- cross-posted to:
- [email protected]
- [email protected]
- canada
A storefront, said Ortis, is a fake business or entity, either online or bricks-and-mortar, set up by police or intelligence agencies.
The plan, he said, was to have criminals use the storefront — an online end-to-end encryption service called Tutanota — to allow authorities to collect intelligence about them.
Tutanota (now Tuta) denies this: https://tuta.com/blog/tutanota-not-a-honeypot
Why not?
Who is accusing them of this and what is the accuser’s reputation? According to this article, one Canadian official was told by someone that they had a PLAN to use Tutanota in a malicious way, but there’s not even an accusation that anything ever happened. https://cyberwarzone.com/is-tutanota-a-honeypot-for-intelligence-agencies/
Tutanota’s reply: "Hi there, these allegations are absolutely false. Tuta was founded in 2011 by Arne Möhle and Matthias Pfau who knew each other from studying together at FHWD university in Germany. To this day, the company is wholly owned by Matthias and Arne, and is not liable to anyone else.
The Tutao GmbH is not owned by any secret service, nor is it a “storefront” as claimed by Cameron Ortis. These allegations are completely untrue.
With offices in Germany we only respond to valid warrants issued by German courts. You can read more on this in our Transparency Report: https://tuta.com/blog/transparency-report
In addition, Tuta is open source and the entire client code is published on GitHub. Thus, everyone can inspect the code and verify how the end-to-end encryption in Tuta works and that there are no backdoors hidden in the code."
One can freely share “good” source code while actually using something different, which might be an intrinsic problem of an “open-source” web service. Plus, one has no reason to believe that the service has never been compromised: someone might have a backdoor that Tuta itself is unaware of.
I’d like to believe that Tuta is not evil, but ultimately that’s anyone’s guess. I’d recommend true e2e (local-to-local) such as PGP, rather than trusting a middle-man e2e provider.
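An added example, not from this thread and not Tuta's own tooling, of the check the comment above implies: comparing the files a web client actually serves against a manifest of hashes produced from a reproducible build of the published source. File names, contents and the manifest are constructed for illustration.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Map each file path to the SHA-256 of its contents.
    This is what a reproducible build of the published source would yield."""
    return {path: sha256_hex(body) for path, body in files.items()}


def verify_served_client(published: dict[str, str], served: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare the served files against the published manifest.
    Reports files whose hash differs, files the server omitted, and files
    the server added that the published build does not contain."""
    served_hashes = build_manifest(served)
    mismatched = sorted(p for p in published if p in served_hashes and served_hashes[p] != published[p])
    missing = sorted(p for p in published if p not in served_hashes)
    extra = sorted(p for p in served_hashes if p not in published)
    return {"mismatched": mismatched, "missing": missing, "extra": extra}


# Constructed sample data (hypothetical file names and contents, not a real client).
RELEASE_FILES = {
    "app.js": b"export function encrypt(msg, key) { /* client code */ }",
    "crypto.js": b"export const kdf = (pw) => derive(pw);",
}
# A served copy in which one file was altered and one unexpected file appeared.
SERVED_FILES = {
    "app.js": RELEASE_FILES["app.js"],
    "crypto.js": b"export const kdf = (pw) => derive(pw); // modified",
    "extra.js": b"// not present in the published build",
}
PUBLISHED_MANIFEST = build_manifest(RELEASE_FILES)

if __name__ == "__main__":
    print(verify_served_client(PUBLISHED_MANIFEST, SERVED_FILES))
```

A clean result only shows that the served client equals the published build; it says nothing about the server side, which is why the comment still prefers local-to-local encryption such as PGP.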