Make Tutanota resistant to browser fingerprinting and thus support anonymous usage
The suggestion is to design Tutanota in a way that browsers which avoid fingerprinting can fully use Tutanota in an anonymous way.
JonDoFox, for example, prevents browser fingerprinting (https://anonymous-proxy-servers.net/en/software_win.html), similar to the Tor Browser. This makes the use of Tutanota more anonymous.
Unfortunately, Tutanota uses fonts which have to be loaded by JonDoFox and other browsers and which allow everyone's browser to be fingerprinted and prevent anonymity. This should be clearly avoided.
This also concerns Tutanota allowing login, BTW. I found that even with an "approved" browser set "to enhance security and privacy", the Tutanota login comes back with "Your browser is not supported". I found, however, that after resetting the browser profile (FF in this case) by deleting the browser profile, login is restored. Strangely enough, if the original profile is then restored, login is still possible. Furthermore, I suspect that this behaviour is not user-agent dependent, because "spoofing" a Tutanota-accepted browser does not resolve a "not accepted browser" situation. Perhaps Tutanota can share what their login page is scanning for that triggers this process?
Just a remark: as far as I can see, Tutanota does not need the fonts to be loaded. As you probably know, browsers can be configured to use only fonts available locally, thus limiting font loading and potential font fingerprinting. For example, for Firefox see browser.display.use_document_fonts. When I tested this on Tutanota, everything still functioned perfectly. Furthermore, if this is applied in the user's browser, it'd apply to all web use (although detection can still occur with Java, and we all know complete anonymity is of course a pipe dream).
Agreed, this is a great idea.
I'm all out of votes, +1 please