Software Removal | Tutanota currently fails the minimum email security qualifications #2277

Closed
opened 2021-05-01 22:12:34 +00:00 by idunno101 · 5 comments
idunno101 commented 2021-05-01 22:12:34 +00:00 (Migrated from github.com)

Description

Last year, in September, Tutanota changed DNS providers ([blog post](https://tutanota.com/blog/posts/ddos-dns-attack/)) and as a result, the security on their email server changed (https://www.reddit.com/r/tutanota/comments/jqyltu/no_dnssec/gbq55i5)

Today, almost 8 months later, DNSSEC and DANE have still not been reimplemented. The test results of three different sites are linked below.
[Hardenize](https://www.hardenize.com/report/mail.tutanota.de/1619904014#domain_dnssec)
[Internet.nl](https://internet.nl/mail/tutanota.com/523036/#control-panel-4)
[MECSA](https://mecsa.jrc.ec.europa.eu/en/finderRequest/bc24b0eca2de5766620ad7bfd049980c)

This conflicts with PrivacyTools' minimum security requirements for an email provider to qualify.
Specifically, these lines:

  • DNSSEC support
  • Valid DANE records

Why I am making the suggestion

It has been long enough for Tutanota to correct this issue but they have avoided providing a concrete timeline.
[January 2021: "This is planned for the coming weeks"](https://www.reddit.com/r/tutanota/comments/kon6x7/dnssecdane/ghtavzk/)
[February 2021: "We'll prioritize this now"](https://www.reddit.com/r/tutanota/comments/ll8lpu/dnssecdane/gnzysex/)
[April 2021: "**Hopefully** we will be able to support DNSSEC again"](https://www.reddit.com/r/tutanota/comments/mzqtau/mail_done_right/gw2lhlb/)

My connection with the software

Currently have an account and decided to do checks on my providers today.

  • [X] I will keep the issue up-to-date if something I have said changes or I remember a connection with the software.
TrashPandaCodingGarbage commented 2021-05-03 11:37:46 +00:00 (Migrated from github.com)

If that's fine by you - I will post this issue on Tutanota's subreddit and ask for a clarification. If they fail to deliver, indeed we should consider delisting them until further notice.

EDIT: I have contacted them by email. I will update this comment once I got a reply from Tuta.

mpfau commented 2021-05-03 13:44:39 +00:00 (Migrated from github.com)

Thanks for reaching out!

We had to disable DNSSEC due to a DDOS attack on our DNS providers. Re-implementing DNSSEC and DANE is on top of our backlog. Two engineers already started working on this task and I think that we will be able to release it again within the next 3-4 weeks.

Thanks for your understanding!

ph00lt0 commented 2021-05-03 13:53:41 +00:00 (Migrated from github.com)

@mpfau seems like a strange situation, lowering the security because of a DDOS attack isn't very promising. I am not sure what exactly we should 'understand' from this.

rusty-snake commented 2021-05-03 14:05:27 +00:00 (Migrated from github.com)

> seems like a strange situation, lowering the security because of a DDOS attack isn't very promising

It's not about lowering security to mitigate DDoS attacks, it's about DNS changes to mitigate DDoS attacks.
https://tutanota.com/blog/posts/ddos-dns-attack/

idunno101 commented 2021-07-12 02:48:30 +00:00 (Migrated from github.com)

Looks like it's configured again. Good to see 👍

[MECSA test](https://mecsa.jrc.ec.europa.eu/en/finderRequest/59c1007626155632356f41f4371e4e17)
[Hardenize test](https://www.hardenize.com/report/mail.tutanota.de/1625705816#email_dane)

> DNSSEC is well configured
> Valid DANE configuration
Reference: privacyguides/privacytools.io#2277