Runbox Two-Factor Authentication

June 14th, 2017  |  Published in News, Security

Runbox recently launched Two-Factor Authentication (2FA). 2FA is a log in procedure where an additional piece of information is required in addition to your username and account password.

This additional factor is a code that can only be used once, or for a limited period of time.

Two-Factor Authentication

Runbox Two-Factor Authentication

Runbox 2FA currently supports Timed One-Time Passwords (TOTP) and One-Time Passwords (OTP) as additional factors. We are planning to expand this with Yubikey or U2F support.
 

Runbox is the only 2FA-enabled email provider in Norway

NorwayRunbox is located in Norway, which has some of the strongest privacy regulations in the world.

By choosing Runbox as your email provider, your data will be protected by these regulations while ensuring your email is secure from unauthorized access.

Read on to find out how Runbox 2FA works and which options are available.

 

Timed One-Time Passwords (TOTP)

2FA Timed One-Time Passwords

2FA Timed One-Time Passwords

To use this option you will need a smartphone and some free software.

Timed one-time passwords works by giving you a login code which changes over time, in addition to your password.

To get started, download a TOTP app such as Authy, FreeOTP or Google Authenticator onto your mobile phone and follow their instructions.

Note: It is essential that your smartphone has the correct date/time set as this is used by the TOTP app to generate the correct codes that allow you to log in.

 

One-Time Passwords (OTP)

2FA One-Time Passwords

2FA One-Time Passwords

When you enable this option, the system will generate random passwords that you can use only once. Used passwords are discarded automatically and cannot be used again.

You can download the the list of passwords to a computer or mobile device, or you can print them out if necessary. However, you must keep the list secure as these passwords can be used to access your account along with your usual username and account password.

 

 

Trusted browsers

2FA Trusted Browsers

2FA Trusted Browsers

This option allows the server to trust your current web browser so that you don’t have to use a 2FA code. The option places a small piece of code in your browser (a cookie) that tells the server not to require the 2FA details and you can just log in with username and password.

You should only use this method of bypassing 2FA on a computer or device that you are confident nobody else can log in to. You can temporarily turn on/off individual browsers from the trusted list, or you can delete the browser entry entirely which will force that browser to require the 2FA details.

 

Unlock code

2FA Unlock Code

2FA Unlock Code

If for some reason you are unable to log in with 2FA after it has been enabled, this code can be used to disable 2FA.

The code can be used in conjunction with a secure question/answer for additional security.

 

 

Tags: , , , ,

New Account Security features launched

March 14th, 2017  |  Published in News, Security

We are excited to announce the launch of a new Account Security interface with Two-Factor Authentication (2FA) for Runbox.

This completes more than a year of development, and we are quite proud of the result. The new features will significantly improve the security of your Runbox account when you activate them.

Account Security features

The new Account Security interface includes 4 main features: Two-Factor Authentication, Manage Services, App Passwords, and Last Logins.

Used separately or in combination, these features add extra layers of security to your Runbox account.

Two-Factor Authentication

Two-Factor Authentication (2FA) is a log in procedure where an additional piece of information is required in addition to your username and account password.

This additional factor is a code that can only be used once, or for a limited period of time.

Two-Factor Authentication

Runbox Two-Factor Authentication

Runbox 2FA currently supports Timed One-Time Passwords (TOTP) and One-Time Passwords (OTP) as additional factors. We are planning to expand this with Yubikey or U2F support.

Manage Services

The new Account Security interface lets you disable various services such as IMAP, POP, and SMTP. These are the services you use when using an email app/program to access your mail.

By disabling services you are not using, you prevent attempts at unauthorized access to your account via those services.

App Passwords

You can also set up unique passwords for each of your apps or devices, giving you complete control over the access to your account.

If you then happen to lose a device you can simply delete the corresponding app password, effectively disabling access from that device.

Last Logins

This section shows a list of the most recent login attempts to your account from each service such as web, IMAP, POP, and SMTP.

If you suspect that there have been unauthorized login attempts to your account, you can review this list and take appropriate action.

How to set up Account Security features

To get started, just go to the Account Security screen to set up 2FA and the other security features.

We encourage you to review our Account Security help page for details about the new functionality first. This will ensure that you understand how 2FA works and prevent you from getting locked out of your account.

We welcome any questions or feedback you might have, either as comments to this blog post or via our contact form or support system.

Tags: ,

New Web Servers Deployed

February 3rd, 2017  |  Published in News

Yesterday we deployed our new web servers, which are powering the Runbox web app at https://runbox.com. There are a few changes and improvements that were deployed at the same time, and that we would like to tell you about.

New login screen

Among other things you may have noticed that the login procedure has changed. This is related to the roll-out of our new Account Security features, which include Two-Factor Authentication. We will post more about this soon, but the important thing to note is that the new login regime is more secure than before. This also completes our transition to a new, global authentication system which we have described previously.

If you have problems logging in

If you are experiencing problems logging in, please make sure that your browser has the latest version of the login screen. You can do this by pressing Ctrl + F5 on Windows and Cmd + R on macOS. If this doesn’t help, please try to clear your browser’s cache and restart it. If this doesn’t help or if you are unsure how to accomplish this, please contact Runbox Support.

There are a few other wrinkles on the new web servers that we are currently ironing out, and besides a more powerful and reliable webmail service we have also deployed a new spam filter.

New spam filter in beta

The new spam filter is powered by Cloudmark, which is one of the strongest authorities on spam analysis in the world. You can try out the new spam filter by going to Manager > Filter and selecting “Cloudmark (beta)” under “Detect junk mail”. If you are already using Dspam (the trainable spam filter) you can select “Both” to activate Cloudmark and Dspam.

The Cloudmark spam filter will automatically catch more spam by comparing spam signatures (fingerprints) with the central Cloudmark database. If you click “Not spam” or “Report spam” to correct spam filter behavior in the webmail, a report will be sent encrypted to the central Cloudmark service. Select “Train using reduced email details” to only send a message signature instead of the full message when reporting misclassified messages.

The Runbox Aero webmail theme

And if you haven’t already done so, we recommend that you try out the Runbox Aero webmail theme, which you can find in Webmail > Preferences. This theme has a more modern design and includes larger and more legible fonts.

More new features to come!

Finally, with the new web servers we have also established a streamlined deployment system that makes the path from development to production much more efficient. We won’t bore you with details, but we can say that you can expect more exciting features from Runbox going forward.

Tags: , ,

Hardened web server security

March 31st, 2016  |  Published in News, Security

We have recently hardened our web server security, giving Runbox an A+ rating on securityheaders.io — in addition to our existing A+ rating on ssllabs.com.

The policies we have implemented are the following:

X-Frame-Options: Tells the browser that we don’t allow the Runbox web site to be framed (included) by other web sites, which defends against attacks like click-jacking.

HTTP Strict Transport Security: Strengthens our implementation of Transport Layer Security (TLS) by making the browser enforce the use of encrypted communication (HTTPS).

Content Security Policy: Protects our web site from Cross-Site Scripting (XSS) attacks.

HTTP Public Key Pinning: Protects us from from Man-in-the-Middle attacks by making sure the TLS certificates used by the browsers are the ones implemented on our servers.

X-XSS-Protection: Sets the configuration for the cross-site scripting filters built into most browsers.

X-Content-Type-Options: Forces browsers to use the declared file content type instead of trying to be too clever, which helps to reduce the danger of drive-by downloads.

These changes will help ensure that your use of Runbox is as safe and secure as possible, and we will continue making security-related improvements in the future.

Tags: ,

New front page design

March 9th, 2015  |  Published in News

As you may have noticed we have upgraded our front page to better convey Runbox’ offering and our values. We hope you like it!

If you would like a simpler login screen, just click the “Simple Login” link underneath the login area (which you can then bookmark in your browser).

Tags:

New Webmail design: Runbox Aero

December 23rd, 2014  |  Published in News, Webmail

2014 has been an exciting year for Runbox and we’ve seen a substantial increase in popularity and growth. This has really boosted our progress — we now have several major upgrades in the pipeline, and we are very happy to be launching a new Webmail design!

Runbox Aero PreviewWe’ve called the new design Runbox Aero because it’s lighter, airier, and simpler — and it makes using email a breeze!

Runbox Aero is inspired by modern, state-of-the-art design, and we have listened carefully to feedback from you in order to make it both aesthetically pleasing and user-friendly.

You can try the new design now by going to
Webmail > Preferences and selecting Runbox Aero from the drop-down menu. Make sure you click Save Settings afterwards!

You will quickly notice some of the improvements, but the following changes are worth mentioning:

Modernized look

  • The font face has been replaced with a larger, lighter, and more modern font. A bolder font face is available in an alternative design.
  • The header has been shrunk to make more room for your email.
  • All the icons have been redesigned and optimized for retina (high resolution) displays.
  • All buttons have been enlarged and are now dark blue to make them easier to see.

Better menu navigation

  • The sub-menus have been enlarged to make them easier to navigate.
  • The Compose button has been moved to the far left and made more prominent.
  • The Folder Management button has been removed — just click Folders at the top of the folder list or the Folder Management link underneath it to access the Folders screen.
  • The Read, Unread, Flag, and Unflag buttons can now be accessed by hovering the cursor over the new Mark button.

Simplified Compose screen

  • The Compose screen has been simplified to only show the most important fields. To see the BCC, Attachments, Tags, and Nicknames fields, just click “Show all fields”.

We hope you like the new design, and please let us know if you have any comments or suggestions!

Tags: , ,

New feature: Tag management

January 26th, 2014  |  Published in News, Webmail

Many of our customers use message tags as an alternative to folders in order to organize and categorize their email.

You can now manage your message tags by clicking Tags in the left pane in Webmail, or by going directly to https://runbox.com/mail/tags. The Tag management screen lets you add and delete tags, and get an overview of the messages that are already tagged.

To add a tag to a message, just open the message, select the tag name (or [New tag] to enter a new tag name) and click “Add tag”.

Tags: ,

Runbox now supports Forward Secrecy

October 1st, 2013  |  Published in News, Security, Webmail

In recent weeks there has been some discussion in news outlets about SSL/TLS, which is used by many websites to encrypt the data being transferred between web servers and web browsers.

Since it’s theoretically possible for outsiders to break such encryption, an increasing number of people are requesting improved encryption methods.

What is SSL/TLS?

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic methods used to secure communication on the Internet. By using pairs of private and public keys, the web server and the client can securely encrypt and decrypt the data being transferred between two parties.

Gold-padlock.svgWhen a web browser connects to a website protected with SSL or TLS (indicated by a padlock icon in the browser) it receives the public key from the server, which is then used to encrypt the subsequent communication. The data can only be decrypted using the private key, which resides on the server.

The problem with keys

However, if someone was able to break in and copy the private key from a server, they would theoretically be able to decrypt any communication to/from that server — provided that they were also able to eavesdrop on the communication.

The solution: Unique keys

To counter this it’s recently become possible to configure web servers to issue a unique key pair for every single connection, and immediately destroy the keys once the session is complete.

This method is called Forward Secrecy because it prevents anyone from retroactively breaking the encryption.

Forward Secrecy on Runbox

Runbox has now implemented Forward Secrecy in order to further improve the security and privacy of our services. It’s now virtually impossible to eavesdrop on the data being transmitted between your web browser and Runbox’ web servers — and you don’t have to do anything in order to enjoy this new level of security.

For those who are interested in the technical details, here is an analysis of the security provided by https://runbox.com, which is now our main address:

https://www.ssllabs.com/ssltest/analyze.html?d=runbox.com

Tags: , ,

Moving to Runbox 6

September 30th, 2013  |  Published in News, Webmail

In order to improve the security of our email services have moved our front page to a new and upgraded server running Runbox 6 at https://runbox.com.

In preparation for this we have modified Runbox 6 to redirect Runbox 5 users to the corresponding server, if your account settings indicate that you have not yet upgraded to Runbox 6.

In other words, if you have been logging in at https://rmm6.runbox.com and have never clicked the “Switch to Runbox 6” button in Runbox 5, you will be redirected to Runbox 5.

To continue using Runbox 6, please click “Switch to Runbox 6” at the bottom of the folder list in Webmail.

Tags: ,

New function: Save recipients in Contacts

June 16th, 2013  |  Published in Development, News

In Webmail > Compose (Runbox 6 only) you now have the option to save the recipients of a message in Contacts.

This option is found next to the Send button, and if checked, it will add any recipients to Contacts that aren’t already listed there. The new contacts will be saved in a separate Group called “Auto-saved” to make it easier to find them in Contacts.

The next time you compose a message, the saved recipients will show up in the Groups and Contacts list to the right. They will also appear as suggested matches when you start typing in the recipient fields.

Tags: , ,