Please offer support for PGP to communicate with non-Tutanota users.
Thank you all for your feedback. Please let us explain in more detail why we don’t plan to add pgp-support at the moment:
Current encryption standards like pgp and S/MIME have several issues that we plan to address with Tutanota. These standards do not support forward secrecy and are not resistant to attacks from quantum computers.
In addition, it is important to us that the subject line in emails is also encrypted. That’s why we have developed a solution that is also based on recognized algorithms (RSA and AES) and that automatically encrypts the subject, the content and the attachments. In the future, we plan to upgrade these algorithms to quantum-resistant ones that also support forward secrecy.
We also see the importance that Tutanota needs to be interoperable with other encryption solutions. We will develop an API so that Tutanota users can communicate with users of other secure services confidentially in the future.
Emile Pesik commented
Well, ProtonMail already has my money, but sadly they don't support multiple accounts in the same client. This brought me to Tutanota as I need separate email accounts on separate domains (which they don't support either!).
ProtonMail offer full PGP support, and the ability to exchange encrypted messages with users on other services is essential.
All a proprietary solution achieves is another walled garden, something we need fewer of, not more! Messenger only works between Facebook users, Facetime only works between Apple users, Hangouts (or whatever they change to _this_ time) only works between Google users, but encrypted emails work both between ProtonMail users and users on other services that employ OpenPGP.
This, together with the lack of support for multiple accounts, means I will now have to reconsider signing up for a paid Tutanota account :-(
At the moment I am waiting for:
a) tutanota supporting PGP
b) protonmail lowering its price to <30€ per year
The first one who achieves this will get my money. But at the moment I will stay with a traditional email provider and simply use PGP.
All nice and well, but I would take PGP over unencrypted emails. Your Swiss competitors seem to have understood the need and have implemented the change already.
Anon Im commented
That's all nice and well - but there are thousands of PGP users out there who simply don't care. We need a way to communicate with them and decrypt their emails, so why not just fucking add this - since we're paying you, and stop trying to push your own agenda? Nothing is stopping you from continuing Tutanota as you see fit - we just ask for PGP SUPPORT not PGP-by-default.
Emmanuel Goldstein commented
YOU CAN ALWAYS USE MAILVELOPE TO ADD TRUE PGP ENCRYPTION INSIDE A TUTANOTA EMAIL. PROBLEM SOLVED.
Dear Ladies and Gentlemen
Would you please implement PGP?
We understand, however we'd like to be able to use PGP with people that use other e-mail providers who we can't have a secure way to exchange a symmetric key with.
I absolutely love what Tutanota is doing about the e-mail crypto problem, and I understand that PGP has its own flaws and isn't perfect, but it's the de facto PGP standard of today.
When everyone's ready for a better system, that's gonna be awesome. But would be awesome to have built in PGP support (especially PGP/MIME) in the meantime.
I am a premium user of tutanota since 2016. I understand all the arguments from tutanota but currently I am just using tutanota for a secure and encrypted mailbox in the cloud. None of my contacts so far have a secure mailbox and would not be happy to start reading my e-mails using a password on tutanota.com. As a result I am not able to use any of the encryption options. By default I am sending e-mails unencrypted. I do not like the fact that the only option left is unencrypted e-mails. I recently came across https://encrypt.to which is using pgp and which in my eyes is one little step further in bringing encryption and secure e-mail to the masses. However there is still a long way to go. Any initiative to be more open and support interoperability will help.
I had to find other solutions for PGP communication... There was a service for 12EUR/month, and there was another one for free. Now I have several different e-mail providers, but I pay none of that, because there is simply no single one which has all the important features.
This is just a hint, I know, you work hard, but when these features need years to develop, people get bored of waiting, and switch.
I understand, that PGP is not perfect, but maybe it would be easier to integrate an already existing tool, than build your own for years, and lose customers with that.
It would be great, if Tutanota worked in Thunderbird with PGP.
Pussy Whipped commented
non-RSA is greatly preferred
>@Tin Man: We will make Tutanota interoperable! But not based on classic PGP...
So basically you will invent yet another "standard" to write to people outside of tutanota? Sure, PGP is not perfect, but it's the biggest and most used standard yet.
This won't solve the "island"/walled garden problem.
"There are several "islands" Tutanota, Hushmail, Protonmail, Silent Circle, various PGP and S/MIME, Startmail, etc. (Telegram, TextSecure (WhatsApp), Wickr,...) but few of them can communicate with each other. If you can connect them together the sum is much greater than the parts. I have correspondents in the various islands, but no secure mail gets sent because they are often in different ones."
This is very true, many times you have no chance to exchange passwords in a 2nd secure channel, nor timed destruction for mail exists here (unlike in protonmail), so you're forced to send mails to privacy invading providers. Since Tutanota only operates in English, many people who speak other languages cannot even switch.
Please remove your votes and vote for the link https://tutanota.uservoice.com/forums/237921-general/suggestions/6979966-pgp-support , because that has more votes already.
I use Mailvelope to accomplish this.
...and yes, despite its weaknesses, properly used pgp is still the largest secure mail system out there. If I know the proper key for a contact, I would like to be able to add it in my contacts and - after being warned about the potential problems - send pgp encrypted mail.
At least enable receiving and verifying pgp emails - done properly with rotating sub-keys etc. What's the logic behind forcing experienced secure mail users to go plaintext because I'm using a secure email service?
RSA? How is that resistant to attacks from future quantum computers? Please reconsider this and add switch to proper post-quantum crypto. Maybe djb's nacl for everything else.
As a premium user, I wish you would revisit this decision.