Runbox now supports Forward Secrecy

In recent weeks there has been some discussion in news outlets about SSL/TLS, which is used by many websites to encrypt the data being transferred between web servers and web browsers.

Since it’s theoretically possible for outsiders to break such encryption, an increasing number of people are requesting improved encryption methods.

What is SSL/TLS?

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic methods used to secure communication on the Internet. By using pairs of private and public keys, the web server and the client can securely encrypt and decrypt the data being transferred between two parties.

Gold-padlock.svgWhen a web browser connects to a website protected with SSL or TLS (indicated by a padlock icon in the browser) it receives the public key from the server, which is then used to encrypt the subsequent communication. The data can only be decrypted using the private key, which resides on the server.

The problem with keys

However, if someone was able to break in and copy the private key from a server, they would theoretically be able to decrypt any communication to/from that server — provided that they were also able to eavesdrop on the communication.

The solution: Unique keys

To counter this it’s recently become possible to configure web servers to issue a unique key pair for every single connection, and immediately destroy the keys once the session is complete.

This method is called Forward Secrecy because it prevents anyone from retroactively breaking the encryption.

Forward Secrecy on Runbox

Runbox has now implemented Forward Secrecy in order to further improve the security and privacy of our services. It’s now virtually impossible to eavesdrop on the data being transmitted between your web browser and Runbox’ web servers — and you don’t have to do anything in order to enjoy this new level of security.

For those who are interested in the technical details, here is an analysis of the security provided by https://runbox.com, which is now our main address:

https://www.ssllabs.com/ssltest/analyze.html?d=runbox.com

4 thoughts on “Runbox now supports Forward Secrecy”

  1. So probably a silly question, but does this apply when you are using an email client program (e.g. Thunderbird) as well?

  2. Great stuff. Thank you for your efforts in this area. Can you offer some scenarios in which this might be used? I understand it’s possible to do it between mail servers and for client -> server connections via IMAP. What about client -> server SMTP? And does this have positive impact on the security / privacy of communications between person x on runbox and person y on yahoo?

  3. The German magazine c’t Magazin has recently (issue 4/2014) done a test on secure e-mail providers. Runbox was also tested. According to the test results, runbox fails to provide perfect forward secrecy on pop, imap and smtp-inbound connections, which seems to contradict the above information on PFS. Could you comment on these test results?

  4. I’m sorry, I re-read the statements above, and now realize that PFS has only been implemented for webmail access to a runbox mailbox. Test results and above statement thus seem in agreement…

Leave a Reply

Your email address will not be published. Required fields are marked *