Tutanota the privacy-oriented email provider is dead

in #email · 5 years ago


Tutanota (www.tutanota.com) has recently introduced the mother of all vulnerabilities into their client. Although they have a voting mechanism for new features and this 'feature' was never requested nor voted on, they have sneakily and overnight introduced a COMPULSORY account-wide recovery code for all users.

This recovery code is displayed in plain sight on your screen and you are requested to copy and keep it safe. Make no mistake, this recovery code has the power to reset all your passwords and any 2FA you might have.

They didn't care that users were requesting other features instead. They didn't care that, as a privacy-oriented service, it already deals with people who back up their 2FA. I personally had a normal authentication app and a FIDO device as a backup. The authentication code was backed up anyway.

This new code takes the power away from user-generated 2FA and user-managed backups, and gives it to them. Who knows how and by whom this code can be accessed?

They have no canary and the fact that this was introduced as a mandatory and compulsory thing for all users leads me to believe they built this for someone... else, not their users.

Of course, they will put up some: 'this was for our users' or some boilerplate like that, but the fact remains that all your passwords and 2FAs belong to them now, with this code.

Of course, they will say they have 'no access' to the code, which I highly doubt - and even if that was the case, it's still a very, very insecure way of implementing an account reset.

You can now be compromised for the sake of comfort. I was comfortable with having my own backups and not being forced to have some random code generated by them.

To me, Tutanota is neither private nor independent anymore. Something changed, and with the introduction of this they are now working against their users' wishes and have just nullified their biggest advantage: encrypted, private, uncompromised email. I might as well switch back to Gmail - if they're both reading my emails, at least Gmail offers more features.

Imagine this - you cannot even set a 'From' name for your aliases (for which you are required to pay) - a feature which has been requested over and over again and voted on - but instead they release an overnight, mandatory, account-wide compromising code that nobody asked for.

Let that sink in for a while and then let's all go try something else, because Tutanota is no more.
