❌ Software Removal | Tutanota currently fails the minimum email security qualifications #2277
Reference: privacyguides/privacytools.io#2277
Description
Last year, in September, Tutanota changed DNS providers (blog post) and as a result, the security on their email server changed (https://www.reddit.com/r/tutanota/comments/jqyltu/no_dnssec/gbq55i5).
Today, almost 8 months later, DNSSEC and DANE have still not been reimplemented. The test results of three different sites are linked below.
Hardenize
Internet.nl
MECSA
This conflicts with PrivacyTools' minimum security requirements for an email provider to qualify.
Specifically, these lines:
Why I am making the suggestion
It has been long enough for Tutanota to correct this issue but they have avoided providing a concrete timeline.
January 2021: "This is planned for the coming weeks"
February 2021: "We'll prioritize this now"
April 2021: "Hopefully we will be able to support DNSSEC again"
My connection with the software
Currently have an account and decided to do checks on my providers today.
If that's fine by you - I will post this issue on Tutanota's subreddit and ask for a clarification. If they fail to deliver, indeed we should consider delisting them until further notice.
EDIT: I have contacted them by email. I will update this comment once I get a reply from Tuta.
Thanks for reaching out!
We had to disable DNSSEC due to a DDOS attack on our DNS providers. Re-implementing DNSSEC and DANE is on top of our backlog. Two engineers already started working on this task and I think that we will be able to release it again within the next 3-4 weeks.
Thanks for your understanding!
@mpfau seems like a strange situation, lowering the security because of a DDOS attack isn't very promising. I am not sure what exactly we should 'understand' from this.
It's not about lowering security to mitigate DDoS attacks, it's about DNS changes to mitigate DDoS attacks.
https://tutanota.com/blog/posts/ddos-dns-attack/
Looks like it's configured again. Good to see 👍
MECSA test
Hardenize test