Just in time for 10 years of Tuta/Tutanota, we are launching the most significant security upgrade of Tuta Mail with TutaCrypt. This groundbreaking post-quantum encryption protocol will secure emails with a hybrid protocol combining state-of-the-art quantum-safe algorithms with traditional algorithms (AES/ECC) making Tuta Mail the world’s first email provider that can protect emails from quantum computer attacks.
making Tuta Mail the world’s first email provider that can protect emails from quantum computer attacks.
I don’t see how mails are secured when being sended from or to a Tutanota user and to or from a non Tutanota user. Those mails are only secured on their servers.
If you, a non tuta user, receive a mail from a tuta user you only get a download link. Which at least protects the content but not the metadata that someone send you an email. If a non tuta user sends a mail to a tuta user, there isn’t much tuta can do unfortunately. I’m not quite sure how you expect tuta to do magic? They do what they can.
Quite a lot of cryptography detail in their blog post, not all of which do I understand. Curious to find out what the community thinks of this …
For instance:
We’ve re-built the Tuta cryptographic protocol from the ground up and are now upgrading our encryption using quantum-resistant algorithms together with conventional algorithms (Kyber in combination with AES 256 and ECDH x25519 in a hybrid protocol) for our asymmetric public key encryption of emails
I know Bruce Schneier says rolling your own Crypto is hard and most will get it wrong. So is it concerning that they made their own encryption protocol?
So, are they putting a piece of cardboard in front of a bullet-resistant door?
🤔
It sounds like they’re just encrypting it twice (once with each algorithm), but I could be wrong.
