Thank you for your support in 2013!

2013 was the year online privacy really came to the forefront of people’s consciousness, after the surveillance revelations especially in the US and the UK. This had a significant impact on Runbox, whose location in Norway made it the service of choice for many people who were concerned about email privacy.

This in turn increased our focus on privacy and security, and over the past 6 months we have taken steps to improve the security of our services further.

We are now investing heavily in new hardware and are deploying privacy features such as support for PGP encryption in order to push Runbox to the forefront of email security and privacy globally.

So thank you for supporting Runbox in 2013 — let’s make next year even better!

Continue Reading →

Privacy is Priceless

To highlight the importance of online privacy, we have created two privacy-themed Runbox T-shirts now available from our Cafepress store.

Organic Women's T-Shirt: Privacy Is Priceless
Organic Women’s T-Shirt: Privacy Is Priceless
Organic Men's T-Shirt: Privacy Is Priceless
Organic Men’s T-Shirt: Privacy Is Priceless

In line with our values they are of course organic, which also means they’re a little pricier than your regular T-shirt.

But as a Runbox member, you will receive a free year added to your subscription when purchasing one or more of these T-shirts.

They are currently available in two colors, one for men and one for women.

Just forward your receipt to billing@nullrunbox.com and we will happily extend your subscription by one year!

 

Continue Reading →

Extended Validation SSL certificate installed

In order to further increase the security of our services we have now installed an Extended Validation SSL certificate on our main website https://runbox.com.

The certificate is issued by the WebTrust certified certificate authority GlobalSign and verifies that Runbox Solutions AS owns and operates the website and domain name runbox.com.

What is Extended Validation SSL?

The Extended Validation SSL (Secure Sockets Layer) certificate provides the strong encryption included with regular certificates, and additonally validates our company’s identity by showing our company name and country code in green to the left of the browser address bar:

runbox.com EV SSL

Extended Validation certificates are only issued after rigorous vetting to verify the legal identity and physical presence of the website owner, establish their exclusive control over the domain name, and confirm the identity and authority of the individuals acting for the website owner.

This Extended Validation certificate also covers https://secure.runbox.com and https://www.runbox.com. Other runbox.com subdomains are still using a regular SSL certificate, which has the same encryption level but not the “green bar” identity validation.

Continue Reading →

Runbox now supports Forward Secrecy

In recent weeks there has been some discussion in news outlets about SSL/TLS, which is used by many websites to encrypt the data being transferred between web servers and web browsers.

Since it’s theoretically possible for outsiders to break such encryption, an increasing number of people are requesting improved encryption methods.

What is SSL/TLS?

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic methods used to secure communication on the Internet. By using pairs of private and public keys, the web server and the client can securely encrypt and decrypt the data being transferred between two parties.

Gold-padlock.svgWhen a web browser connects to a website protected with SSL or TLS (indicated by a padlock icon in the browser) it receives the public key from the server, which is then used to encrypt the subsequent communication. The data can only be decrypted using the private key, which resides on the server.

The problem with keys

However, if someone was able to break in and copy the private key from a server, they would theoretically be able to decrypt any communication to/from that server — provided that they were also able to eavesdrop on the communication.

The solution: Unique keys

To counter this it’s recently become possible to configure web servers to issue a unique key pair for every single connection, and immediately destroy the keys once the session is complete.

This method is called Forward Secrecy because it prevents anyone from retroactively breaking the encryption.

Forward Secrecy on Runbox

Runbox has now implemented Forward Secrecy in order to further improve the security and privacy of our services. It’s now virtually impossible to eavesdrop on the data being transmitted between your web browser and Runbox’ web servers — and you don’t have to do anything in order to enjoy this new level of security.

For those who are interested in the technical details, here is an analysis of the security provided by https://runbox.com, which is now our main address:

https://www.ssllabs.com/ssltest/analyze.html?d=runbox.com

Continue Reading →

Runbox No Longer Uses Tracking Cookies

From 1st October 2013 the Runbox websites will no longer use browser-based tracking cookies to collect anonymous statistics about visitors to the public part of our website.

We have never used tracking cookies on the logged-in pages of the website that make up the email service itself.

What are tracking cookies?

Tracking cookies are small pieces of code embedded into web pages that can collect useful information about browsers that access those pages. The statistics are used to find out how visitors use a website, and in turn this information can be useful to improve the website for visitors. The cookies we used could also tell us something about the types of browsers being used, and help us identify problems with our web pages. Statistics such as which countries people visit the web site from can also help with our marketing, and in turn this can help make Runbox more cost effective for our members.

So if tracking cookies are so useful, why are you removing them?

Over recent months there has been increased awareness of privacy and security in online communications. You will probably have heard about this in the news on many occasions. Runbox is very certain of what it does with the personal details of its members, and Norwegian law makes it illegal for us to share that information with anyone without a Norwegian court order.

Like some of our members, we have become uncomfortable with us sharing even anonymous information with other services. Therefore, we have taken the decision to remove Google Analytics from our website. We also tried an open source alternative that recorded data only on our own servers. However, after various conversations both within the Runbox team and with some members, we felt we needed to move away from tracking that uses code inserted into the web pages themselves.

How can I check that you have removed tracking cookies?

If you want to see what kind of tracking cookies are used on any website, you can download a free browser add-on such as Ghostery. This add-on shows you the cookies being used, and also allows you to block them.

Are you using any kind of cookies on your website?

Yes, we use session cookies when you log in so that you can use the webmail interface. These sorts of cookies are very common on websites where you need to log in to an account and mean that you only have to provide your details at the login page and not on each page you access. You can read more about why we use session cookies in our Privacy Policy. Session cookies are not tracking cookies and do not record information about which pages you visit on our website.

So are you collecting any kind of statistics?

Like any other responsible service our servers automatically log* each request in case something goes wrong. This anonymous information is considered essential information from an administration and technical point of view. Many would regard us as being irresponsible if we didn’t know something about what pages had been accessed on our own servers. No personal information is recorded in these logs. Anonymous statistics can be compiled from the logs, and when we do this we will use that information internally only. This information will be subject to the same rules as any personal information we have about members, and not shared with third parties.

A note about IP addresses

Some members tell us they are concerned that the IP (Internet Protocol) address assigned to them by their Internet Service Provider (ISP) could be used to find where they live. It is true that some IP addresses are arranged regionally by ISPs, and this might reveal some information about where the Internet connection that IP address is assigned to is located. If you are concerned that your IP address reveals too much information about you, then we suggest that you contact your ISP to find out if they are able to help you in any way. There are websites that can give you some idea about what geographical information your allocated IP address gives away about your Internet connection. Just do a search for “geoip”.

It is possible to use Virtual Private Network (VPN) services to get more privacy. These effectively give you an alternative IP address to the one given by your ISP, and this can even be in a different country to where you live. VPN connections like this work by providing a secure encrypted connection to a server in another location, and it is from this remote location that you access the rest of the Internet.

If I still have concerns what should I do?

If you still have questions about Runbox and how we ensure your privacy please get in touch with us by using our support website at https://support.runbox.com.

 

 * The word log is a shortening of log-book. A ship’s log-book was a record of its journey and was called this because a log would be thrown overboard with a rope attached, and the progress of the ship would be measured by the number of knots that would pass through the sailor’s hands in a given time.

Continue Reading →

Moving to Runbox 6

In order to improve the security of our email services have moved our front page to a new and upgraded server running Runbox 6 at https://runbox.com.

In preparation for this we have modified Runbox 6 to redirect Runbox 5 users to the corresponding server, if your account settings indicate that you have not yet upgraded to Runbox 6.

In other words, if you have been logging in at https://rmm6.runbox.com and have never clicked the “Switch to Runbox 6” button in Runbox 5, you will be redirected to Runbox 5.

To continue using Runbox 6, please click “Switch to Runbox 6” at the bottom of the folder list in Webmail.

Continue Reading →

Runbox not Accessible (routing problems outside our network)

Update 01-Sep-2013 0915 CEST: We believe the routing issue has now been resolved. If you know otherwise, please get in touch.
——–

A small number of our customers are reporting that they cannot access the Runbox servers via their Internet service provider.

It appears that there is a problem with one or more Internet service providers outside the Runbox network. Our network carrier Blix, along with carriers Cogent and Telia, are working to identify the problem but as yet there is no known cause and no estimated time for a solution.

If you are experiencing problems reaching the Runbox servers and wish to send us your IP address and a traceroute to www.runbox.com, please do as they are useful to the Internet providers trying to sort this out. To do this, enter “tracert runbox.com” in a Command Prompt window on Windows (or “traceroute runbox.com” in Terminal on OS X), and copy & paste the result into a support request via https://support.runbox.com.

We will post updates here when we know more.

Continue Reading →

Emails being rejected

UPDATE: As of midnight EST on August 25 this block appears to have been removed. We have yet to be told what caused it however.

Some members may find that emails they are sending are being rejected by some email services. The Runbox servers have been blacklisted for some reason by Proofpoint despite their own website saying there is no recent reason for doing so. We have contacted Proofpoint to find out why we are listed and to get our servers removed.

Addresses affected will vary but we are aware that Apple use Proofpoint on their @me.com, @mac.com and @icloud.com addresses and it seems a variety of educational organizations also use their list on email addresses ending in .edu

Rejected emails will usually include mention of Proofpoint in them, and this is how you will know if your emails are being affected by this.

We apologize for any inconvenience.

Continue Reading →