22 comments

[ 3.6 ms ] story [ 34.4 ms ] thread
For anybody wondering about the technical offer of Tutanota:

"Why Tutanota is the most secure email service."

https://tutanota.com/blog/posts/most-secure-email-service

I know I only skimmed the article, but at the end of the day they need the plain-text of my email to send it forward so that my Gmail friends can receive it.
Your gmail friend gets a link to their "secure inbox" that they can only view by providing the password you assigned them when you sent them the email. It's a shared password that you need to provide them by _some_ means. I believe the encryption and decryption is all done in the browser (yours and theirs), so tutanota never has the plain text.
With included German goverment backdoor:

https://news.ycombinator.com/item?id=25337507

If choosing between a German backdoor vs a likely US backdoor, the Germans are probably a better choice for non-Europeans worried about security.
Are you saying ProtonMail has a US back door?
ProtonMail is nominally based in Switzerland, so I would assume that any backdoor in their software is controlled by the Swiss.

Although I see their CTO is based in the US so it is certainly possible.

Why? Germany participates as an auxiliary collaborator of the Five Eyes [1] intelligence alliance.

[1] https://fas.org/sgp/crs/intel/R45720.pdf

If the Five Eyes countries and their intelligence services are in your threat model you've likely already lost.
Thanks for the link. I am actually not happy they did not mention this court case in the page I posted above. But the thread you linked also does not clarify the details.

Their clients are open source so you should be able to build them yourself. https://github.com/tutao/tutanota/blob/master/doc/BUILDING.m...

How would that court requirement work ?

>How would that court requirement work ?

Yeah that's the technical detail no judge has any interest in solving ;) ....like upload filters..

How secure is it compared to ProtonMail?
It's also one of the few free email providers I've seen that doesn't require a phone number.
everyone need to switch to Matrix E2E messaging... including all signup forms on all websites.
Related fun story: several years ago I had an issue of my newsletter go into spam and spent ages taking links in and out to find out why. It turned out if you included any URL that had a domain name starting with "0x", you were immediately sent to the sin bin. I even sent email between two fresh Gmail accounts with such a URL to confirm it. I reported the issue to Gmail, heard nothing, and it went away after a couple of years.

I assume they hard coded an overzealous rule to catch people/scammers obscuring URLs with long IPs, but instead it even caught legitimate domains (though only developers tend to use such names).

It's really easy for the AI to stumble into the simplest thing to do the job. I worked for a lab that did AI research in the late 90s and tried to write an AI that would automatically flag spam. My resources were comically limited-- a laptop and my own e-mails.

No matter how many times I tweaked and ran the algorithm, it would always arrive at 73% accuracy-- because one of my inboxes was almost exclusively spam-- and every time the rule it would discover was to discard an e-mail when it had discovered juuusssttt enough of the domain name of the offending mailbox from the header.

So, if the email address was someting@news.ycombinator.com it would discover any email containing the phrase "news.y" was more often then not, spam. This would immediately lead to a huge increase in accuracy but the algo would be stuck a at a local maximum since it hadn't really learned anything useful.

I've been having a lot of trouble sending mail to Gmail recently.

It seems that recently the IP block that my mail server's IP address is in got listed in a Spamhaus database. I checked neighboring IPs, and they're all listed in Spamhaus. Spamhaus has a very easy easy procedure for getting off the list, and I was able to get my IP address removed from their list, and https://www.mail-tester.com/ reported 10/10 score again (meaning SPF, DKIM, DMARC are all kosher).

As others have mentioned in the comments of this answer [0], removing from the Spamhaus database still doesn't fix the issue. So this indicates that Gmail doesn't update their Spamhaus database too frequently?? Or, once you're on their block list, it's very hard to get off of it.

[0]: https://stackoverflow.com/a/20235665/2561579