Runbox now supports Forward Secrecy

In recent weeks there has been some discussion in news outlets about SSL/TLS, which is used by many websites to encrypt the data being transferred between web servers and web browsers.

Since it’s theoretically possible for outsiders to break such encryption, an increasing number of people are requesting improved encryption methods.

What is SSL/TLS?

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic methods used to secure communication on the Internet. By using pairs of private and public keys, the web server and the client can securely encrypt and decrypt the data being transferred between two parties.

Gold-padlock.svgWhen a web browser connects to a website protected with SSL or TLS (indicated by a padlock icon in the browser) it receives the public key from the server, which is then used to encrypt the subsequent communication. The data can only be decrypted using the private key, which resides on the server.

The problem with keys

However, if someone was able to break in and copy the private key from a server, they would theoretically be able to decrypt any communication to/from that server — provided that they were also able to eavesdrop on the communication.

The solution: Unique keys

To counter this it’s recently become possible to configure web servers to issue a unique key pair for every single connection, and immediately destroy the keys once the session is complete.

This method is called Forward Secrecy because it prevents anyone from retroactively breaking the encryption.

Forward Secrecy on Runbox

Runbox has now implemented Forward Secrecy in order to further improve the security and privacy of our services. It’s now virtually impossible to eavesdrop on the data being transmitted between your web browser and Runbox’ web servers — and you don’t have to do anything in order to enjoy this new level of security.

For those who are interested in the technical details, here is an analysis of the security provided by https://runbox.com, which is now our main address:

https://www.ssllabs.com/ssltest/analyze.html?d=runbox.com

Continue Reading →

Moving to Runbox 6

In order to improve the security of our email services have moved our front page to a new and upgraded server running Runbox 6 at https://runbox.com.

In preparation for this we have modified Runbox 6 to redirect Runbox 5 users to the corresponding server, if your account settings indicate that you have not yet upgraded to Runbox 6.

In other words, if you have been logging in at https://rmm6.runbox.com and have never clicked the “Switch to Runbox 6” button in Runbox 5, you will be redirected to Runbox 5.

To continue using Runbox 6, please click “Switch to Runbox 6” at the bottom of the folder list in Webmail.

Continue Reading →

Email Privacy, Security and Runbox

In recent weeks (for some reason) we have seen an increase in demand for information about whether Runbox collaborates with any government law enforcement agencies when it comes to the email sent and received by our members.  We have also had numerous enquiries asking what we do to ensure the privacy of email sent and received by Runbox members.

It seems like a good time to review what Runbox does and doesn’t do.

Monitoring by Law Enforcement & Security Agencies

Runbox is not involved in any routine exchange of members’ data with anyone.

All email data is stored in a secure facility in Norway and access to the data center is very strictly controlled.

Casual requests for information about Runbox members and their email are categorically rejected.  More formal requests are always directed to the Norwegian court system.  Only if a valid Norwegian court order is received, and the proper procedures have been followed, will the request be considered. At that point it will be referred to our legal representatives.

We adhere to our own strict Terms of Service as well as Norwegian laws and regulations, and if we become aware of activity that is contrary to those we will take appropriate action.

Details of laws and regulations as they apply to Runbox can be found on our Email Privacy and Offshore Email page.

Email Privacy and Security

In recent weeks certain claims have been made that email can be intercepted by government agencies as it crosses international borders. Regardless of any truth or otherwise in these claims, the security of email transfer is essential.

It is important to distinguish between three points of security.

  1. Security of the connection between you and the Runbox email service.
  2. Security of the connection used between the Runbox email service and other email services.
  3. Securing the content of your email in addition to 1 and 2 above.

In the case of the first point Runbox provides the facility for email to be encrypted during transmission to and from our members. All that the member needs to do is use our server secure.runbox.com with the appropriate settings.

On the second point, we employ encryption techniques when sending to and receiving from other email services. However, this is only available if the other service also offers this facility.  If it doesn’t then we have to use an unsecured connection.

The third point is entirely under user control.  If a message’s content is encrypted before sending or receiving through Runbox, then whether it is transmitted securely or not is much less important because only the sender and recipient will be able to decrypt the message and read it.

Runbox is planning to provide a method of allowing members to encrypt and decrypt messages using PGP (Pretty Good Privacy) within the Runbox Webmail.

The best way to encrypt messages with your Runbox account today is to use the Thunderbird email client with the Enigmail Open PGP add-on.

For more information about email security see our page on Secure Transfer of Email.

Continue Reading →

Increased password strength

To protect your Runbox account, and any other online account you may have, it’s crucial to choose a good password. Your password needs to be unique enough to prevent others from guessing it or computers from cracking it.

This is becoming increasingly important since attackers can use powerful password cracking software and attacks are happening more often.

We see that many users choose passwords that are too simple, perhaps thinking that no one will try to gain access to their account, or that they don’t have anything to hide anyway.

The importance of strong passwords

However, if someone did gain access to your account unauthorized they could potentially use the contents to break into other accounts you may have, since email often contains login information to other services.

An intruder could also hijack an account in order to send large amounts of spam, which would  hurt not only the recipients of the messages, but also the account owner (due to returned, undeliverable messages). Furthermore, it could negatively impact Runbox as a whole, since it could get our service blocked by other email services.

Creating a good password

In Runbox 6, you can create a longer and more complex password using many different special characters.

Your password must be between 6 and 64 characters long, and can contain the letters a-z and A-Z, the numbers 0-9, and the following special characters:

+?=()&,.:;-_/*@!#~`#$%^&[]{}|\'”<>

We know, creating and remembering a long and complex password sounds like a big hassle. But it’s actually very simple, and could even be fun!

Just see our Tips for choosing and protecting passwords for a quick how-to.

Continue Reading →

Extended website security

The Runbox website is now protected by an Extended Validation Certificate when in secure mode at https://secure.runbox.com. This is usually indicated by a green address bar in your browser.

This certificate independently verifies the identity of our company as the owner of the domain runbox.com, meaning that visitors can be certain the web pages they see are legitimate.

We recommend you always be aware of the domain name shown in your browser, especially after clicking links in email messages, to prevent so-called phishing.

We also recommend using secure mode (SSL) when logging on to Runbox. You can enable this in your browser by clicking the “Secure” link next to the login fields on the front page.

Continue Reading →

New payment system; important information about recurring billing

Runbox has switched to a new and more secure payment system to comply with requirements recently introduced by the Payment Card Industry Data Security Standard (PCI DSS).

With the new system, our customers are transferred to a payment terminal provided by our payment processor BBS Nordic when using a credit card to pay for Runbox services. BBS Nordic operates the banks’ common payment infrastructure in Norway, and is an internationally recognized provider of secure electronic business. The new system therefore increases the security and reliability of credit card transactions when making Runbox purchases.

It is only the credit card terminal and transaction handling that has changed — payments are initiated as before, by selecting the desired products from the Payment Options screen, or from your Account screen.

As a consequence of this upgrade, existing subscriptions with recurring billing activated will unfortunately not automatically renew upon expiration.

If you have had recurring billing activated on your account, please re-activate it by making a manual renewal when the expiration date of your subscription approaches.

You will be notified by email when your subscription is about to expire, and you can always check the status of your subscription or add-on products by logging in to your account and clicking Account from the main menu.

Since the new payment system is hosted by our payment processor, credit card details can only be updated when making a purchase, and not from within Runbox. This regime increases the security level and ensures that your credit card data is kept safe.

Continue Reading →