Security improvements to our services

At Runbox we are continuously working to improve the security of our services. We are now strengthening the security of your web browser’s connection to our servers to ensure that it utilizes modern web security standards.

If you are using an updated version of one of the major web browsers such as Firefox, Chrome, Safari, Opera, and Edge you will probably not notice any effects. You can then continue using our services just like before, while knowing that the strongest encryption protocols are being utilized.

If you’re using a non-standard or not updated web browser, then please read the information below for more details about these changes and how they may affect you.

Those who are interested in the technical details of these changes may also find this information useful.

What we are doing

When you visit our website the connection between your web browser and our web servers is encrypted. This means that no one can intercept your username, password or any other transmitted data including the content of your email messages.

It’s important to use a modern browser that supports modern encryption methods to prevent that encryption from being broken and compromised. This is essential to web security because hackers increasingly use more powerful computers and techniques in their attempts to decrypt data and eavesdrop on unsuspecting users.

In order to ensure that Runbox is providing the latest and most secure encryption between your browser and our service we will therefore end support for outdated encryption methods.

This entails that we will only support the strongest encryption cipher suites that are compatible with most major web browsers.

It also helps us prevent unauthorized access to our servers and helps keep the Runbox services safe for all of our customers.

On December 1, 2019 we will retire some outdated encryption methods and this might affect some older web browsers.

Once these changes are made the TLS protocol version and cipher suites will be the same for all access methods to our email services, including web, POP, IMAP, and SMTP.

The technical details

You don’t need to delve into all the technical details, but we know many customers are interested in this and it is useful for everyone to stay educated about web security.

The changes involve retiring support for TLS (Transport Layer Security) version 1.0 and 1.1, and only provide support TLS 1.2 or later. We will also only support a small suite of strong encryption cipher suites that are recommended by the reputable organizations Mozilla and OWASP.

TLS 1.2 has been around for 10 years so there has been a long time for browsers to adopt the use of this type of encryption. However, you don’t need to understand anything about this to make any necessary changes.

All the cipher suites we will be utilizing are of the type Diffie-Hellman Ephemeral (DHE), which means that a unique cryptographic key is generated each time a new connection is made.

This in turn means that even in the unlikely event that one set of keys is compromised it cannot be used for another connection made from another client (“forward secrecy”).

An updated list of cipher suites that are supported currently include the following:

  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • DHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA384
  • DHE-RSA-AES128-SHA256
  • DHE-RSA-AES256-SHA256

More information about these cipher suites can be found on Wikipedia: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange

How this may affect you

The vast majority of web browsers already support TLS 1.2 and you are only likely to have a problem if you are using an outdated browser and/or an outdated operating system.

We have tested the following browsers and they all work with the modern encryption that we will use:

  • Firefox
  • Chrome
  • Safari
  • Opera
  • Edge

Many other modern browsers are also likely to work with TLS 1.2 and those listed above are just commonly used ones that we have tested.

What you can do

If you are not using an upgraded version of one of the major web browsers listed above, please upgrade your web browser and/or operating system now. This is the most important action you can take to ensure that your data and communications are secure.

If you’re using a web browser not listed above and are unsure whether it will continue to work with the specifications we have provided, we recommend that you keep one of the major web browsers available as an alternative.

We generally recommend Firefox as it is free, standards compliant, and open source, and therefore reviewed by the security community.

Further help

If you need any further information or help on this issue please contact Runbox Support with details of how we can help you.

4 thoughts on “Security improvements to our services”

  1. I often use a VPN (Express VPN), especially when traveling, to connect with runbox. Does this compromise the encryption? I’m very much in favor of very strong encryption and even use the OTP for some messages. I will check out the encryption with the VPN servers and would appreciate your comments. I use Firefox, Safari , Chrome and Mac OS with latest updates.

    Thanks!

    -jm

    1. When using a VPN (Virtual Private Network) your device is connected to the Runbox servers through a (typically encrypted) private network that extends across parts of the Internet.

      This doesn’t compromise the TLS encryption between your browser and our servers; rather it results in two layers of encryption and additional communication security.

  2. Why dont you have end to end encryption? As I understand it from different reviews all emails are unencrypted on your servers.

    1. Runbox 7 supports PGP decryption of incoming messages, and support for encryption of outgoing messages is planned.

      We are in the process of moving all user data to encrypted storage, and account content all new users is encrypted at rest.

Leave a Reply

Your email address will not be published. Required fields are marked *