The web-based e-mail service automatically encrypts all data, including the subject and attachments, locally on the client side before it is sent to the company’s servers in Germany.
The encryption method used is a “standardized, hybrid method consisting of symmetrical and asymmetrical algorithms with RSA 2048 Bit and AES 128 Bit. External users are reached with symmetrical encryption with AES 128 Bit,” said Tutanota spokesperson Hanna Bozakov in an e-mail.
Data cannot be accessed by anyone, including the provider, which means that passwords cannot be reset if lost.
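The hybrid scheme described above, and the reason a lost password cannot be reset, sketched as an added example (not Tutanota's code and not from the article). The article names only RSA 2048 and AES 128; the GCM mode, OAEP padding, scrypt key derivation for external recipients, and all function names are assumptions.

```javascript
// Added illustration, not Tutanota's code. The article names only RSA 2048 and
// AES 128; GCM mode, OAEP padding, scrypt and all names here are assumptions.
const crypto = require('node:crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// AES-128-GCM over one field; output layout is iv(12) || tag(16) || ciphertext.
function aesEncrypt(key, text) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-128-gcm', key, iv);
  const ct = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

// Throws if the key is wrong or the blob was modified (GCM tag check fails).
function aesDecrypt(key, blob) {
  const d = crypto.createDecipheriv('aes-128-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]).toString('utf8');
}

// Hybrid path: a fresh AES key encrypts subject and body, RSA wraps that key.
// Only this object would leave the client; it contains no plaintext.
function sealForUser(publicKey, mail) {
  const sessionKey = crypto.randomBytes(16);
  return {
    wrappedKey: crypto.publicEncrypt({ key: publicKey, ...OAEP }, sessionKey),
    subject: aesEncrypt(sessionKey, mail.subject),
    body: aesEncrypt(sessionKey, mail.body),
  };
}

function openAsUser(privateKey, sealed) {
  const sessionKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, sealed.wrappedKey);
  return { subject: aesDecrypt(sessionKey, sealed.subject),
           body: aesDecrypt(sessionKey, sealed.body) };
}

// External-recipient path: symmetric only, key derived from a shared password.
function keyFromPassword(password, salt) {
  return crypto.scryptSync(password, salt, 16);
}

// Constructed sample data.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const mail = { subject: 'Meeting notes', body: 'Constructed sample body.' };
const sealed = sealForUser(publicKey, mail);
console.log(openAsUser(privateKey, sealed));
```

Decrypting with a key derived from any other password throws, because in this sketch nothing outside the client ever holds the key.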
“Common web applications have made it very convenient for users by having the reset-password option,” said co-founder Arne Moehle in a press release.
“With this they also have made it very convenient for themselves because they can access all user data and misuse it for commercial purposes or hand it over to anybody else. We – by default – cannot do this. Since we cannot access user data, we cannot hand it over. Your emails with Tutanota are private and stay private.”
German law permits authorities to ask for data concerning particular users only if they have an enforceable court order, and even if authorities do obtain a court order, any data turned over will be encrypted.
The company says that it aimed to design the most user-friendly interface possible, claiming that it’s as easy to use as any other e-mail service. One particularly useful feature offered is the ability for recipients of a Tutanota e-mail to respond with an encrypted e-mail in one click, regardless of the e-mail service provider used.
Tutanota’s source code is available via its web application, and in a few months the company plans to allow others to build their own Tutanota applications from the code. Mobile apps are also currently being developed.
In addition to carrying the seal “IT Security Made in Germany,” Tutanota stood up to extensive penetration tests performed on the e-mail service, in which experts failed to hack into the system or retrieve any confidential data. Independent German security penetration testing company Syss performed the tests.
Tutanota was founded by three former informatics students as a spin-off from the L3S Research Center at Leibniz University Hanover in 2012. The company says they are eager to accommodate the wishes of their users, and encourages them to use e-mail, Twitter or Facebook to contact Tutanota and recommend features they would like to see incorporated into the e-mail service.
It should be noted that it may still be possible for the NSA to intercept encrypted e-mail data, regardless of the e-mail provider used. And while the NSA might not have the ability to crack the encryption methods used, according to Snowden leaks, encrypted e-mail messages that are intercepted are subject to indefinite storage – at least until the NSA develops the technology to decrypt them.
Last modified (UTC): July 14, 2014 08:12