Report on April Availability Issues for Android/Desktop Users
We blocked IP addresses of some of our users by accident and would like to apologize for this.
Library update cause of connection issues
After careful investigation we have now mitigated the issue and can report the root cause.
At Tuta Mail we are dedicated to developing the most secure mail system of all time. One important part of our mission is to keep our implementations and the libraries we use up to date. Between the end of March and the beginning of April, we updated core libraries of our webserver. In the process, a bug was introduced that caused downtime for some users because their IP addresses were blocked by our system.
We have a large automated set of unit and integration tests to make sure that no regression occurs. We also invest a substantial amount of time into manual testing before we deploy new software to our production systems. However, in this case these measures were not enough to prevent the issue.
During the first days of April, a couple of hundred users of our Android app and desktop client were accidentally blocked from accessing the Tuta servers. To the user, this looked like Tuta Mail was offline for hours. While most affected users were still able to log in to their encrypted mailboxes via a different connection, such as mobile data or a VPN, not all users were aware of this workaround.
What happens next
At Tuta we are committed to fighting for the right to privacy, and our core principles guide this mission. We work hard to bring privacy to the masses, and when faced with technical issues, such as those experienced in the last weeks, our emergency response team instantly tackles them head-on.
Commitment to security and availability
When choosing any platform for secure communication it is crucial that the service is available at all times. We have now put into place additional measures that enable us to detect and prevent similar issues in the future. We are fully committed to keeping Tuta’s encrypted email service online and available to all users around the world. The threats to privacy don’t sleep, so neither do we.
Full transparency
At Tuta, we are committed to full transparency and open source software. By releasing our code publicly, we are making Tuta and its entire encryption protocol visible to the eyes of our users as well as to security experts. You can inspect our client code entirely to make sure that we are protecting your data the way we claim to. The transparency of our open source code is strengthened by our company’s choice to communicate as transparently as possible with our users. Every six months we release a detailed transparency report. We also maintain a warrant canary so that you can trust that your data is safe with Tuta.
What is most important is that we are transparent even when making mistakes. We are committed to taking responsibility for our actions and for the performance of our encrypted email platform. The last weeks have been turbulent, but we are working harder than ever to ensure availability for all of our users. We take this responsibility seriously, and for that reason we will be compensating all affected users who are on a paid plan.
Compensating affected users
We are deeply sorry for the inconvenience experienced by affected users. It is not acceptable that Tuta Mail appeared to be offline to hundreds of users.
Unfortunately, this bug was not noticeable immediately. We were only able to understand what was causing the availability issue for affected users after a user had created multiple connections to the server. The bug was also hard to track down because we could not reproduce it initially.
The bug has been fixed since April 6th. To prevent a similar issue in the future, we added additional tests and monitoring to our system.
All affected users who are on a paid subscription will receive compensation, as well as an email informing them about it. The compensation will be granted automatically. Every affected customer will receive a separate notice about this within the next couple of hours.
Thank you for supporting our fight for privacy!