September 8, 2014 1:16 PM

Secure Email Provider Tutanota Goes Open Source

A number of “NSA proof” e-mail services are currently in late stages of development or private beta, but one seems to be ahead of the game: Germany-based Tutanota. The end-to-end encrypted e-mail provider announced Tuesday that it had released its source code on GitHub, claiming to be the first operational, secure e-mail application to go open source.

Now Tutanota, which first launched internationally in July, says it hopes the community will take on the task of inspecting the code and verifying its integrity, and that users will request additional features they would like to see implemented.

While the e-mail provider already passed vulnerability testing in 2013 by the security firm SySS GmbH, transparency and extensive peer review from multiple parties are the name of the game.

“This release is an integral part of our security concept. Without peer reviews one can never be sure if a security solution does not contain backdoors,” said Tutanota in their announcement.

“After the revelations by Edward Snowden last summer, we have decided to release our secure email solution to the public for free, making it available to everybody worldwide. We do not want to live in a world with massive spying on innocent individuals. That’s why Tutanota will be forever free with 1 GB of free storage. All data is encrypted locally on your device before being transmitted to our German-based servers. The data cannot be accessed by anybody. Not even we have access. This also means that we cannot reset passwords. Since we cannot access user data, we cannot hand it over. Your emails with Tutanota are private and stay private.”

While other secure e-mail providers like ProtonMail saw their servers maxing out around 250,000 users, and now require users to first join a waiting list of over 100,000, Tutanota spokeswoman Hanna Bozakov told CCN that their servers are ready and capable of taking on over a million users immediately with no wait.

Bozakov added, “All attachments are automatically encrypted and the recipient can directly answer with an encrypted email – without having to sign up. The user needs only one password, which is hashed and salted before being transmitted to our servers so that we do not have access.”

The encryption method used is a “standardized, hybrid method consisting of symmetrical and asymmetrical algorithms with RSA 2048 Bit and AES 128 Bit. External users are reached with symmetrical encryption with AES 128 Bit,” said Bozakov.

Another tweak Tutanota made in response to user feedback was removing the requirement to provide a telephone number when signing up, a requirement that likely deterred a number of users because it practically de-anonymized them.

“Many users – and potential users – complained that asking for the mobile number does not go along with privacy. That’s why we took it off the registration form. Anonymous sign up is now possible,” said Bozakov. “We listen to our users and implement the features they ask for. We are always happy about feedback. Now, with being open source we will also engage with the community and encourage them to implement features they wish for.”

As for the future of Tutanota, Bozakov says the company is already developing native mobile applications for iOS and Android, which will be released in the next few weeks. They also have plans to implement a calendar and file sharing, which will all be end-to-end encrypted.

No requests from intelligence agencies yet, said Bozakov, stressing again that even if they do receive a request, since all data is encrypted before hitting their servers, all they can possibly hand over are encrypted messages.

Tutanota allows users to send end-to-end encrypted e-mails to anyone, regardless of e-mail service provider. If one chooses to send an encrypted e-mail to a Gmail user, a password must somehow be transmitted to the recipient, and that exchange could itself pose a security risk for the extremely privacy-conscious. But for those who use the service to send e-mail to another Tutanota user, the encryption works similarly to PGP and no additional information needs to be exchanged, as the software does all the work.

In July, German security researcher Thomas Roth discovered a cross-site scripting bug in Tutanota which would have allowed attackers to inject JavaScript into users’ browsers. Tutanota responded by immediately patching the bug. Similar cross-site scripting attacks were attempted without success during the SySS GmbH penetration test, said Tutanota. The researcher also discovered a similar bug in ProtonMail’s service.

New Features Recently Implemented Include:

Tutanota webmail client is available as open source
Partial loading of email list (optimization for mobile devices)
Forwarding of attachments
Final deletion of emails in trash folder
Invitation email to friends
Registration without mobile phone number

Features Currently Being Developed:

Mobile apps for iOS and Android
Make Tutanota compatible with PGP
Add top-level domains
Make Tutanota usable with your own domain

Images from Shutterstock.

Taylor Tyler @taylortylerr

Journalist focusing on politics, cryptocurrencies, privacy and current events.