all 7 comments

[–][deleted] 7 insightful - 1 fun (3 children)

CTemplar totally lost all of its client directory and all their emails in July 2021.

It all went downhill for them after that.

[–]raven9[S] 2 insightful - 1 fun (2 children)

Some kind of a cyber attack?

[–][deleted] 5 insightful - 1 fun (1 child)

We recently had a system failure and some of our customers' data was irrecoverably lost.

We truly apologize for that. We cannot restore data from backups because we do not keep backups for security reasons. We will be revisiting that policy in the future. We will be happy to process refunds for anyone regardless of when they created their account.

If you have trouble accessing your account, please contact support@ctemplar.com. If you need help with anything else feel free to reach out to us.

Once again, we apologize for any inconveniences this might have caused.

Respectfully, The CTemplar team

[–][deleted] 1 insightful - 1 fun (0 children)

Did they nuke it under pressure?

[–]Gaydolf_Titler 1 insightful - 1 fun (2 children)

What do you mean by "The security issue was the Android app manager taking screenshots of the unencrypted email while the user reads it"?

You mean the Android app manager takes screenshots of the open app as part of telemetry, or that there was a broken or missing function in Ctemplar that should disable screenshots by other apps through the app manager?

[–]raven9[S] 2 insightful - 1 fun (1 child)

Developers working with apps that handle sensitive information have options they can implement to prevent screenshots of their app from being captured by the app manager. For example, if you are creating encryption keys you don't want a screenshot of those keys to be captured and used in Android's "Recent Apps" menu display, because who knows where else those images might end up. They might even get uploaded to Google for all we know.

So there are ways to prevent that from happening. One is the Android flag FLAG_SECURE, which prevents the app manager from capturing the screen, so it places a blank image in its place in the Recents menu. There are also other, more secure ways of doing that, but they are more complicated to explain so I won't do that here. Either way, most password managers and other security-related apps implement those methods to secure their apps from screen capture.

So when I brought that to the attention of the Tutanota devs, they ridiculed the idea that there was even an issue, even though as developers of an app that is all about security and encryption they damn sure know about the standard security features and practices in Android. They then banned me from their Reddit sub for arguing with them about it, and they just ignored it when I posted about it on the Tutanota site forum. This was all years ago, and to this day if you log into your secure encrypted Tutanota email app on Android and read your email, then look at the Recent Apps menu, you will see a clear screen capture of the email you just read.

So yeah, if you read Tutanota's website and all their claims about privacy and encryption, the only explanation for their blatant refusal to fix such a well-known and fundamental security issue is that Tutanota is a honeypot and they enable Google to use the Android app manager's screen captures to bypass encryption and capture images of their users' decrypted email.

So towards the end of last year, when I noticed the CTemplar devs also had not implemented any screen capture security in their Android app, I notified them directly and they fixed it right away, so the latest version of their app prevents screen captures.
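For anyone wanting to see what the FLAG_SECURE fix discussed above actually looks like in an Android app, here is a minimal Activity that applies it. This is an added illustration written for this thread, not code from CTemplar, Tutanota or any other project; the class name, the layout resource `R.layout.activity_secure_mail` and the `showDecryptedBody` helper are hypothetical. What it shows: the flag is set on the window before the first draw (i.e. before `setContentView`), which is what makes the Recents thumbnail, screenshots and screen recordings of that window come out blank; on Android 13 (API 33) and later `setRecentsScreenshotEnabled(false)` additionally suppresses the Recents snapshot on its own.

```java
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.view.WindowManager;
import android.widget.TextView;

// Added example (not CTemplar's or Tutanota's code): an Activity that reads
// decrypted mail and refuses to let the system capture its window contents.
public class SecureMailActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // FLAG_SECURE must be applied before the window is first drawn,
        // i.e. before setContentView(). Once set, the system treats the
        // window as secure: the Recents thumbnail is blank, screencap /
        // screenshot / screen recording return black for this window, and
        // it is not mirrored to non-secure displays.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);

        // API 33+: independent switch for the Recents snapshot only. Useful
        // if an app wants to allow in-app screenshots but never wants the
        // decrypted view to land in the Recents cache.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            setRecentsScreenshotEnabled(false);
        }

        setContentView(R.layout.activity_secure_mail); // hypothetical layout
    }

    // Hypothetical helper: the decrypted message body is only ever placed in
    // a view that lives inside the secured window above.
    void showDecryptedBody(TextView bodyView, String decryptedPlaintext) {
        bodyView.setText(decryptedPlaintext);
    }

    // If some screen of the same Activity is safe to capture (e.g. an
    // unencrypted settings page), the flag can be dropped for that screen
    // and re-added before decrypted content is shown again.
    void allowCapture(boolean allow) {
        if (allow) {
            getWindow().clearFlags(WindowManager.LayoutParams.FLAG_SECURE);
        } else {
            getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE);
        }
    }
}
```

A quick check that the flag is actually in effect on a given build: open the mail view, then run `adb shell screencap -p /sdcard/s.png` (or take a normal screenshot) and open the Recents menu. With FLAG_SECURE in place the captured image and the Recents tile should both be blank or black; if the decrypted text is visible in either, the flag was set too late or cleared somewhere. The "other, more secure ways" the comment mentions are not described on this page, so nothing beyond the flag itself is shown here.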

[–]Gaydolf_Titler 1 insightful - 1 fun (0 children)

Understood, thanks for taking the time to explain. Good work!

Been using Tuta on LineageOS for about a year, but have been too busy/lazy to spin up a couple of nodes to test email packages like Roundcube or iRedMail. Guess it's time; no one to trust.