« Previous 1 2 3 Next »
Posteo, Mailbox.org, Tutanota, and ProtonMail compared
More Secure Email
Tutanota
Tutao GmbH from Hanover is the company behind the Tutanota [18] – whose name comes from the Latin for "secure message" – email service (Figure 10). A direct comparison with the other providers does not make sense because Tutanota currently offers few functions. On the other hand, it surpasses the performance of its competitors with its end-to-end encryption and by disclosing the entire source code [19]. Additionally, Tutanota charges no fees for the basic model, and the company has no plans to change this approach in the future.
The offer by Tutanota is currently limited to one webmail client. The email service cannot be used with mail clients such as Thunderbird because the end-to-end encryption used here cannot be readily implemented in the clients. The free offer includes 1GB of storage and currently does not offer any additional convenience on top of the basic functions. For example, no migration tool is offered, which customers could use to transfer their email from the previous provider. However, full encryption, which includes the subject and all attachments, works much more easily. The Tutao servers are located in Germany, and they store all email in encrypted form, even if the user sends them in an unencrypted form.
The service automatically encrypts email to another Tutanota address. The recipient can open the email in the web client with no further action and can also automatically send an encrypted replay. Encrypted email also can be exchanged without much effort with recipients who do not have a Tutanota account. To this end, both sides need to agree on a password that should have the usual security features. The sender writes a message and enters the password in their web client.
The receiver, using Gmail for example, receives an email informing them of the receipt of an encrypted mail. A link directs the receiver to the Tutanota webmail, where entering the previously agreed password will decrypt the email. After that, you can then turn off the requirement to enter a password for future correspondence. The answer reaches the Tutanota account in encrypted form; however, decryption works without entering a password because this is where the password was entered in the first place. The password is thus linked to the sender's address.
Tutao offers seamless integration of full encryption in Outlook for paying users [20]. Unlike the free offer, you can send the required password by SMS for decryption with Outlook.
The whole Tutao offer was subjected to a penetration test by Syss GmbH, in which it was not possible to hack the system or gain access to sensitive data. Apps for Android and iOS are available in the respective app stores; Tutao is currently working on extensions for the web mailer. An encrypted calendar will be added shortly. The developers are considering Office functions for collaborative work in the future. The company wants to offer these and other features, including more storage, as a commercial service.
In the future, Tutanota will be looking to offer users the ability to use their own domains with the service, just like the advance features you can add to Mailbox.org. This, however, would essentially remove the user's anonymity.
ProtonMail
The fourth provider is ProtonMail [21] from Switzerland. Several students developed the idea for this service in 2013 at the nuclear research center CERN and at MIT. The initial funding came from a crowdfunding project at Indiegogo [22]. Instead of the targeted $100,000, the developers received more than $550,000 right away – a record at Indiegogo at the time.
The service now has users in more than 120 countries and an office in San Francisco as well as Geneva. When registering your account, you therefore have to wait up to a few weeks for ProtonMail to activate your account. The web mailer is simple (Figure 11), offers 500MB of memory for free, allows you to send 1,000 email messages per month, and provides an address book. Commercial extensions are due to be added in the future. ProtonMail has messages with determinable expiration dates in the program as a special feature.
ProtonMail offers several encryption models. The system sends email between ProtonMail users natively through a secure tunnel. This end-to-end encryption can also be used by ProtonMail for sending to other mail providers, but not for receiving from them again, unlike with Tutanota.
Unlike the other providers mentioned here, ProtonMail is subject to Switzerland's data protection laws. The advantage of this is that the authorities and intelligence agencies who collect particularly sensitive personal data are obligated to inform the stakeholders about this. By definition, mandatory disclosure also applies to data that supports profiling.
Which Provider to Choose
Currently, Posteo and Webmail.org without doubt provide the largest range of functions. Posteo focuses on maximum user anonymity and offers an attractive business model for customers who value sustainability and environmentally correct behavior.
The range of functions from all the providers is certainly enough for everyday use, even if the emphasis differs somewhat. The web clients still struggle with minor hiccups, especially if the respective windows remain open in the browser for several days. In our lab, the Mailbox.org web client performed slightly better. The service uses a simple interface that also works well on widescreen displays because of its optional vertically split view. Anyone who places value on complete anonymity will be best off using Posteo; Mailbox.org does well with its additional office functions for collaborative work and its 20 years of experience.
Tutanota might offer a free basic model – but money should not be a decisive factor when making your decision. However, a free account decreases the inhibition threshold, making the service available to everyone. The end-to-end encryption, even for users without a Tutao account, can hardly be surpassed in terms of simplicity, and Tutanota is the first to offer the opportunity to encrypt simply but securely. However, the service does lack some features, meaning that Tutanota is only really useful for email that you need to encrypt. The service also works with Android and iOS. Users will have to wait and see where Tutanota is heading. When asked, the company spokesperson stated that more functions would be added and that the initial focus had been full encryption.
The newest provider from our survey, ProtonMail, has been in business for less than one year. The service is still in the beta phase; however, it is blooming into a serious competitor for Posteo and Webmail.org with its coffers well-filled by crowdfunding.
Like Gmail [23] and Yahoo Mail [24], the major providers here are also working on simple-to-use full encryption. It's always nice to see how small providers encourage large companies to do good. For example, when Posteo presented a transparency report [25] in May 2014, Telekom followed suit the same day, although they had previously declared that it was up to lawmakers to make disclosing this information mandatory.
« Previous 1 2 3 Next »
Buy this article as PDF
(incl. VAT)