS-Kyber algorithm.''
TutaCrypt employs AES-256 in CBC mode alongside HMAC-SHA-256 for authenticated symmetric encryption. And the transition to TutaCrypt for old existing user accounts created before March 2024, will occur in December 2024. Tuta also stated that it does not use PGP due to its limitations in encrypting subject lines and lack of flexibility for algorithm updates. S/MIME is also avoided due to critical vulnerabilities identified in 2018.

Reception

Reviews of Tech websites were generally positive for Tuta. In July 2023, TechRadar praised Tuta Mail as an "Excellent encrypted email platform" focusing on its broad features and intuitive design. However, it criticized the limitations in customer support and the cost of additional storage. In June 2024, PCMag highlighted Tuta for its strong encryption and user-friendly interface with a rating of 4 out 5. CyberNews rated 4.6 overall, but criticized Tuta for its lack of PGP and IMAP support. Also it pointed out Tuta's Headquarters - Germany as a drawback for being a part in Fourteen Eyes Alliance.

Future

Tuta is working on a cloud storage platform named "TutaDrive" with a focus on post-quantum cryptography. The project, officially named "PQDrive - Development of a Post-Quantum Encrypted Online Storage," is funded by the German government's KMU-innovativ program (€1.5 million), which supports Small and medium-sized enterprises (SMEs) like Tuta. The project receives further support through a €600,000 collaboration with the University of Wuppertal, which will play a key role in research and development.

Account deletion

Tuta deletes free accounts that have not been logged into for 6 months. According to Tuta, this happens because of security reasons and for keeping the service free.

Tuta has also been GDPR compliant since 2018.

Censorship

Tuta has been blocked in Egypt since October 2019, and blocked in Russia since February 2020 for unknown reasons (although believed to be tied to actions against services operating outside of the country, especially those that involve encrypted communications).

See also

* Comparison of mail servers
* Comparison of webmail providers

References

External links

* {{Official website, https://tuta.com

Cross-platform software
Free security software
Free software webmail
Internet properties established in 2011
Secure communication
Software using the GNU General Public License
Free software programmed in TypeScript
Free software programmed in JavaScript