
@WhatsApp
@telegram
@matrix
@protonmail@fosstodon.org
@protonmail@mastodon.social
@Tutanota

Not all of these accounts are official and currently used, but at least matrix@mastodon.matrix.org and Tutanota@mastodon.social are.
I'm convinced all of these services are not secure since they offer a web version, bu.noblogs.org/end-to-end-encr
I wonder whether they would mind replying to this toot, anyway.


@zuz Sure we'll reply, but we'll keep it short: The risk you describe is if someone altered the code to capture your password (man-in-the-middle attack). This risk is minimal, but that is one reason why we highly recommend using the Tutanota desktop clients. The desktop clients automatically check the signature of the code, meaning you can be sure that the code powering your desktop client is exactly the same that is published on GitHub - and which everyone can check: tutanota.com/blog/posts/deskto

@Tutanota what you're omitting now is that the "man-in-the-middle" could very easily be a "man-at-the-source", any insider who has access to your web servers. It's good that you suggest using your desktop clients, but you should simply stop offering access to your services through the web.

@Tutanota by the way, has your JavaScript crypto code ever been audited? And the code of the mobile and desktop client apps? If so, when were they audited? By whom? And when will they be audited again? Is it something you do periodically?

@Tutanota let's pass some time together with this song: clock dva - the connection machine - - yewtu.be/watch?v=xx5ONvV5EyU

@Tutanota
In your answer in this thread you state "This risk is minimal" (it's not, and it's not a man-in-the-middle risk, but a man-at-the-source one), "but that is one reason why we highly recommend using the Tutanota desktop clients", while you don't.
At the very least, I think you should put a big banner on your login and signup pages at tutanota.com stating something like "Web access to our end-to-end encrypted mail services is *not* secure, please use our apps".

@Tutanota still waiting for your answers about this, and about audits of your code.

@Tutanota let's listen to some other songs together, while we wait: "We cut through toxic lies with truth / We breathe" - Breathe - Ministry - - yewtu.be/watch?v=rZ4ZlCCPW8w - Lyrics: genius.com/Ministry-breathe-ly - Chillout version: yewtu.be/watch?v=_7ioE4wRil8
:)

@zuz Thanks for your feedback. To stop access via the web browser is not possible due to user requirements. Tutanota has been externally audited in 2013 (before the initial launch) and we plan to do another audit in the coming years. The open source code can also be audited and we are very transparent if vulnerabilities are being reported: tutanota.com/blog/posts/user-r

@Tutanota
Thank you for replying. The big and unavoidable security hole in web apps like yours and the others I cited in the first toot remains, though, so I think you should put a big banner on your login and signup pages at tutanota.com stating something like "Web access to our end-to-end encrypted mail services is [*not* secure][link to a page explaining why], please use this web app only if you really need to and can't use our apps and desktop clients".

Reality is, if you want privacy, don't use a computer or the internet.

@dirty It's not. You can use Briar, or XMPP with OMEMO, or Signal, or Claws Mail with PGP-mime plugin, and others. These same services I've cited in the first toot could be secure, if they didn't offer access through their websites.

@dirty end-to-end encryption, and encryption in general, can work and does work; the problem I'm reporting has nothing to do with e2e encryption by itself, it's its use through websites that is unavoidably - at the present state of browser technologies - very insecure.

@dirty I know there are means to intercept almost all, if not all, communications of a targeted individual, on the internet or anywhere else (not by cracking well-done cryptography, but by other means); yet they cost a lot of money and they can be legally done only under some circumstances. Here we're writing instead about the "great numbers" of users and the super easy feasibility, for organizations like Tutanota and the others, and their insiders, of intercepting lots of people's communications.

@iooioio
I find your proposal to be a great step in the right direction - more than the proliferation of services-with-their-own-browser-extension -, but I'm thinking about something bigger and more standardized like this, bu.noblogs.org/draft-of-some-h :)
@WhatsApp @telegram @matrix @protonmail@fosstodon.org @protonmail@mastodon.social @Tutanota

@iooioio
I have introduced the idea of a new "secure" attribute for the "<html>" opening tag that simplifies everything, so I had to rewrite a bit of text ;-)
@WhatsApp @telegram @matrix @protonmail@fosstodon.org @protonmail@mastodon.social @Tutanota

@iooioio
I modified the political consideration at the end, since I think that sooner or later the right to privacy would simply be respected by everyone in a liberated world like the one I described in bu.noblogs.org/ultimatum (the English version is coming as soon as I manage to finish it without stressing myself too much :-) )
@WhatsApp @telegram @matrix @protonmail@fosstodon.org @protonmail@mastodon.social @Tutanota

NEBBIA

Nebbia is free, antifascist, antisexist and antimilitarist