Security improvements to our services

At Runbox we are continuously working to improve the security of our services. We are now strengthening the security of your web browser’s connection to our servers to ensure that it utilizes modern web security standards.

If you are using an updated version of one of the major web browsers such as Firefox, Chrome, Safari, Opera, and Edge you will probably not notice any effects. You can then continue using our services just like before, while knowing that the strongest encryption protocols are being utilized.

If you’re using a non-standard or not updated web browser, then please read the information below for more details about these changes and how they may affect you.

Those who are interested in the technical details of these changes may also find this information useful.

What we are doing

When you visit our website the connection between your web browser and our web servers is encrypted. This means that no one can intercept your username, password or any other transmitted data including the content of your email messages.

It’s important to use a modern browser that supports modern encryption methods to prevent that encryption from being broken and compromised. This is essential to web security because hackers increasingly use more powerful computers and techniques in their attempts to decrypt data and eavesdrop on unsuspecting users.

In order to ensure that Runbox is providing the latest and most secure encryption between your browser and our service we will therefore end support for outdated encryption methods.

This entails that we will only support the strongest encryption cipher suites that are compatible with most major web browsers.

It also helps us prevent unauthorized access to our servers and helps keep the Runbox services safe for all of our customers.

On December 1, 2019 we will retire some outdated encryption methods and this might affect some older web browsers.

Once these changes are made the TLS protocol version and cipher suites will be the same for all access methods to our email services, including web, POP, IMAP, and SMTP.

The technical details

You don’t need to delve into all the technical details, but we know many customers are interested in this and it is useful for everyone to stay educated about web security.

The changes involve retiring support for TLS (Transport Layer Security) versions 1.0 and 1.1, and only providing support for TLS 1.2 or later. We will also only support a small set of strong cipher suites that are recommended by the reputable organizations Mozilla and OWASP.

TLS 1.2 has been around for 10 years so there has been a long time for browsers to adopt the use of this type of encryption. However, you don’t need to understand anything about this to make any necessary changes.

All the cipher suites we will be utilizing are of the type Diffie-Hellman Ephemeral (DHE), which means that a unique cryptographic key is generated each time a new connection is made.

This in turn means that even in the unlikely event that one set of keys is compromised it cannot be used for another connection made from another client (“forward secrecy”).

The cipher suites that are currently supported include the following:

  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • DHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA384
  • DHE-RSA-AES128-SHA256
  • DHE-RSA-AES256-SHA256

More information about these cipher suites can be found on Wikipedia: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
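As an added example (not Runbox's own code), the Python sketch below configures a client to accept only TLS 1.2 or later with the cipher suites listed above, and checks a negotiated connection against that policy. The function names are hypothetical, and treating TLS 1.3 as acceptable is an assumption drawn from "TLS 1.2 or later", since TLS 1.3 suites use different names and are not in the list.

```python
import ssl

# OpenSSL names of the cipher suites listed above.
LISTED_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-SHA384",
    "DHE-RSA-AES128-SHA256",
    "DHE-RSA-AES256-SHA256",
]

# Key exchanges that generate a fresh key per connection (forward secrecy).
EPHEMERAL_KX = {"ECDHE", "DHE"}


def describe(suite):
    """Split a name of the form KX-AUTH-CIPHER-DIGEST into its parts."""
    parts = suite.split("-")
    kx, auth, digest = parts[0], parts[1], parts[-1]
    cipher = "-".join(parts[2:-1])
    aead = "GCM" in cipher
    return {
        "key_exchange": kx,
        "authentication": auth,
        # OpenSSL omits the mode from the name when the suite uses CBC.
        "cipher": cipher if aead else cipher + "-CBC",
        "digest": digest,
        "forward_secrecy": kx in EPHEMERAL_KX,
        "aead": aead,
    }


def build_client_context():
    """Client context that refuses TLS 1.0/1.1 and any unlisted TLS 1.2 suite."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(LISTED_SUITES))  # affects TLS 1.2 suites only
    return ctx


def enabled_tls12_suites(ctx):
    """TLS 1.2 suites the local OpenSSL build will actually offer."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def meets_policy(version, suite):
    """Judge a negotiated pair: SSLSocket.version() and SSLSocket.cipher()[0]."""
    if version == "TLSv1.2":
        return suite in LISTED_SUITES
    # Assumption: "TLS 1.2 or later" admits TLS 1.3 with any of its suites.
    return version == "TLSv1.3"


if __name__ == "__main__":
    for name in LISTED_SUITES:
        d = describe(name)
        print(f"{name:30} kx={d['key_exchange']:5} cipher={d['cipher']:11} "
              f"fs={d['forward_secrecy']} aead={d['aead']}")
    ctx = build_client_context()
    print("offered by this client:", enabled_tls12_suites(ctx))
    # Constructed sample results, as a mail client might log them.
    for version, suite in [("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
                           ("TLSv1.2", "AES128-GCM-SHA256"),
                           ("TLSv1.1", "ECDHE-RSA-AES128-SHA")]:
        print(version, suite, "->", "ok" if meets_policy(version, suite) else "rejected")
```

The same context can be passed to `imaplib.IMAP4_SSL`, `poplib.POP3_SSL` or `smtplib.SMTP_SSL` through their `ssl_context`/`context` argument to apply the policy to mail protocols as well.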

How this may affect you

The vast majority of web browsers already support TLS 1.2 and you are only likely to have a problem if you are using an outdated browser and/or an outdated operating system.

We have tested the following browsers and they all work with the modern encryption that we will use:

  • Firefox
  • Chrome
  • Safari
  • Opera
  • Edge

Many other modern browsers are also likely to work with TLS 1.2 and those listed above are just commonly used ones that we have tested.

What you can do

If you are not using an upgraded version of one of the major web browsers listed above, please upgrade your web browser and/or operating system now. This is the most important action you can take to ensure that your data and communications are secure.

If you’re using a web browser not listed above and are unsure whether it will continue to work with the specifications we have provided, we recommend that you keep one of the major web browsers available as an alternative.

We generally recommend Firefox as it is free, standards compliant, and open source, and therefore reviewed by the security community.

Further help

If you need any further information or help on this issue please contact Runbox Support with details of how we can help you.


The secret behind Runbox 7’s speed

Runbox 7 Webmail recently entered open beta, and if you haven’t tried it yet you are missing out!

When you log into Runbox 7 the first thing you’ll notice — aside from its beautiful design — is the speed.

Your folders and messages will load instantly, and no matter how many messages you have the message list will scroll without delay and without any limit.

Gone are the days of waiting for the next screen-full of messages to load, or having to click to navigate between pages. Switching between folders, sorting the message list, and moving messages — any action you perform is executed instantly.

And the message search is lightning fast — results will show up immediately while you type into the search field. Combined with message threading and inline message previews, this makes email management extremely efficient with Runbox 7.

Under the hood

This is accomplished by utilizing a custom version of the open source Xapian email indexer. We have always been impressed with Xapian’s processing speed, reliability, and adaptability, and its ability to index large amounts of messages.

We have modified Xapian by porting it to WebAssembly using the C to WebAssembly compiler from emscripten, which lets it run both in NodeJS on the server and in the browser. Our fork of Xapian will be merged into Xapian’s repository on Github so that it will become available for others to use.

The Runbox 7 Webmail App is open source and is available in our main repo at https://github.com/runbox/runbox7. We encourage you to check out our code base, and invite you to join the Runbox revolution by getting involved in our growing community at https://community.runbox.com!

A separate repo at https://github.com/runbox/runbox-searchindex generates the xapian.wasm module in WebAssembly in C++.

The Xapian database is stored in the browser using IndexedDB, which is available through the IDBFS file system of emscripten.

Combined with a central message database and the use of websockets, this allows the indices to stay in sync when new email arrives on the server and when changes are made locally.

The user interface

The power of the WebAssembly Xapian port is matched by the message listing which is written in HTML5 Canvas. This makes it possible to handle large tables and quick re-rendering, and provides good control of the rendering process.

Ordinary HTML tables would suffer slowdown penalties on sorting, filtering, and resizing, and would require pagination, and would not be efficient enough for our needs.

The Canvas element is wrapped in a user interface written in HTML/Typescript using Angular 2+, and is built using UI elements from https://material.angular.io/.

Mail parsing is done using the HTML parser from Andris Reinman which is written for NodeJS and can be found here: https://github.com/andris9/mailparser.


New search function in Runbox 6

We have now replaced the search function in Runbox 6 with an improved version that is based on the groundbreaking search feature we have developed for Runbox 7.

You will find the new search area at the top of the message list when clicking Search in the Webmail menu.

The new search function will show results while you type into the search field, so there is no need to manually click on a Search button.

Note that in Runbox 7 the search function is dramatically faster and returns results instantaneously thanks to its innovative search index synchronization. Runbox 7 also introduces many new features such as infinite message listing, inline message previews, threaded conversation view, and a mobile app version. Give it a test drive!

Search options

By clicking on the wrench icon to the right, the following options will be shown:

  • to: Search by recipient address
  • from: Search by sender address
  • subject: Search by subject line
  • current folder: Limit search to the current folder
  • year/month/date: Shows a calendar where you can select a time frame

Selecting an option will insert an example into the search field which you can then modify.

You can also just type these operators directly into the search field, and you can combine them with the AND operator, like: folder:Inbox AND subject:something

More information can be found on our Help pages.


Runbox 7 Webmail entering open beta phase

We are excited to announce that the Runbox 7 Webmail beta test is now open to the public!

A large number of improvements and bug fixes have been made since our previous update, including an even faster Webmail, web push notifications on incoming email, and inline message previews.

There is now a Runbox 7 mobile app (Progressive Web App) available too, making Runbox a joy to use on your mobile phone!

We’d like to thank the hundreds of beta testers in our beta test community for all their contributions thus far, and helping us build the fastest webmail app on the planet!

What Runbox 7 Webmail is…

Runbox 7 isn’t merely an upgrade to our existing services, it’s a bold step into a new world of synchronized Webmail apps that provides unprecedented speed and usability.

Our new app is the cornerstone of Runbox 7, and is the first of several development stages that will culminate in a completely new user interface.

Runbox 7 Webmail features superior speed, incremental search, infinite listing, message previews, threaded views, a draft desk, as well as a mobile app version.

…and what it isn’t (just yet)

Note that we are initially focusing on the core Webmail service, and that the Runbox 7 Webmail therefore currently only includes this service.

Other areas such as Manager, Files, etc. will be added as we continue working on Runbox 7, so clicking on these menu items in Runbox 7 will currently take you back to Runbox 6.

Runbox 7 roadmap

We have an ambitious plan for the development of Runbox 7, with the following planned activities:

  • Open beta test phase
  • Open source Runbox 7 App
  • Profiles and Contacts integration
  • Files, Manager, and Settings
  • End-to-end encryption
  • Web calendar
  • Message/task management
  • Synchronous messaging

How to provide feedback

Our Runbox 7 team is working hard to make Runbox 7 the best webmail app on the planet, and your feedback will help decide what we develop next.

Tell us what you think about Runbox 7 Webmail in our dedicated forum at https://community.runbox.com/. Sign up to the forum using your Runbox email address so that there will be no issues gaining access to the forum.

Note that before you post requests or bug reports, it’s a good idea to review other posts to see if your issue has already been mentioned.

With that out of the way, please find the Runbox 7 Webmail app here:

https://runbox.com/app

We hope you’ll enjoy a modern, user-friendly, beautiful, and above all fast webmail experience!

Screenshots

Check out the screenshots below for a few highlights, and click on each one to bring up a hi-res version with more details.

Message list view

When you first log in to Runbox 7 Webmail you will find a beautiful interface with a design that is clean and efficient, yet packed with features. Its speed can’t be conveyed by a screenshot however, so try it out for yourself to get the real experience.

Two- or three-pane message preview

You can preview messages either in a horizontal pane beneath the message list, or to the right of the message list as shown below.

Draft Desk

The Draft Desk shows your current drafts in a convenient desk-like layout.

Ready for a test drive?

Just head to https://runbox.com/app and then join our community at community.runbox.com to take part in the Runbox revolution!


Runbox 7 Webmail app for mobile phones

We are making great progress with the Runbox 7 Webmail app and we are very excited that a version customized for mobile phones is now available for our beta testers!

This version is what is called a Progressive Web App (PWA), built on emerging technologies that combine the open standards of the web to provide a rich mobile experience on your phone or tablet.

How do I use the mobile app?

If you’re using an Apple device you can access the mobile app by first opening the regular address of the Runbox 7 Webmail app in the Safari browser, and then tapping the Share icon in the bottom menu bar. Then tap “Add to Home Screen” to add the Runbox 7 Webmail app to your phone.

On Android, you should get a prompt to download the app as soon as you go to the regular address of the Runbox 7 Webmail app in the browser.

You can now use the Runbox 7 Webmail app just by tapping on the Runbox 7 icon!

Join the beta test!

And if you haven’t yet joined our Runbox 7 Webmail beta test, just contact support@runbox.com with the subject “Runbox 7 Webmail beta test”.

You will then gain access to the Runbox 7 Community with a discussion forum dedicated to the Runbox 7 Webmail app.

There you’ll meet Runbox staff and developers as well as fellow beta testers, and be able to influence the development of Runbox 7.

Runbox 7 mobile app screenshots

Here are a few screenshots of what the app looks like on Apple iPhone 6.

Login screen

Landscape view of message list

Landscape view of message list with main menu pullout

Landscape view of opened message

Landscape view of message list in search mode

Landscape view of opened message, full height

Portrait view of message list

Portrait view of message list with opened message

Landscape view of Compose (new message)

Runbox 7 Webmail beta test update

The Runbox 7 Webmail beta test is progressing quickly and the new webmail app has been updated with many new features since our previous blog post. If you are an existing beta tester and haven’t checked in for a while, we encourage you to do so now!

If you haven’t joined the beta test it’s still possible to participate — just send an email to support@runbox.com with the subject “Runbox 7 Webmail beta test”.

Aside from many improvements to the speed and smoothness of the core functionality, the following features have been added or improved:

  • Drag and drop of messages
  • HTML message handling
  • Resizable folder pane
  • Resizable message preview pane
  • Both horizontal and vertical (3-pane) message preview pane
  • Mobile phone screen improvements
  • Automatic and manual adjustment of message list width
  • Support for sending inline images
  • Multi-message selection
  • Buttons for read/unread, flag/unflag, and report spam/not spam
  • Print version of messages
  • Show folder column in search results
  • Show read and flagged status in message list
  • Pre-load and cache messages in message list view for faster access
  • New font face and message layout

We are working hard to improve the Runbox 7 Webmail further, and appreciate your help in making it the fastest webmail app on the planet!

Check out the screenshots below to see some of the new features.

New look and new font face

The webmail has been updated with more colors and a new font face for improved legibility.

2- or 3-pane message preview

You can now preview messages either in a horizontal pane beneath the message list, or to the right of the message list as shown below.

Toggle horizontal/vertical message preview pane

Easily switch between horizontal (2-pane) and vertical (3-pane) message preview with these buttons in the message toolbar.

Message toolbar

There is now a fully featured message toolbar including Reply, Reply all, Forward, Move to folder, Mark read, Mark flagged, Report as spam, and Move to Trash.

On the right hand side you will find message view buttons such as Print, Vertical/Horizontal preview, Full height, and Close.

Adjust message list columns

You can now easily adjust both the folder pane width and the message list column widths by using the sliders as shown.

Otherwise the webmail will automatically adjust the column widths to show as much content as possible.


Runbox 7 Webmail closed beta test

We are excited to announce the closed beta test phase of Runbox 7 Webmail!

This release is not merely an upgrade to our existing services, it’s a bold step into a new world of Webmail apps that will provide unprecedented speed and usability.

Runbox 7 aims to be the fastest webmail on the planet with:

  • Instant folder views and search results.
  • Endless, smooth scrolling of folder contents.
  • Drag & drop message selection and moving to folders.
  • Incremental, instant search functionality.

The new webmail will be the cornerstone of Runbox 7, and is the first of several development stages that will culminate in a completely new user interface.

Please read on for details about Runbox 7 Webmail and how you can participate in the closed beta test.

Superior speed

Runbox 7 started with a crazy idea:

How can we create a webmail that’s not just faster, but responds instantly?

The solution we developed is a combination of database accelerated email storage, innovative message indexing, and cutting-edge web technology.

When you log into Runbox 7 Webmail, you enter a modern webmail environment built with Angular 5 and Material Design. Your email folders and messages will be shown instantly, giving you an immediate overview of your email.

The spacious layout, clean lines, and powerful engine let you efficiently navigate the new features and get down to the business of effectively managing your email.

Incremental search

One of the core features of Runbox 7 Webmail is its search capabilities. We have built the search functionality in such a way that the browser doesn’t need to query the server at all.

Not only that, but this webmail will show you search results incrementally while you are typing in the Search field.

You have better things to do than waiting for search results, so we put a lot of effort into making the search function as fast as possible — and this is as fast as it’s possible to get.

Lots of cool functionality

Infinite listing: No more clicking back and forth to navigate your Inbox — just scroll down and the next messages will load automatically.

Threaded view: Want to see your messages in conversation view? Just tick the Threaded checkbox to the top right.

Unread messages: Only interested in the latest news? Tick the Unread checkbox.

Multi-select messages: Want to select many messages in a hurry? Just click the check box of a message, and drag up or down while holding the mouse button down to select several messages in a row.

Preview pane: Who has time to actually open a message? Just select one in the list and a preview will be shown in the bottom half of the message list pane. To see more, click the ^ arrow in the preview menu.

Hide folders: Want more space for your messages? Just click the icon to the left of the Search area to hide the folder pane.

Draft Desk

Another key feature of Runbox 7 Webmail is the Draft Desk — a completely new way of managing drafts.

In our world of non-stop online communication, we often find ourselves multitasking and working on several threads in parallel. With our new Draft Desk you get a full overview of the messages you are currently working on, previewed side by side in an efficient interface.

Simply click on a draft preview to expand it, write down your thoughts, and send, save, or close the message to return to it later.

Mobile ready

We believe that you shouldn’t have to switch between different apps or user interfaces just because you switch between a laptop, a tablet, or a smart phone.

Therefore we built Runbox 7 Webmail to be mobile-ready and responsive from the ground up. This means that it will automatically adapt to your device’s screen size and orientation while retaining the basic functionality you are used to from a regular browser.

Join the closed beta test

To join the closed beta test of Runbox 7 Webmail, contact support@runbox.com with the subject “Runbox 7 Webmail beta test”. If you are selected to participate, we will then be in touch with further details.

Runbox Two-Factor Authentication

Runbox recently launched Two-Factor Authentication (2FA). 2FA is a login procedure where an additional piece of information is required in addition to your username and account password.

This additional factor is a code that can only be used once, or for a limited period of time.

Runbox 2FA currently supports Timed One-Time Passwords (TOTP) and One-Time Passwords (OTP) as additional factors. We are planning to expand this with Yubikey or U2F support.
 

Runbox is the only 2FA-enabled email provider in Norway

Runbox is located in Norway, which has some of the strongest privacy regulations in the world.

By choosing Runbox as your email provider, your data will be protected by these regulations while ensuring your email is secure from unauthorized access.

Read on to find out how Runbox 2FA works and which options are available.

 

Timed One-Time Passwords (TOTP)

To use this option you will need a smartphone and some free software.

Timed one-time passwords work by giving you a login code which changes over time, in addition to your password.

To get started, download a TOTP app such as Authy, FreeOTP or Google Authenticator onto your mobile phone and follow their instructions.

Note: It is essential that your smartphone has the correct date/time set as this is used by the TOTP app to generate the correct codes that allow you to log in.
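To illustrate why the phone's clock matters, here is an added example (not Runbox's implementation) that generates and verifies TOTP codes as specified in RFC 6238. It assumes the RFC defaults of HMAC-SHA-1, 30-second steps and 6 digits, plus a verification window of one step either side; the page does not state which parameters Runbox uses, and the helper names are hypothetical.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 one-time password for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: the counter is the number of whole steps since the epoch."""
    return hotp(secret, int(unix_time) // step, digits)


def verify(secret, code, server_time, step=30, digits=6, window=1):
    """Accept codes for the server's current step and `window` steps around it."""
    counter = int(server_time) // step
    accepted = False
    for drift in range(-window, window + 1):
        candidate = hotp(secret, counter + drift, digits)
        # Constant-time comparison; keep looping so timing does not leak a match.
        if hmac.compare_digest(candidate, code):
            accepted = True
    return accepted


# Constructed sample values: the published RFC 6238 test key and timestamp.
SECRET = b"12345678901234567890"
SERVER_TIME = 1111111109


def login_attempt(phone_clock_error):
    """Phone generates a code with its own (possibly wrong) clock; server checks it."""
    code = totp(SECRET, SERVER_TIME + phone_clock_error)
    return verify(SECRET, code, SERVER_TIME)


if __name__ == "__main__":
    for error in (0, 20, 120, -120):
        result = "accepted" if login_attempt(error) else "rejected"
        print(f"phone clock off by {error:+4d} s -> {result}")
```

With these assumed parameters a phone that is 20 seconds off still logs in, while one that is two minutes off generates codes the server no longer accepts.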

 

One-Time Passwords (OTP)

When you enable this option, the system will generate random passwords that you can use only once. Used passwords are discarded automatically and cannot be used again.

You can download the list of passwords to a computer or mobile device, or you can print them out if necessary. However, you must keep the list secure as these passwords can be used to access your account along with your usual username and account password.

Trusted browsers

This option allows the server to trust your current web browser so that you don’t have to use a 2FA code. The option places a small piece of code in your browser (a cookie) that tells the server not to require the 2FA details and you can just log in with username and password.

You should only use this method of bypassing 2FA on a computer or device that you are confident nobody else can log in to. You can temporarily turn on/off individual browsers from the trusted list, or you can delete the browser entry entirely which will force that browser to require the 2FA details.

 

Unlock code

If for some reason you are unable to log in with 2FA after it has been enabled, this code can be used to disable 2FA.

The code can be used in conjunction with a secure question/answer for additional security.

New Account Security features launched

We are excited to announce the launch of a new Account Security interface with Two-Factor Authentication (2FA) for Runbox.

This completes more than a year of development, and we are quite proud of the result. The new features will significantly improve the security of your Runbox account when you activate them.

Account Security features

The new Account Security interface includes 4 main features: Two-Factor Authentication, Manage Services, App Passwords, and Last Logins.

Used separately or in combination, these features add extra layers of security to your Runbox account.

Two-Factor Authentication

Two-Factor Authentication (2FA) is a login procedure where an additional piece of information is required in addition to your username and account password.

This additional factor is a code that can only be used once, or for a limited period of time.

Runbox 2FA currently supports Timed One-Time Passwords (TOTP) and One-Time Passwords (OTP) as additional factors. We are planning to expand this with Yubikey or U2F support.

Manage Services

The new Account Security interface lets you disable various services such as IMAP, POP, and SMTP. These are the services you use when using an email app/program to access your mail.

By disabling services you are not using, you prevent attempts at unauthorized access to your account via those services.

App Passwords

You can also set up unique passwords for each of your apps or devices, giving you complete control over the access to your account.

If you then happen to lose a device you can simply delete the corresponding app password, effectively disabling access from that device.

Last Logins

This section shows a list of the most recent login attempts to your account from each service such as web, IMAP, POP, and SMTP.

If you suspect that there have been unauthorized login attempts to your account, you can review this list and take appropriate action.

How to set up Account Security features

To get started, just go to the Account Security screen to set up 2FA and the other security features.

We encourage you to review our Account Security help page for details about the new functionality first. This will ensure that you understand how 2FA works and prevent you from getting locked out of your account.

We welcome any questions or feedback you might have, either as comments to this blog post or via our contact form or support system.


New Web Servers Deployed

Yesterday we deployed our new web servers, which are powering the Runbox web app at https://runbox.com. There are a few changes and improvements that were deployed at the same time, and that we would like to tell you about.

New login screen

Among other things you may have noticed that the login procedure has changed. This is related to the roll-out of our new Account Security features, which include Two-Factor Authentication. We will post more about this soon, but the important thing to note is that the new login regime is more secure than before. This also completes our transition to a new, global authentication system which we have described previously.

If you have problems logging in

If you are experiencing problems logging in, please make sure that your browser has the latest version of the login screen. You can do this by pressing Ctrl + F5 on Windows and Cmd + R on macOS. If this doesn’t help, please try to clear your browser’s cache and restart it. If this doesn’t help or if you are unsure how to accomplish this, please contact Runbox Support.

There are a few other wrinkles on the new web servers that we are currently ironing out, and besides a more powerful and reliable webmail service we have also deployed a new spam filter.

New spam filter in beta

The new spam filter is powered by Cloudmark, which is one of the strongest authorities on spam analysis in the world. You can try out the new spam filter by going to Manager > Filter and selecting “Cloudmark (beta)” under “Detect junk mail”. If you are already using Dspam (the trainable spam filter) you can select “Both” to activate Cloudmark and Dspam.

The Cloudmark spam filter will automatically catch more spam by comparing spam signatures (fingerprints) with the central Cloudmark database. If you click “Not spam” or “Report spam” to correct spam filter behavior in the webmail, a report will be sent encrypted to the central Cloudmark service. Select “Train using reduced email details” to only send a message signature instead of the full message when reporting misclassified messages.

The Runbox Aero webmail theme

And if you haven’t already done so, we recommend that you try out the Runbox Aero webmail theme, which you can find in Webmail > Preferences. This theme has a more modern design and includes larger and more legible fonts.

More new features to come!

Finally, with the new web servers we have also established a streamlined deployment system that makes the path from development to production much more efficient. We won’t bore you with details, but we can say that you can expect more exciting features from Runbox going forward.
