Tutanota: webmail or Android client

Both the webmail and Android client of Tutanota seem to perform about the same.
Are there any privacy/security perks of using one over the other?

Yes, there are differences.

Short: Use the Android client.

Not too long: Use the Android client because in webmail, the JS used to hash your password during logins or encrypt your emails can be updated without you knowing (by you just reloading the page). On the Android client (or any other native app) however, you manually need to install the update.

If the service you use has even the slightest of encryption, you ideally must never use the website to log in or do any kind of operations regarding your account (such as with Bitwarden as well).


Thanks, you perfectly answered my question😊

I also stick w/ the Android version.

Genuine question: What do you mean by the JavaScript can be updated without you knowing? Do you mean as in the JavaScript that makes up the app may update to a new version without you knowing? If so, why would that be a problem for encryption?

Say for instance, when you log in, the browser doesn't send your password in clear text. It hashes it with the code provided from the website. This ensures the website cannot see your password. It can be updated to be malicious and let the server view your password (and keys for that matter. That is why E2EE on browsers should be avoided). It does not matter with normal websites because there, passwords are only for authentication, which if you have access to the server, you can bypass. However, with Tutanota, Bitwarden, Protonmail, etc. there is encryption involved.

It is one of my worries about Bitwarden. It requires you to use the web vault in order to change your master password, enable 2FA, buy premium, and perhaps some other features, when you can totally do them with the client on other apps.

Fwiw, I consider everything I enter in the browser to be known by the company/person running the server… because I honestly would not check the JS every time I load the site to see if it does what it's supposed to (and fwiw again, I do check pretty much most apps I use for what changed in their changelog and commits most of the time :d).


This is why I stopped using cloud-based password managers such as 1Password and Bitwarden. KeePass is the way to go IMO…

