The road to open source
Building a service that offers true open source email is very difficult, because many Google services are so convenient for developers that it takes a lot of effort to replace them, namely push notifications on Android and Google's reCaptcha.
Our first step on our road to open source was to publish the Tutanota webmail client as open source on GitHub in September 2014. Since then, hundreds of people have downloaded and built the Tutanota client locally on their device, reported bugs and security weaknesses as well as fixed bugs and added small improvements or helped with our open source translation project.
It's great to have such a vibrant open source community that helps us improve Tutanota constantly!
Why open source is important
We believe that open source is crucial to any security service. Open source guarantees that lots of people can scrutinize the code to make sure no security weaknesses exist within the code. Open source also makes it impossible to sneak an encryption backdoor into the code.
By being open source, we at Tutanota can prove that we actually do what we say: protecting your emails from prying eyes. That's why publishing all Tutanota clients as open source is a must.
In December 2014, we then released the Tutanota Android and iOS apps - as open source as well, of course. We built our own captcha to prevent abusive mass sign-ups without relying on Google's reCaptcha. Lots of email services, even secure ones, rely on Google's reCaptcha, but this was never an option for us.
The hardest part, however, was to replace Google's push notification service, which we originally used for the Android app, with our own notification service. This was necessary for two reasons:
- First, we wanted to release the Android app on F-Droid, and F-Droid does not allow any Google dependencies.
- Second, we wanted to include more information in the push notification, which is impossible when using Google's push notification service as this service can read any data included in the notification.
Finally, we succeeded in building our own notification service.
If you're interested in how we managed to replace Google's push notification service, read this post.
Tutanota - the Google-free email service
With the app release on F-Droid, Tutanota now proves that it is possible to build a secure email service that is completely Google-free, giving people a real open source email alternative to services like Gmail, Yahoo, Hushmail, GMX, Outlook, Fastmail, Posteo, Startmail, Mailbox.org and Protonmail.
Special challenges due to the encryption
Usage on desktops
Due to the encryption, Tutanota cannot be connected with external mail clients via IMAP or POP. Tutanota manages and stores the encryption keys for you. With the help of your password, you can decrypt your keys and then also your data.
This automatic management of encryption keys would not be possible if we enabled integration of Tutanota into external mail clients. For such an integration to work, it would be necessary to decrypt the data before it reaches the external mail client, which would defeat the concept of end-to-end encryption.
Nevertheless, we understand that our users need to be able to handle their emails locally on a desktop and also to connect multiple email services within one client. To fully comply with user expectations while maintaining our high level of security and privacy, we have identified four challenges:
1. Building desktop clients
We built and published the Tutanota desktop clients at the end of 2018. These clients are published as open source and you can even verify the signature after downloading the client. We are now improving and finalizing a few minor features within the Windows, Mac OS and Linux clients before we take them out of beta.
2. Email import
Importing and encrypting large mailboxes into Tutanota takes up a lot of traffic and computing power. Nevertheless, it is understandable that professional users of Tutanota want to import their old mailboxes and secure them within Tutanota.
That's why we have already drafted an import feature which will allow this in a timely manner in the future. Now, we have to build this complex feature and add it to the Tutanota clients.
3. Offline support
When fetching emails via third party clients, e.g. Thunderbird or Outlook, these emails are also stored locally and are available all the time. Emails stored in Tutanota are currently only available when you are online.
However, as everyone needs their emails every now and then - even when no internet connection is present - we plan to add offline availability to the Tutanota clients.
This feature became even more important when Tutanota was under DDoS attack on two weekends this August. Even though we have now improved the DDoS protection method immensely, we understand the need for offline availability and have moved this feature up on our priority list. You can check the roadmap for more details.
4. Conversation view
As most desktop clients as well as webmail providers support conversation view, lots of users are constantly asking for this in Tutanota. We plan to implement a conversation view option in all Tutanota clients so that you can use conversation view in the browser, on your smartphone and with the desktop clients.
Privacy done right
Privacy is at the heart of Tutanota, and as our development steps prove, we never compromise on that. This clear focus on privacy is possible because our founders own 100 per cent of Tutanota. We don't have to justify ourselves to shareholders or any other third party.
To this day, Tutanota has grown organically: With the rising number of paying users, we have employed more developers. So you'll be as excited as we are to hear that in August and September alone, four additional developers have started at our offices in Hanover! And we plan to grow our team even further in the coming months.
All of this has only been possible because of your continuous support. We are very grateful to have such an awesome and loyal user base. We will keep working hard to earn your loyalty.