nadiyar
Yes, #Tuta is terrible. Not only do you pay for using their platform, but their encryption is not audited and not open source, plus due to that so-called encryption (which exclusively works within their platform and all communication with outside is plain-text), you cannot use SMTP or IMAP. So your emails are trapped there. Their export is so damn buggy that I had to export 30 emails at a time. Utter disaster.
I can suggest https://Posteo.de or https://soverin.com
@kakooda
I don't know how to respond to that. But let's try:
1. Their E2EE is proprietary. Google it.
2. Read a bit about symmetric and asymmetric encryption, plus the password decryption happens on their platform. There is a reason why PGP is the standard.
3. Yes, but you cannot have some features. I was a premium customer for over 2 years.
Read this for further info:
Anyways, if you are happy with it, enjoy. I GTFO and lost money!
@kakooda
To further clarify, use the software you like from the company you like.
I have used Tuta for about 700 days, paid since day 1, but I never got the support I paid for. Even when I wanted to export my emails, they refused to acknowledge the bugs and refused to help. I'm extremely bitter about the experience, and I have done my best ever since to warn people about Tuta issues.
But again, ultimately, use what suits you most.
@nadiyar disroot.org is also great btw.
> I didn't find anything about their E2EE being proprietary
When its code is not publicly available and is not FLOSS, then...
> Have you tried to post your bad experience on their official sub-Reddit and make them publicly responsible?
I don't use Reddit. I leave that to other folks who are more invested in this.
> the symmetric key is encrypted with the password which both sender and recipient know but not the server.
Yes, but remember when the symmetric encryption was used: when the recipient is not in Tuta. And if someone is not in Tuta, they also don't have the client, so they are decrypting it using Tuta's server. Therefore, Tuta's server will have access to unencrypted data.
> Their excuse for not using PGP is that it does not encrypt the subject line
Well, the email protocol is old and does not have good security features, but they could add a line at the beginning of the email body and include the subject there and keep the subject field empty. Typically security != convenience.