Update on the continuous DDoS attack on Tutanota.

Tutanota keeps being attacked - together we must fight for our right to privacy.

This weekend continuous DDoS attacks and an infrastructure issue led to downtimes for hundreds of users. While we were able to mitigate most of the DDoS, an overreacting IP-block to fight the attacks led to hundreds of users not being able to access Tutanota for multiple hours this Sunday. We deeply apologize for this mistake; it has now been fixed. Here we want to quickly explain why we have to build the DDoS mitigation ourselves, how the progress is so far, and what you can expect as next steps. Thank you very much for supporting our fight against the attackers and for our right to privacy!


Focus on privacy & security

Why we are building the anti-DDoS measures ourselves

Tutanota focuses on privacy and security. During the recent weeks of continuous DDoS attacks against Tutanota, many users have suggested that we use a different service to mitigate the DDoS attacks.

We are already collaborating with the German DDoS mitigation service, Link11, which is protecting Tutanota from low-level volume attacks by re-routing encrypted traffic through them.

For the DDoS mitigation service Link11 is providing, they do not need access to our SSL certificates. So far, we have succeeded in mitigating DDoS attacks without sharing our SSL certificates, and we plan to continue to do so in order to protect your privacy. This involves building protection measures against high-level attacks on the application ourselves.

That’s one of the main challenges for a privacy-respecting service when fighting DDoS attacks.

Progress of our anti-DDoS measures

So far we have made huge improvements to the Tutanota infrastructure. We are now able to mitigate DDoS attacks much faster.

This weekend, however, we have made a mistake when improving the DDoS mitigation system. This mistake led to an overreaction of the anti-DDoS system, which then led to IP blocks of multiple normal users. As a consequence, hundreds of users were not able to access Tutanota last Sunday, even though Tutanota was online and accessible to most.

We deeply apologize to the affected users. We have now fixed the issue.

Status of anti-DDoS measures

In general, despite the setback on Sunday, our DDoS mitigation has improved a lot. We are now able to mitigate most attacks within short times.

While the DDoS attacks are a nuisance to us, we see that they only affect a very small portion of our millions of users. Nevertheless, we deeply apologize to the users affected, and we will keep fighting the attacks.

We are confident to be successful continuing on this path, and thank you for your continuous support.

We will also stay true to our credo to never give in to any attacker. And we will never pay any ransom.

Instead, we will invest all support in growing our team to make Tutanota even stronger in the future.

We are very glad to see that most users support our values and principles, and stick with us despite the attacks. We thank you so much as only your support enables us to follow the path we have chosen: Fight for your right to privacy - no matter what!

Development plans

We would also like to share some development updates with you:

While implementing DDoS mitigation measures, we have also improved speed. Please log in to your mailbox now, and enjoy how blazingly fast we’ve made Tutanota!

Currently, we are still working on improving our DDoS mitigation system. In parallel, two developers are continuing to work on future-proofing Tutanota by implementing quantum-secure algorithms in Tutanota. With this project, we are close to finishing a first prototype, which we will present soon.

For this week, we have also planned to kick-off our development project for offline support. This is a complex project and will take some time to implement. However, you will be glad to know that offline support now has highest priority.

If you have further questions about the recent DDoS attacks and how this might affect you, please check this post.