TypeScript Webmail client Projects

• Tutanota makes encryption easy

  467 5,756 9.9 TypeScript

  Tuta is an email service with a strong focus on security and privacy that lets you encrypt emails, contacts and calendar entries on all your devices.

  

Project mention: Show HN: TutaCrypt, post-quantum encryption protocols for securing emails [pdf] | news.ycombinator.com | 2024-03-18

Hi HN, we are the developers from Tuta (formerly Tutanota), the German end-to-end encrypted email provider, and we recently released the world's first post-quantum encryption for email.

We have included a full technical write-up of the cryptography involved in these changes and we have released it for open public review.

This document specifies TutaCrypt, a protocol designed for hybrid email encryption in Tuta Mail. The protocol combines a classical Elliptic-Curve-Diffie-Hellman key exchange with a post-quantum KEM. The goal is to replace the usage of RSA in Tuta Mail.

In the remainder of this document we describe some preliminaries such as the cryptographic primitives used. We define the core algorithms of the protocol and describe the flow of messages between the communicating parties. Finally, we discuss the security properties and some limitations of the protocol in its current form.

We are eager for your constructive feedback. All cryptography related source code is available for review and experimenting here: https://github.com/tutao/tutanota/blob/master/src/api/worker...

If you have any questions or comments related to post-quantum cryptography please let us know in the comments!

• ProtonMail Web Client

  181 4,125 10.0 TypeScript

  Monorepo hosting the proton web clients

  

Project mention: Proton Mail Discloses User Data Leading to Arrest in Spain | news.ycombinator.com | 2024-05-07

> Is this password-derived key the "account key" which I see in the Proton Mail settings interface?

No, the account key is an OpenPGP key which is encrypted with a key derived from your password. The "key encryption key" is not separately visible. The address keys are in turn encrypted using the account key.

> Please clarify what key derivation function is being used.

We use bcrypt, in addition to the OpenPGP S2K (i.e. the bcrypt output is fed as the "password" to OpenPGP's key encryption).

We are in the process of rolling out OpenPGP.js v6, which supports Argon2 for the OpenPGP S2K step, after which we'll start using that - but we aren't quite yet.

> Are there instructions for verifying that all this is happening? I think a lot of folks on HN won't be convinced otherwise.

Take a look at https://github.com/ProtonMail/WebClients/blob/main/packages/..., for example. Though to be honest, if you want to verify that we aren't sending the password to the server anywhere, in principle you'd have to check the code of the entire web app. It's all open source, but it's a lot of work, of course. But you can also check the latest audit report: https://proton.me/blog/security-audit. They also verified all of this stuff.

> It's just that I'm going to create an OpenPGP identity for things like signing code commits on git, signing packages I publish. (...) So I was really hoping to be able to use Proton Mail with this identity instead of the key pair that's generated for the account.

Yeah, I understand. Though, the typical advice from a cryptographer's perspective would be, it's better to use separate keys for separate purposes; and the simplest way to do that is to generate separate OpenPGP certificates, so that's what we'd generally recommend. But, if you want to generate separate subkeys and sign them all using a common primary key, that's also reasonable enough. And, we can improve the documentation on that, although it's a bit of a niche use case (not for HN of course, but for the general audience it is).

> Thanks for reaching out here on HN. I've been a really happy Proton Mail customer and now I'm even happier.

Thanks, glad to hear! :)

• SurveyJS

  surveyjs.io featured

  Open-Source JSON Form Builder to Create Dynamic Forms Right in Your App. With SurveyJS form UI libraries, you can build and style forms in a fully-integrated drag & drop form builder, render them in your JS app, and store form submission data in any backend, inc. PHP, ASP.NET Core, and Node.js.

  

TypeScript Webmail clients related posts

• Proton Mail Discloses User Data Leading to Arrest in Spain

  1 project | news.ycombinator.com | 7 May 2024

• Show HN: TutaCrypt, post-quantum encryption protocols for securing emails [pdf]

  1 project | news.ycombinator.com | 18 Mar 2024

• How to Escape Gmail

  1 project | news.ycombinator.com | 11 Mar 2024

• secret storage

  1 project | /r/tutanota | 11 Dec 2023

• Please move away from Amazon for Tuta's Domain Name System

  1 project | /r/tutanota | 8 Dec 2023

• Apple and Google Monitor Notifications. We Need Push Notification Alternatives

  1 project | news.ycombinator.com | 8 Dec 2023

• Change current email from Tutanota to tuta

  1 project | /r/tutanota | 5 Dec 2023
• A note from our sponsor - SaaSHub
  www.saashub.com | 10 May 2024

  SaaSHub helps you find the best software and product alternatives Learn more →

Index

Sponsored

SaaSHub - Software Alternatives and Reviews

SaaSHub helps you find the best software and product alternatives

www.saashub.com

Do not miss the trending TypeScript projects with our weekly report!