Proton

Proton Mail versus Tuta (Tutanota) encryption

Proton’s encryption is open source and available for public inspection. Because we use open standards, the encryption that Proton utilizes is also publicly discussed and debated as part of the IETF(new window) standardization process. That’s why it is always surprising to see articles that openly misrepresent Proton’s encryption. This was the case with a recent blog post(new window) that was shared on Reddit. While most commenters(new window) correctly called it out for what it was, it’s still worth taking a closer look at Proton Mail vs Tuta encryption to break down the differences.

The blog post on Tuta claims that Proton address books are not encrypted. They are: all sensitive data about your contacts that you enter into your address book is end-to-end encrypted. Only the email address/display name itself is not encrypted, so that you can, for example, filter incoming emails that are not from your contacts.

Encrypting the email address also wouldn’t provide much additional security or privacy, because when you send an email, we need the email address to deliver the email. We could encrypt it anyway, and claim that we can’t see it, but this would be very misleading – and similarly, we find Tuta’s claim that they encrypt the entire address book misleading as well. 

There is also the false claim that Proton Calendar metadata is not encrypted. This is also inaccurate: all sensitive metadata is encrypted. One piece of insensitive metadata cannot be end-to-end encrypted — namely the date and time of events. This is so that we can send reminders (e.g. via email and push notifications) about events at the correct time. However, the contents of the notifications are end-to-end encrypted. If you want to learn more about the security model of Calendar, you can read our blog post about it.

The dangers of proprietary encryption

The recent blog post has also attacked Proton Mail for using open cryptography standards, namely OpenPGP, with the claim that this is somehow less secure. First of all, OpenPGP is an open standard, which means that email encryption at Proton is not a walled garden, you can send encrypted email to any PGP user. In contrast encrypted “emails” within Tuta, which cannot extend beyond their walled garden, are not really emails at all: they are encrypted messages using a proprietary format. And this may even be fine for some use cases, as long as one’s honest about it.

OpenPGP has also gotten a big update in recent years, It is also being standardized to support post-quantum cryptography, and there is now a draft specification(new window) for encrypting email headers (including subjects) in encrypted emails. 

Proton’s use of open standards means that we have worked together with security researchers and cryptographers from universities around the world, like ETH Zürich, to analyze the security of OpenPGP. By contrast, Tuta using proprietary encryption means that the security of their applications has received less scrutiny and academic analysis, leading to flaws. 

For example, while Tuta (like Proton) also uses AES, they do not always use (and require the use of) authenticated encryption. In theory, this means their server (or an attacker who compromises their server) could modify a message in the Tuta users’ mailbox, without the application (and thus potentially the user) noticing.

While this was(new window) reported(new window) before(new window), and Tuta has attempted to fix it (by adding a Message Authentication Code, or MAC), their clients still accept messages without a MAC, and so the server could simply remove it. So the vulnerability is still in place. Furthermore, Tuta’s server can conduct a man-in-the-middle attack by serving a malicious public key to a user (a weakness shared by many public/private key encryption systems).

By contrast, Proton has never used unauthenticated encryption, and rejects external unauthenticated messages (both on the server and in the clients). Furthermore, Proton Mail offers protection against public key tampering, originally via our address verification feature, which is a form of key pinning, and more recently in an automated way via Key Transparency, which prevents this type of attack. 

The above points demonstrate that even if a piece of data is/was to be encrypted, it is not always equally safe. We commend Tuta for trying to do what Proton does, the world certainly does need more people working on private by-default solutions, but integrity matters too.

Related articles

A cover image for a blog describing the next six months of Proton Pass development which shows a laptop screen with a Gantt chart
en
Take a look at the upcoming features and improvements coming to Proton Pass over the next several months.
The Danish mermaid and the Dutch parliament building behind a politician and an unlocked phone
en
We searched the dark web for Danish, Dutch, and Luxembourgish politicians’ official email addresses. In Denmark, over 40% had been exposed.
Infostealers: What they are, how they work, and how to protect yourself
en
Discover insights about what infostealers are, where your stolen information goes, and ways to protect yourself.
Mockup of the Proton Pass app and text that reads "Pass Lifetime: Pay once, access forever"
en
Learn more about our exclusive Pass + SimpleLogin Lifetime offer. Pay once and enjoy premium password manager features for life.
A cover image for a blog announcing that Pass Plus will now include premium SimpleLogin features
en
We're changing the price of new Pass Plus subscriptions, which now includes access to SimpleLogin premium features.
Infinity symbol in purple with the words "Call for submissions" and "Proton Lifetime Fundraiser 7th Edition"
en
It’s time to choose the organizations we should support for the 2024 edition of our annual charity fundraiser.