What is a tech stack and how Tuta makes sure it's secure

Open Source audited technologies and self-built solutions give the Tuta team full control over their tech stack - an important factor when it comes to security.

A computer screen with a logo of React on it, a library used in many tech stacks.
Privacy and security is only as strong as the weakest link. That's why at Tuta we make sure to have full control over our tech stack. By only using open source technologies and tooling we can provide transparent trustworthy security. If a pre-built tool doesn't exist as open source, then we roll up our sleeves and build our own. But why is this investment into our technology stack worth it? And how does it improve your security? Let me explain!

What is a tech stack?

Nothing exists in isolation. This applies to the natural world, language, people, and software.

In technology, this is very true as well. Even though the average internet user will think “Hey, I’m using Gmail so Google owns this product, and Google makes sure it is safe” – this is not the case entirely. Any product is build with a technology stack which comprises of programming languages, tools, utilities, libraries, and frameworks that are required to build this software application. The app provider (here: Google) might own and build some of these themselves, but they will always rely on third-party tech stack as well. This is just how the online world is made up.

The same is true for your browser that you are currently using to read this article:The software running in your browser right now is not a single entity, but it is composed of smaller bits of codes, implementations of utilities and libraries, and software frameworks. If all of these unique elements come together in the form of a final software product, that product can only be said to be as secure as its weakest part. For example, if there is a major vulnerability in a crucial library used by some software, this vulnerability will compromise the overall security of that software. One example that shows the significance of securing all parts of a software is the XZ backdoor: We narrowly avoided one of the worst security incidents in the recent past with the discovery of the XZ vulnerability that was about to infect several Linux distros, but got caught beforehand due to the open source nature of the XZ code.

In order to mitigate the risk for such vulnerabilities, at Tuta we only make use of audited open source tooling. This allows us to personally review any and all code that is being used to build our encrypted email service. In the cases where we are unable to find the necessary open source technology needed to solve a given problem, we develop our own. Of course, all client-side parts of these creations are also published fully open source in order to make all code available for public security review and discussion. Privacy and trust can only prosper through transparent solutions.

How it's made: Tuta!

At Tuta, we are not interested in needing to import a vast number of bloated libraries or using closed source software. We provide a solution which exactly fits to the needs of our apps, without adding extra baggage to our tech stack.

While many email services rely on third-party tech to build their own products such as Postfix, Dovecot, Roundcube and similar ones, one must be aware of the fact that every time a third-party application is used – particularly when it’s closed source, it becomes more difficult to secure said product. Just think about the earlier example of the XZ vulnerability – these things happen in closed source code as well, but can not be easily spotted and mitigated there.

That’s why we at Tuta focus on open source: We have built our entire clients - web, Android, iOS, and all desktop clients - on our own and published them as open source.

One main differentiator of Tuta Mail to basically any other email provider in the world is that we build all major parts of our encrypted solutions ourselves. Besides that, we make sure that the open source tools Tuta does rely on are safe and do not contain any vulnerabilities: We regularly commence internal security reviews of all tools used in Tuta as well as of our own clients, for example when we pushed our desktop clients out of beta.

Only with open source - of our own clients as well of the software, libraries, and frameworks that we selectively choose to include in our technology stack - tech-savvy people can audit the code and verify that Tuta is doing what we promise: Protecting your private emails, calendars and contacts with quantum-safe cryptography.

Open source solutions we are proud of

One of our solutions in Tuta that we are particularly proud of is our own custom built push notification service!

A Google-free push notification service

The world's most popular push notification service is Google's Firebase Cloud Messaging (FCM) service – for which we need alternatives to break Google’s monopolistic power. In Google's own words "Firebase Cloud Messaging (FCM) is a cross-platform messaging solution that lets you reliably send messages at no cost." But we have all learned that if Google is offering something for free, then it means that your data is the true hidden cost of admission. By having developed our own fully open source push notification service we can ensure that your email notifications in the Tuta Android app are delivered securely - and without leaking any private information to Google. This is not the case if we were to add Google's FCM service to our mobile tech stack.

By implementing our own notification service to the Tuta tech stack we can completely avoid leaking any information to Big Tech companies like Google. Other services which are using FCM are passively exposing user data to the snooping eyes of companies seeking to sell this data.

A truly private captcha

In order to balance preventing abusive signups and not sharing any information with Google, we have also implemented our own custom open source captcha to the web application tech stack. This captcha helps us combat automated bot account creation by verifying that there is a human behind the keyboard. This captcha is especially relevant for users who are creating anonymous accounts through the Tor browser. When using Tor, a successful captcha verification will always be required by Tuta before an account will be created.

To no one's surprise, Google also provides their own proprietary reCaptcha service for free, but again it comes at the cost of exposing user data. For us that makes it an unacceptable anti-bot solution. Currently in its third iteration, the Google reCaptcha has been criticized for tracking users across the web through tracking cookies. The reCaptcha v3 also ranks user behavior as more or less botlike. If you are logged into a Google account when visiting a site using the reCaptcha service, it will wave you along like an honored guest. It does seem odd to assume that Google accounts are never bot operated; after all a large percentage of global spam emails are sent through Gmail accounts. If you are using a VPN or the Tor browser or are taking steps to avoid tracking cookies, Google will rank you as being more "botlike" and you may need to process these captchas more often.

At Tuta, we don't want to make any of this information available to Google or other Big Tech companies. Our custom captcha can be easily solved by a human, stumps bots, and doesn't share any information about you. In cases of Tor browser signups the captcha is mandatory, but does not share any information about the user with external parties. It only confirms with our servers that you are a human who is interested in protecting their privacy.

The Tuta Blob Store

Another behind-the-scenes solution which we have built for our infrastructure is the development of our own Tuta blob storage. By developing our own blob storage solution, we have implemented an optimized means of storing encrypted attachment data as well as encrypted mail bodies without bogging down our own database. By building an open source blob storage we are able to be using a storage platform that fits the exact needs of our backend. The Tuta blob store is built from the ground up including low-level hard disk and Linux kernel integration.

By utilizing blob storage as opposed to standard file storage we are able to efficiently store encrypted data in a distributed manner which keeps your data securely stored on at least 3 separate hardware instances. This allows for layers of redundency which protect your data from the unlikely event of hardware failure. By using a distributed data storage solution, we can also increase the overall performance of our service by increasing the number of possible writes at any given time.

In addition to the security and efficiency provided, the blob store also includes an extensive testing suite so that we can properly review and test any changes that impact the storage of encrypted data.

The Tuta blob store may not be a flashy new user facing feature, but it greatly boosts the performance, security, and efficiency of Tuta. This is especially important when moving forward with the introduction of Tuta Drive!

Tuta's post-quantum hybrid protocol vs PGP

Tuta's world-first quantum resistant encryption for email could be the greatest example of how we are creating a better and more private tech stack. Rather than relying on PGP which has a number of weaknesses and doesn't encrypt as much data as is technically possible, we have moved forward together with cryptography experts from the University of Wuppertal to develop and implement Tuta Crypt. Tuta Crypt is publicly available for review and has undergone cryptanalysis by cryptography and security professionals.

Tuta Crypt combines the publicly available cryptographic algorithms such as Kyber in combination with AES 256 and ECDH x25519 in a hybrid protocol to protect your emails, shared calendars and contacts with quantum-safe encryption. This approach allows us to provide Tuta users with the greatest possible security and the ability to pursue new goals faster, like "Perfect Forward Secrecy". The OpenPGP project is also working towards post-quantum encryption, but their solution is still in development. In the meantime, this means that emails encrypted with PGP are still susceptible to the "Harvest now, decrypt later" tactics employed by three-letter intelligence agencies around the world.

Transparency is a cornerstone of privacy.

In order to provide you with the best possible security, we transparently make our code available on GitHub where anyone can review it. Not only does publishing our code transparently allow for additional security review, but it strengthens the trust. Tuta is built by open-source enthusiasts who are working hard to make the internet a safe and open space for everyone. The tortoise always beats the hare, and by taking our time and always putting security first, Tuta continues to bring privacy to the masses, one step at a time.

Don't settle for less secure solutions, create your free quantum resistant Tuta account today!

Stay safe and happy encrypting.