Me + wife were seriously considering switching to Proton, but we had been “considering” for like half a year. So while the transfer now has been officially put on hold indefinitely, that’s in practice no different from how it was before :)
Have considered Tuta but there are several reasons I’m not sold on that service - primarily that they manage to give me (who isn’t a techie!) the impression (I might be wrong…) of a walled garden where all the benefits/convenience of the service evaporate (??) as soon as you need to talk to a non-Tuta user. (??)
From your description it sounds like the feature you might be thinking of as walled-garden-ing is end-to-end encrypted (e2ee) emails, which they call “confidential”. The idea is that you can encrypt a message and send it to someone. The message they receive is actually just a link to a publicly-accessible page that Tuta hosts. You give the other person a password that they can enter on that page to read the email you sent and respond to it. If your recipient is also using Tuta, though, when you send an encrypted email it just shows up in their inbox like a regular email.
This is the standard way to handle secure emails, and it’s actually a limitation of the email protocol. The way you would send an encrypted message to someone on another email server is to encrypt the email with your recipient’s public key. Then the message goes to their email inbox like a regular email and they can use their private key to decrypt it (which is what Tuta does if you’re sending an encrypted email to another Tuta user–they already have the recipient’s public key). Email servers don’t have a standard way to send each other public keys for accounts, so if you want to encrypt an email you either have to get the recipient’s public key yourself and tell your email software to encrypt the message with it, or have your provider send a password protected link.
I actually just switched to Tuta. You can still get and receive normal unencrypted emails. The encryption is optional and not enabled by default. I don’t have strong feelings one way or the other yet on the service as a whole. They just added the ability to import emails exported from another service, which is usually something email providers do pretty early on. Currently it’s only available at the $8/month tier, but it’s speculated that they’ll roll it out to the $3/month tier once it’s stable. That’ll be a non-starter for a lot of people. The client UI is simple but functional. It was easy to set up my domain so I don’t have to go into each account and update my email address. Yeah, no complaints so far, but also nothing that blows me away. There’s a free tier if you wanted to just poke around.
Of course, bolting security on top of email is going to be a challenge, and require trade-offs between convenience and security.
It’s likely that there are aspects of how Tuta works that I have misunderstood, but based on my understandings, this is my take:
For my use case, I believe Tuta’s choice of increased security isn’t worth the added inconvenience for the people I’m communicating with who have to access our communications through a separate webpage instead of within their normal email inbox. (Perhaps they can export the emails from that site, but if so, they’d be unencrypted on their machine unless the user took manual steps to re-encrypt, no?)
Secondly, I do not, IRL, know anybody else who uses Tuta, but I know a handful of people who do use PGP (for example through Proton). That would mean that communications with them would need to be unencrypted, or go through Tuta’s portal, just as if they were regular Gmail users. In contrast, if I were to choose a PGP-based encryption, communicating with them - encrypted - would be more convenient. Less secure? Yes, but as I said above, that’s a trade-off that I’m willing to make. Not to mention, if I no longer liked the service next year I ought to be able to move on without ruining access to old emails, or really, even seeing an interruption in ongoing email conversations. Yes, that does require a custom domain to work in practice - I’ve set that as a precondition for whatever service I’m going to sign up for.
Thirdly, I mentioned a walled garden.
Assume I were to use Tuta for a couple of years. People I regularly exchange encrypted mail with have gotten frustrated by having to use the portal and signed up for Tuta as well. One day, I decide that I would like to move elsewhere for whatever reason. Now I’m the one who has to use Tuta’s portal whenever I want to communicate with my friends, because there’s no other service that I can go to that’s compatible with Tuta’s encryption.
That’s why I consider Tuta to be a walled garden.
I am glad that they finally did add import/export. When I took the service for a spin maybe a year and a half ago, import and export wasn’t yet possible, and that was another reason why I didn’t join them already in mid 2023.
(BTW, have they fixed the Linux desktop app so that it can be used on a hi-dpi (4k) screen without a magnifying glass? Back then, that app refused to listen to any display scaling commands. I had to reconfigure the display resolution from 4k to 2k to be able to interact with the app.)