Protonmail strengths not mentioned above: Protonmail launched May 16, 2014 and CTemplar launched September 5th 2018. Protonmail’s added experience in this industry has created a more polished service than CTemplar. Protonmail also maintains the OpenPGPjs library that we use. We are grateful for their contributions and wrote a post about it.
Tutanota’s strengths not mentioned above: Tutanota was the first secure email service to go open source for F-Droid.
- Brute force attacks are only successful when thousands of combinations can be rapidly attempted. CTemplar, Tutanota & Protonmail all disable login attempts when multiple failed password attempts are detected.
- The “Zero-Knowledge Password Proof” involves hashing and salting users’ passwords. You can read a simplified version or the version published by Stanford’s cryptography department. When this technology is utilized, no one is able to know the user’s password except the user. The webmail service only has the user’s hashed password and cannot reverse the hash. Only the user can log into their account.
- Subresource Integrity (SRI) makes it impossible for an attacker to hack you (by serving malicious code) during your website visit. CTemplar was the very first secure email service to enable this functionality. You can read more about it here, or here.
- CTemplar developed a combination of SRI & Checksums that has never been used before. This makes it impossible for CTemplar to hack you (serve you malicious code). You can read more about this in our blog post about it. This makes CTemplar the very first “Zero Access” end-to-end encrypted webmail service provider. We are the first webmail service that can’t access users’ data even if we wanted to.
- The “14 Eyes” are a group of 14 countries that have agreements to share information with each other. Edward Snowden revealed that this agreement results in extensive privacy violations. The majority of privacy experts strongly recommend that you avoid using a service within the 14 Eyes.
- MLAT treaties require broad and all-encompassing cooperation. If the US asks for data from a country with an MLAT treaty then the country must do everything within its power to provide what is requested. The treaty can be utilized to turn your mobile device into a tracking device recording your location. An example of this is the Swiss MLAT treaty which can require a Swiss company to “make every effort to ascertain the whereabouts and addresses” of their users. Countries with MLAT treaties include Belgium, Switzerland, and Canada.
- Users use 2 Factor Authentication (2FA) to provide greater security for their accounts. Some email services, like Protonmail, maintain backdoor access to all users’ 2FA. They provide this as a service so they can restore access to users’ accounts if a user loses 2FA.
- Users who log into their account will be shown an “Anti-Phishing Phrase”. If you log into your account and you do not see that phrase then you know that you have logged into a fake website that is trying to steal your account. When a user notices the absence of this phrase they should visit “www.ctemplar.com” and change their account’s password immediately. CTemplar is the first to offer Phishing Protection.
- Protonmail and CTemplar both accept Bitcoin. Tutanota does not. Bitcoin is NOT anonymous. CTemplar is the only email service that accepts payment using the most anonymous currency, Monero (XMR). Currently, we are only accepting Monero (XMR) payment via email. After the user sends the Monero, the user’s account will be credited & upgraded. Some services allow paying with cash through the mail. However, this can be problematic with recent developments in tracking physical mail.
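
The Subresource Integrity check mentioned in the list above, sketched as an added example (not CTemplar's code): it builds an `integrity` value for a script and verifies a fetched body against it, using only the strongest algorithm listed. The sample script bodies and the function names `sriFor`, `parseIntegrity` and `sriMatches` are constructed for illustration.

```javascript
// Added example: the SRI comparison, reproduced with Node's crypto module.
const nodeCrypto = require('crypto');

// Strength order used when an integrity attribute lists several algorithms.
const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };

// Build an integrity value ("sha384-<base64 digest>") for a resource body.
function sriFor(body, alg = 'sha384') {
  return `${alg}-${nodeCrypto.createHash(alg).update(body).digest('base64')}`;
}

// Parse an integrity attribute into {alg, digest} entries; unknown tokens are skipped.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/).map((tok) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/=_-]+)(\?.*)?$/.exec(tok);
    return m ? { alg: m[1], digest: m[2] } : null;
  }).filter(Boolean);
}

// True if the body matches any digest of the strongest algorithm listed.
// An attribute with no usable entries imposes no check, as in the SRI spec.
function sriMatches(body, attr) {
  const entries = parseIntegrity(attr);
  if (entries.length === 0) return true;
  const best = Math.max(...entries.map((e) => STRENGTH[e.alg]));
  return entries
    .filter((e) => STRENGTH[e.alg] === best)
    .some((e) => {
      const actual = nodeCrypto.createHash(e.alg).update(body).digest();
      const expected = Buffer.from(e.digest, 'base64');
      return expected.length === actual.length &&
        nodeCrypto.timingSafeEqual(expected, actual);
    });
}

// Constructed sample: the script a page was built with, and a modified copy.
const original = Buffer.from('console.log("mail client v1");\n');
const tampered = Buffer.from('console.log("mail client v1");/*changed*/\n');
const integrity = sriFor(original);
console.log(integrity, sriMatches(original, integrity), sriMatches(tampered, integrity));
```

The check covers only resources whose tags carry an `integrity` attribute; the HTML document that delivers the attribute is not itself covered by SRI.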