Hacker News
by delfinom 783 days ago
Tuta is run by absolute morons.

A few years ago, under their other domain, they accused Microsoft of suppressing them in a ranty blog post.

How?

Because their users couldn't sign up for Microsoft accounts using the tutanota domain.

But why?

It wasn't Microsoft suppressing them. The fucking morons created an Azure tenant validated against the domain. The default setting is to then validate all users with said email against the Azure tenant. You can always turn it off, but that is ill-advised for security purposes.

I even validated that their tenant exists on Azure using that domain.

The devil in the details means the morons were using the same domain used by public users for internal corporate usage, which is absolutely fucking insecure to the moon.

Nobody should trust these wankers whose first response is to "blame big tech company" instead of understanding basic cybersecurity and internet. Who knows how they even store your emails. There are plenty of other services that I'll trust before the one that runs around for attention like a toddler.


> The devil in the details mean the morons were using the same domain used by public users, for internal corporate usage which is absolutely fucking insecure to the moon.

Care to explain why this is so insecure?

If I get an email from @tuta.com, how do I know if it's an official staff account, or a member of the public?

That's a great point, but not the point that GP was making. I'd like to learn more about the inherent domain sharing security problem they ranted about.

Edit: This public issue seems to imply they have a way to mark system/admin emails: https://github.com/tutao/tutanota/issues/6708

If you work at the company, how do you know

IAmTotallyCeo@realcompanydomain.com is real or not?

And if you are a service user, how do you know

ISwearIAmCustomerService@realcompanydomain.com is real or not?

Everyone else does it properly.

google.com/gmail.com are not mixed.

microsoft.com/(outlook.com,hotmail.com,live.com) are not mixed.

apple.com/icloud.com are not mixed.

You claimed it was an issue specific to internal usage?

Ah yes, good reminder, it also causes IT hell.

If you register an AD tenant, you can associate a domain with it. When you do this, it means all your Windows accounts are also

something@domain.com

instead of the azure default of

something@tenantname.onmicrosoft.com

It is 100% optional to associate a domain, and it is an explicit action. This to me means they are using the domain on Azure for Windows AD.

Now why is this bad?

Well, Microsoft has two types of accounts "Personal" and "Work/School" accounts. You can create "Personal" accounts against any email address/domain. However, once you register an Azure AD Tenant, the default is to disable registering further personal accounts. The goal is to avoid corporate users leaking work documents to personal non-managed accounts. There is also an option to force merge any existing personal accounts at the verified corporate domain into work accounts.

Say Tutanota, being the geniuses they are, disabled the setting that turns off personal accounts for their verified domain.

Well those IT guys will now have completely worthless audit logs because there'll be constant failed logins from people accidentally selecting "work/school accounts" in the login screen when asked what type of account it is. Not to mention you'll have the reverse of employees accidentally creating personal accounts because some microsoft prompts are weird and may refuse to offer work/school as a login option.
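The check the top comment describes ("validated that their tenant exists on Azure using that domain") and the domain-to-tenant binding explained in the comment above can be reproduced with two unauthenticated Microsoft login endpoints: the `getuserrealm.srf` realm lookup, whose `NameSpaceType` is `Managed` or `Federated` when a tenant has verified the domain and `Unknown` otherwise, and the per-domain OpenID configuration, whose `issuer` carries the tenant GUID. The script below is an added example written for this page, not code from any commenter or from Tuta; the domain names, GUID and the `probe@` mailbox used in the lookup are made-up placeholders, and the sample JSON responses are constructed so the parsing runs offline. One caveat: a verified domain proves only that some tenant claims it, not what that tenant is used for.

```python
"""Check whether a mail domain is bound to an Azure AD / Entra ID tenant.

Endpoints used (both unauthenticated):
  * https://login.microsoftonline.com/getuserrealm.srf?login=<user>@<domain>&json=1
      "NameSpaceType": "Managed" / "Federated" => domain verified on a tenant,
                       "Unknown"               => no tenant has verified it.
  * https://login.microsoftonline.com/<domain>/v2.0/.well-known/openid-configuration
      "issuer" contains the tenant GUID; a non-existent tenant answers HTTP 400.
The SAMPLE_* values are constructed for offline use: field names follow the
live endpoints, the domains and the GUID are placeholders.
"""
import json
import re
import urllib.request
from typing import Optional

REALM_URL = "https://login.microsoftonline.com/getuserrealm.srf?login={login}&json=1"
OIDC_URL = "https://login.microsoftonline.com/{domain}/v2.0/.well-known/openid-configuration"

# Constructed sample: realm answer for a domain verified on a cloud-only tenant.
SAMPLE_REALM_MANAGED = {
    "State": 4, "UserState": 1,
    "Login": "probe@example-mail.test",
    "NameSpaceType": "Managed",
    "DomainName": "example-mail.test",
    "FederationBrandName": "Example Mail",
    "CloudInstanceName": "microsoftonline.com",
}
# Constructed sample: realm answer for a domain with no tenant behind it.
SAMPLE_REALM_UNKNOWN = {
    "State": 4, "UserState": 1,
    "Login": "probe@nobody-here.test",
    "NameSpaceType": "Unknown",
}
# Constructed sample OpenID configuration; the GUID is made up.
SAMPLE_OIDC = {
    "issuer": "https://login.microsoftonline.com/0f3e8c1a-2b4d-4e6f-8a90-1b2c3d4e5f60/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/0f3e8c1a-2b4d-4e6f-8a90-1b2c3d4e5f60/oauth2/v2.0/authorize",
}

_GUID = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


def classify_realm(realm: dict) -> str:
    """Map a getuserrealm response to 'managed', 'federated' or 'no-tenant'."""
    ns = realm.get("NameSpaceType", "Unknown")
    if ns == "Managed":
        return "managed"      # verified domain, authentication done by Azure AD itself
    if ns == "Federated":
        return "federated"    # verified domain, authentication redirected to an IdP (e.g. ADFS)
    return "no-tenant"        # "Unknown": nobody has verified this domain on a tenant


def tenant_id_from_openid(config: dict) -> Optional[str]:
    """Pull the tenant GUID out of the 'issuer' URL of an OpenID configuration."""
    m = _GUID.search(config.get("issuer", ""))
    return m.group(0).lower() if m else None


def _get_json(url: str) -> Optional[dict]:
    """Fetch JSON; a 400 'invalid_tenant' or a network error yields None."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return json.load(resp)
    except Exception:
        return None


def probe_domain(domain: str) -> dict:
    """Live check (needs network): realm type and tenant id for a mail domain."""
    realm = _get_json(REALM_URL.format(login=f"probe@{domain}")) or {}
    oidc = _get_json(OIDC_URL.format(domain=domain)) or {}
    return {
        "domain": domain,
        "realm": classify_realm(realm),
        "tenant_id": tenant_id_from_openid(oidc),
    }


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; swap in probe_domain("<domain>")
    # for a live lookup.
    print(classify_realm(SAMPLE_REALM_MANAGED), tenant_id_from_openid(SAMPLE_OIDC))
    print(classify_realm(SAMPLE_REALM_UNKNOWN), tenant_id_from_openid({}))
```

A `managed` or `federated` realm on a domain that also hands out public mailboxes is the situation the comments above are arguing about: every public user of that domain is, from Microsoft's side, a candidate work/school account of that tenant.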

Would it have been better if they had kept the company name as "tutanota" and called their email service "tuta" on the "tuta.com" domain?

Yeah, that would have been the sane and professional way to do it.