New Account Security features launched

We are excited to announce the launch of a new Account Security interface with Two-Factor Authentication (2FA) for Runbox.

This completes more than a year of development, and we are quite proud of the result. The new features will significantly improve the security of your Runbox account when you activate them.

Account Security features

The new Account Security interface includes 4 main features: Two-Factor Authentication, Manage Services, App Passwords, and Last Logins.

Used separately or in combination, these features add extra layers of security to your Runbox account.

Two-Factor Authentication

Two-Factor Authentication (2FA) is a login procedure that requires an additional piece of information on top of your username and account password.

This additional factor is a code that can only be used once, or for a limited period of time.

Runbox 2FA currently supports Timed One-Time Passwords (TOTP) and One-Time Passwords (OTP) as additional factors. We are planning to expand this with YubiKey or U2F support.

Manage Services

The new Account Security interface lets you disable various services such as IMAP, POP, and SMTP. These are the services you use when using an email app/program to access your mail.

By disabling services you are not using, you prevent attempts at unauthorized access to your account via those services.

App Passwords

You can also set up unique passwords for each of your apps or devices, giving you complete control over the access to your account.

If you then happen to lose a device you can simply delete the corresponding app password, effectively disabling access from that device.

Last Logins

This section shows a list of the most recent login attempts to your account from each service such as web, IMAP, POP, and SMTP.

If you suspect that there have been unauthorized login attempts to your account, you can review this list and take appropriate action.

How to set up Account Security features

To get started, just go to the Account Security screen to set up 2FA and the other security features.

We encourage you to review our Account Security help page for details about the new functionality first. This will ensure that you understand how 2FA works and prevent you from getting locked out of your account.

We welcome any questions or feedback you might have, either as comments to this blog post or via our contact form or support system.

New Web Servers Deployed

Yesterday we deployed our new web servers, which are powering the Runbox web app at https://runbox.com. There are a few changes and improvements that were deployed at the same time, and that we would like to tell you about.

New login screen

Among other things you may have noticed that the login procedure has changed. This is related to the roll-out of our new Account Security features, which include Two-Factor Authentication. We will post more about this soon, but the important thing to note is that the new login regime is more secure than before. This also completes our transition to a new, global authentication system which we have described previously.

If you have problems logging in

If you are experiencing problems logging in, please make sure that your browser has the latest version of the login screen. You can do this by pressing Ctrl + F5 on Windows and Cmd + R on macOS. If this doesn’t help, please try to clear your browser’s cache and restart it. If this doesn’t help or if you are unsure how to accomplish this, please contact Runbox Support.

There are a few other wrinkles on the new web servers that we are currently ironing out, and besides a more powerful and reliable webmail service we have also deployed a new spam filter.

New spam filter in beta

The new spam filter is powered by Cloudmark, which is one of the strongest authorities on spam analysis in the world. You can try out the new spam filter by going to Manager > Filter and selecting “Cloudmark (beta)” under “Detect junk mail”. If you are already using Dspam (the trainable spam filter) you can select “Both” to activate Cloudmark and Dspam.

The Cloudmark spam filter will automatically catch more spam by comparing spam signatures (fingerprints) with the central Cloudmark database. If you click “Not spam” or “Report spam” to correct spam filter behavior in the webmail, a report will be sent encrypted to the central Cloudmark service. Select “Train using reduced email details” to only send a message signature instead of the full message when reporting misclassified messages.

The Runbox Aero webmail theme

And if you haven’t already done so, we recommend that you try out the Runbox Aero webmail theme, which you can find in Webmail > Preferences. This theme has a more modern design and includes larger and more legible fonts.

More new features to come!

Finally, with the new web servers we have also established a streamlined deployment system that makes the path from development to production much more efficient. We won’t bore you with details, but we can say that you can expect more exciting features from Runbox going forward.

Hardened web server security

We have recently hardened our web server security, giving Runbox an A+ rating on securityheaders.io — in addition to our existing A+ rating on ssllabs.com.

The policies we have implemented are the following:

X-Frame-Options: Tells the browser that we don’t allow the Runbox web site to be framed (included) by other web sites, which defends against attacks like click-jacking.

HTTP Strict Transport Security: Strengthens our implementation of Transport Layer Security (TLS) by making the browser enforce the use of encrypted communication (HTTPS).

Content Security Policy: Protects our web site from Cross-Site Scripting (XSS) attacks.

HTTP Public Key Pinning: Protects us from Man-in-the-Middle attacks by making sure the TLS certificates used by the browsers are the ones implemented on our servers.

X-XSS-Protection: Sets the configuration for the cross-site scripting filters built into most browsers.

X-Content-Type-Options: Forces browsers to use the declared file content type instead of trying to be too clever, which helps to reduce the danger of drive-by downloads.

These changes will help ensure that your use of Runbox is as safe and secure as possible, and we will continue making security-related improvements in the future.
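
The six policies listed above can be checked mechanically against a server's response headers. The auditor below is an added example, not Runbox's code; the `audit` function, its pass criteria and both sample header sets are assumptions constructed for illustration.

```python
# Added example: grade response headers against the six policies in the post.

def hsts_ok(value):
    # The browser only enforces HTTPS when max-age is a positive integer.
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.lower() == "max-age":
            val = val.strip('"')
            return val.isdigit() and int(val) > 0
    return False

def csp_ok(value):
    # Scripts fall back to default-src; 'unsafe-inline' or * defeats XSS protection.
    directives = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    return sources is not None and not {"'unsafe-inline'", "*"} & set(sources)

CHECKS = {
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "strict-transport-security": hsts_ok,
    "content-security-policy": csp_ok,
    # RFC 7469 requires a backup pin; browsers have since dropped HPKP support.
    "public-key-pins": lambda v: v.count("pin-sha256=") >= 2 and "max-age=" in v,
    "x-xss-protection": lambda v: v.replace(" ", "").lower() in ("0", "1;mode=block"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
}

def audit(headers):
    """Map each policy header to 'ok', 'weak' or 'missing'."""
    seen = {k.lower(): v for k, v in headers.items()}
    return {name: "missing" if name not in seen else "ok" if check(seen[name]) else "weak"
            for name, check in CHECKS.items()}

HARDENED = {  # constructed sample; pin values are placeholders
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "Public-Key-Pins": 'pin-sha256="PRIMARY_PIN"; pin-sha256="BACKUP_PIN"; max-age=5184000',
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}
WEAK = {  # constructed sample: two headers absent, four present but ineffective
    "X-Frame-Options": "ALLOWALL", "Strict-Transport-Security": "max-age=0",
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
    "X-XSS-Protection": "1",
}
```

`audit(HARDENED)` grades every header `ok`, while `audit(WEAK)` shows that a header being present is not the same as it being effective.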

New Webmail design: Runbox Aero

2014 has been an exciting year for Runbox and we’ve seen a substantial increase in popularity and growth. This has really boosted our progress — we now have several major upgrades in the pipeline, and we are very happy to be launching a new Webmail design!

We’ve called the new design Runbox Aero because it’s lighter, airier, and simpler — and it makes using email a breeze!

Runbox Aero is inspired by modern, state-of-the-art design, and we have listened carefully to feedback from you in order to make it both aesthetically pleasing and user-friendly.

You can try the new design now by going to Webmail > Preferences and selecting Runbox Aero from the drop-down menu. Make sure you click Save Settings afterwards!

You will quickly notice some of the improvements, but the following changes are worth mentioning:

Modernized look

  • The font face has been replaced with a larger, lighter, and more modern font. A bolder font face is available in an alternative design.
  • The header has been shrunk to make more room for your email.
  • All the icons have been redesigned and optimized for retina (high resolution) displays.
  • All buttons have been enlarged and are now dark blue to make them easier to see.

Better menu navigation

  • The sub-menus have been enlarged to make them easier to navigate.
  • The Compose button has been moved to the far left and made more prominent.
  • The Folder Management button has been removed — just click Folders at the top of the folder list or the Folder Management link underneath it to access the Folders screen.
  • The Read, Unread, Flag, and Unflag buttons can now be accessed by hovering the cursor over the new Mark button.

Simplified Compose screen

  • The Compose screen has been simplified to only show the most important fields. To see the BCC, Attachments, Tags, and Nicknames fields, just click “Show all fields”.

We hope you like the new design, and please let us know if you have any comments or suggestions!

New feature: Tag management

Many of our customers use message tags as an alternative to folders in order to organize and categorize their email.

You can now manage your message tags by clicking Tags in the left pane in Webmail, or by going directly to https://runbox.com/mail/tags. The Tag management screen lets you add and delete tags, and get an overview of the messages that are already tagged.

To add a tag to a message, just open the message, select the tag name (or [New tag] to enter a new tag name) and click “Add tag”.

Runbox now supports Forward Secrecy

In recent weeks there has been some discussion in news outlets about SSL/TLS, which is used by many websites to encrypt the data being transferred between web servers and web browsers.

Since it’s theoretically possible for outsiders to break such encryption, an increasing number of people are requesting improved encryption methods.

What is SSL/TLS?

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic methods used to secure communication on the Internet. By using pairs of private and public keys, the web server and the client can securely encrypt and decrypt the data being transferred between them.

When a web browser connects to a website protected with SSL or TLS (indicated by a padlock icon in the browser) it receives the public key from the server, which is then used to encrypt the subsequent communication. The data can only be decrypted using the private key, which resides on the server.

The problem with keys

However, if someone was able to break in and copy the private key from a server, they would theoretically be able to decrypt any communication to/from that server — provided that they were also able to eavesdrop on the communication.

The solution: Unique keys

To counter this it’s recently become possible to configure web servers to issue a unique key pair for every single connection, and immediately destroy the keys once the session is complete.

This method is called Forward Secrecy because it prevents anyone from retroactively breaking the encryption.
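
The difference between one long-lived server key and a unique key pair per connection can be shown with a small simulation. This is an added example, not Runbox's implementation; it uses static versus ephemeral Diffie-Hellman over a deliberately tiny toy group in place of real TLS, and all names in it are hypothetical.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group for illustration only; far too small for real use.
P = 2**127 - 1  # a Mersenne prime
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(my_priv, peer_pub):
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()

class Server:
    def __init__(self, forward_secrecy):
        self.forward_secrecy = forward_secrecy
        # The long-term key is the one stored on the server's disk.
        self.long_term_priv, self.long_term_pub = keypair()

    def handshake(self, client_pub):
        """Return (public value sent on the wire, session key)."""
        if self.forward_secrecy:
            priv, pub = keypair()            # unique pair for this connection
            key = session_key(priv, client_pub)
            del priv                         # destroyed once the handshake is done
            return pub, key
        # Without forward secrecy every session depends on the long-term key.
        return self.long_term_pub, session_key(self.long_term_priv, client_pub)

def recorded_sessions_recoverable(forward_secrecy, sessions=3):
    """Record the wire traffic of several handshakes, then disclose the
    long-term key and count how many past session keys it reproduces."""
    server = Server(forward_secrecy)
    recorded = []
    for _ in range(sessions):
        client_priv, client_pub = keypair()
        server_pub, key = server.handshake(client_pub)
        assert session_key(client_priv, server_pub) == key  # both ends agree
        recorded.append((client_pub, key))
    disclosed = server.long_term_priv
    return sum(session_key(disclosed, pub) == key for pub, key in recorded)
```

With `forward_secrecy=False` all three recorded sessions are recoverable from the disclosed key; with `forward_secrecy=True` none are, because the per-connection private values no longer exist.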

Forward Secrecy on Runbox

Runbox has now implemented Forward Secrecy in order to further improve the security and privacy of our services. It’s now virtually impossible to eavesdrop on the data being transmitted between your web browser and Runbox’ web servers — and you don’t have to do anything in order to enjoy this new level of security.

For those who are interested in the technical details, here is an analysis of the security provided by https://runbox.com, which is now our main address:

https://www.ssllabs.com/ssltest/analyze.html?d=runbox.com

Moving to Runbox 6

In order to improve the security of our email services, we have moved our front page to a new and upgraded server running Runbox 6 at https://runbox.com.

In preparation for this we have modified Runbox 6 to redirect Runbox 5 users to the corresponding server, if your account settings indicate that you have not yet upgraded to Runbox 6.

In other words, if you have been logging in at https://rmm6.runbox.com and have never clicked the “Switch to Runbox 6” button in Runbox 5, you will be redirected to Runbox 5.

To continue using Runbox 6, please click “Switch to Runbox 6” at the bottom of the folder list in Webmail.

New function: Save recipients in Contacts

In Webmail > Compose (Runbox 6 only) you now have the option to save the recipients of a message in Contacts.

This option is found next to the Send button, and if checked, it will add any recipients to Contacts that aren’t already listed there. The new contacts will be saved in a separate Group called “Auto-saved” to make it easier to find them in Contacts.

The next time you compose a message, the saved recipients will show up in the Groups and Contacts list to the right. They will also appear as suggested matches when you start typing in the recipient fields.

How To Use Email Like a Pro 1: Use Webmail (and IMAP)

Use Webmail

With Runbox, all your email is stored securely on our servers and is accessible to you wherever you might be located, regardless of the computer or device you happen to be using.

The easiest and most direct access method is the Runbox Webmail, which immediately provides a complete overview of the folders and messages in your account.

Webmail is easily the fastest method too, because Runbox is a database accelerated system. On the servers, all the key information about each message (sender, subject, date/time, etc) is stored in a database. The Runbox Webmail just has to poll the database instead of checking the content of each message to display the message overview in a folder, which is what IMAP and POP would have to do.

Use IMAP instead of POP

If you want to download email to your computer, mobile phone, or tablet, consider using IMAP (Internet Message Access Protocol) instead of POP. IMAP allows your email client to stay completely synchronized with all your folders on the server while also downloading messages locally.

IMAP not only synchronizes the messages themselves, but also the read/unread status and flags of each message. It will even copy messages you send from your device to the server’s Sent folder.

POP (Post Office Protocol), on the other hand, can only download from one folder (usually the Inbox) at a time, and can be set to delete the messages from the server so that they can’t be accessed from another device.

Stay synchronized with Webmail + IMAP

The combination of Webmail and IMAP is ideal if you use more than one computer or device, if you’re traveling, and if you’d like to stay connected wherever you may be.

You’ll never have to be without your email again!
