Tutanota Review: The Ultimate Guide (Updated With Screenshots)

Will Tutanota dethrone ProtonMail as the number one security email service provider? Read our review to find out.

Summary

It is perhaps the only real alternative to ProtonMail.

Some consider it better than ProtonMail.

After all, Tutanota is free as well as open source.

It is a one-of-a-kind webmail service that offers its users a very high level of online privacy and anonymity.

But just like ProtonMail, this webmail service can’t protect users from organizations such as the NSA.

Pros

  • All users get free storage of up to 1GB
  • Users can expand the storage capacity via purchasing premium plans
  • Tutanota encrypts everything.
    And that includes the subject and body of an email as well as any attachments.
  • Tutanota is 100 percent open source
  • The company has awesome iOS and Android apps
  • Tutanota users can receive and send encrypted replies from other regular email service users
  • Tutanota allows users to use their own domain names

The Ultimate Tutanota Full review

If there is one thing that Edward Snowden revelations told us, then it is that your government is probably spying on all your activities.

And they are doing so all the time.

The worst part is that no one can stop them.

They are the government.

More specifically though, they are organizations which are very secretive and very powerful.

And as a result of such revelations, more and more users are demanding that the private sector come up with private internet services.

And if you want to secure just one thing from all the things you do on the internet, then that is email.

Yes.

Email.

That vital piece of technology that forms the bedrock of all our important communications.

It is funny that such an essential piece of technology which most users use on a day-to-day basis has such insecure and outdated protocols.

Our experience tells us that all users should get a secured email service if they use email as their primary mode of communication.

But maybe you have nothing to hide from organizations such as the NSA.

Maybe you are just a regular old internet user who just wants to surf the internet a while before going to bed.

Even then you need to secure your communications.

The modern web-based email services that you see in the market today are very easy to use.

Users can access these email services from any place on earth provided they have internet.

And a computer of course.

Any Internet-enabled device can now help you check your email messages.

Most of the good email service providers on the internet come for free.

But they aren’t really free.

What we mean by that is companies such as Google do offer free email services.

You know that email service by the name of Gmail.

But here is the thing:

Gmail isn’t really free.

Google basically offers you a free email service in exchange for something.

What is that something?

That something is a privilege.

The privilege to access your email messages and scan them.

Then Google can use that important information about you that it can glean from your email messages to deliver you more targeted ads.

The term Google likes to use a lot is “relevant advertisements”.

This is cool with a lot of users.

But some believe this Google business model presents a great threat.

Perhaps the greatest single threat when it comes to user privacy in the online world.

There is no doubt about the fact that there is one option that is by far the safest and most secure when it comes to accessing email messages.

It is also the method which provides the most amount of privacy.

That is, if we are talking about stand-alone email clients.

If you combine that with PGP encryption (a good example of this is Gpg4win) then you have the perfect privacy-protecting email service.

But preferably you would also want to use a self-hosted email server.

As you can probably tell, a lot of people find this process fiddly.

Not to mention it is highly inelegant.

Users who want to go this route must have a sophisticated understanding of managing terms such as asymmetric key pairs.

This is something that the majority of online users can’t handle.

Or don’t want to handle.

It requires too much time and desire to master.

Of course, you have browser-based OpenPGP plugins like Mailvelope.

These make life much easier for the average user.

But they come at the cost of less security.

Regardless, regular online users still find the Mailvelope method a bit too complex.

What else can you do then?

We will come to that in a bit.

The thing you need to understand here is that the internet needs a Gmail-like online webmail service.

And they need a service that is secure.

In other words, a perfect email service that offers a ton of functionality like Gmail does, but comes with more security.

And such an email service must not spy on its customers in order to monetize their personal data.

With that said, we would also like to mention that you will never come across an email service that can protect you against targeted online cyber attacks from organizations such as the NSA.

Their surveillance technologies are too advanced for any one security company.

The other problem with such a hypothetical email service is that simply by the virtue of using a privacy-focused encrypted email service, users would automatically attract the interest of government spying agencies such as the NSA.

But there are free webmail options for internet users who are privacy conscious.

Of course, there is always Gmail.

You can use it.

It isn’t exactly evil per se.

But for users who want privacy-oriented email services, there are a couple of very good options.

Among them, the two new webmail services that have eaten up all media coverage in their niche are Tutanota and ProtonMail.

These two have raced ahead and have captured most of the security community’s market needs.

Both these email services have spent an extraordinary amount of engineering talent to make their email services very attractive to all types of casual internet users.

Internet users who want a more secure online email service solution.

The thing with regular internet users is that they don’t just want a secure email service.

They want a secure email service provider that is secure and offers the same functionality and aesthetics as their insecure counterparts.

And it is true, that Gmail might not provide you the world’s best security and privacy, but it is extremely user-friendly.

And fast.

We have already reviewed ProtonMail.

And it has evolved itself into a really nice alternative to Gmail.

Especially after coming out of its beta stage.

ProtonMail did that earlier this year.

In short, ProtonMail impressed us.

But it isn’t a perfect email solution.

Right now though, it is probably the best.

The interesting thing about ProtonMail is that it provides you with a ton of security.

The team behind ProtonMail is also very solid.

And it offers its secure email service via an easy to use and intuitive webmail interface.

In fact, we think that ProtonMail can match Gmail and other email services in terms of ease of use and interface.

We have already mentioned that ProtonMail is way more secure than Gmail.

And the rest of the email service providers in the industry.

ProtonMail promises that it doesn’t spy on its customers.

Nor on their correspondence with their contacts.

Why?


Because it doesn’t really need to serve them targeted ads.

This is exactly what Tutanota provides you as well.

So both are directly competing with each other.

Perhaps, that is good for the security community.

Maybe both these secure email services will push each other to better themselves for a long time to come.

In the end, though, the end-user will benefit the most.

Hopefully.

In this Tutanota review, we will constantly compare it with its rival, ProtonMail.

That will also help you decide which one you want to go with.

For now, if you are wondering about how weird the name Tutanota is, then wonder no more.

It is weird.

The name Tutanota is derived from Latin.

It is made up of two words.

Tuta.

And nota.

When you combine them both, they form the phrase “secure message”.

Now that you understand, and probably have memorized, the term, you will find it easier to compare Tutanota and ProtonMail.

Both these secure email services come with their own set of pros and cons.

You will have to weigh each according to your own needs and requirements.

After that, we hope that you will make the right decision.

Features

  • Free. The company says “forever”.
  • All users get 1GB storage without any charges
  • Tutanota limits the attachment size to 25MB.
    Although there is a strong chance that the company will change it in the future
  • Tutanota permits 1 free alias.
    That means, each user can have 2 email addresses without any additional charges.
    Premium users can have more email addresses.
  • Tutanota encrypts everything.
    And that includes the subject and body of the user’s message as well as any attachments.
    Compare that with ProtonMail which only encrypts the message’s body and you would know why so many people prefer Tutanota over ProtonMail.
  • Tutanota is absolutely and completely open source.
    If you want to access its source code you can click here.
  • Tutanota has iOS as well as Android apps.
    That is more than what we can say for ProtonMail at the moment.
  • Tutanota allows users to send encrypted messages via email to regular email users.
    ProtonMail can do that as well.
    But Tutanota also allows users to receive encrypted replies from their contacts.
    ProtonMail doesn’t have that feature.
  • Tutanota has an Outlook add-on as well.
    But it only provides this feature to premium and/or business users.
    We won’t discuss this feature in this review.
  • The company is busy introducing new features such as webmail services where users have their own domain names.

Of all the features that we have mentioned above, which one do you think is the best?

In other words, which one is the killer feature?

The feature that will propel Tutanota way ahead of ProtonMail if ProtonMail doesn’t pick up the pace?

Without a doubt, that feature is the ability for Tutanota users to receive encrypted emails from non-Tutanota users.

To put it another way, if you send an encrypted message via Tutanota to your contact, then your contact can reply to that message with encryption as well.

Read the end of this review for more information on this feature.

ProtonMail didn’t start out as an open source service.

Though it is now.

But Tutanota has been open source from day one.

And that is a huge advantage as well.

But this only gives Tutanota an advantage in theory.

In the real world, ProtonMail has the advantage over Tutanota in this regard.

Why?
Because even though Tutanota is open source, we don’t know of a single independent researcher or researcher team that has audited Tutanota.

Many reputable researchers have audited ProtonMail even though it is closed source.

Privacy

Many in the media like to rely on the fact that ProtonMail operates from Switzerland and hence is better than Tutanota.

There are a couple of problems with this position.

The first problem is that ProtonMail isn’t really based in Switzerland.

In other words, only the company’s servers are.

The team behind ProtonMail hails from a US university known as Harvard.

Regardless, it is true that Switzerland has some strict privacy laws.

And most of the security community considers Switzerland a very privacy-friendly country.

We like to think that this is an illusion.

At least to a large extent if not completely an illusion.

Switzerland does have data retention laws.

And NSA-like surveillance programs also work and work effectively in that country.

Where is Tutanota based?

The company operates out of Germany.

Germany, just like Switzerland, also has a ton of strict privacy laws.

But the country, just like Switzerland, also engages in mass surveillance of its own.

Moreover, Germany has also provided the US bases for its organizations such as the NSA.

In fact, the NSA has launched many extensive operations from its European bases.

What we mean to say is that even though you have to pay money to use Tutanota, you still have to take your chances.

Tutanota also does not make use of security features such as two-factor authentication.

The company does plan to bring this feature onboard in the very near future though.

But this isn’t such a dealbreaker since ProtonMail also does not have it.

ProtonMail does require its users to provide the company with two passwords.

But again, that won’t really come in handy when you are looking for more security.

Two-factor authentication is basically something the user knows and something the user has.

Two passwords do not fit that description, as each of the items is something the user knows.

Tutanota email services also come with end-to-end encryption.

In other words, your browser or app encrypts messages before they leave your device, and Tutanota’s servers store them only in encrypted form.

The emails you store on their servers are comprehensively secure.

No one can access them.

And no one can decrypt them.

Not even the company’s own staff members.

But there are law enforcement agencies to deal with.

What happens if a law enforcement agency comes to Tutanota and demands that the company identify a specific user?

What would the company do then?

According to a staff member at Tutanota, the company would refuse such requests.

But the company also makes it clear that if a German court manages to issue a warrant, then the company would have no choice but to hand over user data.

However, the member said, the company encrypts all data on its servers.

And staff members of the company do not have access to the related encryption keys.

So even if law enforcement agencies come with a warrant, all they would get is metadata.

Why?

Because that is the only information that Tutanota can give them really.

Metadata includes information such as the contacts the user sent messages to and received messages from, and when the user sent and received them.

The company staff member also said that Tutanota had begun work on how to conceal such information as well.

Tutanota does not log its users’ IP addresses.

Moreover, the company enables users to sign up anonymously as well.

The company strips IP addresses from all emails that the user sends and receives.

This ensures the user’s total anonymity.

All of this sounds extremely reassuring.

But let’s look at something that Tutanota mentions on its FAQ page.

The company notes that it will log IP addresses if the company finds out that some user is misusing its systems.

We have already alluded to the same fact in the statement above.

If the user can get a hold of Tor, then Tutanota does allow users to sign up anonymously using the Tor service.

That is great news as well.

Security

We have already mentioned the fact that Tutanota makes use of end-to-end encryption.

And the company also does not have any idea of its users’ passwords.

The company salts and hashes them with Bcrypt.

And it does that on the user’s device.

Only after that does it transmit the data for the user’s login.

All of that sounds pretty secure but there is one problem we think you should know about.

Since the company does not store its users’ passwords, you are royally screwed if you lose yours.

The company has no way to recover your password.

Hence make sure you keep a backup somewhere.

Either use a password manager or use good old pen and paper.
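
The login flow described above, with both sides shown, as an added example that is not Tutanota's code. scrypt stands in for bcrypt (Node.js has no built-in bcrypt), and the in-memory account store, function names and sample account are assumptions made for the illustration.

```javascript
// Added example, not Tutanota's code. Runs in Node.js with the built-in crypto module.
const nodeCrypto = require('node:crypto');

const sha256 = (bytes) => nodeCrypto.createHash('sha256').update(bytes).digest();

// CLIENT: stretch the password with a salted, deliberately slow KDF on the
// user's device. scrypt is a stand-in for the bcrypt step the review mentions.
function clientVerifier(password, salt) {
  const stretched = nodeCrypto.scryptSync(password.normalize('NFKC'), salt, 32);
  // Only a hash of the stretched value is transmitted for login.
  return sha256(stretched);
}

// SERVER: hypothetical in-memory account store (address -> { salt, stored }).
const accounts = new Map();

function serverRegister(address, salt, verifier) {
  // Assumption: the server keeps a hash of the verifier, so a copied
  // database row cannot be replayed as a login.
  accounts.set(address, { salt, stored: sha256(verifier) });
}

function serverGetSalt(address) {
  const account = accounts.get(address);
  return account ? account.salt : null;
}

function serverLogin(address, verifier) {
  const account = accounts.get(address);
  if (!account) return false;
  // Both values are 32-byte digests, so a constant-time comparison is safe.
  return nodeCrypto.timingSafeEqual(sha256(verifier), account.stored);
}

// Full flows as the client would drive them.
function signUp(address, password) {
  const salt = nodeCrypto.randomBytes(16);
  serverRegister(address, salt, clientVerifier(password, salt));
}

function logIn(address, password) {
  const salt = serverGetSalt(address);
  if (!salt) return false;
  return serverLogin(address, clientVerifier(password, salt));
}

// Constructed sample account.
signUp('alice@example.test', 'correct horse battery staple');
console.log('right password:', logIn('alice@example.test', 'correct horse battery staple'));
console.log('wrong password:', logIn('alice@example.test', 'correct horse battery stable'));
```

The server record holds only a salt and a digest, which is why the provider has nothing from which to recover a forgotten password.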

Tutanota encrypts emails that users send to other Tutanota users with a standardized hybrid method.

This method consists of asymmetrical as well as symmetrical algorithms.

Tutanota uses 128-bit AES encryption with a 2048-bit RSA handshake.

Tutanota also encrypts emails that Tutanota users send to the non-Tutanota users with AES 128-bit encryption.

That is pretty secure.

Very secure in fact.

But we do have to wonder why Tutanota didn’t use AES 256-bit encryption.

After all, it has become the industry standard.

And many consider it more secure than 128-bit.

We also know that ProtonMail uses PGP encryption.

And its implementation is stronger than Tutanota’s implementation.

But Tutanota has the advantage here since the methods the company uses allow it to actually encrypt the whole message.

Body plus header.

In other words, Tutanota encrypts the body of your message.

As well as the subject line, along with attachments.

This is definitely a feather in the company’s cap.
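
The hybrid scheme described above (a random 128-bit AES key per message, wrapped with the recipient's 2048-bit RSA key, covering subject, body and attachments), as an added example that is not Tutanota's code. AES-GCM, RSA-OAEP and the envelope layout are assumptions, since the review only names the key sizes; the addresses and message contents are constructed.

```javascript
// Added example, not Tutanota's code. Runs in Node.js with the built-in crypto module.
const nodeCrypto = require('node:crypto');

// Assumption: RSA-OAEP with SHA-256 for wrapping the session key.
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Encrypt one field under the session key. AES-128-GCM with a fresh 12-byte IV
// is an assumption; the review only says "128-bit AES".
function sealField(sessionKey, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-128-gcm', sessionKey, iv);
  const data = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, data, tag: cipher.getAuthTag() };
}

// Decrypt one field; throws if the ciphertext or tag was modified.
function openField(sessionKey, field) {
  const decipher = nodeCrypto.createDecipheriv('aes-128-gcm', sessionKey, field.iv);
  decipher.setAuthTag(field.tag);
  return Buffer.concat([decipher.update(field.data), decipher.final()]);
}

// Sender: one random 128-bit session key per mail, wrapped with the
// recipient's 2048-bit RSA public key. Addresses stay readable for routing.
function encryptMail(recipientPublicKey, mail) {
  const sessionKey = nodeCrypto.randomBytes(16);
  return {
    from: mail.from,
    to: mail.to,
    wrappedKey: nodeCrypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, sessionKey),
    subject: sealField(sessionKey, Buffer.from(mail.subject, 'utf8')),
    body: sealField(sessionKey, Buffer.from(mail.body, 'utf8')),
    attachments: mail.attachments.map((bytes) => sealField(sessionKey, bytes)),
  };
}

// Recipient: unwrap the session key with the private key, then open each field.
function decryptMail(recipientPrivateKey, envelope) {
  const sessionKey = nodeCrypto.privateDecrypt(
    { key: recipientPrivateKey, ...OAEP }, envelope.wrappedKey);
  return {
    from: envelope.from,
    to: envelope.to,
    subject: openField(sessionKey, envelope.subject).toString('utf8'),
    body: openField(sessionKey, envelope.body).toString('utf8'),
    attachments: envelope.attachments.map((field) => openField(sessionKey, field)),
  };
}

// Everything the mail server holds for this message, as raw bytes.
function storedBytes(envelope) {
  const parts = [Buffer.from(`${envelope.from}\n${envelope.to}\n`, 'utf8'), envelope.wrappedKey];
  for (const field of [envelope.subject, envelope.body, ...envelope.attachments]) {
    parts.push(field.iv, field.data, field.tag);
  }
  return Buffer.concat(parts);
}

// Constructed sample message and key pair.
const recipient = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const sampleMail = {
  from: 'alice@example.test',
  to: 'bob@example.test',
  subject: 'Q3 figures',
  body: 'Draft numbers attached.',
  attachments: [Buffer.from('region,total\nnorth,1200\n', 'utf8')],
};
const envelope = encryptMail(recipient.publicKey, sampleMail);
const onServer = storedBytes(envelope);
console.log('subject visible to server:', onServer.includes('Q3 figures'));
console.log('recipient visible to server:', onServer.includes('bob@example.test'));
console.log('decrypted subject:', decryptMail(recipient.privateKey, envelope).subject);
```

The sender and recipient addresses remain readable in the stored envelope, which matches the metadata the review says the provider could still hand over.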

The other thing you need to know is that Tutanota does not encrypt regular messages that Tutanota users send to non-Tutanota users when in transit.

But when the company stores them on its servers, it does encrypt them.

As mentioned before, the company encrypts attachments as well as whole messages that it receives.

They usually arrive in plaintext.

The only unfortunate part of the whole process is that Tutanota performs all the encryption via JavaScript.

In fact, it is your browser that performs the encryption.

And it does that with the help of JavaScript.

Perhaps that may not come as a problem for you.

If it helps, ProtonMail does the same.

But that shouldn’t lead us away from the fact that JavaScript encryption is not completely secure.

Especially when it comes to a determined hacker.

User Interface And Installation

Tutanota has a different sign-up process than ProtonMail.

To sign up for Tutanota, you only have to provide the company one password.

With ProtonMail, you have to provide the company with two passwords.

After you have done that, Tutanota will take you to the company’s main interface.

Let’s talk about the basic interface first.

It is clean, we can tell you that at the very least.

The layout is simple.

And you will find it easy to use.

It doesn’t come with a lot of the bells and whistles that other webmail services come with.

In fact, you might want Tutanota to bring in more of those extra features before you commit to it.

Right now, you might think to yourself:

“I can do without any extra features”.

And you may be telling the truth.

But get this:

Tutanota doesn’t have the feature of saving drafts.

If you can live with that then great.

The default setting enables users to send their emails confidentially.

In other words, encrypted.

If you don’t want that for all your email messages then you can change the settings via the settings menu.

So what’s the problem with sending an encrypted message?

Well, the little inconvenience is that the system requires the user to enter a predetermined and pre-agreed upon passphrase.

You will then have to share this passphrase.

With whom?

With the recipient of the message.

The recipient must know the passphrase otherwise the message won’t decrypt.

Moreover, if you keep the passphrase too short, the system will show you an alert message.

You can always use the settings menu to override such notifications though.

ProtonMail does provide you with a passphrase hint.

Tutanota does not.

Hence, you will probably have to get in touch with your recipient beforehand and then agree on a given password well in advance of when you want to send the actual message.

We would recommend that you should always prefer to decide the passphrase in person.

Of course, that isn’t always possible.

For those occasions, you can use a secure IM chat service.

Now, with Tutanota as your email service, you have two types of recipients.

The first type are the ones that use Tutanota.

The second type are the ones that don’t use Tutanota.

For recipients that use a regular email service provider, Tutanota will send them an invite to view the sender’s message in a secure manner.

Tutanota will show the sender’s name though.

But the company does not show the body, subject and/or attachments that come with the message.

To view the message the sender’s recipient will have to follow the link that Tutanota supplies with the message.

Then, the recipient will have to enter the predetermined and agreed-upon passphrase.

And this is the part where Tutanota leaves everything its competitors can throw at it in its dust.

Recipients who do not use Tutanota, and want to view the secure email, get to have their own special personal account.

Tutanota itself provides that to them.

And this allows non-Tutanota recipients to respond to their secure email messages in a secure manner.

Messages that a Tutanota account sends to such a recipient are also stored and available via the special account we just mentioned.

Early on though, many users complained about the very basic Tutanota Contacts manager.

But Tutanota has fixed that.

Now the Contacts manager looks like it has all the features that one would need in an email service provider.

We sincerely hope that Tutanota will come up with the save draft messages feature very soon.

The Mobile Application

Tutanota has dedicated apps for the Android and the iOS platform.

Our Tutanota review will talk about the Android version of the app.

The app itself is simple enough.

Again, the layout is organized.

And gets the job done.

Tutanota, by default, encrypts all email messages just as it does in the case of its web client.

What About Our Tests For Email Privacy And The Results?

Let’s talk about that.

As we have mentioned before, we have reviewed ProtonMail before.

And for ProtonMail, we used Mike Cardwell’s Email Privacy Tester online tool.

Our results show that ProtonMail has fewer failures than Tutanota when it comes to Mike Cardwell’s Email Privacy Tester online tool.

When media outlets contacted Tutanota about the results their representatives said that the company knew about the failures from Cardwell’s email privacy tester online tool.

The company representatives said that Tutanota did not consider these crucial.

But they would fix them in the coming months.

Our research shows that when you put email service providers such as Gmail through the same email privacy tester, they pass all tests.

Conclusion

If you didn’t read the entire review, then know that we give Tutanota a green light.

It is certainly one of the best privacy-focused email service providers in the market today.

But it isn’t better than ProtonMail.

ProtonMail itself isn’t all that perfect.

The only thing we would like to warn you about is that you shouldn’t consider yourself safe from organizations such as the NSA when it comes to security.

As mentioned before, both ProtonMail and Tutanota use JavaScript-based encryption.

The web browser itself performs the encryption process.

Hence it is not very secure.

Moreover, Tutanota operates out of Germany.

Germany is not exactly the best location for any privacy service.

With that said, we can’t recommend a single country on earth where online privacy services should set themselves up.

That doesn’t mean Tutanota isn’t secure.

It is far more secure than your average email service provider.

It also provides more privacy than other email service providers.

Tutanota also has a mobile app so that’s great as well.

So which one should you sign up for?

Tutanota or ProtonMail?

Well, the final decision depends on your needs.

And which features you feel you must have.

ProtonMail has the better interface since it comes with more features than Tutanota.

Tutanota doesn’t have a draft function.

And that is an uber bummer.

However, Tutanota trumps ProtonMail with its feature that allows non-Tutanota users to receive and send encrypted emails from Tutanota users.

Yes.

With Tutanota, the recipient of your message can also reply to you with an encrypted message.

Tutanota also encrypts the sender’s attachments as well as the subject line.

And that is apart from its encryption on the contents of the body.

As of writing this review, both email service providers come for free.

Both the companies have said that they will continue to offer their basic functionality without cost for the foreseeable future.

Hence, no one is stopping you from trying out both services.

And then decide which one you prefer.

ProtonMail used to have waiting lists that stretched for miles.

Now they don’t.

So you don’t have to wait to try out ProtonMail anymore.

But the fact that you need to keep in mind is that both email service providers are still in their development stages.

And they are heavily improving their features.

Hence you can look forward to a lot of progression in their services.

Update

ProtonMail has updated its systems.

Now outside users can reply to ProtonMail users with encrypted messages in a secure manner.

You can click here for more details on that.

ProtonMail is now on par with Tutanota.

Hence now you will have an even harder time choosing between the two email service providers.

It will now come down to your personal choice.

ProtonMail still has the better interface.

And it is more advanced.

Tutanota still encrypts everything including attachments and headers.

Both services are still undergoing major changes.

They are both adding new features at any given time.

In the end, the end-user will benefit from these two services, which are trying to outdo each other.

Update 2:

Tutanota has now introduced the draft feature as well.

But it still doesn’t make use of PGP encryption.

As mentioned before, PGP encryption is hands down the best security system that is available in the market.

The company says that it is working to develop an API in order to communicate with other PGP users in the future.

Tutanota has also upgraded its Contact Book.

Now users can store their Contact Book directly on their account.

 

Zohair

Zohair is currently a content crafter at Security Gladiators and has been involved in the technology industry for more than a decade. He is an engineer by training and, naturally, likes to help people solve their tech related problems. When he is not writing, he can usually be found practicing his free-kicks in the ground beside his house.