Runbox now supports Forward Secrecy

October 1st, 2013  |  Published in News, Security, Webmail  |  4 Comments

In recent weeks there has been some discussion in news outlets about SSL/TLS, which is used by many websites to encrypt the data being transferred between web servers and web browsers.

Since it’s theoretically possible for outsiders to break such encryption, an increasing number of people are requesting improved encryption methods.

What is SSL/TLS?

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic methods used to secure communication on the Internet. By using pairs of private and public keys, the web server and the client can securely encrypt and decrypt the data being transferred between two parties.

Gold-padlock.svgWhen a web browser connects to a website protected with SSL or TLS (indicated by a padlock icon in the browser) it receives the public key from the server, which is then used to encrypt the subsequent communication. The data can only be decrypted using the private key, which resides on the server.

The problem with keys

However, if someone was able to break in and copy the private key from a server, they would theoretically be able to decrypt any communication to/from that server — provided that they were also able to eavesdrop on the communication.

The solution: Unique keys

To counter this it’s recently become possible to configure web servers to issue a unique key pair for every single connection, and immediately destroy the keys once the session is complete.

This method is called Forward Secrecy because it prevents anyone from retroactively breaking the encryption.

Forward Secrecy on Runbox

Runbox has now implemented Forward Secrecy in order to further improve the security and privacy of our services. It’s now virtually impossible to eavesdrop on the data being transmitted between your web browser and Runbox’ web servers — and you don’t have to do anything in order to enjoy this new level of security.

For those who are interested in the technical details, here is an analysis of the security provided by https://runbox.com, which is now our main address:

https://www.ssllabs.com/ssltest/analyze.html?d=runbox.com

Tags: , ,

Responses

  1. Paul says:

    November 21st, 2013 at 17:21 (#)

    So probably a silly question, but does this apply when you are using an email client program (e.g. Thunderbird) as well?

  2. zeek says:

    November 28th, 2013 at 18:55 (#)

    Great stuff. Thank you for your efforts in this area. Can you offer some scenarios in which this might be used? I understand it’s possible to do it between mail servers and for client -> server connections via IMAP. What about client -> server SMTP? And does this have positive impact on the security / privacy of communications between person x on runbox and person y on yahoo?

  3. Alex says:

    February 2nd, 2014 at 21:56 (#)

    The German magazine c’t Magazin has recently (issue 4/2014) done a test on secure e-mail providers. Runbox was also tested. According to the test results, runbox fails to provide perfect forward secrecy on pop, imap and smtp-inbound connections, which seems to contradict the above information on PFS. Could you comment on these test results?

  4. Alex says:

    February 2nd, 2014 at 22:41 (#)

    I’m sorry, I re-read the statements above, and now realize that PFS has only been implemented for webmail access to a runbox mailbox. Test results and above statement thus seem in agreement…

Leave a Response