Security

How To Use Email Securely

November 1st, 2016  |  Published in Commentary, Security

Much has been said and written in the media recently regarding email, and here at Runbox we’d like to take the opportunity to help make it all a bit more understandable.

What is email, anyway?

Email, or electronic mail, is the most common method of exchanging digital messages.

It is easily the most flexible online messaging service available, because it lets users send and receive unlimited text, multimedia, and other files to anyone with an email address anywhere in the world.

Email was invented in the 1960s and is still one of the most popular services currently available via the Internet, with over 90% of US Internet users actively using email.

How does email work?

Email systems consist of computers and devices that are connected via the Internet. These computers and devices can be servers that process and store electronic mail, or clients such as laptops and smartphones that are used to send and receive email.

Email clients and server Email clients connected to a server

When someone sends an email, the message is transferred from his or her device to a server that processes the message.

Based on the recipient email address, the server finds out where to send the message next.

This is usually to another server associated with the recipient’s address, and often via a number of other servers that act as dispatchers.

There are many different types of email software that can send, receive, and store email. If you use a computer or a smartphone, you might be familiar with software such as Outlook, Apple Mail, or Thunderbird.

Where is my email actually stored?

Because the volume of email is so large, email clients typically let servers store all the email that is received and sent and only download messages when they are opened.

This is very convenient because the server can then do resource intensive things like filtering out spam and viruses, and other kinds of sorting and processing.

Another important reason for keeping emails stored on a server is that it lets more than one client access the same messages.

For instance, you can set up your laptop, your tablet, and your smartphone to access all the email that is stored in your account on the server. You can also use a webmail in your web browser, which essentially works as an email client.

This means that your email will be synchronized across all your devices, without you having to do anything manually.

You can read more about how this works in our Help article Using an Email Client with IMAP.

How can I be sure that no one else can access my email?

When you sign up for an email account, you select a username and a password that only you know. This ensures that only you can access the email that is stored in your account on the server.

As you can imagine, it is important that you choose a strong password to make sure that no one else can guess it. It’s also important to be aware of scams that may try to trick you into revealing information that could let someone gain access to your account.

End-To-End Encryption

End-To-End Encryption

However, to be certain no one can read your email even if they were to gain access to it, you can use encryption.

Email encryption can protect your messages all the way from your device to the recipient’s, by encoding them in such a way that it’s virtually impossible for someone unauthorized to unscramble them.

You can read more about this in our Blog post Email Encryption with Runbox and our Help article Encrypting Your Runbox Email.

We hope this article helped clarify what email is, how it works, and how to use it securely. For a more in-depth article, please see How Email Works.

Tags: , ,

Hardened web server security

March 31st, 2016  |  Published in News, Security

We have recently hardened our web server security, giving Runbox an A+ rating on securityheaders.io — in addition to our existing A+ rating on ssllabs.com.

The policies we have implemented are the following:

X-Frame-Options: Tells the browser that we don’t allow the Runbox web site to be framed (included) by other web sites, which defends against attacks like click-jacking.

HTTP Strict Transport Security: Strengthens our implementation of Transport Layer Security (TLS) by making the browser enforce the use of encrypted communication (HTTPS).

Content Security Policy: Protects our web site from Cross-Site Scripting (XSS) attacks.

HTTP Public Key Pinning: Protects us from from Man-in-the-Middle attacks by making sure the TLS certificates used by the browsers are the ones implemented on our servers.

X-XSS-Protection: Sets the configuration for the cross-site scripting filters built into most browsers.

X-Content-Type-Options: Forces browsers to use the declared file content type instead of trying to be too clever, which helps to reduce the danger of drive-by downloads.

These changes will help ensure that your use of Runbox is as safe and secure as possible, and we will continue making security-related improvements in the future.

Tags: ,

TLS Upgraded for Incoming Email

February 12th, 2016  |  Published in News, Security

Today we have upgraded the TLS (Transport Layer Security) of our incoming email servers to support version 1.2, which is the most recent. This means that when email is sent to Runbox from other services, the highest level of encryption will be used if the other service supports it.

This also means that all communication between your email program and Runbox now uses TLS 1.2 (if supported by your email program).

 

Tags: ,

Phishing message alert 2015.09.02

September 2nd, 2015  |  Published in Security, Status

If you receive messages with the subject “ATTN: RUNBOX ACCOUNT USER” that appears to have been sent from “RUNBOX HELPDESK“, please delete them.

We are deleting all the instances of these messages we can find on the Runbox servers, but we might miss some.

These messages are not sent from Runbox staff and are an attempt to trick Runbox customers into entering their login information at malicious websites.

For more information about phishing, please see the Phishing section of this article.

Tags:

Phishing message alert

June 20th, 2015  |  Published in Security, Status

If you receive messages with the subject “Pending message” that appears to have been sent from “Runbox Admin” <cusdept@nullrunbox.com>

or

Subject “Account Update” that appears to come from “MEMBERSHIP SERVICE” <membership@nullrbox.com>, please delete them.

We are deleting all the instances of these messages we can find on the Runbox servers, but we might miss some.

These messages are not sent from Runbox staff and are an attempt to trick Runbox customers into entering their login information at malicious websites.

For more information about phishing, please see the Phishing section of this article.

Domains and Privacy

May 22nd, 2015  |  Published in News, Security

From time to time we get asked why Runbox uses runbox.com as our primary email domain rather than our runbox.no domain.

The reason we are asked this is because some people assume that by using a .com domain all the Internet traffic to and from our servers is routed via the Unites States, and could be subject to US government eavesdropping.

Read the rest of this entry »

Outlook for iOS – Privacy Issues

May 6th, 2015  |  Published in News, Security

Email Apps and Privacy

Back in May 2014 we reported on our investigations in to two smartphone/tablet apps that had been launched. We were worried to find that the apps did not use our outgoing SMTP servers directly, and instead sent email through non-Runbox servers. This made for much easier set up of accounts, but we didn’t like that it wasn’t obvious to the user what was going on.

Those apps were myMail and Evomail (the later is no longer available).

Outlook and Privacy

Outlook now has IMAP compatibility and is able to work with Runbox accounts, however, like myMail and Evomail it doesn’t connect directly to the Runbox SMTP servers for outgoing mail. In fact, we don’t know if it retrieves email directly from our servers either. We do know that it stores some details of your account on servers that are part of Amazon Web Services.

If this doesn’t bother you, then that’s fine as Outlook is turning in to a nice email app that sits nicely alongside the other Microsoft offerings for iOS and Android.

Using Email Apps that Connect Directly to the Runbox Service

We believe that for maximum security and privacy email apps should be connecting directly to the Runbox service and not connecting via other servers, or storing account details anywhere other than in the app on the device.

Usually if you have to enter the server details for incoming and outgoing mail then the app is likely to connect to those services directly. If you have any doubts about an app, please get in touch with Runbox Support and we will investigate how it behaves.

SSLv3 disabled on POP connections

January 8th, 2015  |  Published in Security, Status

For security reasons we have turned off SSLv3 on POP connections (port 995) today. That means we now only allow TLS 1.0, TLS 1.1 and TLS 1.2 on POP connections.

As a Runbox user you should not have to do anything — your email program should already support TLS and use it automatically. If not, please make sure your email program is up-to-date.

Apple Mail users: Please see our notice regarding APOP.

If you do experience any problems, please contact Runbox Support.

Tags:

Email Encryption with Runbox

July 18th, 2014  |  Published in Security

There has been much talk in the media recently about using email encryption to avoid surveillance and monitoring. In this article we help you understand what email encryption is, how it works, and the options that are available to you as a Runbox customer.

Summary of this Article

  • Email communication involves at least a sending email client, a sending email server, a receiving email server, and a receiving email client.
  • Email communication between client and server is typically encrypted using basic encryption methods such as TLS or SSL.
  • In addition to this, you can use end-to-end encryption with any email service — and we show you how to use encryption with Runbox.

First, the Basics

Email Communication

Email Communication
The client establishes a connection with the sending server, which passes the message on to the receiving server from which the recipient downloads the message.

In order to understand how email encryption works, we need to cover the basics of email communication. Don’t worry, we’ll keep it non-technical and it’s pretty simple.

To send an email to someone, 4 things are usually needed (in addition to the Internet itself):

  1. A sending email client such as Outlook, Apple Mail, and Thunderbird.
    An email client is a program or app, which is running on a computer, tablet, or smart phone. When you use a webmail service such as Runbox Webmail, your browser acts as the email client. Whatever it’s called, it’s the program you use to write your email messages.
  2. A sending email server such as Runbox.
    When you use Runbox your email client connects to our servers, which takes care of figuring out where on the Internet the recipient is located. More correctly, it looks up the domain name part of the recipient’s email address and connects to the servers responsible for that domain name.
  3. A receiving email server such as Gmail.
    The receiving email server accepts the message and stores it until the recipient downloads it to her email client.
  4. A receiving email client such as Outlook, Apple Mail, and Thunderbird.
    Similar to the sending email client, the recipient uses an email program to send and receive email. The email client regularly connects to the receiving email server to check for new email, and usually keeps a copy of the messages on the server so that they are available to other devices the recipient may be using.

Standard Email Encryption

Encrypted Communication

Encrypted Communication
The server presents a valid SSL/TLS certificate and the encrypted connection is indicated by a padlock and green bar in the browser.

The email communication between the client and server (#1 and #2 above) is already encrypted by default if you are using the recommended settings. When using Runbox Webmail encryption is always enabled, which you can tell by the padlock in the address bar and the web address starting with “https” (where the “s” stands for secure).

This type of encryption is called Transport Layer Security or TLS for short (which has succeeded Secure Sockets Layer, SSL) and protects your data from being eavesdropped on its way from your email client to our servers.

After accepting the message for relay, the Runbox outbound email server then looks up the email service responsible for the recipient’s domain name and connects to one of their servers. Runbox always attempts to establish an encrypted connection using TLS, but many services do not support such connections yet.

After connecting to the receiving server (#3 above), Runbox hands over the message for further processing.

The final step (#4 above) between the receiving email server and the recipient is usually encrypted, but it depends on the encryption support of the receiving email service’s servers and the settings in the recipient’s email client. More details: Secure Transfer of Email

Why this type of encryption isn’t sufficient

In other words, there is no way of knowing whether the communication is actually encrypted all the way from you to the recipient. Although some email services provide encrypted email storage, this doesn’t resolve the problem of unencrypted connections further down the message’s path.

In the event that someone was able to eavesdrop on communication encrypted using SSL/TLS, they would in principle not be able to decrypt the contents without somehow accessing the private encryption key which is only stored on the provider’s servers (unless Perfect Forward Secrecy was implemented, which is the case with Runbox).

However, this type of encryption is still theoretically vulnerable to surveillance because the encryption standards used have been developed in cooperation with US intelligence agencies, although any such weakening has been denied by NIST (National Institute of Standards and Technology).

End-to-end encryption of email

End-To-End Encryption

End-To-End Encryption
Sender and recipient have exchanged encryption keys and the communication is encrypted from end to end, in addition to the SSL/TLS encryption which is attempted established by the sending server.

The best solution available is to add another layer of encryption on the email communication all the way from sender to recipient. This is called end-to-end encryption and is already available for use with virtually any email service or provider.

When using end-to-end encryption, the contents of messages will be unreadable to a potential eavesdropper all the way from sender to recipient. It is of course always important that the two parties take great caution to secure their computers or devices to prevent them from being compromised.

Note that the metadata (sender and recipient addresses, subject line, timestamp, etc) of email messages is always unencrypted in order for the message to be routed to its recipient.

There are two main email encryption standards available: PGP and S/MIME. This may look cryptographic in itself, but we will explain both of them. Runbox supports both standards, which can be used with an email client or with Runbox Webmail.

See Encrypting Your Runbox Email for an overview of email clients and their encryption support.

PGP: Pretty Good Privacy

Despite the name, PGP is considered to be cryptographically very strong and is probably the most popular email encryption standard today.

PGP is the easiest encryption standard to get started with because it doesn’t involve anyone but the sender and recipient of a message. It is based on a “web of trust” because it only involves the sender and recipient and assumes that they trust each other.

  • Both parties must have a PGP enabled email client or webmail service.
  • The sender must have generated a private/public encryption key pair using software that is downloaded and installed locally.
  • The recipient must have downloaded the sender’s public key, because the recipient’s public key is used by the sender to encrypt the message. The recipient’s private key is used to decrypt the message.
  • Can be used with webmail services with a web browser.

To get started, see our Encrypting and Securing Email Using OpenPGP help page.

S/MIME: Secure/Multipurpose Internet Mail Extensions

S/MIME is a standard being adopted by the IETF (Internet Engineering Task Force) and requires some more preparation on the part of the email user.

  • S/MIME functionality is built into most major email client programs.
  • Both parties must have an S/MIME enabled email client.
  • A certificate must be obtained from a Certificate Authority and installed in the sender’s email client.
  • Is based on a “chain of trust” because the Certificate Authority validates the sender’s identity and makes the public key available to others.
  • Is not suitable for use with webmail services using a web browser.

We hope this article helped you understand how email encryption works and how to get started using it. And as always, please contact us if you have any questions.

Tags:

New IMAP servers deployed with Perfect Forward Secrecy

April 11th, 2014  |  Published in News, Security

Our new IMAP servers were successfully deployed today after upgrading the new ZFS based storage, which resolved an error that had previously caused problems. The technical details of this error can be found in the official bug report from the operating system distributor.

The combination of new, powerful IMAP servers and a modern, ZFS based SAN (Storage Area Network) should significantly improve IMAP performance in the coming days and weeks as we move email accounts to the new storage unit.

Perfect Forward Secrecy support for IMAP

Additionally, the new IMAP servers support Perfect Forward Secrecy on SSL (encrypted) connections, which prevents an unlikely eavesdropper to decrypt the communication between client and server.

You do not have to change anything in your email client to enjoy these new technologies, but do let us know if you experience any problems.

Tags: ,