We are pleased to announce the start of the Open Beta Testing Phase of our new Dovecot IMAP servers.

We are introducing new IMAP servers to resolve errors that have been experienced by many customers, to simplify the set up in email clients and to improve IMAP performance.

We expect that customers using Apple Mail (OS X) and the native Mail app (iOS) on iPhones and iPads will see the most benefit from our new servers, but performance and reliability will be improved for all customers.

Problems we believe will be resolved are:

• Read/Unread synchronisation issues
• Moving messages from one folder to another resulted in a copy in the new and old locations
• Error messages of the kind “Cannot connect to server”
• With iOS the native Mail app would fail to update and would continue to show a date in the past

At some future date the current servers will be retired, and all customers will need to use the new IMAP servers.

If you would like to switch to the new servers now, and take part in our Beta testing phase, please see the information on the Open Beta Phase page (the previous link now directs to the official launch details). Please note that although the software is already thoroughly tested and performing well, changes and disruptions may occur as we continue improving it.

If you have any questions about these changes, please contact Runbox Support.

 

Continue Reading →

Today we have upgraded the remaining Runbox 5 users to the latest version of the Runbox webmail interface. We introduced Runbox 6 in January 2013 and gradually most of our customers have moved over to this.

This latest interface has a number of new features, and is built on programming that is more stable and allows us to add new features more easily.

You can read more about the features in the original blog post about Runbox 6.

The change to the latest webmail version also allows those customers previously using Runbox 5 to access the new webmail design called Runbox Aero. This is a modern and more user-friendly design, with graphics that are compatible with the newer high resolution screens featured on laptop and desktop computers.

If you have any questions about this change, please get in touch with us at Runbox Support or email support@nullrunbox.com

Continue Reading →

As each day goes by there seem to be new revelations about which countries are spying on each other, or have secret agreements to monitor traffic by putting “taps” on strategically important cables entering or leaving countries. It is hard to keep track of all this information, and even harder to verify what is fact and what is speculation.

Questions, questions!

If you care about your data or email and whether it is private or not, then all of this should bother you; in fact it should bother you quite a lot. But how do you make sense of it all, and what action can you take, assuming you can take action that is? Which countries will look after your data best? And who can actually read your email as it is delivered to and from your email provider?

At Runbox we get asked a lot of questions like the ones above, and we have come to the conclusion that often we are worrying about the wrong things.

Who are the players in this real-life James Bond story?

The United States National Security Agency (NSA) and the British Government Communications Headquarters (GCHQ) have featured heavily in the media, and along with three other countries (Canada, Australia and New Zealand) they make up the so called “Five Eyes” countries that are known to be monitoring communications.

These countries have an agreement to share data that they collect through their extensive networks. This is not speculation, this is hard fact in the public domain, and together they form the single biggest data sharing network ever conceived. The allegations that they spy on each others citizens and then share data with each other to get around domestic regulations relating to spying on your own citizens is one of the most controversial claims that have been made in the last few years.

There are other revelations that suggest many countries also have agreements with the NSA and GCHQ in return for various kind of technological assistance that might benefit the collaborating nation.

More recently, and closer to home for Runbox, we have seen allegations that Denmark is monitoring data entering and leaving Norway, and that Sweden is pretty much in league with the NSA about as much as the other “five eyes” countries. At a glance this can seem worrying given that Runbox is based in Norway.

But does it really matter?

Data everywhere, and no place to hide

On a political front it probably does matter, but on a practical level if you email someone who is outside of Norway the chances are the data passes through a number of countries and worrying about the ones geographically adjacent to Norway seems a little pointless. For example, if you email anyone on Gmail, Yahoo, Outlook, iCloud or any of the other major providers, the chance is your data is going to end up in the one country that is at the centre of the recent revelations – the USA.

The reason we get asked questions about security is because people want to take positive action to protect their data, so what can you actually do?

Stored email and data

The question about which email provider will protect your data best when it is on their servers is a separate issue to the one surrounding your data when it is being transferred from one place to another. In respect of your email provider, you are better to keep your email data in a country that has strong privacy laws, and with a provider that tries to encrypt the transfer of that data to and from your account. Runbox is based in a country that does have strong privacy laws, and we always try to encrypt your data when transferring it to and from your account.

So choosing an email provider isn’t too difficult once you know what to look for.

So what about data transfer?

Given that we know agencies are monitoring Internet communications (it doesn’t matter how much or little of this is going on) it is best to assume that anything that you do on the Internet, or anything you email can be monitored by someone. You can think of this as being like sending a private message on a postcard through the usual mail where everyone including the post office and your family can read the postcard.

Fundamentally the data that makes up your email can be read by any server it passes through on its way to its destination. Mail servers also write information to their hard drives and then use that data when sending your email on to the next destination. This means that temporary copies of your email are also made!

There is very little you can do about this, it’s how email works.

An obvious solution to prevent prying eyes from reading your email is to use some sort of code that only the sender and recipient can decode, and that is exactly what encryption is. If you encrypt a message with a strong enough key then it is currently not possible for anyone to read it without having the private key and passphrase. For now we will ignore allegations that encryption has been subverted by governments as it is clear that strong encryption does still work adequately.

Regardless of whether you encrypt messages yourself, Runbox attempts to encrypt your email when it sends to and receives email from other providers on your behalf. This is an important security feature, but it isn’t universally used and even some major email providers do not offer this kind of encryption. Where it is not offered your email is delivered unencrypted and it is just as vulnerable to interception then as a postcard is.

End-to-end encryption

Email is about 40 years old, and it hasn’t changed much in all that time. For decades computer security experts have been aware of the insecure nature of email, which is why email encryption has been around for about half the time email has existed. Encrypting your email is not a new idea at all, but as a proportion of email sent very little is encrypted by the sender.

The best overall solution is to encrypt the message before it leaves your computer and not rely on anyone else to protect the data for you. The data can then only be decrypted at the recipients end if the correct key is available and the passphrase for that key is known. This is called end-to-end encryption.

There are various ways in which you can encrypt your email, some involve email client (app/program) like Thunderbird, Outlook or Apple Mail and others are integrated in to the webmail service of email providers.

You don’t need to be an expert to encrypt your email

Encrypting your email is not as difficult as you might think, but you might need to make some changes to how you use email.

We are used to having a very wide variety of email providers at our fingertips, and encryption isn’t necessarily going to be compatible with all of those various interfaces. Elsewhere on this blog and on the Runbox help website we explain some of the easier ways to implement strong email encryption that can be used with most email providers.

Yes, you are going to have to give your friends, family and colleagues keys so they can decrypt email and also send encrypted email to you, but is that really much more difficult than having to give them a key to get in to your home (assuming you want them in your home that is)?

If you encrypt your email it won’t matter what revelations are in the news next week, only you and your recipients will be able to read your email. Unless of course the revelations are about encryption having been compromised…

For more information

• Email Encryption with Runbox
• Secure Transfer of Email
• Encrypting Your Email
• OpenPGP Set Up Guides

Continue Reading →

We have become aware of at least one email app (application software) available for smartphones and tablets that undermines the security of email sent using your Runbox account.

The email app is very easy to set up with only your email address and password, and you can get it working within a few minutes at most. It was due to this ease of set-up that we became suspicious. There is always a push towards making things easier for users of technology, but we believe that this is one step too far.

We discovered that the email app was not sending email through the Runbox mail servers. There was no SSL encryption between the email client and the servers, and no onwards encryption to a destination that we know normally uses encryption when sent via our servers. Instead of using our servers in Norway, the app used a mail server in another European country!

If this wasn’t bad enough, there was no user notification that the app hadn’t used the correct servers and was instead using an alternative server.

We won’t mention this particular app by name here as that wouldn’t be fair, especially when there may be others that do the same. We do not recommend this type of email app for phones, tablets or computers in general, and we cannot be held responsible for the delivery of email not sent through our servers, but apparently coming from your Runbox email address.

We would urge all Runbox customers to consider the following:

If you are not asked to enter the secure server settings as detailed on our settings page, then you are not in control of how your email is received or sent.

If you have any further questions about this, or would like further advice, please contact Runbox Support.

Continue Reading →

From 1st October 2013 the Runbox websites will no longer use browser-based tracking cookies to collect anonymous statistics about visitors to the public part of our website.

We have never used tracking cookies on the logged-in pages of the website that make up the email service itself.

What are tracking cookies?

Tracking cookies are small pieces of code embedded into web pages that can collect useful information about browsers that access those pages. The statistics are used to find out how visitors use a website, and in turn this information can be useful to improve the website for visitors. The cookies we used could also tell us something about the types of browsers being used, and help us identify problems with our web pages. Statistics such as which countries people visit the web site from can also help with our marketing, and in turn this can help make Runbox more cost effective for our members.

So if tracking cookies are so useful, why are you removing them?

Over recent months there has been increased awareness of privacy and security in online communications. You will probably have heard about this in the news on many occasions. Runbox is very certain of what it does with the personal details of its members, and Norwegian law makes it illegal for us to share that information with anyone without a Norwegian court order.

Like some of our members, we have become uncomfortable with us sharing even anonymous information with other services. Therefore, we have taken the decision to remove Google Analytics from our website. We also tried an open source alternative that recorded data only on our own servers. However, after various conversations both within the Runbox team and with some members, we felt we needed to move away from tracking that uses code inserted into the web pages themselves.

How can I check that you have removed tracking cookies?

If you want to see what kind of tracking cookies are used on any website, you can download a free browser add-on such as Ghostery. This add-on shows you the cookies being used, and also allows you to block them.

Are you using any kind of cookies on your website?

Yes, we use session cookies when you log in so that you can use the webmail interface. These sorts of cookies are very common on websites where you need to log in to an account and mean that you only have to provide your details at the login page and not on each page you access. You can read more about why we use session cookies in our Privacy Policy. Session cookies are not tracking cookies and do not record information about which pages you visit on our website.

So are you collecting any kind of statistics?

Like any other responsible service our servers automatically log^* each request in case something goes wrong. This anonymous information is considered essential information from an administration and technical point of view. Many would regard us as being irresponsible if we didn’t know something about what pages had been accessed on our own servers. No personal information is recorded in these logs. Anonymous statistics can be compiled from the logs, and when we do this we will use that information internally only. This information will be subject to the same rules as any personal information we have about members, and not shared with third parties.

A note about IP addresses

Some members tell us they are concerned that the IP (Internet Protocol) address assigned to them by their Internet Service Provider (ISP) could be used to find where they live. It is true that some IP addresses are arranged regionally by ISPs, and this might reveal some information about where the Internet connection that IP address is assigned to is located. If you are concerned that your IP address reveals too much information about you, then we suggest that you contact your ISP to find out if they are able to help you in any way. There are websites that can give you some idea about what geographical information your allocated IP address gives away about your Internet connection. Just do a search for “geoip”.

It is possible to use Virtual Private Network (VPN) services to get more privacy. These effectively give you an alternative IP address to the one given by your ISP, and this can even be in a different country to where you live. VPN connections like this work by providing a secure encrypted connection to a server in another location, and it is from this remote location that you access the rest of the Internet.

If I still have concerns what should I do?

If you still have questions about Runbox and how we ensure your privacy please get in touch with us by using our support website at https://support.runbox.com.

 

 * The word log is a shortening of log-book. A ship’s log-book was a record of its journey and was called this because a log would be thrown overboard with a rope attached, and the progress of the ship would be measured by the number of knots that would pass through the sailor’s hands in a given time.

Continue Reading →

Update 01-Sep-2013 0915 CEST: We believe the routing issue has now been resolved. If you know otherwise, please get in touch.
——–

A small number of our customers are reporting that they cannot access the Runbox servers via their Internet service provider.

It appears that there is a problem with one or more Internet service providers outside the Runbox network. Our network carrier Blix, along with carriers Cogent and Telia, are working to identify the problem but as yet there is no known cause and no estimated time for a solution.

If you are experiencing problems reaching the Runbox servers and wish to send us your IP address and a traceroute to www.runbox.com, please do as they are useful to the Internet providers trying to sort this out. To do this, enter “tracert runbox.com” in a Command Prompt window on Windows (or “traceroute runbox.com” in Terminal on OS X), and copy & paste the result into a support request via https://support.runbox.com.

We will post updates here when we know more.

Continue Reading →