Proton Mail versus Tuta (Tutanota) encryption

Proton’s encryption is open source and available for public inspection. Because we use open standards, the encryption that Proton uses is also publicly discussed and debated as part of the IETF standardization process. That’s why it is always surprising to see articles that openly misrepresent Proton’s encryption. This was the case with a recent blog post that was shared on Reddit. While most commenters correctly called it out for what it was, it’s still worth taking a closer look at Proton Mail vs Tuta encryption to break down the differences.

Tuta’s blog post claims that Proton address books are not encrypted. They are: all sensitive data about your contacts that you enter into your address book is end-to-end encrypted. Only the email address and display name themselves are not encrypted, so that you can, for example, filter incoming emails that are not from your contacts.

Encrypting the email address also wouldn’t provide much additional security or privacy, because when you send an email, we need the email address to deliver it. We could encrypt it anyway and claim that we can’t see it, but this would be very misleading – which is why we find Tuta’s claim that they encrypt the entire address book misleading as well.

There is also the claim that Proton Calendar metadata is not encrypted. This is inaccurate too: all sensitive metadata is encrypted. One piece of non-sensitive metadata cannot be end-to-end encrypted — namely the date and time of events. This is so that we can send reminders (e.g. via email and push notifications) about events at the correct time. The contents of the notifications themselves, however, are end-to-end encrypted. If you want to learn more about the security model of Calendar, you can read our blog post about it.

The dangers of proprietary encryption

The recent blog post has also attacked Proton Mail for using open cryptography standards, namely OpenPGP, with the claim that this is somehow less secure. First of all, OpenPGP is an open standard, which means that email encryption at Proton is not a walled garden: you can send encrypted email to any PGP user. In contrast, encrypted “emails” within Tuta, which cannot extend beyond their walled garden, are not really emails at all: they are encrypted messages using a proprietary format. That may even be fine for some use cases, as long as one is honest about it.

OpenPGP has also received a major update in recent years. It is being standardized to support post-quantum cryptography, and there is now a draft specification for encrypting email headers (including subjects) in encrypted emails.

Proton’s use of open standards means that we have worked together with security researchers and cryptographers from universities around the world, like ETH Zürich, to analyze the security of OpenPGP. By contrast, Tuta’s use of proprietary encryption means that the security of their applications has received less scrutiny and academic analysis, leading to flaws.

For example, while Tuta (like Proton) also uses AES, they do not always use (or require the use of) authenticated encryption. In theory, this means their server (or an attacker who compromises their server) could modify a message in a Tuta user’s mailbox without the application (and thus potentially the user) noticing.

While this was reported before, and Tuta has attempted to fix it (by adding a Message Authentication Code, or MAC), their clients still accept messages without a MAC, and so the server could simply remove it. So the vulnerability is still in place. Furthermore, Tuta’s server can conduct a man-in-the-middle attack by serving a malicious public key to a user (a weakness shared by many public/private key encryption systems).

By contrast, Proton has never used unauthenticated encryption, and rejects external unauthenticated messages (both on the server and in the clients). Furthermore, Proton Mail offers protection against public key tampering, originally via our address verification feature, which is a form of key pinning, and more recently in an automated way via Key Transparency, which prevents this type of attack. 

The above points demonstrate that even when a piece of data is encrypted, it is not necessarily equally safe. We commend Tuta for trying to do what Proton does; the world certainly does need more people working on private-by-default solutions. But integrity matters too.
