Douglas Crawford

Douglas Crawford

April 9, 2015

Following Edward Snowden’s revelations that everything we do online is spied on all the time by secretive and vastly powerful government organizations, there is a growing demand for more private internet services. This is never more true than with the outdated and highly insecure, yet still essential for most our day-to-day lives, communication system that is email.

Even more than the likes of the NSA, the advent of web based email that is easy to use, can be readily accessed from any internet enabled device, and which is ‘free’ (but which we pay for by allowing the likes of Google to scan every email and use the information it gleans from this to deliver ever more targeted advertising) presents the single greatest threat to our privacy yet seen.

Although by far the most secure and private way to access email is using a stand-alone email client with PGP encryption (see our tutorial on using Gpg4win as an example of this), preferably using a self-hosted email server, this is a fiddly, inelegant solution that involves a sophisticated understanding of using asymmetric key pairs, something which the vast majority of internet users’ have no ability or desire to master. OpenPGP browser plugins such as Mailvelope are easier (if less secure) to use, but are still too complex for most users.

There is therefore an urgent need for a Gmail-like webmail service that provides all the functionality of something like Gmail, but is both more secure, and which will not spy on its users and then monetize that very personal data (it should be understood, however, that no webmail service can protect against targeted NSA-style surveillance, and that simply by virtue of being a privacy-based encrypted service, users will automatically be of interest to government spying organizations.)

In our article on Free privacy conscious webmail options we examine some good privacy oriented alternatives to Gmail (etc.), but the two new services that are getting the most attention from the security community are ProtonMail and Tutanota, both of which have gone to great efforts to make their services attractive to casual users looking for a more secure email solution but without losing all the aesthetics and functionality offered by their current provider.

We reviewed ProtonMail (which is still in beta) earlier this year, and were broadly impressed with. It is a long way from perfect, but ‘is a very easy to use webmail service (on par with Gmail and suchlike) that is much more secure than most such webmail services, and which will not (cannot) spy on all your correspondence in order to deliver targeted advertising.’

As the two services are in fairly direct competition, we think it will be useful in this review of Tutanova (the ‘name derived from Latin and contains the words “tuta” and “nota” which mean “secure message”’) to compare and contrast them, which will hopefully help to highlight the pros and cons of each.


As with ProtonMail, all Tutanota accounts are currently free, but a premium service will be offered soon (Tutanova also accepts donations). It currently offers the following features:

  • 1GB storage (forever free)
  • Attachments limited to 25MB (for now)
  • 1 free alias is permitted (i.e. 2 email addresses). More will be available to premium users
  • Everything is encrypted – subject, body, and attachment (ProtonMail currently only encrypts the body)
  • Completely open source (code available here)
  • Android and iOS apps
  • Can not only send encrypted emails to users of regular email (as ProtonMail can), but can receive an encrypted reply from them
  • Outlook addon (for premium business users – we did not test this)
  • (Upcoming – use webmail services with own domain name)

The killer feature here is clearly the ability for non-Tutanota users to securely respond to encrypted emails (please see update at end of this article). The fact that Tutanota is open source while ProtonMail is not should in theory give it an edge, but Tutanota’s source code has not been independently audited by reputable researchers, while ProtonMail’s, although closed source, has…


Much is made of the fact that ProtonMail is based in Switzerland (or at least its servers are, the team hails from Harvard University in the US), which because of its strict privacy laws is widely regarded as privacy-friendly. This is, however, to a large extent an illusion (Google Translate), as data retention laws and NSA-style surveillance are alive and well there.

Tutanota is based in Germany, which also has strict privacy laws, but which also practices widespread surveillance of its own, and is provides the base for the NSA’s extensive European operations. You pays your money and takes your chances…

Tutanota does not use two-factor authentication (although his feature is planned at some stage), but then neither does ProtonMail (which does require two passwords, but as these are each ‘something you know’ rather than ‘something you know and something you have’, does not count as 2FA).

Tutanota provides end-to-end encryption, so email stored on Tutanota’s servers is encrypted an cannot be accessed or decrypted by staff members. When asked how Tutanota would respond if asked ask by the police to identify a user, a Tutanota staff member said,

We would refuse requests. Only if a German court issues a warrant, we can be forced to hand over data. However all data on our servers is encrypted and we do not have access to the encryption keys. So the only thing we could hand out is the metadata (from, to, when), we are working on how to conceal these. We do not log IP addresses and anonymous sign up it possible. We strip IP addresses from mails sent and received to guarantee your anonymity.

This sounds all very reassuring, although the website FAQ does note that IP addresses will be logged if ‘we find out that an account is misusing the system.’ As alluded to in the above statement, Tutanova permits users to sign-up anonymously over Tor, which is good news.


As noted above, Tutanota uses end-to-end encryption, and does not know users’ passwords, which are ‘salted and hashed with Bcrypt on your device before being transmitted’ for login. You should beware that because Tutanota does not store any passwords, if you lose yours then it will not be recoverable!

Emails between Tutanota users are encrypted using ‘a standardized, hybrid method consisting of a symmetrical and an asymmetrical algorithm’, using 128-bit AES with 2048-bit RSA handshake encryption. Emails to non-Tutanota users are encrypted using AES-128. This sounds pretty secure to us, although we do wonder why the industry-standard 256-bit AES encryption was not chosen.

Although ProtonMail’s use of PGP encryption is arguably stronger than that used by Tutanota, Tutanota’s method allows it to encrypt not just the body of the message, but the subject line and attachments as well, which is a definite feather in its cap. Regular messages sent to non-Tutanota recipients are not encrypted in transit, but are stored encrypted on Tutanota’s servers, as are messages and attachments received that arrive in plaintext.

Unfortunately, all encryption is performed in JavaScript by your browser, so as with ProtonMail, this cannot be considered completely secure against a determined attacker.

Tutanota in use

Unlike ProtonMail, signing-in to Tutanota requires entering a single password, which takes you to the main interface.

test mail 1

The basic interface is cleanly laid out and easy to use, but lacks many of the bells and whistles we have come to expect from a webmail service (the most notable of which is the ability to save drafts).

By default, all emails are sent confidentially i.e. encrypted (this can be changed in the settings), which requires entering an agreed upon shared passphrase that the recipient will know (if this is too short then you will receive an alert, but you can choose to override this). Unlike ProtonMail, there is no hint option, so you will have to agree on a password in advance (preferably in person or using secure IM chat).

enencrypted msg

If a recipient uses regular email, they will receive an invitation to view your message securely. Note that while the senders name is shown, the subject, body, and attachments are not.

enencrypted 2

To view your message the recipient follows the supplied link, and enters the agreed upon password.

encrypted 3

This where Tutanota really shines, because non-Tutanota using recipients of secure email are assigned a special ‘personal’ account that allows them to respond to the message securely. All messages sent from a specific Tutanota account are also available through this special account.


Early users complained about the basic Contacts manager, but this has now been fixed and seems to be fully featured. Hopefully the ability to save draft messages will also come soon!

The mobile app

A Tutanota app is available for iOS and Android. We tested the Android version.


The app is simple, but is well laid out and works well. As with the web client, emails are encrypted by default

Email Privacy Tester results

We tested both ProtonMail and Tutanota using the Email Privacy Tester tool developed by Mike Cardwell.

ProtonMail test results

ProtonMail results

Tutanota test results

Tutanota results

A Tutanota spokesperson has made the flowing statement:

We know about the failures from They are not crucial and we will fix them within the coming months.

Interestingly, when we performed this test on a Gmail account, it passed with flying colors.


We really like Tutanota. As with ProtonMail, it is certainly not perfect, and should not be considered secure against the NSA – encryption using JavaScript within the browser is not very secure, and Germany is not the ideal location for a privacy service (but then where is?). It is, however, vastly more secure and private than most webmail services, and it has a nice mobile app.

Whether you prefer ProtonMail or Tutanota really depends on what features are important to you – ProtonMail has a much more fully featured interface (Tutanota’s complete lack of a draft function is a total bummer), but Tutanota allows even non-user recipients to reply securely to encrypted emails*, and encrypts the subject line and attachments, in addition to an email’s body.

Both services are currently free (and will continue to offer basic functionality for free), so there is no reason not to try both and see which you prefer (although the waiting list for ProtonMail accounts is quite long). Both services are still under heavy development, so we look forward to seeing how they progress.

*Update 10 March 2015: The ProtonMail team has contacted to let us know that its latest update (ProtonMail BETA v1.15 ) allows outside users to reply to encrypted messages securely. Please see here for more details. This is great news, and makes choosing between two services even more than ever a matter of personal choice, with ProtonMail having a much more advanced interface, while Tutanota encrypts headers and attachments. As already noted, both services are under heavy development and are adding new features all the time, which can only be a good thing for users of either one.

Update: As of 13 August 2015 ProtonMail is fully open source.

Douglas Crawford

Written by

Published on: April 9, 2015.

March 12th, 2018

I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. You can now follow me on Twitter - @douglasjcrawf.

74 responses to “Tutanota private email review (+ vs ProtonMail)

  1. I have created two email accounts, both times even if I punch in the correct password I am told that it is invalid. what is up?

  2. ProtonMail Allegedly Proxied by Israeli Firm with IDF Links

    Protonmail has routed all their server to Israeli Radware for scanning for DDos attacks BUT Israeli IDF spy network now has total a grip of protonmail privacy.
    Is this really an issue?
    Just because a company has done business with the Israeli military, does that make it a tool of and spy for that industry?

    ProtonMail is/was under large scale DDoS attack, with bold and resourced attackers unafraid to cause collateral damage to provider infrastructure. ProtonMail said likely attacker is/was nation-state. ProtonMail subsequently announced they received support to filter the attack, rescuing the service. Let us examine final 5 traceroute hops to ProtonMail:

    9. ???

    Hop 7 is “Internet Binat” based in Israel.

    %rwhois V-1.5:0010b0:00 (CGNT rwhoisd 0.0.0)

    network:Org-Name:Internet Binat
    network:Street-Address:Habarzel 27 Tel Aviv Or Building A 69710 Israel
    network:City:tel aviv
    network:Updated:2015-07-08 17:07:25

    Internet Binat is synonymous with “Bynet Data Communications” which built the Israeli Defense Forces “cloud” server farm, and the IDF Intelligence Corps “technology campus” in the Negev, in deals brokered by Lockheed Martin.

    Binat and Bynet spell their names identically (vet-yud-nun-tuff) in Hebrew, share the same Habarzel 27 address, and are linked by Binat CEO Shmulik Haber.

    Likely the DDoS attack on ProtonMail was orchestrated to follow with an offer of generous “help” it could not refuse, necessarily a re-route of all traffic through third-party “anti-DDoS” systems. Now the “Switzerland” based privacy firm is proxied by an Israeli firm for traffic analysis, network exploitation of users, cryptographic monkeying. Israeli expertise in the latter is unmatched. Classic gov-mil cyber op with great PR happy ending for exploited asset. Users of ProtonMail must not fret; they got lucky with this fumble.
    Don’t trust this security faker; don’t trust the next one.

    They explain first that they work with Radware, which has offices all over the world. I think they work with the German office. But the headquarters is in Israel. Further, all the traffic for DDoS filtering goes through encrypted tunnels. The traffic, when DDoS filtering is active, goes through servers in Germany, not Israel. So it’s is false that they are proxied in Israel–both because that’s not where the servers are and because they are not being “proxied,” which is a misunderstanding of the technology being used. And lastly when they setup the DDoS filtering they went out of their way to find a solution that did not affect the privacy of Protonmail, which required a more expensive complex solution than basic DNS protection.

    Do you know where in germany ? At frankfurt !!!

    Frankfurt where was located the nsa team … proton mail is compromised , works with the nsa by a contract with an israely firm.

    Protonmail runs a smart challenge for an ideal (free software on the front-end – unknown back-end) & for their private ambition (education & origin & competence – not mature : borderline -) applying a trick & tip plan, repeats that they learnt blindly : make money without conscience, morality, involvement.
    That is their signature where the frontier between scam & corruption brings trouble & confusion.

    More importantly, the article focuses on one of the hops when you connect to Protonmail’s servers. But you also hop through a whole slew of other servers that could also do traffic analysis. We already know that NSA can and does set up servers on the internet backbone to watch traffic.

    I feel that protonmail attacks has came from the same people who offered Protonmail an offer that they could not refuse.
    ProtonMail seems to be just a good business oriented email provider with bunch of folks coming from elite universities claiming that switzerland is the safest country for encrypted email provider. I don’t see a reason why it has to be in Switzerland, since it should be encrypted in a way that there is no possibility for decryption. Tutanota does it that way and then it doesnt matter anymore where the servers are, except of the USA where such email provider company cannot even start to operate.
    So any user of an encrypted email service like Protonmail should probably assume that using such a service means they’re email traffic is being watched. If Protonmail’s encryption can’t handle that, then it’s a useless service anyway. And indeed, the whole reason there are encrypted email services to begin with is because email traffic is being watched. Users should already assume their traffic is being analyzed and intercepted. That’s why they use encryption.

    Much is made of the fact that ProtonMail is based in Switzerland (or at least its servers are, the team hails from Harvard University in the US), which because of its strict privacy laws is widely regarded as privacy-friendly. This is, however, to a large extent an illusion, as data retention laws and NSA-style surveillance are alive and well there.

    Protonmail was developed at CERN, the same people who play god with particle accelerators and manufacture black holes. They also started the WWW, which is the very source of most privacy concerns. Trusting them with anything is like trusting drunks with explosives. Oh wait, that’s how we celebrate America’s birthday in this age of terror fears; Protonmail was designed by AMERICANS at CERN. Anyone from Europe and Asia can tell you just how amazingly intelligent Americans are. I’d go with Tutanota, as Germany knows from personal experience just where American “freedom” is heading. Americans don’t even know what privacy or security truly mean. Maps on Wikipedia and probably elsewhere show the location of the Protonmail servers, information you shouldn’t blather about the web if you truly understand those concepts.

    Tutanota is based in Germany, which also has strict privacy laws, but which also practices widespread surveillance of its own, and is provides the base for the NSA’s extensive European operations.

    There is nothing stopping Tutanota (or ProtonMail ect.) from updating the JavaScript sent to your browser with bad code. This one of the main reasons that browser-based JavaScript cryptography is considered very insecure. Basically, services such as Tutanota, ProtonMail are much more private than regular webmail services, but are no protection against a targeted attack by the likes of the NSA.

    * The .com top level domain (TLD) is under the control of the US government (more specifically, the .com TLD is managed by VeriSign which is a US company under US jurisdiction). However, for users who wish to always avoid .com domains, an alternative webmail access is provided.

  3. Tutanota out right lies to it’s users. They say that they do not track you IP addresses. However make two accounts on the same day from the same pc. And the 2nd account can not send email until they review your account. There for they know your IP addresses. Also it’s kind of a dumb move on there part. Because they only know my user name and IP address, what are they reviewing.
    So no I do not like Tutanota.

    1. Hi Dave,

      Hmm. This is something you will need to ask Tutanota about. I know that Tutanota has had issues with abuse of its system before (fake accounts setup for use by spambots). It might be possible to detect that two account are being used at the same time in realtime, withot the need to log IPs as such. But as I say, you will need to ask Tutanota about this.

    1. Hi Mario,

      That is correct. Both services have added lots of new features. I did re-review ProtonMail, but even that is almost a year old now. Until I have time to look at both services in depth, I cannot say with is better now. i do believe, however, that both are very good (as long as you understand the security limitations of all web-mail services).

  4. “This sounds pretty secure to us, although we do wonder why the industry-standard 256-bit AES encryption was not chosen.”

    AES-128 is actually considered the industry standard. I commonly see people choosing AES-256 for new implementations, and when asked why, the answer is simply “because it’s stronger.” It’s the Big Number Effect. If you take a look at the cipher suites chosen/prioritized by modern browsers, you’ll find that AES-128 is prioritized over its 256-bit brother, for a couple of reasons.

    First, AES-128 is (at this time, the world of cryptography is ever-changing) well beyond the ability of even state-sponsored actors to break. As there are no known attacks that work against AES (assuming proper implementation), so the only option is to brute force the key. The numbers involved in attempting to crack a single AES-128 key are beyond reasonable even on cosmological timescales. With extremely generous assumptions of current processing capability, it is estimated to take approximately 1 quintillion (1,000,000,000,000,000,000) years (68 million times the present estimated age of the universe, 14.7 billion years) to crack a single AES-128 key. So what if it takes 331 septendecillion (331,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000) years (22.5 quattuordecillion times the age of the universe) to crack AES-256? By the time we break either key, every star in the universe will have ceased to shine, so why is added the added computational complexity in using the 256-bit variant worth it? It’s not.

    Second, due to some of the design choices in the 256-bit variant, there is some thought in the cryptography field that the 128-bit version is actually MORE secure, owing to some theoretical concerns with one of the main components of the 256-bit algorithm. (Specifically, the values selected for the S-box. See for one such example, and note that it does not apply to the 128-bit variant.)

    1. Hi Justin,

      Yo are correct that AES-128 remains secure as far as anyone is aware. Indeed, I show some similar figures on how difficult it would to brute force here. It is also true AES-128 has a stronger key schedule than AES-256. However, given what we now know about the extent of the NSA’s assault on encryption standards, most experts agree that AES-256 provides a higher security margin. This perception has been reinforced by the US government’s choice of AES-256 for all of its “sensitive” data.

      ut given what we now know about the extent of the NSA’s assault on encryption standards, most experts agree that AES-256 provides a higher security margin

Leave a Reply

Your email address will not be published. Required fields are marked *