I suggest you ...

A fake inbox/passphrase (for plausible deniability purposes)

In Truecrypt, you have an option that enables you to set up a "fake passphrase", in order to access another Truecrypt volume than the really secure/secret one. If someone ever forces you to reveal your passphrase, you just have to reveal the "fake passphrase" and your private data remains secure. There is no way to detect whether the fake volume is, in fact, a fake volume; you can always argue that it is the real one: this is plausible deniability.

A similar option in Tutanota would be great: it would work by offering the user the possibility of setting up an alternate inbox next to the one he is using. If forced to reveal his passphrase, the user would just have to reveal the one to the alternate inbox.

This option, in my opinion, would perfectly address the only weakness that exists in the way Tutanota works. Yes, everything is encrypted from end to end, but if someone gains access to the real passphrase corresponding to an inbox, he gains access to everything. A fake passphrase and a fake inbox would greatly limit this flaw.

Cheers!

211 votes
    Gévaudan shared this idea
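As an added illustration of the hidden-volume idea this post borrows from Truecrypt (example code written for this page, not Truecrypt's or Tutanota's own): a container with a decoy slot and a hidden slot, each opened by its own passphrase, where a container created without a hidden volume gets random filler of the same size, so the two cases cannot be told apart by looking at the bytes. The passphrases, the slot sizes and the HMAC-SHA256 counter-mode stream cipher are assumptions made for the demonstration; Truecrypt's real format places the hidden volume in the outer volume's free space and is laid out differently.

```python
"""Toy two-passphrase container in the spirit of a Truecrypt hidden volume.

Layout:  [salt 16 B][decoy slot 512 B][hidden slot 512 B]
Every byte after the salt is ciphertext or random filler, so the container
looks the same whether or not the hidden slot is in use; only the passphrase
tried against it decides which slot (if any) opens.
Cipher: HMAC-SHA256 in counter mode under a scrypt-derived key, encrypt-then-MAC
so a wrong passphrase is detected. Illustration only, not Truecrypt's format.
"""
import hashlib
import hmac
import os
import struct

SALT_LEN, TAG_LEN, SLOT_SIZE = 16, 32, 512


def derive_key(passphrase: str, salt: bytes) -> bytes:
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def keystream(key: bytes, label: bytes, length: int) -> bytes:
    # counter mode built from HMAC; the label keeps the two slots' keystreams apart
    blocks = (hmac.new(key, label + struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, label: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC into a fixed-size slot; unused room is random, not zeros."""
    body = struct.pack(">I", len(plaintext)) + plaintext
    room = SLOT_SIZE - TAG_LEN
    if len(body) > room:
        raise ValueError("plaintext does not fit the slot")
    body += os.urandom(room - len(body))
    enc_key, mac_key = subkeys(key)
    ct = bytes(a ^ b for a, b in zip(body, keystream(enc_key, label, room)))
    return hmac.new(mac_key, label + ct, hashlib.sha256).digest() + ct


def open_slot(key: bytes, label: bytes, slot: bytes):
    """Return the plaintext, or None if this key does not open this slot."""
    tag, ct = slot[:TAG_LEN], slot[TAG_LEN:]
    enc_key, mac_key = subkeys(key)
    if not hmac.compare_digest(tag, hmac.new(mac_key, label + ct, hashlib.sha256).digest()):
        return None
    body = bytes(a ^ b for a, b in zip(ct, keystream(enc_key, label, len(ct))))
    (n,) = struct.unpack(">I", body[:4])
    return body[4:4 + n]


def create_container(decoy_pass, decoy_data, hidden_pass=None, hidden_data=b""):
    """Without a hidden passphrase the hidden slot is random filler of the same size,
    so a container with and without a hidden volume look identical."""
    salt = os.urandom(SALT_LEN)   # fresh salt per container: never reuse a keystream
    decoy = seal(derive_key(decoy_pass, salt), b"decoy", decoy_data)
    if hidden_pass is None:
        hidden = os.urandom(SLOT_SIZE)
    else:
        hidden = seal(derive_key(hidden_pass, salt), b"hidden", hidden_data)
    return salt + decoy + hidden


def open_container(container: bytes, passphrase: str):
    """Try the passphrase against both slots; returns ('decoy'|'hidden'|None, data)."""
    salt = container[:SALT_LEN]
    decoy = container[SALT_LEN:SALT_LEN + SLOT_SIZE]
    hidden = container[SALT_LEN + SLOT_SIZE:]
    key = derive_key(passphrase, salt)
    for name, slot in (("decoy", decoy), ("hidden", hidden)):
        data = open_slot(key, name.encode(), slot)
        if data is not None:
            return name, data
    return None, None


if __name__ == "__main__":
    # constructed sample: passphrases and contents are assumptions for the demo
    c = create_container("summer holidays", b"tax returns 2014", "wrench proof", b"real secrets")
    print(open_container(c, "summer holidays"))   # ('decoy', b'tax returns 2014')
    print(open_container(c, "wrench proof"))      # ('hidden', b'real secrets')
    print(open_container(c, "guess"))             # (None, None)
```

The deniability rests entirely on the unused region being indistinguishable from random: a zero-padded or structured hidden slot would give the game away. Truecrypt has the same constraint in reverse, since the hidden volume lives in the outer volume's free space; that is why writing to the outer volume can silently overwrite the hidden one unless its hidden-volume protection is enabled.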

    17 comments

      • Anonymous commented

        Interesting feature, but two passwords would mean two keys. I like SwissTengu's and Mustafa's ideas for an optional hidden vault inside the account like Truecrypt's suggestion of a volume inside a volume, another method for plausible deniability. Make sure the vault is not counted for the "Used space" percentage until its password is entered.

      • Chris commented

        > Wouldn't the attacker immediately be able to tell that the inbox is fake simply by sending an email to it? Am I missing something?

        Exactly. I haven't heard this system played out for email yet.

      • Chris commented

        > I've always wondered about systems that advertise plausible deniability. What's to stop your adversary from continuing to beat you with a $5 wrench while screaming, "Now enter the REAL password!"

        Plausible deniability is for the legal world. There is no solution for someone torturing you.

      • Anonymous commented

        Rather than conceptualizing it as a 'normal' and 'emergency' password, why not look at it as a 'vault access' and 'normal' password? That way you can go about your normal emailing but have a separate login for all the other things...without the question of deniability/duress.

      • joe commented

        I've always wondered about systems that advertise plausible deniability. What's to stop your adversary from continuing to beat you with a $5 wrench while screaming, "Now enter the REAL password!"

      • Anonymous Anonymous commented

        Conceptually, I find this to be a good idea, but right now I would like to just have an alias user name for the alias email address. As far as I know you only have one User Name for both email addresses.

      • SwissTengu commented

        @Mustafa yep, that's even better, and would be addressed by another feature request: filters.

        That would probably be the smartest solution, and, I think, the most user-friendly.

      • Mustafa Mohsen commented

        Good solution @SwissTengu
        Though, balancing both cases, I think that exposing the real inbox will put the user at risk of "sensitive" emails being sent while his/her inbox is exposed. I guess it's less likely that @t's scenario happens.
        A mix-and-match might be to selectively add some addresses/keywords to create a (hidden) filter that by default moves the email to the vault folder, and to make the filters inaccessible too, except with the "safe" password.

      • SwissTengu commented

        Good point @t indeed. Better solution might be:

        - create some "vault" folder
        - if standard password is entered, display it
        - if "emergency" password, hide it and its content

        Would mean "user responsibility to move sensitive mails to the vault". But this would prevent the point raised by @t in an elegant way.
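The vault-folder design from SwissTengu's comment, combined with the hidden filter rules Mustafa proposes above, as an added example (written for this page; not Tutanota's code or key design, and the scrypt/SHAKE toy crypto, the key hierarchy and the sample addresses are assumptions for the demonstration). Both passwords unwrap the inbox key, so the exposed inbox is the live one and @t's test of sending a mail does not expose the scheme; only the standard password unwraps the vault key that protects the vault folder and the rules. The scenario also shows the residual risk Mustafa points out: because the rules can only run under the vault key, a message from a vault-listed sender that arrives during a duress login is visible in the plain inbox.

```python
"""Toy model of the thread's 'vault folder' design: two passwords open one account;
only the standard one unwraps the vault key that protects the vault folder and the
hidden filter rules. Illustration only, not Tutanota's code or key design."""
import hashlib
import hmac
import json
import os

def kdf(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def xor_pad(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """SHAKE256 keystream XOR; each (key, nonce) pair is used for one item only."""
    pad = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))

def encrypt(key: bytes, obj) -> tuple:
    nonce = os.urandom(16)
    return nonce, xor_pad(key, nonce, json.dumps(obj).encode())

def decrypt(key: bytes, blob: tuple):
    nonce, ct = blob
    return json.loads(xor_pad(key, nonce, ct))

class Account:
    """Server-side state: wrapped keys and ciphertext only, never a plaintext rule."""
    def __init__(self, standard_pw: str, emergency_pw: str, vault_senders: list):
        self.salt = os.urandom(16)
        inbox_key, vault_key = os.urandom(32), os.urandom(32)
        self.slots = {}
        # both passwords wrap the inbox key; only the standard password wraps the vault key
        for pw, vk in ((standard_pw, vault_key), (emergency_pw, None)):
            k = kdf(pw, self.salt)
            login_id = hmac.new(k, b"login", hashlib.sha256).hexdigest()
            self.slots[login_id] = (xor_pad(k, b"wrap-inbox", inbox_key),
                                    None if vk is None else xor_pad(k, b"wrap-vault", vk))
        self.inbox = []                      # [(nonce, ct)] encrypted under inbox_key
        self.vault = encrypt(vault_key, {"rules": vault_senders, "messages": []})
        self._delivery_key = inbox_key       # stands in for the recipient's public key

    def deliver(self, sender: str, subject: str):
        """Mail keeps arriving whichever password is in use: the exposed inbox is real."""
        self.inbox.append(encrypt(self._delivery_key, {"from": sender, "subject": subject}))

class Session:
    """Client-side login; the password used decides which keys can be unwrapped."""
    def __init__(self, account: Account, password: str):
        k = kdf(password, account.salt)
        login_id = hmac.new(k, b"login", hashlib.sha256).hexdigest()
        if login_id not in account.slots:
            raise PermissionError("wrong password")
        wrapped_inbox, wrapped_vault = account.slots[login_id]
        self.acct = account
        self.inbox_key = xor_pad(k, b"wrap-inbox", wrapped_inbox)
        self.vault_key = None if wrapped_vault is None else xor_pad(k, b"wrap-vault", wrapped_vault)
        if self.vault_key is not None:
            self._file_into_vault()

    def _file_into_vault(self):
        """Apply the hidden rules; only possible once the vault key is unwrapped."""
        vault = decrypt(self.vault_key, self.acct.vault)
        keep = []
        for blob in self.acct.inbox:
            msg = decrypt(self.inbox_key, blob)
            if msg["from"] in vault["rules"]:
                vault["messages"].append(msg)
            else:
                keep.append(blob)
        self.acct.inbox = keep
        self.acct.vault = encrypt(self.vault_key, vault)

    def folders(self) -> dict:
        view = {"Inbox": [decrypt(self.inbox_key, b) for b in self.acct.inbox]}
        if self.vault_key is not None:
            view["Vault"] = decrypt(self.vault_key, self.acct.vault)["messages"]
        return view

    def used_messages(self) -> int:
        """'Used space' counts only what this login can see, as the comment above asks."""
        return sum(len(msgs) for msgs in self.folders().values())

def scenario():
    """Constructed sample traffic (assumed addresses). The standard login files the listed
    sender's mail away, but mail from that sender arriving during a duress login is exposed."""
    acct = Account("standard-pw", "emergency-pw", vault_senders=["source@example.org"])
    acct.deliver("mom@example.com", "Sunday lunch")
    acct.deliver("source@example.org", "documents attached")
    Session(acct, "standard-pw")                       # files the source's mail into the vault
    duress = Session(acct, "emergency-pw")             # what a coerced reveal shows
    before = duress.folders()
    acct.deliver("source@example.org", "follow-up")    # arrives while the inbox is exposed
    after = duress.folders()
    return before, after
```

Two details matter for the deniability. The server stores one login slot per password and cannot tell which slot is the "real" one, and the vault blob exists for every account (empty rules, no messages) so its presence reveals nothing; the used-space figure, as the Anonymous comment asks, is computed from what the session can decrypt rather than from what the server holds.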

      • t commented

        Wouldn't the attacker immediately be able to tell that the inbox is fake simply by sending an email to it? Am I missing something?

      • Simon commented

        I believe that this is one of the most important features to add. I don't know a lot about the technicalities, but maybe have two distinct mailboxes, each accessed through the same email address with a different password, without a noticeable way to distinguish them.

        One important aspect is to "hide" this feature somehow. If a person is "forced" to show his mail box but it was discovered that it could be a fake one, then it won't be "plausible" anymore. Maybe one way to do it is to enable this feature using a keyboard shortcut (not a link/setting). There must be some other ways too

      • Nick Chapman commented

        I think this is an interesting idea. I'm not sure if the whitelist feature could be implemented without compromising security - I can see some real problems with that. But... Well, I think it's interesting and worth considering.

      • Zachary Hill commented

        It could possibly only show emails from a whitelist/blacklist of senders/recipients for the best plausible deniability. (i.e., show emails to/from your family, but not to/from your boss.)

      • Gévaudan commented

        Of course, it would be needed to determine how this alternate passphrase would work:

        Does it grant access to a fully functional inbox? It seems difficult, since it seems impossible to make two different inboxes correspond to the same address [name@tutanota.de].

        However, it could work by enabling the possibility to transfer emails to the fake inbox from the real one.

        Just some thoughts! ;-)
