Release signed Firefox addon, Thunderbird addon, or signed standalone interface

For the same reason that the iOS and Android apps have sandbox security, please release a signed Firefox browser addon, signed Thunderbird email client addon, or signed standalone interface. Neither Tutanota nor any service with an open source Javascript interface sent over TLS can easily assure users that the interface delivered to them was not tampered with on the provider's servers before being sent. In the webmail interface, it is inconceivable for users to compare the page's source to the git tree on every login. No one can be certain that a provider is not compromised unless the interface is released in a static, signed package whose hashes and key are publicly published. That way, all users are more certain to have the same, vetted interface and can compare hashes of it among themselves without depending exclusively on the provider's word.

Tutanota already does it for mobile apps. Desktop/browser users should have the same advantages. Do as other security-concerned open-source projects do, and provide PGP signature files with every official release, or provide hashes, or tell users your fingerprint. Allow Mozilla to review your addons as they do for all addons submitted through their site.

This was one of the reasons why Cryptocat evolved from a web interface to a signed browser addon and apps and then to a standalone desktop program. Read the creator's reasoning:

https://nadim.computer/2013/05/23/critique-javascript-cryptography.html
https://www.schneier.com/blog/archives/2012/08/cryptocat.html
https://crypto.cat/help.html#signatures
https://crypto.cat/security.html#misc

291 votes
Anonymous shared this idea
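The post argues that a static, signed release lets users check that they all received the same, vetted interface. The following is an added example, not code from the original post or from Tutanota: it parses a published checksum manifest in the common `SHA256SUMS` layout (hex digest, two spaces, filename) and verifies a set of downloaded release files against it, reporting which files match, which were modified, which are missing and which were shipped without being listed. The file names and contents are constructed placeholders. Checking the PGP signature on the manifest itself (e.g. with `gpg --verify`) is the step that ties the hashes to the publisher's key and is done outside this script; the script covers only the hash comparison the post describes.

```python
import hashlib
import hmac

# Constructed placeholder release files: name -> bytes as downloaded.
# In practice these would be read from disk after download.
RELEASE_FILES = {
    "interface-1.0.0.xpi": b"constructed placeholder for a packaged interface",
    "README.txt": b"constructed placeholder for release notes",
}

HEX_DIGITS = set("0123456789abcdefABCDEF")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> str:
    """Produce a SHA256SUMS-style manifest; what a publisher would sign and publish."""
    lines = [f"{sha256_hex(data)}  {name}" for name, data in files.items()]
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> dict:
    """Parse 'digest  filename' lines into {filename: lowercase hex digest}.

    Rejects malformed lines instead of silently skipping them, so a truncated
    or corrupted manifest cannot pass verification by listing fewer files.
    """
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if (len(parts) != 2 or len(parts[0]) != 64
                or any(c not in HEX_DIGITS for c in parts[0])):
            raise ValueError(f"malformed manifest line {lineno}: {line!r}")
        digest, name = parts
        # GNU coreutils marks binary-mode entries with a leading '*'.
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_release(manifest_text: str, files: dict) -> dict:
    """Compare downloaded files to the manifest.

    Returns a report with four lists: 'ok', 'mismatch', 'missing' (listed in the
    manifest but not present) and 'unlisted' (present but not in the manifest).
    Anything other than all files in 'ok' means the release should not be trusted.
    """
    expected = parse_manifest(manifest_text)
    report = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for name, digest in expected.items():
        if name not in files:
            report["missing"].append(name)
            continue
        # compare_digest avoids timing differences; harmless here but idiomatic.
        if hmac.compare_digest(sha256_hex(files[name]), digest):
            report["ok"].append(name)
        else:
            report["mismatch"].append(name)
    for name in files:
        if name not in expected:
            report["unlisted"].append(name)
    return report


if __name__ == "__main__":
    manifest = build_manifest(RELEASE_FILES)
    print(manifest)
    print("untouched:", verify_release(manifest, RELEASE_FILES))
    # Simulate a package altered after the manifest was published.
    tampered = dict(RELEASE_FILES)
    tampered["interface-1.0.0.xpi"] = b"constructed modified interface"
    print("tampered:", verify_release(manifest, tampered))
```

Because the manifest is a plain text file, two users can exchange or publish their own copies and compare them with each other, which is the "compare hashes among themselves" check the post asks for; the signature on the manifest is what stops a compromised server from simply publishing a new manifest alongside a modified package.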

2 comments
