Stop saving passwords (at least for non-Tutanota users)
Hi. I signed up a few days ago for your service, and as a coder myself, I started testing its abilities. First of all, you deserve respect and congratulations for the amazing job done in the layout/JS code. It's an inspiration for me (a beginner coder) to see something very well done. But there's something very strange (for a service that tells us every time that they just don't know our keys/password). When sending e-mail to a non-Tutanota user, with a password for encryption, I send 1 e-mail with one password, later I change the password and send another e-mail (to the same person), and the person is able to access his 'mailbox', and check all messages sent, with the same password... But, I changed it!! Of course you are saving it in your server, and decrypting each message with the respective password. Another thing that is suspicious on this matter: when accessing my mail and going to contacts, I see all contacts I sent e-mails to, right? When it is someone outside Tutanota, I click on his name and you show me with **** the password used for my communication. WTF?! How the hell are you saving this info at your server?
Thanks for your questions.
1. Tutanota uses indirections so that you may change your password and/or the passwords of external recipients. The new password can decrypt all encrypted data while we do not have access to it.
2. Your entire mailbox, including contacts and their passwords, is encrypted and decrypted locally on your device. All data on our servers is encrypted and we do not have access to it. That's why you can see the passwords of external recipients in your mailbox while we cannot.
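The indirection described in point 1, as an added example that is not part of the original thread and is not Tutanota's code: a generic key-wrapping scheme in which the password only encrypts a random data key, so a password change re-wraps that key and older mails stay readable. The function names, the scrypt and AES-256-GCM choices, and the `channel` record layout are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Derive a key-encryption key (KEK) from the password (scrypt defaults, illustrative).
function deriveKek(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// AES-256-GCM; output layout is iv (12 bytes) || tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

function unseal(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key is wrong or the data was modified.
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Hypothetical server-side record: salt, wrapped data key, ciphertexts. No password.
function createChannel(password) {
  const salt = crypto.randomBytes(16);
  const dataKey = crypto.randomBytes(32); // random key that actually encrypts mails
  return { salt, wrappedKey: seal(deriveKek(password, salt), dataKey), mails: [] };
}

function unlock(channel, password) {
  return unseal(deriveKek(password, channel.salt), channel.wrappedKey);
}

function sendMail(channel, password, text) {
  channel.mails.push(seal(unlock(channel, password), Buffer.from(text, 'utf8')));
}

// Runs on the client: only the wrapping changes, the data key stays the same.
function changePassword(channel, oldPassword, newPassword) {
  const dataKey = unlock(channel, oldPassword);
  channel.salt = crypto.randomBytes(16);
  channel.wrappedKey = seal(deriveKek(newPassword, channel.salt), dataKey);
}

function readAll(channel, password) {
  const dataKey = unlock(channel, password);
  return channel.mails.map((m) => unseal(dataKey, m).toString('utf8'));
}
```
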