EmailDiscussions.com  

Go Back   EmailDiscussions.com > Email Service Provider-specific Forums > Runbox Forum
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read
Stay in touch wirelessly

Runbox Forum Everything related to Runbox should go here: suggestions, comments, complaints, questions, technical issues, etc.

Reply
 
Thread Tools
Old 3 Mar 2014, 06:58 AM   #1
smithmb001
Senior Member
 
Join Date: May 2013
Posts: 162
ixquick Secure Email

If the RB team have not already done so, it might be worth taking a look at the new email service in beta by ixquick. And, if possible, matching the features.

https://beta.startmail.com/

RB already supports PGP via RC. That only leaves a handful of other security features to offer.

1. Two factor authentication
2. Client controlled mailbox store encryption. (like LavaBit)
3. Disposable email addresses. (We sort of have the ability to do this manually, but why not add the ability to select disposable one time email address.)
4. Secure Vault. We have a file vault, but it could use a refresh with some added security features.
5. Some form of notification that lets users know whether their message was encrypted end to end (server to server) or was sent in the clear. RunBox may be nice and secure, but say Google does not allow for an encrypted connection. Why not let the user know?
6. Inform users if there are back doors that are accessible to government for any encryption or security measure implemented.
smithmb001 is offline   Reply With Quote

Old 5 Mar 2014, 01:28 AM   #2
dantheman
Cornerstone of the Community
 
Join Date: Mar 2002
Location: Hot Springs, AR
Posts: 855
Is Startmail Runbox affiliate?

Just curious, but is ixquick email a Runbox affiliate?

(btw. wonder how Fastmail compare to this new ixquick service?).
dantheman is offline   Reply With Quote
Old 5 Mar 2014, 05:34 AM   #3
drew
The "e" in e-mail
 
Join Date: Jan 2006
Posts: 2,626
Wow thanks indeed for telling us this.
I will follow this thread hope somebody
will test and report how it behaves and looks
and what is pro et con with the service.
drew is offline   Reply With Quote
Old 5 Mar 2014, 08:49 AM   #4
smithmb001
Senior Member
 
Join Date: May 2013
Posts: 162
Secure Email

ixquick is not affiliated with RunBox. I am simply hoping RunBox will match their features, many of which they already have implemented. And, if they take users away from Google, YaHoo, and Microsoft that is a plus for everyone.
smithmb001 is offline   Reply With Quote
Old 5 Mar 2014, 08:22 PM   #5
orelz
Junior Member
 
Join Date: Feb 2014
Posts: 26
Hello,

Thanks for this link/service. I've sign-in to the beta, wait and see

orelz

P.S.: fun case: the email was identified as spam in my runbox mailbox.
orelz is offline   Reply With Quote
Old 9 Mar 2014, 08:45 AM   #6
emebrs
Essential Contributor
 
Join Date: Dec 2012
Posts: 310
This indeed interesting. My concern about the new service is simply that unlike Runbox, there is too much risk of it disappearing just as quickly as it came into being.

After more than a decade, Runbox has stood the test of time. This is proven simply because of the fact that Runbox is still operational. Given the tendency for internet businesses to come and go, that means a lot.
emebrs is offline   Reply With Quote
Old 9 Mar 2014, 08:47 AM   #7
dantheman
Cornerstone of the Community
 
Join Date: Mar 2002
Location: Hot Springs, AR
Posts: 855
With NSA able to spy on practically anyone (including Germany's Chancellor) - why bother with securing emails?
dantheman is offline   Reply With Quote
Old 9 Mar 2014, 02:38 PM   #8
17pm
Cornerstone of the Community
 
Join Date: Sep 2013
Posts: 535
Quote:
Originally Posted by dantheman View Post
With NSA able to spy on practically anyone (including Germany's Chancellor) - why bother with securing emails?
That is stupid... I would expect different posts from someone that has been here for too long...

NSA spying on your e-mails and your neighboor spying on your e-mails are not the same thing. Securing e-mails help with avoiding "regular" people getting your information... It also protects in case of a security breach, etc etc.

Also, NSA spying is not impossible to avoid. As far as we know, they don't have the capabilities to decrypt e-mail (not well encrypted e-mail atleast). End to end encryption would probably stop NSA.

Last edited by 17pm : 9 Mar 2014 at 09:54 PM.
17pm is offline   Reply With Quote
Old 9 Mar 2014, 09:15 PM   #9
dantheman
Cornerstone of the Community
 
Join Date: Mar 2002
Location: Hot Springs, AR
Posts: 855
Pardon my digression, but since 9/11 and the Snowden story (+ others), i just kind of get wary about all these people who worry so much about security when its done over the web.

During WWII, people who were against Hitler had to convey their messages person to person, nothing written, no phone calls etc.

So, are you telling me in this day and age, that NSA (or similar) have improved the "non-personal" means of communicating important secrets without the risks of them being compromised?
dantheman is offline   Reply With Quote
Old 9 Mar 2014, 10:40 PM   #10
jl66
Essential Contributor
 
Join Date: Oct 2013
Posts: 413
About NSA (I think it's another discussion...) it only works strong encryption (gpg) and a secure and open source operative system (some gnu/linux, openbsd, etc).
jl66 is offline   Reply With Quote
Old 11 Mar 2014, 06:59 AM   #11
Geir
The "e" in e-mail
 
Join Date: Sep 2001
Location: Oslo, Norway
Posts: 2,938

Representative of:
Runbox.com
Quote:
Originally Posted by smithmb001 View Post
If the RB team have not already done so, it might be worth taking a look at the new email service in beta by ixquick. And, if possible, matching the features.
Thanks for the tip about ixquick -- it looks like an interesting service and we wish them the best of luck getting their email service off the ground.

Let me reply to your questions one by one.

1. We have started initial planning of two-factor authentication, which should be pretty straight forward to develop and implement. We are also going to need global text message support if we are to use mobile phones for authentication.

2. Runbox is unlikely to implement encryption of data stored on our servers without the ability to decrypt the data. That would render us almost helpless in fighting abuse and fraud, and enforcing our terms of service in general. What we will do is whatever we can -- both with concrete security measures and by helping our customers make informed decisions about privacy -- to ensure that your data is stored and transmitted as securely as possible.

3. As you know we already offer plus/sub-addressing ([email protected] will be delivered to [email protected]), and we hope to extend this with true disposable email addresses in the future.

4. The Runbox Files area is accessible over encrypted connections (SSL) and is just as secure as the email service, when accessed at https://runbox.com/files. We'd be interested to know which security features you'd be interested in.

5. Notifying the sender about whether the message was transmitted securely is a good idea, but it would of course only let you know that it was encrypted until the receiving server accepted it. What happens to the message thereafter is impossible for the sending server to know -- it might be downloaded in any of a number of insecure ways, or forwarded to another server unencrypted. For true end-to-end encryption you need something like PGP, which is available in the alternative webmail interface we're currently testing (Roundcube). By the way, Runbox always attempts to connect to receiving servers over TLS, and Google is one of the few services that accepts it.

6. To our knowledge there are no back doors to any of the security measures implemented on the Runbox system, and we would of course never accept such an intrusion.

- Geir

Last edited by Geir : 11 Mar 2014 at 07:25 AM.
Geir is offline   Reply With Quote
Old 20 Mar 2014, 04:35 AM   #12
gecko
Senior Member
 
Join Date: Feb 2010
Posts: 107
Quote:
Originally Posted by Geir View Post
1. We have started initial planning of two-factor authentication, which should be pretty straight forward to develop and implement. We are also going to need global text message support if we are to use mobile phones for authentication.
Hello Geir,

While I am looking forward to seeing two-factor authentication being implemented, I am much averse to having to use a mobile for that purpose for two reasons. First, it will entail costs -- either for the users or for Runbox (and I do not assume that Runbox will not levy them from their customes in one way or another). Second, I do not want to have to use my mobile every time I want to sign into my email account, even less so when travelling as this may entail even more fees for me.

My favourite would be something that works 'offline' like the already often-mentioned grid of one-time passwords that one can print off from their trusted private computer.

Regards,
Gecko
gecko is offline   Reply With Quote
Old 20 Mar 2014, 03:45 PM   #13
jl66
Essential Contributor
 
Join Date: Oct 2013
Posts: 413
When I was using lastpass I used the grid of codes and sometimes one time passwords. You could change the grid of codes everytime you want with a master password, and after some time using this grid you were obliged to change it to a new grid of codes. You could also use one time passwords and create new ones when you want.
The problem was using that master password. So, we are in the same problem "with a normal password". But at least we could use this master password 1 time every month or more. With this password you could also enable or disable the double authentication. When trying to use this master password you should confirm using another email of your choice.

Last edited by jl66 : 20 Mar 2014 at 03:52 PM.
jl66 is offline   Reply With Quote
Old 21 Mar 2014, 04:19 AM   #14
gecko
Senior Member
 
Join Date: Feb 2010
Posts: 107
Now I seem to understand what you mean by 'grid of codes' -- I was thinking of a list of one-time passwords. But if I understand you correctly, you are referring to something like

Code:
  || 1 | 2 | 3 | ...
=================
A || a | b | c | ...
-------------------
B || d | e | f | ...
-------------------
C || g | h | h | ...
-------------------
................
In case of a 15x15 grid, there would be 225 random characters.

There could then be two login options: 'Normal' with your normal password (from a trusted computer) and 'Secure' with a second, static password plus 8 random chars from your grid as requested by the web interface, i.e. one would enter MyStaticPassWhichIsNotMyNormalPass + A3;C12;F2;[...].

@RB: Do you think it's feasible to implement something like this in the near future?

Regards,
gecko
gecko is offline   Reply With Quote
Old 21 Mar 2014, 04:33 PM   #15
jl66
Essential Contributor
 
Join Date: Oct 2013
Posts: 413
Yes, that is a grid of codes
I used it before with lastpass (lastpass.com) and I also use it in my online Bank. Normally it gives you 3 numbers, for example: "A1" could be "567" and every grid is different to every client.
Regards

Quote:
Originally Posted by gecko View Post
Now I seem to understand what you mean by 'grid of codes' -- I was thinking of a list of one-time passwords. But if I understand you correctly, you are referring to something like

Code:
  || 1 | 2 | 3 | ...
=================
A || a | b | c | ...
-------------------
B || d | e | f | ...
-------------------
C || g | h | h | ...
-------------------
................
In case of a 15x15 grid, there would be 225 random characters.

There could then be two login options: 'Normal' with your normal password (from a trusted computer) and 'Secure' with a second, static password plus 8 random chars from your grid as requested by the web interface, i.e. one would enter MyStaticPassWhichIsNotMyNormalPass + A3;C12;F2;[...].

@RB: Do you think it's feasible to implement something like this in the near future?

Regards,
gecko
jl66 is offline   Reply With Quote
Reply


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Forum Jump


All times are GMT +9. The time now is 04:59 PM.

 

Copyright EmailDiscussions.com 1998-2013. All Rights Reserved. Privacy Policy