> What's stopping them (or being commandeered) to serve you modified javascript which sends them your password, or this being done via an unsanitised email viewed via their web UI?
Thinking about this more, the threat model here was an insider. This is something that Tutanota wouldn't be able to prevent with its advertised services given the same situation.
Thinking about this more, the threat model here was an insider. This is something that Tutanota wouldn't be able to prevent with its advertised services given the same situation.