New IMAP servers deployed with Perfect Forward Secrecy

Our new IMAP servers were successfully deployed today after upgrading the new ZFS-based storage, which resolved an error that had previously caused problems. The technical details of this error can be found in the official bug report from the operating system distributor.

The combination of new, powerful IMAP servers and a modern, ZFS-based SAN (Storage Area Network) should significantly improve IMAP performance in the coming days and weeks as we move email accounts to the new storage unit.

Perfect Forward Secrecy support for IMAP

Additionally, the new IMAP servers support Perfect Forward Secrecy on SSL (encrypted) connections, which prevents an unlikely eavesdropper from decrypting the communication between client and server.

You do not have to change anything in your email client to enjoy these new technologies, but do let us know if you experience any problems.


[Resolved] “Heartbleed” SSL vulnerability

On April 8, it was revealed in the media that a vulnerability in the internet encryption standard OpenSSL had been discovered. This vulnerability could potentially allow someone to access additional parts of the memory of servers protected by the OpenSSL software.

As stated in the OpenSSL Security Advisory:

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

This could potentially compromise sensitive data such as the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of users, and actual content.

Runbox’ servers are secured

Runbox immediately upgraded our installations of OpenSSL on April 8 upon learning about this vulnerability. We have also reissued and reinstalled all our SSL certificates for our Web, POP, IMAP, and SMTP services.

Additionally, Runbox web services already support Perfect Forward Secrecy, which issues unique SSL key pairs for each connection. This prevents an unlikely eavesdropper from retroactively decrypting communications between server and client even if they managed to get the private key.

What you can do

We have no indications that any information has leaked from our systems, and our assessment is that the risk of such leaks is very small. Client computers and software are not affected by this vulnerability.

However, we recommend that you change your Runbox password to be entirely certain that no one else can access your account. It’s a good idea to change your password regularly, and use different passwords for different services. Please see Tips for choosing and protecting passwords for some useful rules about password generation and usage.

More information about Heartbleed from the security company Codenomicon is available at http://heartbleed.com/.


Extended Validation SSL certificate installed

In order to further increase the security of our services we have now installed an Extended Validation SSL certificate on our main website https://runbox.com.

The certificate is issued by the WebTrust certified certificate authority GlobalSign and verifies that Runbox Solutions AS owns and operates the website and domain name runbox.com.

What is Extended Validation SSL?

The Extended Validation SSL (Secure Sockets Layer) certificate provides the strong encryption included with regular certificates, and additionally validates our company’s identity by showing our company name and country code in green to the left of the browser address bar:

[Image: runbox.com EV SSL]

Extended Validation certificates are only issued after rigorous vetting to verify the legal identity and physical presence of the website owner, establish their exclusive control over the domain name, and confirm the identity and authority of the individuals acting for the website owner.

This Extended Validation certificate also covers https://secure.runbox.com and https://www.runbox.com. Other runbox.com subdomains are still using a regular SSL certificate, which has the same encryption level but not the “green bar” identity validation.


Runbox now supports Forward Secrecy

In recent weeks there has been some discussion in news outlets about SSL/TLS, which is used by many websites to encrypt the data being transferred between web servers and web browsers.

Since it’s theoretically possible for outsiders to break such encryption, an increasing number of people are requesting improved encryption methods.

What is SSL/TLS?

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic methods used to secure communication on the Internet. By using pairs of private and public keys, the web server and the client can securely encrypt and decrypt the data being transferred between two parties.

When a web browser connects to a website protected with SSL or TLS (indicated by a padlock icon in the browser) it receives the public key from the server, which is then used to encrypt the subsequent communication. The data can only be decrypted using the private key, which resides on the server.

The problem with keys

However, if someone was able to break in and copy the private key from a server, they would theoretically be able to decrypt any communication to/from that server — provided that they were also able to eavesdrop on the communication.

The solution: Unique keys

To counter this it’s recently become possible to configure web servers to issue a unique key pair for every single connection, and immediately destroy the keys once the session is complete.

This method is called Forward Secrecy because it prevents anyone from retroactively breaking the encryption.
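
To check whether a connection actually uses such per-connection keys, for the web servers described here or for the IMAP servers in the first post, one can inspect the negotiated cipher suite. The following is an added example, not Runbox's own code; the function names and the example.test endpoints are constructed for illustration.

```python
import socket
import ssl

# OpenSSL cipher-name prefixes for authenticated ephemeral (EC)DH key exchange.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-")

def is_forward_secret(cipher_name: str, tls_version: str) -> bool:
    """Classify a negotiated suite by its key exchange."""
    if tls_version == "TLSv1.3":
        # TLS 1.3 suite names (TLS_AES_...) omit the key exchange;
        # every full TLS 1.3 handshake uses ephemeral (EC)DHE.
        return True
    # Names without these prefixes (e.g. AES256-SHA) use static RSA key
    # transport, so a stolen server key decrypts recorded sessions.
    return cipher_name.startswith(EPHEMERAL_PREFIXES)

def negotiated_suite(host: str, port: int, timeout: float = 10.0):
    """Connect with implicit TLS (443 for HTTPS, 993 for IMAPS) and
    return (cipher_name, tls_version) as negotiated with the server."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()[0], tls.version()

def audit(observations):
    """Map each endpoint to a verdict for (endpoint, cipher, version) tuples."""
    return {
        endpoint: ("forward-secret" if is_forward_secret(cipher, version)
                   else "static key exchange")
        for endpoint, cipher, version in observations
    }

# Constructed sample observations (not measurements of any real server).
SAMPLE = [
    ("mail.example.test:993", "ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2"),
    ("www.example.test:443", "TLS_AES_256_GCM_SHA384", "TLSv1.3"),
    ("legacy.example.test:443", "AES256-SHA", "TLSv1.2"),
    ("old.example.test:993", "DHE-RSA-AES128-SHA", "TLSv1"),
]

if __name__ == "__main__":
    for endpoint, verdict in audit(SAMPLE).items():
        print(f"{endpoint}: {verdict}")
```

For a live check, pass the result of negotiated_suite(host, port) to is_forward_secret; the client only learns the one suite the server selected from the client's own offer, so it does not prove that non-forward-secret suites are disabled on the server.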

Forward Secrecy on Runbox

Runbox has now implemented Forward Secrecy in order to further improve the security and privacy of our services. It’s now virtually impossible to eavesdrop on the data being transmitted between your web browser and Runbox’ web servers — and you don’t have to do anything in order to enjoy this new level of security.

For those who are interested in the technical details, here is an analysis of the security provided by https://runbox.com, which is now our main address:

https://www.ssllabs.com/ssltest/analyze.html?d=runbox.com
