This guy can be pretty harsh at times, but he’s clearly very knowledgeable..
However, not all providers have a recent review, and his priorities are skewed heavily to the “paranoid” side of the tech world. For example, he considers being able to mail cash to a provider a significant pro. The overwhelming majority of users aren’t mailing cash to pay for their email.
Overall, it’s good info that’s worth sharing.
Seems a bit nearsighted to accuse every service of malice and then completely ignore that tutanota fixes lackluster pgp encryption by also encrypting the subject line. > This works virtually identically between both providers, except that Tutanota encrypts both the message body and subject line, whereas ProtonMail only encrypts the message body. This doesn’t pose a huge risk if you use the former service. Just make sure that your subject lines don’t contain any sensitive information. source
further read > PGP and SMIME can’t encrypt the header which include subject, from, to, cc only the body of the endo, the text is encrypted. This is how encryption of email works.Tutanota don’t use a standard encryption system this means also the subject is encrypted but it is not compatible which 99 % of the other email providers.If ProtonMail get a court order to get access to the mailbox they can only give them the access to the mailbox without the pgp key. So they see the header / subject but all encrypted contacts and the body of the emails are secure.If tutanto have to do the same they get less information.You must choose what’s more important for you.
Not sure if this is entirely true, it is possible Proton mail is encrypting everything at rest (with the users public key) and only following PGP mail limitations during transit.
Like for example plaintext emails are encrypted at rest on Proton mail, what isn’t ideally (compared to e2ee) but still minimizes the attack surface.
Actually for reference this is exactly the case
https://proton.me/support/proton-mail-encryption-explained
Cool, thank you for clearing that up!
I do like Tutanota’s approach to encryption, but communication outside of other Tutanota addresses is less secure than PGP. It’s just a symmetric, password-based scheme.
Since you will probably deal with a lot of non-tuta email providers, it’s a hard sell for me. In network, though, it’s good.
Second issue I had with it was the email client. I like my third party client and it’s built into my workflow. Tuta doesn’t support third party clients because they consider the storage of emails on your local drive a security risk. (That’s only true if your hard drive isn’t encrypted, and setting up encryption isn’t all that hard to do)