Explanation of the recent DDoS attacks and why we do not use third parties for mitigation.
Protecting against DDoS attacks is an integral part of our engineering practice, and we architect and design our systems so that attack surfaces are minimized.
Why we have to mitigate attacks ourselves
While we co-operate with partners to mitigate attacks that focus on bandwidth, such as large-scale reflection attacks, we do this in such a way that we keep full control of our users’ data. This is different - and much more privacy-friendly - than what most of our competitors are doing:
Mitigating DDoS attacks is a lot easier if you let third parties decrypt and inspect your traffic on their servers in a so-called scrubbing center. As an alternative, some of our competitors feed decrypted traffic into closed-source third-party appliances (black boxes). But both methods mean losing control over customers’ data.
This is not an option for us at Tuta: You trust us to keep your data confidential, and that’s why we have to fend off DDoS attacks without the help of third-party appliances. We are talking about very sensitive data like IP addresses and access tokens, which would allow the third party to impersonate users and even delete users’ data. It would also allow the third party to keep track of which IP addresses are assigned to which user ids - in other words: third parties would know what IP address belongs to what email address.
So, as we at Tuta prioritize your privacy under all circumstances, using third-party appliances is not possible.
What happened
At Tuta, we mitigate DDoS attacks on our own in order to protect our users’ data as well as possible. But keeping this high level of confidentiality and security comes at a cost. We have to mitigate DDoS attacks on our own, and we also invest a substantial amount of our available engineering time into implementing mitigations against DDoS attacks. We get attacked very often, and usually our users don’t notice that we were attacked, as we mitigate almost all attacks with zero downtime.
This was different at the beginning of December. All in all, we suffered a downtime of 2.5 hours spread across five days. The longest downtime was 80 minutes. We are very sorry about this inconvenience. We understand that this is not acceptable, so during those five days we were not just focused on mitigating the attacks but also on improving our mitigation measures.
We found that a bug had been introduced three weeks earlier. This bug caused the automated mitigations to not work as smoothly as before; it was fixed right away. We also drastically improved two other mitigations against DDoS attacks from large-scale botnets, so that we now detect and block those botnets within seconds. In fact, we ourselves did not even notice the last couple of attack waves on our own servers, as the mitigations worked so well that even the server load stayed in a completely normal range. This also means that you - our users - did not notice these attacks either. This is how it should be, and we are very happy about this achievement!
With all these improvements, we now have very good measures in place and block all kinds of attacks from volumetric reflection to distributed botnet attacks.
Does that mean that Tuta is not vulnerable to DDoS attacks anymore? Unfortunately, the answer is no. We want to be completely honest here: We do a lot not only to build the most secure email and calendar service with quantum-safe encryption, we also invest a lot into maintaining a zero-knowledge architecture and into owning our entire tech stack. By keeping full control over our servers, our infrastructure, and the software we use, we can best protect your data and your privacy - including your IP address. As explained, this makes things more difficult for us, but data protection much better for you. So while our systems are now well capable of fending off all sorts of attacks, it’s always possible that some attacker comes up with new attack vectors in the future.
But even if they do, we know that we are capable of improving our mitigations quickly and adequately.
Big thanks to the community
We at Tuta are very thankful for our excellent team that takes care of mitigating those DDoS attacks. And we are even more thankful for our excellent community that sticks with us and even says so on Reddit.
As always, we must say: We wouldn’t be here without you, and your support means the world to us! Combined with your support, we will come out of this even stronger than before! 💪💪💪
❤️ Thank you very, very much! If you want to show us some love during these difficult times, feel free to donate or upgrade your account. ❤️
Even if someone does not want you to use secure and private email, we will keep fighting for your right to privacy.
Here we also want to answer the most frequent questions put to us via social media and email:
Is my data secure?
Yes, all data in Tuta is securely encrypted and can’t be accessed by anyone - not even by us.
What happened to my emails during DDoS?
Emails received during the DDoS attacks were queued and delivered later.
Did someone hack Tuta?
No, the attackers never hacked the Tuta servers or gained access to any data stored on our servers. No data was breached.
Do I need to change my password?
No, changing the password is not necessary. Tuta stores only hashes of passwords. It is impossible to derive the actual password from this hash. Thus, no one can know your password, not even we at Tuta. To protect your password, we use Argon2.
Offline availability
Tuta Mail and Tuta Calendar can be accessed when offline if you are on any of our paid plans, within the Tuta mobile apps on Android and iOS as well as within the desktop clients for Linux, Windows, and macOS. We also plan to enable write access when offline, so that you can draft messages to send later. As we are planning our roadmap for 2025 right now, we will definitely make offline write access a priority.