Vanadium Navigator

Anti2030

Hello, I am having trouble accessing my tutamail account from the vanadium browser. Why does this happen? How to fix it? Thank you.

Your browser does not support WebAssembly. Refer to the documentation below to fix this issue: https://tuta.com/support/#enable-webassembly Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Mobile Safari/537.36 NoWASMS Support NoWASMS support in https://mail.tutanota

MetropleX

Anti2030 when on the tuta login screen tap the settings icon next to the url and then tap permissions, ENABLE JIT.

Anti2030

MetropleX Your information has worked for me and I have been able to access it from the vanadium browser. Thanks a lot. Why does this usually happen?

r134a

Anti2030 It is disabled by default to improve security. U can enable it like u just did with consent.

Looking at CVE (Common Vulnerabilities and Exposures) data after 2019 shows that roughly 45% of CVEs issued for V8 were related to the JIT engine.

Source: https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/
I recommend if time allows u, to read the whole article, it is packed with insight regarding this specific topic.

Anti2030

r134a Thank you,
I will read the article and draw conclusions.
What I don't understand is why tutamail that preaches security and privacy, forces you to activate this function, that's my doubt.
Thanks

DeletedUser495

Anti2030 for enhanced functionality, maybe? You're going to have to trust their word on that they get their coding right.

r134a

Anti2030 What I don't understand is why tutamail that preaches security and privacy, forces you to activate this function,

According to tuta itself, the webapp has to do Argon2 key derivation and it is a very slow operation without WASM or JIT. This doesn't mean tuta will exploit your browser. So to enhance functionality / user experience as @DeletedUser495 already pointed out.

While in practice JIT and WASM are 'parts' of the browser that get leveraged relatively frequently by malicious actors, it doesn't mean every website that uses it is malicious. Hence why it is disabled by default and user consent has to be given to explicitly enable it for trusted websites.