Runbox Forum Everything related to Runbox should go here: suggestions, comments, complaints, questions, technical issues, etc. |
3 Mar 2014, 06:58 AM | #1 |
Senior Member
Join Date: May 2013
Posts: 162
|
ixquick Secure Email
If the RB team have not already done so, it might be worth taking a look at the new email service in beta by ixquick. And, if possible, matching the features.
https://beta.startmail.com/
RB already supports PGP via RC. That only leaves a handful of other security features to offer.
1. Two factor authentication
2. Client controlled mailbox store encryption. (like LavaBit)
3. Disposable email addresses. (We sort of have the ability to do this manually, but why not add the ability to select disposable one time email address.)
4. Secure Vault. We have a file vault, but it could use a refresh with some added security features.
5. Some form of notification that lets users know whether their message was encrypted end to end (server to server) or was sent in the clear. RunBox may be nice and secure, but say Google does not allow for an encrypted connection. Why not let the user know?
6. Inform users if there are back doors that are accessible to government for any encryption or security measure implemented.
|
5 Mar 2014, 01:28 AM | #2 |
Cornerstone of the Community
Join Date: Mar 2002
Location: Hot Springs, AR
Posts: 857
|
Is Startmail a Runbox affiliate?
Just curious, but is ixquick email a Runbox affiliate?
(btw. wonder how Fastmail compares to this new ixquick service?). |
5 Mar 2014, 05:34 AM | #3 |
The "e" in e-mail
Join Date: Jan 2006
Posts: 2,626
|
Wow thanks indeed for telling us this.
I will follow this thread and hope somebody will test and report how it behaves and looks, and what the pros and cons of the service are. |
5 Mar 2014, 08:49 AM | #4 |
Senior Member
Join Date: May 2013
Posts: 162
|
Secure Email
ixquick is not affiliated with RunBox. I am simply hoping RunBox will match their features, many of which they already have implemented. And, if they take users away from Google, Yahoo, and Microsoft that is a plus for everyone.
|
5 Mar 2014, 08:22 PM | #5 |
Junior Member
Join Date: Feb 2014
Posts: 26
|
Hello,
Thanks for this link/service. I've signed in to the beta, wait and see.
orelz
P.S.: fun case: the email was identified as spam in my runbox mailbox. |
9 Mar 2014, 08:45 AM | #6 |
Essential Contributor
Join Date: Dec 2012
Posts: 343
|
This is indeed interesting. My concern about the new service is simply that unlike Runbox, there is too much risk of it disappearing just as quickly as it came into being.
After more than a decade, Runbox has stood the test of time. This is proven simply because of the fact that Runbox is still operational. Given the tendency for internet businesses to come and go, that means a lot. |
9 Mar 2014, 08:47 AM | #7 |
Cornerstone of the Community
Join Date: Mar 2002
Location: Hot Springs, AR
Posts: 857
|
With NSA able to spy on practically anyone (including Germany's Chancellor) - why bother with securing emails?
|
9 Mar 2014, 02:38 PM | #8 | |
Cornerstone of the Community
Join Date: Sep 2013
Posts: 536
|
Quote:
NSA spying on your e-mails and your neighbor spying on your e-mails are not the same thing. Securing e-mails helps with avoiding "regular" people getting your information... It also protects in case of a security breach, etc etc. Also, NSA spying is not impossible to avoid. As far as we know, they don't have the capabilities to decrypt e-mail (not well encrypted e-mail at least). End to end encryption would probably stop NSA.
Last edited by 17pm : 9 Mar 2014 at 09:54 PM. |
|
9 Mar 2014, 09:15 PM | #9 |
Cornerstone of the Community
Join Date: Mar 2002
Location: Hot Springs, AR
Posts: 857
|
Pardon my digression, but since 9/11 and the Snowden story (+ others), I just kind of get wary about all these people who worry so much about security when it's done over the web.
During WWII, people who were against Hitler had to convey their messages person to person, nothing written, no phone calls etc. So, are you telling me in this day and age, that NSA (or similar) have improved the "non-personal" means of communicating important secrets without the risks of them being compromised? |
9 Mar 2014, 10:40 PM | #10 |
Essential Contributor
Join Date: Oct 2013
Posts: 413
|
About NSA (I think it's another discussion...): only strong encryption (gpg) and a secure and open source operating system (some gnu/linux, openbsd, etc.) work.
|
11 Mar 2014, 06:59 AM | #11 | |
The "e" in e-mail
Join Date: Sep 2001
Location: Oslo, Norway
Posts: 2,938
Representative of:
Runbox.com |
Quote:
Let me reply to your questions one by one.
1. We have started initial planning of two-factor authentication, which should be pretty straightforward to develop and implement. We are also going to need global text message support if we are to use mobile phones for authentication.
2. Runbox is unlikely to implement encryption of data stored on our servers without the ability to decrypt the data. That would render us almost helpless in fighting abuse and fraud, and enforcing our terms of service in general. What we will do is whatever we can -- both with concrete security measures and by helping our customers make informed decisions about privacy -- to ensure that your data is stored and transmitted as securely as possible.
3. As you know we already offer plus/sub-addressing (username+anystring@runbox.com will be delivered to username@runbox.com), and we hope to extend this with true disposable email addresses in the future.
4. The Runbox Files area is accessible over encrypted connections (SSL) and is just as secure as the email service, when accessed at https://runbox.com/files. We'd be interested to know which security features you'd be interested in.
5. Notifying the sender about whether the message was transmitted securely is a good idea, but it would of course only let you know that it was encrypted until the receiving server accepted it. What happens to the message thereafter is impossible for the sending server to know -- it might be downloaded in any of a number of insecure ways, or forwarded to another server unencrypted. For true end-to-end encryption you need something like PGP, which is available in the alternative webmail interface we're currently testing (Roundcube). By the way, Runbox always attempts to connect to receiving servers over TLS, and Google is one of the few services that accepts it.
6. To our knowledge there are no back doors to any of the security measures implemented on the Runbox system, and we would of course never accept such an intrusion.
- Geir
Last edited by Geir : 11 Mar 2014 at 07:25 AM. |
|
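Added example (not part of the thread and not Runbox code): point 5 above says transport encryption is only known hop by hop. This sketch reads the `Received` trace of a constructed sample message and reports, per hop, whether the receiving server recorded an RFC 3848 "with" keyword that implies STARTTLS; all host names and addresses are made up.

```python
import re
from email import message_from_string

# "with" protocol keywords that imply STARTTLS on that hop (RFC 3848 registry)
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed sample: three hops, the last one (MX -> mail store) without TLS.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.30])
\tby store.recipient.example with LMTP id c3; Tue, 11 Mar 2014 07:00:03 +0000
Received: from out.sender.example (out.sender.example [192.0.2.20])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tby mx.recipient.example with ESMTPS id b2; Tue, 11 Mar 2014 07:00:02 +0000
Received: from laptop.example ([192.0.2.10])
\tby out.sender.example with ESMTPSA id a1; Tue, 11 Mar 2014 07:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: constructed sample

body
"""

def strip_comments(value):
    """Remove (possibly nested) parenthesised comments such as
    '(using TLSv1.2 with cipher ...)', which would confuse the 'with' match."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    return " ".join(value.split())

def hops(raw):
    """Return hops in travel order as (sender, receiver, protocol, tls_claimed).
    Each header is only a claim by the server that wrote it; trust only the
    ones added by servers you control."""
    out = []
    msg = message_from_string(raw)
    for value in reversed(msg.get_all("Received", [])):  # newest header is first
        flat = strip_comments(value).split(";")[0]
        m = re.search(r"from (\S+).*?by (\S+).*?with (\S+)", flat, re.I)
        if m:
            proto = m.group(3).upper()
            out.append((m.group(1), m.group(2), proto, proto in TLS_PROTOCOLS))
    return out

def all_hops_claim_tls(raw):
    h = hops(raw)
    return bool(h) and all(tls for *_, tls in h)
```

In the sample, the hop the sending server can see (out.sender.example to mx.recipient.example) is marked ESMTPS, while the later internal delivery is not, which is the limitation described in point 5.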
20 Mar 2014, 04:35 AM | #12 | |
Senior Member
Join Date: Feb 2010
Posts: 107
|
Quote:
While I am looking forward to seeing two-factor authentication being implemented, I am much averse to having to use a mobile for that purpose for two reasons. First, it will entail costs -- either for the users or for Runbox (and I do not assume that Runbox will not levy them from their customers in one way or another). Second, I do not want to have to use my mobile every time I want to sign into my email account, even less so when travelling as this may entail even more fees for me. My favourite would be something that works 'offline' like the already often-mentioned grid of one-time passwords that one can print off from their trusted private computer.
Regards,
Gecko |
|
20 Mar 2014, 03:45 PM | #13 |
Essential Contributor
Join Date: Oct 2013
Posts: 413
|
When I was using lastpass I used the grid of codes and sometimes one time passwords. You could change the grid of codes every time you want with a master password, and after some time using this grid you were obliged to change it to a new grid of codes. You could also use one time passwords and create new ones when you want.
The problem was using that master password. So, we are in the same problem "with a normal password". But at least we could use this master password 1 time every month or more. With this password you could also enable or disable the double authentication. When trying to use this master password you should confirm using another email of your choice.
Last edited by jl66 : 20 Mar 2014 at 03:52 PM. |
21 Mar 2014, 04:19 AM | #14 |
Senior Member
Join Date: Feb 2010
Posts: 107
|
Now I seem to understand what you mean by 'grid of codes' -- I was thinking of a list of one-time passwords. But if I understand you correctly, you are referring to something like
Code:
      || 1 | 2 | 3 | ...
    =================
    A || a | b | c | ...
    -------------------
    B || d | e | f | ...
    -------------------
    C || g | h | h | ...
    -------------------
    ................
There could then be two login options: 'Normal' with your normal password (from a trusted computer) and 'Secure' with a second, static password plus 8 random chars from your grid as requested by the web interface, i.e. one would enter MyStaticPassWhichIsNotMyNormalPass + A3;C12;F2;[...].
@RB: Do you think it's feasible to implement something like this in the near future?
Regards,
gecko |
21 Mar 2014, 04:33 PM | #15 | |
Essential Contributor
Join Date: Oct 2013
Posts: 413
|
Yes, that is a grid of codes.
I used it before with lastpass (lastpass.com) and I also use it in my online Bank. Normally it gives you 3 numbers, for example: "A1" could be "567" and every grid is different to every client.
Regards
Quote:
|
|
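Added example (not part of the thread, and not LastPass or Runbox code): a server-side sketch of the grid login discussed in the last posts, with a static second password plus codes for cells the server requests. The card size, three cells per login, 3-digit cells and the rule that requested cells are never reused are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

ROWS, COLS = "ABCDEFGH", range(1, 13)  # assumed card size: 8 rows x 12 columns

def new_grid():
    """Issue a card: each cell holds an independent random 3-digit code."""
    return {f"{r}{c}": f"{secrets.randbelow(1000):03d}" for r in ROWS for c in COLS}

class GridLogin:
    """Server side of the 'Secure' login: static password plus requested cells."""

    def __init__(self, static_password, grid, cells_per_login=3):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._kdf(static_password)
        self.grid = dict(grid)       # the server must keep the card to check answers
        self.unused = set(grid)      # cells that have never been requested
        self.k = cells_per_login
        self.pending = None

    def _kdf(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 200_000)

    def challenge(self):
        """Pick unused cells at random. Asking again returns the same cells, so a
        caller cannot re-roll until cells it has already observed come up."""
        if self.pending is None:
            if len(self.unused) < self.k:
                raise RuntimeError("grid exhausted: issue a new card")
            self.pending = secrets.SystemRandom().sample(sorted(self.unused), self.k)
        return list(self.pending)

    def verify(self, password, answers):
        """answers: codes in challenge order. One attempt per challenge."""
        cells, self.pending = self.pending, None
        if cells is None:
            return False
        self.unused.difference_update(cells)  # burn the cells even on failure
        expected = ";".join(self.grid[c] for c in cells)
        ok_pw = hmac.compare_digest(self._kdf(password), self.pw_hash)
        ok_grid = hmac.compare_digest(";".join(answers).encode(), expected.encode())
        return ok_pw and ok_grid
```

With the assumed 96 cells and 3 cells per login, a card is exhausted after 32 challenges and has to be reissued.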