SPF Record Change

After careful consideration we have decided to adopt a stricter policy with regards to SPF (Sender Policy Framework) records for our own Runbox domains.

Note: This does not affect domains owned by our customers.

What are SPF records?

SPF records are used as a way to determine if email addresses are being spoofed in sent mail. They allow domain administrators (Runbox in this case) to specify which servers are allowed to send email for the domains they control.

(more…)

Continue Reading →

New IMAP Server Software

We are pleased to announce the official launch of our new IMAP server software.

We’ve been extensively testing and improving the new Dovecot-based software in an open beta phase for several months. We are now very happy with how it’s performing, and it resolves several issues with our current IMAP software (see below).

We will therefore be moving to the new software and will retire our existing Courier-based IMAP servers. Since the new software uses a more standardized configuration, all IMAP users will need to change their settings by December 1, 2015.

Note: If you have already changed your email client’s settings as part of the open beta phase you don’t need to do anything.

(more…)

Continue Reading →

New IMAP Server Software in Open Beta Test

We are pleased to announce the start of the Open Beta Testing Phase of our new Dovecot IMAP servers.

We are introducing new IMAP servers to resolve errors that have been experienced by many customers, to simplify the set up in email clients and to improve IMAP performance.

We expect that customers using Apple Mail (OS X) and the native Mail app (iOS) on iPhones and iPads will see the most benefit from our new servers, but performance and reliability will be improved for all customers.

Problems we believe will be resolved are:

  • Read/Unread synchronisation issues
  • Moving messages from one folder to another resulted in a copy in the new and old locations
  • Error messages of the kind “Cannot connect to server”
  • With iOS the native Mail app would fail to update and would continue to show a date in the past

At some future date the current servers will be retired, and all customers will need to use the new IMAP servers.

If you would like to switch to the new servers now, and take part in our Beta testing phase, please see the information on the Open Beta Phase page (the previous link now directs to the official launch details). Please note that although the software is already thoroughly tested and performing well, changes and disruptions may occur as we continue improving it.

If you have any questions about these changes, please contact Runbox Support.

 

Continue Reading →

Terms of Service and Privacy Policy updates

On July 1st, 2015 Runbox will introduce updated Terms of Service and a more detailed Privacy Policy.

We strongly recommend that you review the documents as they comprise the contract between you and Runbox. They also form the backbone of legal protection of your data, anchored in strong Norwegian privacy regulations.

We have worked hard to make the documents clear, balanced, and easy to understand, and we think you will agree upon reviewing them.

Please note that the changes apply to all current and future Runbox accounts, and that by continuing to use Runbox you in effect accept the updated terms and policies.

(more…)

Continue Reading →

Domains and Privacy

From time to time we get asked why Runbox uses runbox.com as our primary email domain rather than our runbox.no domain.

The reason we are asked this is because some people assume that by using a .com domain all the Internet traffic to and from our servers is routed via the Unites States, and could be subject to US government eavesdropping.

(more…)

Continue Reading →

Outlook for iOS – Privacy Issues

Email Apps and Privacy

Back in May 2014 we reported on our investigations in to two smartphone/tablet apps that had been launched. We were worried to find that the apps did not use our outgoing SMTP servers directly, and instead sent email through non-Runbox servers. This made for much easier set up of accounts, but we didn’t like that it wasn’t obvious to the user what was going on.

Those apps were myMail and Evomail (the later is no longer available).

Outlook and Privacy

Outlook now has IMAP compatibility and is able to work with Runbox accounts, however, like myMail and Evomail it doesn’t connect directly to the Runbox SMTP servers for outgoing mail. In fact, we don’t know if it retrieves email directly from our servers either. We do know that it stores some details of your account on servers that are part of Amazon Web Services.

If this doesn’t bother you, then that’s fine as Outlook is turning in to a nice email app that sits nicely alongside the other Microsoft offerings for iOS and Android.

Using Email Apps that Connect Directly to the Runbox Service

We believe that for maximum security and privacy email apps should be connecting directly to the Runbox service and not connecting via other servers, or storing account details anywhere other than in the app on the device.

Usually if you have to enter the server details for incoming and outgoing mail then the app is likely to connect to those services directly. If you have any doubts about an app, please get in touch with Runbox Support and we will investigate how it behaves.

Continue Reading →

Upgrading Runbox 5 Customers

Today we have upgraded the remaining Runbox 5 users to the latest version of the Runbox webmail interface. We introduced Runbox 6 in January 2013 and gradually most of our customers have moved over to this.

This latest interface has a number of new features, and is built on programming that is more stable and allows us to add new features more easily.

You can read more about the features in the original blog post about Runbox 6.

The change to the latest webmail version also allows those customers previously using Runbox 5 to access the new webmail design called Runbox Aero. This is a modern and more user-friendly design, with graphics that are compatible with the newer high resolution screens featured on laptop and desktop computers.

If you have any questions about this change, please get in touch with us at Runbox Support or email support@nullrunbox.com

Continue Reading →

Email, Encryption and Data Surveillance

As each day goes by there seem to be new revelations about which countries are spying on each other, or have secret agreements to monitor traffic by putting “taps” on strategically important cables entering or leaving countries. It is hard to keep track of all this information, and even harder to verify what is fact and what is speculation.

Questions, questions!

If you care about your data or email and whether it is private or not, then all of this should bother you; in fact it should bother you quite a lot. But how do you make sense of it all, and what action can you take, assuming you can take action that is? Which countries will look after your data best? And who can actually read your email as it is delivered to and from your email provider?

At Runbox we get asked a lot of questions like the ones above, and we have come to the conclusion that often we are worrying about the wrong things.

Who are the players in this real-life James Bond story?

five-eyesThe United States National Security Agency (NSA) and the British Government Communications Headquarters (GCHQ) have featured heavily in the media, and along with three other countries (Canada, Australia and New Zealand) they make up the so called “Five Eyes” countries that are known to be monitoring communications.

These countries have an agreement to share data that they collect through their extensive networks. This is not speculation, this is hard fact in the public domain, and together they form the single biggest data sharing network ever conceived. The allegations that they spy on each others citizens and then share data with each other to get around domestic regulations relating to spying on your own citizens is one of the most controversial claims that have been made in the last few years.

There are other revelations that suggest many countries also have agreements with the NSA and GCHQ in return for various kind of technological assistance that might benefit the collaborating nation.

More recently, and closer to home for Runbox, we have seen allegations that Denmark is monitoring data entering and leaving Norway, and that Sweden is pretty much in league with the NSA about as much as the other “five eyes” countries. At a glance this can seem worrying given that Runbox is based in Norway.

But does it really matter?

Data everywhere, and no place to hide

surveillanceOn a political front it probably does matter, but on a practical level if you email someone who is outside of Norway the chances are the data passes through a number of countries and worrying about the ones geographically adjacent to Norway seems a little pointless. For example, if you email anyone on Gmail, Yahoo, Outlook, iCloud or any of the other major providers, the chance is your data is going to end up in the one country that is at the centre of the recent revelations – the USA.

The reason we get asked questions about security is because people want to take positive action to protect their data, so what can you actually do?

Stored email and data

The question about which email provider will protect your data best when it is on their servers is a separate issue to the one surrounding your data when it is being transferred from one place to another. In respect of your email provider, you are better to keep your email data in a country that has strong privacy laws, and with a provider that tries to encrypt the transfer of that data to and from your account. Runbox is based in a country that does have strong privacy laws, and we always try to encrypt your data when transferring it to and from your account.

So choosing an email provider isn’t too difficult once you know what to look for.

So what about data transfer?

Given that we know agencies are monitoring Internet communications (it doesn’t matter how much or little of this is going on) it is best to assume that anything that you do on the Internet, or anything you email can be monitored by someone. You can think of this as being like sending a private message on a postcard through the usual mail where everyone including the post office and your family can read the postcard.

Fundamentally the data that makes up your email can be read by any server it passes through on its way to its destination. Mail servers also write information to their hard drives and then use that data when sending your email on to the next destination. This means that temporary copies of your email are also made!

There is very little you can do about this, it’s how email works.

Email-EncryptionAn obvious solution to prevent prying eyes from reading your email is to use some sort of code that only the sender and recipient can decode, and that is exactly what encryption is. If you encrypt a message with a strong enough key then it is currently not possible for anyone to read it without having the private key and passphrase. For now we will ignore allegations that encryption has been subverted by governments as it is clear that strong encryption does still work adequately.

Regardless of whether you encrypt messages yourself, Runbox attempts to encrypt your email when it sends to and receives email from other providers on your behalf. This is an important security feature, but it isn’t universally used and even some major email providers do not offer this kind of encryption. Where it is not offered your email is delivered unencrypted and it is just as vulnerable to interception then as a postcard is.

End-to-end encryption

Email is about 40 years old, and it hasn’t changed much in all that time. For decades computer security experts have been aware of the insecure nature of email, which is why email encryption has been around for about half the time email has existed. Encrypting your enigmail_gnupg_thunderbirdemail is not a new idea at all, but as a proportion of email sent very little is encrypted by the sender.

The best overall solution is to encrypt the message before it leaves your computer and not rely on anyone else to protect the data for you. The data can then only be decrypted at the recipients end if the correct key is available and the passphrase for that key is known. This is called end-to-end encryption.

There are various ways in which you can encrypt your email, some involve email client (app/program) like Thunderbird, Outlook or Apple Mail and others are integrated in to the webmail service of email providers.

You don’t need to be an expert to encrypt your email

Encrypting your email is not as difficult as you might think, but you might need to make some changes to how you use email.

We are used to having a very wide variety of email providers at our fingertips, and encryption isn’t necessarily going to be compatible with all of those various interfaces. Elsewhere on this blog and on the Runbox help website we explain some of the easier ways to implement strong email encryption that can be used with most email providers.

Yes, you are going to have to give your friends, family and colleagues keys so they can decrypt email and also send encrypted email to you, but is that really much more difficult than having to give them a key to get in to your home (assuming you want them in your home that is)?

If you encrypt your email it won’t matter what revelations are in the news next week, only you and your recipients will be able to read your email. Unless of course the revelations are about encryption having been compromised…

For more information

Continue Reading →

Warning About Insecure Email Apps

We have become aware of at least one email app (application software) available for smartphones and tablets that undermines the security of email sent using your Runbox account.

The email app is very easy to set up with only your email address and password, and you can get it working within a few minutes at most. It was due to this ease of set-up that we became suspicious. There is always a push towards making things easier for users of technology, but we believe that this is one step too far.

We discovered that the email app was not sending email through the Runbox mail servers. There was no SSL encryption between the email client and the servers, and no onwards encryption to a destination that we know normally uses encryption when sent via our servers. Instead of using our servers in Norway, the app used a mail server in another European country!

If this wasn’t bad enough, there was no user notification that the app hadn’t used the correct servers and was instead using an alternative server.

We won’t mention this particular app by name here as that wouldn’t be fair, especially when there may be others that do the same. We do not recommend this type of email app for phones, tablets or computers in general, and we cannot be held responsible for the delivery of email not sent through our servers, but apparently coming from your Runbox email address.

We would urge all Runbox customers to consider the following:

If you are not asked to enter the secure server settings as detailed on our settings page, then you are not in control of how your email is received or sent.

If you have any further questions about this, or would like further advice, please contact Runbox Support.

Continue Reading →

Runbox No Longer Uses Tracking Cookies

From 1st October 2013 the Runbox websites will no longer use browser-based tracking cookies to collect anonymous statistics about visitors to the public part of our website.

We have never used tracking cookies on the logged-in pages of the website that make up the email service itself.

What are tracking cookies?

Tracking cookies are small pieces of code embedded into web pages that can collect useful information about browsers that access those pages. The statistics are used to find out how visitors use a website, and in turn this information can be useful to improve the website for visitors. The cookies we used could also tell us something about the types of browsers being used, and help us identify problems with our web pages. Statistics such as which countries people visit the web site from can also help with our marketing, and in turn this can help make Runbox more cost effective for our members.

So if tracking cookies are so useful, why are you removing them?

Over recent months there has been increased awareness of privacy and security in online communications. You will probably have heard about this in the news on many occasions. Runbox is very certain of what it does with the personal details of its members, and Norwegian law makes it illegal for us to share that information with anyone without a Norwegian court order.

Like some of our members, we have become uncomfortable with us sharing even anonymous information with other services. Therefore, we have taken the decision to remove Google Analytics from our website. We also tried an open source alternative that recorded data only on our own servers. However, after various conversations both within the Runbox team and with some members, we felt we needed to move away from tracking that uses code inserted into the web pages themselves.

How can I check that you have removed tracking cookies?

If you want to see what kind of tracking cookies are used on any website, you can download a free browser add-on such as Ghostery. This add-on shows you the cookies being used, and also allows you to block them.

Are you using any kind of cookies on your website?

Yes, we use session cookies when you log in so that you can use the webmail interface. These sorts of cookies are very common on websites where you need to log in to an account and mean that you only have to provide your details at the login page and not on each page you access. You can read more about why we use session cookies in our Privacy Policy. Session cookies are not tracking cookies and do not record information about which pages you visit on our website.

So are you collecting any kind of statistics?

Like any other responsible service our servers automatically log* each request in case something goes wrong. This anonymous information is considered essential information from an administration and technical point of view. Many would regard us as being irresponsible if we didn’t know something about what pages had been accessed on our own servers. No personal information is recorded in these logs. Anonymous statistics can be compiled from the logs, and when we do this we will use that information internally only. This information will be subject to the same rules as any personal information we have about members, and not shared with third parties.

A note about IP addresses

Some members tell us they are concerned that the IP (Internet Protocol) address assigned to them by their Internet Service Provider (ISP) could be used to find where they live. It is true that some IP addresses are arranged regionally by ISPs, and this might reveal some information about where the Internet connection that IP address is assigned to is located. If you are concerned that your IP address reveals too much information about you, then we suggest that you contact your ISP to find out if they are able to help you in any way. There are websites that can give you some idea about what geographical information your allocated IP address gives away about your Internet connection. Just do a search for “geoip”.

It is possible to use Virtual Private Network (VPN) services to get more privacy. These effectively give you an alternative IP address to the one given by your ISP, and this can even be in a different country to where you live. VPN connections like this work by providing a secure encrypted connection to a server in another location, and it is from this remote location that you access the rest of the Internet.

If I still have concerns what should I do?

If you still have questions about Runbox and how we ensure your privacy please get in touch with us by using our support website at https://support.runbox.com.

 

 * The word log is a shortening of log-book. A ship’s log-book was a record of its journey and was called this because a log would be thrown overboard with a rope attached, and the progress of the ship would be measured by the number of knots that would pass through the sailor’s hands in a given time.

Continue Reading →