Most email services can decrypt and read your emails, should they wish to, even those advertised as 'secure.' Currently, Tutanota and ProtonMail are the most private and secure email alternatives, both offering end-to-end encryption.
But which one should you choose? We dissect both to give you an honest verdict.
Tutanota is a free, secure email provider based in Germany. Its name comes from the Latin words “Tuta” and “Nota,” which translate to “secure note.” Boasting impressive end-to-end encryption, U2F, and SHA256 password hashing, Tutanota claims to be the world's most secure and private mailbox. With research in Quantum Cryptography already underway, it's hard to believe otherwise.
Let's take a look at ProtonMail.
ProtonMail is a free, secure, Swiss email provider. Using Open Source and zero-knowledge architecture, their security is so robust that not even they can read your emails. Their servers are also hidden under a kilometer of granite in a former military bunker, with multiple password layers. An attack would need to be nothing short of nuclear.
Let's talk about the data laws under which these companies operate. Tutanota is based in Germany (one of the Fourteen Eyes). ProtonMail uses its Swiss location to take advantage of the DPA and DPO acts.
Tutanota: Germany may be one of the 14 Eyes, but it is protected by The German Federal Data Protection Act – a modification of the general EU GDPR law. Essentially, it prohibits the collection and use of personal data unless the law specifically permits it or you have given your informed consent.
ProtonMail: Switzerland is renowned for being neutral territory – being outside of US and EU jurisdiction. Offering some of the strongest privacy protection in the world, their 1993 Federal Act on Data protection strictly prohibits any processing of personal data without explicit consent.
Since both Tutanota and ProtonMail have zero-knowledge architecture, even if the Swiss Supreme Court ordered the release of your data (within reason) or you were a target of German authorities, the only information they'd have on you would be the time you went on/offline.
Both ProtonMail and Tutanota messages are encrypted every step of the way, leaving little to no room for interception.
Messages are encrypted while:
Tutanota encrypts the email subject, body, and all attachments. The bonus is an end-to-end encrypted address book and calendar, ensuring that your contacts and meetings are kept top secret.
ProtonMail offers nearly the same level of end-to-end encryption, though it does NOT encrypt email subject lines. What they must be given credit for is usability: enjoy conversation views, group sending, and Bond-style self-destructing emails for quick security. Your full-text searches are NOT encrypted, however.
Tutanota combines AES 128-bit and RSA 2048-bit protocols to give you end-to-end protection. Their stronger key schedule arguably makes it more secure than AES 256-bit. Emails to non-Tutanota users are encrypted using AES-128-bit. Passwords are hashed using bcrypt and SHA256, with connections to the Tutanota servers secured using TLS.
ProtonMail encrypts its emails much like Tutanota does, except that it uses AES 256-bit, known as the gold standard of cryptography. Messages to non-ProtonMail users are password protected and expire after 28 days, with no sign-up required. It is, however, left up to the user to share the password securely.
Tutanota encrypts more sections of your email and inbox than ProtonMail (your calendar and address book) while also giving you a zero-knowledge text search. No one at Tutanota can see what you search for within your emails.
Both Tutanota and ProtonMail are open source-based, crucial for ensuring the highest levels of security. Open-source software is open to the world's security experts for inspection. Tutanota differs by strengthening 2FA with U2F.
ProtonMail lets you select an “Encrypt for Outside” option that enables end-to-end encryption between ProtonMail users and non-ProtonMail users. Nothing between you can be read, not even by the creators themselves.
Otherwise, messages are encrypted with TLS (all popular email providers support TLS). These encrypted messages are not end-to-end secured, which means that the provider can read and hand your messages over.
ProtonMail doesn't offer end-to-end encryption on subject lines or recipient/sender email addresses. This means that popular providers who don't offer end-to-end encryption likely retain a copy of emails sent to them.
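The difference between per-hop TLS and end-to-end encryption, and the headers that stay readable either way, can be checked on a received message. The following is an added example, not code from either provider: it assumes an OpenPGP/MIME (RFC 3156) message as the end-to-end format, which this article does not specify, and every host, id and ciphertext in the sample is a constructed placeholder.

```python
import re
from email import message_from_string

# RFC 3848 / RFC 6531 "with" keywords that indicate the hop ran over TLS.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed sample message (hosts, ids and ciphertext are placeholders).
SAMPLE = """\
Received: from mx.sender.example (mx.sender.example [192.0.2.10])
 by mx.recipient.example with ESMTPS id abc123;
 Mon, 01 Jan 2024 10:00:02 +0000
Received: from laptop.sender.example (laptop [198.51.100.7])
 by mx.sender.example with ESMTP id def456;
 Mon, 01 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: Q3 salary review
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(placeholder ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

def audit(raw):
    """Report per-hop TLS use, end-to-end body encryption, and cleartext headers."""
    msg = message_from_string(raw)
    hops = []
    for received in msg.get_all("Received", []):  # newest hop first
        m = re.search(r"\bwith\s+([A-Za-z0-9]+)", received)
        keyword = m.group(1).upper() if m else "UNKNOWN"
        hops.append((keyword, keyword in TLS_KEYWORDS))
    # PGP/MIME (RFC 3156) marks an encrypted body in the top-level Content-Type.
    e2e = (msg.get_content_type() == "multipart/encrypted"
           and msg.get_param("protocol") == "application/pgp-encrypted")
    # These headers sit outside the encrypted part, so every relay can read them.
    exposed = {h: msg[h] for h in ("From", "To", "Subject") if msg[h]}
    return {"hops": hops, "body_e2e": e2e, "exposed_headers": exposed}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

In the sample, the body is end-to-end encrypted, yet one hop ran without TLS and the subject and addresses are visible to every server that handled the message.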
Tutanota takes no chances. For end-to-end encryption between Tutanota users and non-users, the users must exchange a password securely beforehand. This ensures the message can only be read by the intended and verified recipient.
The question is, do you want the hassle of Tutanota's additional password step for extra U2F authentication and a zero-knowledge full-text search? Or are you willing to sacrifice your subject line to enjoy ProtonMail's zero-knowledge calendar and end-to-end encrypted address book?
ProtonMail can be used on the web like regular email. Or you can download the Android or iOS app. As a paid user, you can also install the ProtonMail Bridge app. It runs in the background to encrypt all mail that enters and leaves your computer.
As well as a web version, Tutanota has desktop clients for Windows, macOS, and Linux, and apps for Android and iOS.
If storage is important and you like to keep a backlog of emails, Tutanota's free account has double the storage of ProtonMail's free account.
With that being said, even though ProtonMail’s free account has half the storage of Tutanota, that's still up to 150 messages a day, and it supports third-party clients. Of course, both are 100% ad-free.
Tutanota accounts are available for personal use and business.
Both offer add-ons for extra storage and aliases, with prices starting at €1 per GB each month. Tutanota also lets you build your plan with the features you really want. Just use their pricing calculator on their website to create your ideal subscription.
Technically, you are extremely secure with either Tutanota or ProtonMail. Both use the world's most potent end-to-end encryption methods and zero-knowledge infrastructure, and both keep you secured even amidst non-users. In some specific instances, however, both can be seen to prioritize, for example, storage over secrecy or non-user accessibility over security. The choice really depends on what you value the most. For example, conscious consumers will be pleased to hear Tutanota runs entirely on green electricity.
Remember, encryption is not end-to-end encryption. The former is used by almost every popular email service today, enabling them to keep copies of your emails and potentially pass them on to third parties – depending on the data laws they operate under. Switch to free secure emails instead.