I suggest you ...

PGP Support

Please offer support for PGP to communicate with non Tutanota users.

1,033 votes
Vote
Sign in
Check!
(thinking…)
Reset
or sign in with
  • facebook
  • google
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    Nico shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
    AdminTutanota Support (Admin, Tutanota) responded  · 

    Thank you all for your feedback. Please let us explain in more detail why we don’t plan to add pgp-support at the moment:

    Current encryption standards like pgp and S/MIME have several issue that we plan to address with Tutanota. These standards do not support forward secrecy and are not resistant to attacks from quantum computers.

    In addition, it is important to us that the subject line in emails is also encrypted. That’s why we have developed a solution that is also based on recognized algorithms (RSA and AES) and that automatically encrypts the subject, the content and the attachments. In the future, we plan to upgrade these algorithms to quantum-resistant ones that also support forward secrecy.

    We also see the importance that Tutanota needs to be interoperable with other encryption solutions. We will develop an API so that Tutanota users can communicate with users of other secure services confidentially in the future.

    51 comments

    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
    • facebook
    • google
      Password icon
      Signed in as (Sign out)
      Submitting...
      • Sergey commented  ·   ·  Flag as inappropriate

        I haven't sent any encrypted e-mail so far with the reason being tutanota does not use PGP. Even if the subject line is not encrypted, is it possible to simply select both options? It seems people in the comments are even ready to pay money for it

      • Nikhil commented  ·   ·  Flag as inappropriate

        Sometimes I need to send a secure email to someone who I have the PGP key of, but I can't give them a password in person to open the mail. I need a workaround to send signed/encrypted mail to them through tutanota.

      • dojohn commented  ·   ·  Flag as inappropriate

        POSTPONED? tutanota afraid to allow users to divulge its public keys which could be mass scrutinized for flaws?

      • ChrisA commented  ·   ·  Flag as inappropriate

        L - Great post! If all that's stopping Tutanota from incorporating PGP is an encrypted subject header then I'm happy to forgo that and just have a subject of "hello" or something meaningless. I'm also more than happy to encrypt my own attachments if that's another show stopper.

      • L commented  ·   ·  Flag as inappropriate

        I am going to explain why OpenPGP support would be a good thing.

        Right now, there are competing services offering encrypted email. Mostly Protonmail and Tutanota, also others offering lesser degrees of encryption. Since these services compete with one another, they would prefer not to be interoperable.

        But there is an argument to be made that the competing services, by becoming interoperable, will actually compete better. Due to networking effects, if N services offer encrypted communications among one another, they as a group are now able to compete N times better with the NON-encrypted services. Tutanota alone will never compete with Gmail. Most of the other people Tutanota users want to communicate with are using Gmail (or Yahoo, or Hotmail, or ...).

        But if Tutanota + Protonmail are exchanging encrypted email, they are now twice as big. If we add some other encrypted mail services to this, we now have a collective encrypted mail service cluster that is N times better able to compete.

        Protonmail already accepts incoming OpenPGP mail and transparently shows it so the user. All that a sender has to do is know that Protonmail user's public key. If Tutanota wanted to cooperate, Protonmail and Tutanota could work out an automatic public-key–exchange protocol. It would be completely transparent to users on both services. So without trying to underestimate the development effort of doing this, let me point out that OpenPGP already exists in JavaScript form, so they would not have to write the encryption code from scratch — they would only have to add just enough scaffolding to bring it all together.

        Let me also take this opportunity to explain why Tutanota's explanation “Why does Tutanota not use pgp?” (see: https://tutanota.uservoice.com/knowledgebase/articles/470724-why-does-tutanota-not-use-pgp) is untrue. They say: “It is important to us that the subject line in emails is also encrypted. That's why we have developed a solution that is also based on recognized algorithms (RSA and AES) and that automatically encrypts the subject, the content and the attachments.”

        I think this explanation is disingenuous. Nothing in PGP requires that the subject heading of your email be left unencrypted. PGP simply gives you the option to have an unencrypted Subject: header in your email. PGP does not require that the contents of this Subject: header be the subject heading of your email. The subject heading of your email can be inside the encrypted part, and the Subject: header can be “Encrypted email”, or anything else that the sender wishes that does not disclose private information.

        Attachments can definitely be encrypted using PGP since about 15 years ago.

        I am sure Tutanota developers have good reasons of their own for not using PGP. These reasons have nothing to do with the subject heading or encryption of attachments.

      • ChrisA commented  ·   ·  Flag as inappropriate

        Yes, it's the only thing that's stopping taking out an annual subscription. I need to be able to import public keys from other PGP services like Mailvelope and export my tutanota public key to give it to people using other PGP email systems. If I'm forced to use Mailvelope with tutanota then the advantage of Tutanota is reduced and I may as well use Mailvelope with a mail service that has greater functionality like GMX mail etc. The alternative is to try and persuade all my contacts to switch to tutanota which will never happen.

      • Greg commented  ·   ·  Flag as inappropriate

        Any update on PGP support?

        Here's my perspective. If Tutanova only communicates securely with Tutanova, it remains a walled garden. TN users are then in the unpleasant position of trying to convince people with other security solutions to switch to TN or to open a new account.

        PGP support seems the best way to make TN interoperable with other platforms. That would dramatically increase the base of secure email users. Right now, there are so few secure email users, that increasing the total population -- not just the TN population -- will help everyone.

        Just my thoughts.

      • Anonymous commented  ·   ·  Flag as inappropriate

        You should look at pretty Easy privacy engine, it supports encrypting email subject and it's open source. With one of the connectors it can be included in Tutanota and support PGP with any service.

      • Anonymous commented  ·   ·  Flag as inappropriate

        PGP support is useful in order to export my public key and use it with Facebook or other PGP compliant systems

      • Sus Antigoon commented  ·   ·  Flag as inappropriate

        PLEASE add pgp

        When trying to send an encrypthed message to someone overseas
        then there isnt always an option to have a shared password.
        If someone has a shared pgp key then i can use that key to send an encrypted mail even without the need of a shared secret.

        So with totanota's option there is NO WAY to send an encrypted mail to someone you never communicated before.

        So in this case it still leaves a big gap in providing any privacy.

        Adding pgp support would fix this? Is there another way to fix this?

        It would not hurt to have pgp available in tuta.

      • Anonymous commented  ·   ·  Flag as inappropriate

        You mentioned that is will be probably available end of the year. The comment was january 2015 which I could assume that you must be very close in releasing this feature :( Any ETA on this ?

      • Anonymous commented  ·   ·  Flag as inappropriate

        I would love to see this feature implemented. Using open standards and protocols is the way to go. I don't want to see the same thing happening to secure email as what has happened to messaging. Every company using its own implementation and no cross-platform support. Thanks for all the hard work and development of Tutanota!

      Feedback and Knowledge Base