Tor Hidden Service
Add access to your site through tor as a hidden service.
I want this also!
Accessing Tutanota via Tor exit nodes is only as secure as regular TLS/SSL (see above).
Aside 1: Legal targeted surveillance will not be impeded by this, because once you're an identified target, they can always bug your devices or shoulder surf.
Aside 2: I don't know enough about i2p to speak to its security properties.
and .i2p +
.onion address +
This. Protonmail is Tutanota's main competitor I'd say (I use both services, competitor is just a general term there's plenty of market share for both) and they recently created a hidden service (https://protonirockerxow.onion/) for use of their application. It would be great if Tutao did the same, as right now any Tor user who wants the strongest security for their email would probably use Protonmail's hidden service. The fact that one can register through Tor browser on Protonmail's hidden service is a huge boon to them as well.
Tutanota has custom application of open algorithms to protect the entire inbox, so the inbox may not be accessible at all without an official client or until after the API is released.
Ole, thanks for the idea, but I think you overlooked some details in your plan.
Relative links aside, what you are suggesting will actually serve to deanonymize you, and is worse than accessing the service over tor. With tor, your connection would be like so:
you → tor guard node → tor middle node → tor exit node → tutanota server
But you are suggesting the following flow:
you → tor client guard → tor client middle → tor client exit → tor onion exit → tor onion middle → tor onion guard → your server → tutanota server
The only advantages you would see are if you and your server come from different locations, you do not trust the ISP/nation-state you are connecting to, but are fine giving up anonymity between your server and tutanota, because your server will connect directly to tutanota.
As a general rule hidden services are most practical when run on the same host (or internal network for load-balanced servers) as the server that hosts the content.
Ole Tange commented
If the links in Tutanota's webmail are relative links, then it will be very easy to implement:
Set up a hidden service on port 443.
Redirect your port 443 to tutanota:443.
Everyone can do this (if the links in the webmail are relative), but it will clearly be better if there is an official hidden service and not just one run by a random person like me.
I find it important for the same reasons @Muhammed finds unnecessary: We need more noncontroversial services on TOR so TOR can shed its reputation of only being used for shady activity. That said, TOR-access should of course not be the only way of accessing Tutanota.
+1 for this.
Facebook, DuckDuckGo, and even Blockchain all have hidden services.
This would make it safer for users like myself who live in dangerous and oppressive countries to access and use Tutanota.
to clear up some misconceptions,
0) tutanota accounts are pseudonymous; while they ask for a name, they do no kind of formal verification and would only have access to the ip logs and cleartext mail, as they cannot access the content of your encrypted messages.
1) tor encrypts traffic within its network but not as it leaves [technically it is exit node to tor client, but this is a minor distinction and I can discuss it further offline], as such an exit node operator can sniff as much as your telco provider or the nsa can. I much prefer having the exit node threat model as it reminds you that there could be a real person watching your traffic. any service that uses tls protects from malicious exit node operators
2) tor hidden services encrypt from end to end, this is the reason that most do not use tls, [again this is really hidden server to tor client]. the network diagram is somewhat different, because the traffic never leaves the tor network, and this allows for a server to become anonymous, but also prevents the server from generating any ip logs as all connections to the hidden service show up with ip 127.0.0.1. finally, hidden services do not need to rely on dns or dane: the address is a hash of the server's crypto public key, thus its name is already tied in with its crypto
3) what you are describing with a "specific exit node" is an exit enclave, they sort of work in concept, but have large flaws because of how tor works
4) to implement this tutanota would need to run the tor software, but need not operate a tor relay; internal, exit or guard. the tor hidden service code is completely separate from the relay code
What about having a specific exit node inside of the tutanota network? all tor traffic can only enter the service through the exit node inside the network so that it's impossible to sniff passwords on exit nodes that you don't know.
BUT is that even possible with tor?
I thought Tor was not meant for this. After all you need to be sure that the exit node is not sniffing for login passwords. And once you log in on a server through tor then you already breach the very reason why you are using tor in the first place.
I'm not against the idea but I try to make sense of it. Anonymity ends when you log in by using a PERSONAL account that can be linked TO YOU. Unless you also created the account when using tor and you NEVER EVER log in to the account without using tor. But I wonder what kind of people would do this. It only seems a feasible thing for people who are planning on committing fraud. But yea, also people who need more than just basic anonymity might want this.
So ok I answered my own question with a reason to ask a bigger question, but I'm not sure how to ask it. There is more to this than only the simple question.
A messaging service ?
by the way, are attachments encrypted ?
add tor lnk plz cuz reasons, and also things. :-D
If Tor Hidden Service is decided to be done, i2p service will be also appreciated to be implemented.
i2p and Tutanota User :)
For Tutanota over Tor (via Orbot, for Android users): https://tutanota.uservoice.com/forums/237921-general/suggestions/7118670--android-support-for-proxy-configuration-orbot-a
Téchne Digitus commented
I suggested this in an e-mail yesterday to Tutanota Team and I did not read this before!
This is very important to TOR and Privacy... (Remember all of us: We are the resistance!)
The more serious companies enjoy TOR, less power will have the bad reputation of "Deep Web Myth" (reference to Muhammed comment)...
And... I wish to add here the following consideration:
- Maybe Tutanota can be the first company to use DANE feature in a .onion domain!! This would be a kind of revolution! :)
And, of course, get TORProject Team involved will help a lot!
tl;dr go to uvcdn.com first, submit the captcha solution; then load tutanota.uservoice.com, submit second captcha solution. Happy browsing over tor.
Tutanota Support (Admin, Tutanota) commented
Yes, Yogev, the feedback system does not work via Tor. Sorry for the inconvenience.