11 Mar 2014, 06:59 AM   #11
Geir
Representative of:
Runbox.com
Quote:
Originally Posted by smithmb001
If the RB team have not already done so, it might be worth taking a look at the new email service in beta by ixquick. And, if possible, matching the features.

Thanks for the tip about ixquick -- it looks like an interesting service and we wish them the best of luck getting their email service off the ground.

Let me reply to your questions one by one.

1. We have started initial planning of two-factor authentication, which should be pretty straightforward to develop and implement. We are also going to need global text message support if we are to use mobile phones for authentication.

2. Runbox is unlikely to implement encryption of data stored on our servers without the ability to decrypt the data. That would render us almost helpless in fighting abuse and fraud, and enforcing our terms of service in general. What we will do is whatever we can -- both with concrete security measures and by helping our customers make informed decisions about privacy -- to ensure that your data is stored and transmitted as securely as possible.

3. As you know we already offer plus/sub-addressing (username+anystring@runbox.com will be delivered to username@runbox.com), and we hope to extend this with true disposable email addresses in the future.

4. The Runbox Files area is accessible over encrypted connections (SSL) and is just as secure as the email service, when accessed at https://runbox.com/files. We'd be interested to know which security features you'd be interested in.

5. Notifying the sender about whether the message was transmitted securely is a good idea, but it would of course only let you know that it was encrypted until the receiving server accepted it. What happens to the message thereafter is impossible for the sending server to know -- it might be downloaded in any of a number of insecure ways, or forwarded to another server unencrypted. For true end-to-end encryption you need something like PGP, which is available in the alternative webmail interface we're currently testing (Roundcube). By the way, Runbox always attempts to connect to receiving servers over TLS, and Google is one of the few services that accepts it.

6. To our knowledge there are no back doors to any of the security measures implemented on the Runbox system, and we would of course never accept such an intrusion.

- Geir

Last edited by Geir : 11 Mar 2014 at 07:25 AM.
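Added example, not part of Geir's post and not Runbox code: point 5 says transport encryption is only known one hop at a time. The sketch below reads the Received headers of a constructed message and uses the RFC 3848 `with` keywords (ESMTPS and related) to report which hops were marked as TLS; the sample message, host names and function names are assumptions made for illustration.

```python
import re
from email import message_from_string

# RFC 3848 "with" protocol types; the S variants mean the hop used STARTTLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
PLAIN_PROTOCOLS = {"SMTP", "ESMTP", "ESMTPA", "LMTP", "LMTPA"}

# Constructed sample message; every host name and address is a placeholder.
SAMPLE = """\
Received: from forwarder.example.net (forwarder.example.net [192.0.2.30])
\tby final.example.org with ESMTP id C3; Tue, 11 Mar 2014 07:00:05 +0000
Received: from out.sender.example (out.sender.example [192.0.2.10])
\tby mx.example.net with ESMTPS id B2; Tue, 11 Mar 2014 07:00:02 +0000
Received: from [198.51.100.7] by out.sender.example with ESMTPSA id A1;
\tTue, 11 Mar 2014 07:00:00 +0000
From: alice@sender.example
To: bob@example.net
Subject: constructed sample

body
"""

def hop_encryption(raw_message):
    """Return [(receiving_host, 'tls' | 'plain' | 'unknown')], oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    # Each relay prepends its header, so reverse to get chronological order.
    # Headers written by hosts you do not control can be forged.
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(header.split())  # unfold continuation lines
        by = re.search(r"\bby\s+(\S+)", text)
        proto = re.search(r"\bwith\s+(\S+)", text)
        name = proto.group(1).upper() if proto else ""
        status = ("tls" if name in TLS_PROTOCOLS
                  else "plain" if name in PLAIN_PROTOCOLS else "unknown")
        hops.append((by.group(1) if by else "?", status))
    return hops

def first_unprotected_hop(raw_message):
    """Receiving host of the first hop not marked as TLS, or None."""
    for host, status in hop_encryption(raw_message):
        if status != "tls":
            return host
    return None

if __name__ == "__main__":
    for host, status in hop_encryption(SAMPLE):
        print(f"{host:22} {status}")
```

In the sample, the sending server's delivery to mx.example.net is marked as TLS, yet the later forward to final.example.org is not, which is the part the sending server cannot see.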