Anyone looked at it with Fiddler?
So in taking a passive look with Fiddler (which the site does not complain about - such does mail.google.com):
SSL on Welcome page:
Secure Protocol: Tls
Cipher: Rc4 128bits
Hash Algorithm: Sha1 160bits
Key Exchange: RsaKeyX 2048bits
Note: The above cert was purchased after app.tutanota.com's cert, which is AES. Though it did try to negotiate TLS/1.2 ... (Firefox and all).
Missing header elements like:
X-Frame-Options, Content Security Policy (Src, Script Src, Obj Src), anti-mime sniffing and XSS Protection directives.
Spotty Cache-Control, esp. with JSON, which contains Symmetric and Pre-Shared Keys... though I will not try to speak to their encryption practices.
404 error shows that Jetty is in use, and though it could be fake, Apache/2.2.22?
Why would they use the URL for to/from email addresses? Those get stuff into logs.
GET request: /--SNIP--2mailAddress%22%3A%22awood495%40yahoo.com%22%7D--/snip-
POSTs are not redirected.
And some of the stuff on their site is large - non-min'd JS, pics, etc. Bandwidth is cheap, unless you live where it is not.
I could go on, but there could be some tightening of this site.
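As an added example (not part of the original post or of the site under discussion): a small checker that audits one response's headers for the items the post lists, run over constructed header sets rather than captured traffic.

```python
# Added example, not from the original post: audit one HTTP response's headers
# for X-Frame-Options, a CSP with default/script/object-src, anti-MIME-sniffing,
# X-XSS-Protection, and Cache-Control on JSON. Sample headers are constructed.
from typing import Dict, List

# The three CSP directives the post names.
REQUIRED_CSP_DIRECTIVES = ("default-src", "script-src", "object-src")

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response; header names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    if "x-frame-options" not in h:
        findings.append("missing X-Frame-Options (clickjacking)")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        for directive in REQUIRED_CSP_DIRECTIVES:
            if directive not in parse_csp(csp):
                findings.append(f"CSP lacks {directive}")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "x-xss-protection" not in h:
        findings.append("missing X-XSS-Protection")
    # JSON carrying key material must not be cached by browsers or proxies.
    if h.get("content-type", "").lower().startswith("application/json"):
        if "no-store" not in h.get("cache-control", "").lower():
            findings.append("JSON response without Cache-Control: no-store")
    return findings

# Constructed samples: a weak JSON response and a hardened one.
WEAK_JSON = {"Content-Type": "application/json", "Cache-Control": "max-age=3600"}
HARDENED_JSON = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Type": "application/json; charset=utf-8",
    "Cache-Control": "no-store",
}
```

Calling `audit_headers(WEAK_JSON)` yields all five findings, while `audit_headers(HARDENED_JSON)` returns an empty list.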