SSLv3 disabled on POP connections

For security reasons we have turned off SSLv3 on POP connections (port 995) today. That means we now only allow TLS 1.0, TLS 1.1 and TLS 1.2 on POP connections.

As a Runbox user you should not have to do anything — your email program should already support TLS and use it automatically. If not, please make sure your email program is up-to-date.

Apple Mail users: Please see our notice regarding APOP.

If you do experience any problems, please contact Runbox Support.
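Which clients are affected by this change can be read from the version field of the ClientHello each one sends. The following Python sketch is an added example, not Runbox's code: the function names and the sample handshake bytes are constructed for illustration, and it assumes the TLS 1.2-and-earlier ClientHello layout.

```python
import struct

# Versions the POP server accepts after the change described above.
ALLOWED = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
NAMES = {(2, 0): "SSLv2", (3, 0): "SSLv3", **ALLOWED}


def client_max_version(data: bytes) -> tuple:
    """Return (major, minor) of the highest version a ClientHello offers."""
    if len(data) < 5:
        raise ValueError("truncated record")
    if data[0] & 0x80:
        # SSLv2-compatible hello, still sent by some old clients:
        # 2-byte length with the high bit set, message type 1, then version.
        if data[2] != 0x01:
            raise ValueError("not a ClientHello")
        return data[3], data[4]
    if data[0] != 0x16:
        raise ValueError("not a handshake record")
    (rec_len,) = struct.unpack("!H", data[3:5])
    body = data[5:5 + rec_len]
    if len(body) < 6 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    # The record-layer version in data[1:3] is only a compatibility hint;
    # the client's real maximum is client_version inside the handshake body
    # (body[1:4] is the handshake length, body[4:6] the version).
    return body[4], body[5]


def policy_verdict(data: bytes) -> tuple:
    """Return (accepted, protocol name) under the TLS 1.0-1.2 policy."""
    offered = client_max_version(data)
    if offered < (3, 1):
        # Client cannot go higher than SSLv3, so the handshake is refused.
        return False, NAMES.get(offered, "unknown")
    # Server picks the highest version both sides support.
    return True, ALLOWED[min(offered, (3, 3))]


def build_client_hello(major: int, minor: int) -> bytes:
    """Constructed sample: a minimal ClientHello offering one cipher suite."""
    hello = bytes([major, minor]) + bytes(32)   # client_version + random
    hello += b"\x00"                            # empty session id
    hello += b"\x00\x02\x00\x2f"                # TLS_RSA_WITH_AES_128_CBC_SHA
    hello += b"\x01\x00"                        # null compression only
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    record_version = bytes([3, min(minor, 1)])  # typical compatibility value
    return b"\x16" + record_version + struct.pack("!H", len(handshake)) + handshake


# Constructed sample: SSLv2-format hello announcing SSLv3 as its maximum.
SSLV2_COMPAT_HELLO = (
    b"\x80\x1c\x01\x03\x00"      # length 28, ClientHello, version 3.0
    b"\x00\x03\x00\x00\x00\x10"  # cipher spec, session id, challenge lengths
    b"\x00\x00\x2f" + bytes(16)  # one cipher spec and a 16-byte challenge
)

if __name__ == "__main__":
    samples = {
        "old client": build_client_hello(3, 0),
        "TLS 1.0 client": build_client_hello(3, 1),
        "current client": build_client_hello(3, 3),
        "SSLv2-format hello": SSLV2_COMPAT_HELLO,
    }
    for label, raw in samples.items():
        accepted, name = policy_verdict(raw)
        print(f"{label}: {'accepted' if accepted else 'rejected'} ({name})")
```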


Special Holiday/New Year offer from Runbox

To celebrate a great year and to further the cause of secure and private communication, we would like to give all our customers:

A free Sub-Account for one year
…if you subscribe or renew your main account by Jan 15th!

A Runbox account is a great gift to someone you know who cares about secure and private communication — and of course a fully featured, professional email service.

Just proceed to payment now to get your free sub-account!

And make sure you lock in our current great prices by taking advantage of our 3 years for the price of 2 offer on the Medium subscription plan!

Please contact us after you have completed your payment to let us know you want to take advantage of this offer so that we can add the sub-account slot to your main account.

You will then be able to set up the sub-account by going to Account > Sub-Accounts.

Note that whenever you renew your main account the additional time will simply be added to the end of your subscription, so you won’t lose any subscription time by renewing early.

Happy Holidays from everyone at Runbox, with our best wishes for the new year!

Terms of this offer:

  • The free sub-account will be of the same type as your main subscription (Micro, Mini, Medium, or Max).
  • The offer is for an additional free account and cannot be used to renew an existing sub-account.
  • The offer can be combined with the 2 years for the price of 1 offer upon subscribing to a new main account within 24 hours of signing up, and the 3 years for the price of 2 years offer which is available to everyone.


Projects in the pipeline 2015

We have worked hard on upgrading our email server park to accommodate all our new customers — and things will only get better: Based on our recent success, our shareholders decided to invest fresh capital to start several new projects that will take Runbox to the next level.

To boost IMAP performance and improve the experience especially for iPhone and iPad users we will soon deploy new Dovecot-based IMAP software.

We have started implementing an SSD (Solid-state Drive) based storage strategy to dramatically improve the performance of our email storage units. SSDs are up to 100 times faster than regular, rotating disks, so this will improve the speed of our IMAP services.

We are also expanding our server park with new servers and upgrades to continue improving reliability and overall performance.

Projects planned for 2015

We will continue working hard to ensure the privacy and security of your data, and have the following projects lined up for next year:

  • Implementation of two-factor authentication for improved login security.
  • Integration of PGP email encryption with our Webmail in order to make PGP easier to use with Runbox (note that you can already use PGP in your email client).
  • Improvements and upgrades to our spam servers and software to keep up with the ever-present spam challenge.
  • Implementation of a CalDAV server for calendar synchronization.

We look forward to continuing to provide great email services in the year to come.


New Webmail design: Runbox Aero

2014 has been an exciting year for Runbox and we’ve seen a substantial increase in popularity and growth. This has really boosted our progress — we now have several major upgrades in the pipeline, and we are very happy to be launching a new Webmail design!

We’ve called the new design Runbox Aero because it’s lighter, airier, and simpler — and it makes using email a breeze!

Runbox Aero is inspired by modern, state-of-the-art design, and we have listened carefully to feedback from you in order to make it both aesthetically pleasing and user-friendly.

You can try the new design now by going to Webmail > Preferences and selecting Runbox Aero from the drop-down menu. Make sure you click Save Settings afterwards!

You will quickly notice some of the improvements, but the following changes are worth mentioning:

Modernized look

  • The font face has been replaced with a larger, lighter, and more modern font. A bolder font face is available in an alternative design.
  • The header has been shrunk to make more room for your email.
  • All the icons have been redesigned and optimized for retina (high resolution) displays.
  • All buttons have been enlarged and are now dark blue to make them easier to see.

Better menu navigation

  • The sub-menus have been enlarged to make them easier to navigate.
  • The Compose button has been moved to the far left and made more prominent.
  • The Folder Management button has been removed — just click Folders at the top of the folder list or the Folder Management link underneath it to access the Folders screen.
  • The Read, Unread, Flag, and Unflag buttons can now be accessed by hovering the cursor over the new Mark button.

Simplified Compose screen

  • The Compose screen has been simplified to only show the most important fields. To see the BCC, Attachments, Tags, and Nicknames fields, just click “Show all fields”.

We hope you like the new design, and please let us know if you have any comments or suggestions!


Upgrading Runbox 5 Customers

Today we have upgraded the remaining Runbox 5 users to the latest version of the Runbox webmail interface. We introduced Runbox 6 in January 2013 and gradually most of our customers have moved over to this.

This latest interface has a number of new features, and is built on programming that is more stable and allows us to add new features more easily.

You can read more about the features in the original blog post about Runbox 6.

The change to the latest webmail version also allows those customers previously using Runbox 5 to access the new webmail design called Runbox Aero. This is a modern and more user-friendly design, with graphics that are compatible with the newer high resolution screens featured on laptop and desktop computers.

If you have any questions about this change, please get in touch with us at Runbox Support or email support@runbox.com.


Migration from bigdog.runbox.net

We’d like to let you know that we’ll migrate all Runbox Web Hosting accounts currently residing on bigdog.runbox.net on:

Sunday, 28th and Monday 29th of December 2014

The accounts will be moved to a new server named host02.runbox.net, with better performance and increased reliability.

Please continue reading for important information about how this affects your website.

NEW SERVER: host02.runbox.net

Our new US based web hosting server Host02 is equipped with a Xeon E5 processor, 48 GB memory, and 2 * 500 GB SSD (Solid-State Drive) for super fast response times. Performance monitoring and backup of stored data is of course included.

Note: Runbox also offers Norwegian web hosting — please contact us for more information.

Upgraded software packages

This migration will also include some software upgrades:

  • MySQL will be upgraded from MySQL 5.0.96 to Percona Server 5.5.37.
  • Default PHP version will be upgraded from 5.3.15 to 5.5.16.

CHANGE OF IP ADDRESS FOR YOUR DOMAIN

When we migrate to the new server, all accounts must change their DNS (Domain Name System) record to point their domain to the new server’s IP address.

You either have your domain’s DNS records hosted on Runbox’ servers or with an external domain registrar. If you don’t know where your DNS is hosted you can look it up for instance at http://intodns.com

  • If the Name Server field is ns1.runbox.net and ns2.runbox.net, your DNS is hosted with Runbox.
    If you have DNS hosted with Runbox, you don’t have to do anything as we will update your DNS settings to point to the new server’s IP address.
  • If you are using an external DNS service such as GoDaddy or Enom, the IPs your domain(s) are resolving to won’t auto-update. You will have to manually change all occurrences of the old IP address 209.217.235.179 to the new IP address: 69.73.177.202.

DOWNTIME DURING MIGRATION

During the account migration and for up to a few hours, your domain name might still be pointing to the old server because it takes time for the DNS updates to propagate through the Internet. This depends on your domain’s DNS settings and the ISP you’re using.

Accessing your account during migration

Once the migration of the data in your account has been performed, and before the new DNS settings have propagated, you may see a page on your website noting that ‘This account has been moved.’ Don’t fret! You can access your cPanel and your files immediately on the new server by going to https://host02.runbox.net/cpanel and logging in with your Web Hosting username.

If you use an FTP client to manage your files on the server and you’re using bigdog.runbox.net as FTP host instead of your domain name, you will have to change to host02.runbox.net after migration.

If you have a dedicated IP address, you can also find the new IP address for your domain by logging in to https://host02.runbox.net/cpanel.

If you want to contact us about this migration, please open a support ticket here https://support.runbox.com or use the contact form: https://runbox.com/contact/

UPDATE 31.12.2014 18:15 CET: The migration is taking longer than expected due to the large number of accounts. The sysadmins are working as quickly as possible, but note that there might be some downtime for your website during this process.

UPDATE 01.01.2015 12:00 CET: The migration has completed and all websites should be running normally again. The new server is performing very well with plenty of capacity to spare, so all websites should be responding quickly and reliably.


Scheduled network maintenance

Due to network maintenance there will be some periods of downtime on 2014-10-06, between 00:01 and 07:59 CET.

This maintenance will require rebooting routers, which will cause about 10 minutes of downtime for each router.

We apologize for any inconvenience caused.


Why Runbox being in Norway is important

We are emphasizing Runbox’ location in Norway as something that is important to you as an email user, and you may wonder why. This article will explain it all.

Summary

  • All your Runbox email is privacy protected because our servers are located in Norway, and Runbox strictly adheres to the Norwegian privacy legislation.
  • Runbox protects your data against disclosure because the authorities must present a valid court order based on evidence of criminal activity to seize any data.
  • Any foreign nation requesting account information or contents has to send a formal request to Norwegian judicial authorities, and only with a Norwegian court order can any data be disclosed.
  • Norwegian authorities are not allowed to perform surveillance of data traffic without a court order.
  • Under Norwegian legislation, Runbox is not required to keep any traffic logs, and is permitted to delete your data if you ask us to.

Norwegian privacy legislation and regulations

First of all, Norway has enacted strong legislation regulating the collection, storage, and processing of personal data, mainly in The Personal Data Act (Lov om behandling av personopplysninger; Personopplysningsloven) and Regulations on the Processing of Personal Data (Forskrift om behandling av personopplysninger; Personopplysningsforskriften).

The first version of The Personal Data Act was implemented as early as 1978. This was a result of the pioneering work provided by the Department of Private Law at the University of Oslo, where one of the first academic teams within IT and privacy worldwide was established in 1970.

Additionally, the Norwegian Data Protection Authority (Datatilsynet), an independent authority, facilitates protection of individuals from violation of their right to privacy through processing of their personal data. It also verifies that statutes and regulations which apply to the processing of personal data are complied with, and that errors or deficiencies are rectified.

Any complaint against decisions made by The Data Protection Authority may be reported to The Privacy Tribunal (Personvernnemda), another independent authority, for decision.

The Norwegian Criminal Procedure Act (Lov om rettergangsmåten i straffesaker; Straffeloven, unofficial translation) is an important law governing the seizure of objects or data when a criminal act has been reported to the police. Section 211 states that mail may only be seized from an electronic communication service pursuant to a court order.

Another important law in this context is the Norwegian Penal Code (NPC, Almindelig borgelig straffelov; Straffeloven, unofficial translation) which states that it is illegal to access information systems or data without authorization (NPC §145), and this includes all employees in the public sector (NPC §116).

We must also mention Norwegian Law on Electronic Communications (Lov om elektronisk kommunikasjon; Ekomloven), which regulates telecommunications in Norway. This law contains rules for the interception of electronic communications and for the duration of storage of personal data.

Because Runbox is similar to an Internet service provider and not a telecommunications company, Runbox is NOT affected by this law. This means that Runbox for instance is permitted to delete your email data upon your request at any time, and that we are not required to store any traffic logs.

The bottom line is that a request from Norwegian police authorities to disclose data from any Runbox account will be rejected by Runbox unless a Norwegian court has decided otherwise.

What does compliance with Norwegian privacy laws mean?

So what does Runbox’ compliance with Norwegian laws mean regarding your personal data when using Runbox, and the content of your emails stored on our servers?

Runbox does not collect any data about you except what is necessary to provide you with our services. This is in accordance with our Terms of Service and Privacy Policy, which is compliant with The Personal Data Act §8. This paragraph states that personal details can only be collected and processed with consent from the registrant.

Similarly important is §11, stating that personal data must not be used for purposes inconsistent with the initial purpose of collection except with consent from the user.

Only if presented with a court ordered seizure pursuant to the Norwegian Criminal Procedure Act may Runbox be forced to disclose information to The Norwegian Police Service. It is therefore an absolute prerequisite that a crime has been committed.

What about requests from authorities outside Norway?

A request from foreign authorities or agencies regarding Runbox account details or user data has a long way to go before it reaches Runbox:

It will in general start with a legal request (letter rogatory) submitted through diplomatic channels to the Norwegian Ministry of Foreign Affairs, who sends it to the Attorney General at the Norwegian Office of the Prime Minister, who will, if appropriate, forward the request to the Ministry of Justice and Public Security who in turn sends it to the appropriate police unit, for example the National Criminal Investigation Service, Norway (Den nasjonale enhet for bekjempelse av organisert og annen alvorlig kriminalitet; Kripos) or The Norwegian Police Security Service (Politiets sikkerhetstjeneste; PST) for independent investigation. All requests will of course be evaluated with regards to Norwegian laws and regulations.

The Norwegian police authorities may then present Runbox with a subpoena, which will be rejected by Runbox as a matter of principle. The case may then be submitted to a Norwegian court, and an attorney will be appointed to represent the account owner. If the court finds that there is evidence or probable cause for suspicion of criminal activity on the part of the account owner, Runbox may be presented with a court order requesting us to disclose the requested information.

Norway has entered into agreements with some foreign nations to cooperate in criminal matters regarding disclosure of objects and data, which may simplify the procedure above:

Through the European Convention on Mutual Assistance in Criminal Matters requests go directly to the Ministry of Justice and Public Security, through the Schengen Agreement requests go to the public prosecutor in Norway, and between Nordic countries, requests go to central or local police (district chiefs of police). Requests from Canada and Thailand go directly to the Ministry of Justice and Public Security.

All other nations, the United States included, have to follow the general rule outlined above: Requests must be sent through diplomatic channels to the Norwegian Ministry of Foreign Affairs. The agreement between Norway and the United States (and Australia) is about extradition of criminals only, not about assistance in “ordinary” legal matters.

Since Runbox Solutions was founded in 2011 we have received 0 court orders for disclosure of account details or user data. We have received 3 requests directly from attorneys in the United States, all of which have been rejected outright.

What about surveillance…

According to the laws mentioned above, the Norwegian police authorities cannot execute communication control, for instance surveillance of electronic messages, without a valid court order. An independent tribunal, the Control Committee for Wiretapping (Kontrollutvalget for kommunikasjonskontroll), is established to verify that the police’s use of wiretapping occurs within the framework of the law and that the use of such methods is as limited as possible.

This means that no surveillance of traffic to or from Runbox can occur unless a valid court order is presented. However, the regulation that governs wiretapping (Forskrift om kommunikasjonskontroll; Kommunikasjonskontrollforskriften) and the Control Committee for Wiretapping do not pertain to intelligence, which is the domain of The Norwegian Parliamentary Intelligence Oversight Committee (Stortingets kontrollutvalg for etterretnings-, overvåkings- og sikkerhetstjeneste), see below.

…and intelligence?

Let us examine the various Norwegian intelligence agencies and their mandates:

The Norwegian Intelligence Service (Etterretningstjenesten) is a body established in order to survey and monitor civil and military activities outside Norway. This body is not authorized to survey or collect information about Norwegian natural or legal persons, which includes companies. For that reason, Runbox is beyond the authority of this agency.

The Norwegian Police Security Service (Politiets sikkerhetstjeneste; PST) do NOT have any legal rights beyond The Norwegian Police Service, which is discussed above.

The Norwegian Defence Security Department (Forsvarets sikkerhetsavdeling, FSA) applies to military institutions only, and is not relevant for Runbox customers at all.

The National Security Authority (Nasjonal sikkerhetsmyndighet, NSM) is established to control governmental and civil institutions regarding security, and because Runbox does not provide services to such institutions, this authority is not relevant to Runbox or our customers.

The Joint Counter-terrorism Center (Felles kontraterrorsenter, FKTS) is a recently established department within PST staffed with people from PST and Etterretningstjenesten. FKTS is a cooperation agency sharing information and analyzing terror threats against Norway. FKTS is subject to the laws and regulations governing the activities of The Norwegian Police Security Service and the Norwegian Intelligence Service.

In order to monitor these agencies and ensure they are acting in accordance with laws and regulations, the Norwegian Parliament has established The Norwegian Parliamentary Intelligence Oversight Committee (Stortingets kontrollutvalg for etterretnings-, overvåkings- og sikkerhetstjeneste), and Control Committee for Wiretapping (Kontrollutvalget for kommunikasjonskontroll). Their mandate is to ensure that the police’s use of wiretapping is in accordance with the law and is as limited as possible.

What is the conclusion of all this?

All your Runbox email stored on our servers is safe because Runbox is located in Norway. Runbox strictly adheres to the Norwegian Personal Data Act and the Norwegian Criminal Procedure Act, which is the main legislation governing our operations. This fact, along with our ethics, prevents us from doing anything unauthorized with your data.

Specifically, Runbox protects your data against disclosure requested by the authorities because they must present a valid court order to seize any data. Such a court order is difficult to obtain, because it must be based on evidence of criminal activity related to the account owner.

Norwegian authorities are not allowed to perform surveillance of data traffic without a valid court order. Norway has established independent agencies to ensure that these agencies follow the laws and regulations under which they operate. In addition, Norway is an open democracy with a critical and investigative press which readily publicizes any suspicion of breached laws and regulations.

Any foreign nation asking for data has to send a formal request according to established protocols and strict rules. Any such legal request will be scrutinized by Norwegian judicial authorities, and only in cases where Norwegian law is breached could a request result in a court ordered seizure, which is necessary to obtain data from Runbox.

In short, no authority or agency can monitor Runbox’ data or traffic without a court order, which can only be issued on evidence of criminal activity in violation of Norwegian penal code.

Additional protection

Runbox customers automatically have an advantage by storing their email in Norway, and you can add another layer of protection by encrypting your communication with Runbox.

To protect your privacy even further, Runbox does NOT use Google Analytics or any other third-party tracking of our customers’ usage. We never use data or traffic information for any other purpose than anonymous statistics in order to improve our services and our system’s performance. Our service is absolutely ad-free, and we do not share or sell your personal details to anyone.

The combination of the strict Norwegian legal environment, our solid IT infrastructure, Runbox’ ethics and Privacy Policy, and the technology Runbox provides, means that Runbox provides a service that is uniquely private and secure.

For more information about the privacy and security of Runbox’ services, please see the following links — and feel free to contact us with any questions or concerns.


[Resolved] Email service network problems

We are currently experiencing problems with either our network or our firewall, and all Runbox email services are currently unavailable.

Our system administrators are working to correct the problem. Meanwhile, any incoming email will be queued on other servers for later delivery.

Our web and domain hosting services are not affected by this problem.

UPDATE 23:50 CET: A power strip inside a server rack had died, causing the firewall server to go down. We expect this to be resolved shortly.

UPDATE 23:51 CET: Problem has been resolved and email services are back online.


Email Encryption with Runbox

There has been much talk in the media recently about using email encryption to avoid surveillance and monitoring. In this article we help you understand what email encryption is, how it works, and the options that are available to you as a Runbox customer.

Summary of this Article

  • Email communication involves at least a sending email client, a sending email server, a receiving email server, and a receiving email client.
  • Email communication between client and server is typically encrypted using basic encryption methods such as TLS or SSL.
  • In addition to this, you can use end-to-end encryption with any email service — and we show you how to use encryption with Runbox.

First, the Basics

Email Communication
The client establishes a connection with the sending server, which passes the message on to the receiving server from which the recipient downloads the message.

In order to understand how email encryption works, we need to cover the basics of email communication. Don’t worry, we’ll keep it non-technical and it’s pretty simple.

To send an email to someone, 4 things are usually needed (in addition to the Internet itself):

  1. A sending email client such as Outlook, Apple Mail, and Thunderbird.
    An email client is a program or app, which is running on a computer, tablet, or smart phone. When you use a webmail service such as Runbox Webmail, your browser acts as the email client. Whatever it’s called, it’s the program you use to write your email messages.
  2. A sending email server such as Runbox.
    When you use Runbox your email client connects to our servers, which takes care of figuring out where on the Internet the recipient is located. More correctly, it looks up the domain name part of the recipient’s email address and connects to the servers responsible for that domain name.
  3. A receiving email server such as Gmail.
    The receiving email server accepts the message and stores it until the recipient downloads it to her email client.
  4. A receiving email client such as Outlook, Apple Mail, and Thunderbird.
    Similar to the sending email client, the recipient uses an email program to send and receive email. The email client regularly connects to the receiving email server to check for new email, and usually keeps a copy of the messages on the server so that they are available to other devices the recipient may be using.

Standard Email Encryption

Encrypted Communication
The server presents a valid SSL/TLS certificate and the encrypted connection is indicated by a padlock and green bar in the browser.

The email communication between the client and server (#1 and #2 above) is already encrypted by default if you are using the recommended settings. When using Runbox Webmail encryption is always enabled, which you can tell by the padlock in the address bar and the web address starting with “https” (where the “s” stands for secure).

This type of encryption is called Transport Layer Security or TLS for short (which has succeeded Secure Sockets Layer, SSL) and protects your data from being eavesdropped on its way from your email client to our servers.

After accepting the message for relay, the Runbox outbound email server then looks up the email service responsible for the recipient’s domain name and connects to one of their servers. Runbox always attempts to establish an encrypted connection using TLS, but many services do not support such connections yet.

After connecting to the receiving server (#3 above), Runbox hands over the message for further processing.

The final step (#4 above) between the receiving email server and the recipient is usually encrypted, but it depends on the encryption support of the receiving email service’s servers and the settings in the recipient’s email client. More details: Secure Transfer of Email

Why this type of encryption isn’t sufficient

In other words, there is no way of knowing whether the communication is actually encrypted all the way from you to the recipient. Although some email services provide encrypted email storage, this doesn’t resolve the problem of unencrypted connections further down the message’s path.
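What each relay recorded about its own leg of the journey can be read back, after delivery, from the `Received` headers of a message. The following Python sketch is an added example, not part of the original article: the message, host names and function names are constructed, and it relies on the RFC 3848 `with` keywords, which each server reports about itself and which the sender cannot see in advance.

```python
import email
import re

# RFC 3848 transmission types: an "S" in the keyword means TLS was used.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
PLAIN_PROTOCOLS = {"SMTP", "ESMTP", "ESMTPA", "LMTP", "LMTPA"}

# Constructed sample message; newest Received header is on top.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
    by store.example.net (Postfix) with LMTP id 4F1
    for <bob@example.net>; Mon, 05 Jan 2015 10:00:03 +0000
Received: from out.example.org (out.example.org [192.0.2.25])
    by mx.example.net (Postfix) with ESMTP id 9C2
    for <bob@example.net>; Mon, 05 Jan 2015 10:00:02 +0000
Received: from laptop (unknown [203.0.113.9])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    by out.example.org (Postfix) with ESMTPSA id 1A7
    for <bob@example.net>; Mon, 05 Jan 2015 10:00:01 +0000
From: alice@example.org
To: bob@example.net
Subject: constructed sample

Hello Bob
"""


def strip_comments(value: str) -> str:
    """Drop (possibly nested) parenthesised comments from a header value."""
    out, depth = [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def _clause(keyword: str, text: str):
    match = re.search(rf"\b{keyword}\s+(\S+)", text, re.IGNORECASE)
    return match.group(1) if match else None


def hops(raw_message: str) -> list:
    """Return (sender, receiver, protocol, tls) per hop, oldest hop first.

    tls is True or False when the keyword is known, None otherwise.
    """
    msg = email.message_from_string(raw_message)
    result = []
    for value in reversed(msg.get_all("Received", [])):
        # Unfold the header, then remove comments so that text such as
        # "with cipher ..." inside them is not mistaken for the protocol.
        text = strip_comments(" ".join(value.split()))
        proto = (_clause("with", text) or "").upper()
        if proto in TLS_PROTOCOLS:
            tls = True
        elif proto in PLAIN_PROTOCOLS:
            tls = False
        else:
            tls = None
        result.append((_clause("from", text), _clause("by", text), proto, tls))
    return result


def every_hop_used_tls(raw_message: str) -> bool:
    """True only if every recorded hop reports a TLS transmission type."""
    path = hops(raw_message)
    return bool(path) and all(tls is True for *_, tls in path)


if __name__ == "__main__":
    for sender, receiver, proto, tls in hops(SAMPLE):
        state = {True: "TLS", False: "no TLS recorded", None: "unknown"}[tls]
        print(f"{sender} -> {receiver}: {proto} ({state})")
    print("TLS on every hop:", every_hop_used_tls(SAMPLE))
```

In the constructed sample only the first leg, from the sender's client to the sending server, is recorded as encrypted; the hand-over between the two providers is not.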

In the event that someone was able to eavesdrop on communication encrypted using SSL/TLS, they would in principle not be able to decrypt the contents without somehow accessing the private encryption key, which is stored only on the provider’s servers. Where Perfect Forward Secrecy is implemented, which is the case with Runbox, even that key is not enough to decrypt recorded traffic.

However, this type of encryption is still theoretically vulnerable to surveillance because the encryption standards used have been developed in cooperation with US intelligence agencies, although any such weakening has been denied by NIST (National Institute of Standards and Technology).

End-to-end encryption of email

End-To-End Encryption
Sender and recipient have exchanged encryption keys and the communication is encrypted from end to end, in addition to the SSL/TLS encryption which the sending server attempts to establish.

The best solution available is to add another layer of encryption on the email communication all the way from sender to recipient. This is called end-to-end encryption and is already available for use with virtually any email service or provider.

When using end-to-end encryption, the contents of messages will be unreadable to a potential eavesdropper all the way from sender to recipient. It is of course always important that the two parties take great caution to secure their computers or devices to prevent them from being compromised.

Note that the metadata (sender and recipient addresses, subject line, timestamp, etc) of email messages is always unencrypted in order for the message to be routed to its recipient.

There are two main email encryption standards available: PGP and S/MIME. This may look cryptographic in itself, but we will explain both of them. Runbox supports both standards, which can be used with an email client or with Runbox Webmail.

See Encrypting Your Runbox Email for an overview of email clients and their encryption support.

PGP: Pretty Good Privacy

Despite the name, PGP is considered to be cryptographically very strong and is probably the most popular email encryption standard today.

PGP is the easiest encryption standard to get started with because it doesn’t involve anyone but the sender and recipient of a message. It is based on a “web of trust” because it only involves the sender and recipient and assumes that they trust each other.

  • Both parties must have a PGP enabled email client or webmail service.
  • The sender must have generated a private/public encryption key pair using software that is downloaded and installed locally.
  • The sender must have downloaded the recipient’s public key, because the recipient’s public key is used by the sender to encrypt the message. The recipient’s private key is used to decrypt the message.
  • Can be used with webmail services with a web browser.

To get started, see our Encrypting and Securing Email Using OpenPGP help page.

S/MIME: Secure/Multipurpose Internet Mail Extensions

S/MIME is a standard being adopted by the IETF (Internet Engineering Task Force) and requires some more preparation on the part of the email user.

  • S/MIME functionality is built into most major email client programs.
  • Both parties must have an S/MIME enabled email client.
  • A certificate must be obtained from a Certificate Authority and installed in the sender’s email client.
  • Is based on a “chain of trust” because the Certificate Authority validates the sender’s identity and makes the public key available to others.
  • Is not suitable for use with webmail services using a web browser.

We hope this article helped you understand how email encryption works and how to get started using it. And as always, please contact us if you have any questions.
