Runbox Forum: Everything related to Runbox should go here: suggestions, comments, complaints, questions, technical issues, etc.
14 Aug 2013, 12:18 AM | #1
Junior Member
Join Date: Aug 2013
Location: Berlin, Germany
Posts: 16
Obsolete SSL support?
Comparing several email providers, today I stumbled over this:
https://www.ssllabs.com/ssltest/anal...l?d=runbox.com
Apparently, Runbox still supports SSL 2.0, which is obsolete, and also insecure renegotiation, which supposedly makes it vulnerable to MITM attacks. Other than that, Runbox's safety record seems pretty good - but this might become a problem - not just for users trusting in secure mail transport, but also for Runbox itself once customers start looking for providers without these security holes. Any comment from Runbox would be appreciated. Thanks from an otherwise happy customer!
Last edited by bluelectric: 14 Aug 2013 at 12:25 AM.
14 Aug 2013, 01:43 AM | #2
Ultimate Contributor
Join Date: Dec 2001
Location: Canada.
Posts: 10,355
14 Aug 2013, 02:28 AM | #3
Junior Member
Join Date: Aug 2013
Location: Berlin, Germany
Posts: 16
David,
now I did. I do admit that I haven't tested rmm6.runbox.com (yet), but I did test secure.runbox.com, which I'm using for IMAP and SMTP access, as instructed by Runbox's own help pages at http://help.runbox.com/server-details/ - and secure.runbox.com got the same F grade as the plain runbox.com address. Two questions, then: Can I use rmm6.runbox.com for IMAP and SMTP access as well? And if secure solutions are already implemented, why are insecure solutions still active?
14 Aug 2013, 02:34 AM | #4
Ultimate Contributor
Join Date: Dec 2001
Location: Canada.
Posts: 10,355
I will leave your question for Runbox staff to reply to. I too was surprised that secure.runbox.com received an F rating.
14 Aug 2013, 03:14 AM | #5
Cornerstone of the Community
Join Date: Nov 2008
Location: UK
Posts: 549
Representative of: Runbox.com
We are aware of the lower security specification of secure.runbox.com and why this isn't as it should be. We are planning to upgrade the server and the SSL certificate in the near future.
Unfortunately you can't use rmm6.runbox.com for IMAP, POP and SMTP.
14 Aug 2013, 03:39 AM | #6
Junior Member
Join Date: Aug 2013
Location: Berlin, Germany
Posts: 16
14 Aug 2013, 12:34 PM | #7
Cornerstone of the Community
Join Date: Mar 2011
Location: ~$
Posts: 652
But your browser most likely does not support SSL 2.0, or if it does, it will be turned off by default. So you actually won't be using SSL 2.0 to communicate with Runbox. You'll be using either SSL 3.0 or TLS 1.0.
14 Aug 2013, 07:05 PM | #8
Junior Member
Join Date: Aug 2013
Location: Berlin, Germany
Posts: 16
It's not the browser I'm worried about - Runbox's webmail server, rmm6.runbox.com, has a perfect security record anyway. I'm rather concerned about mail clients, particularly those on mobile systems (which have their own security issues time and again). The makers of mail apps are not always forthcoming with technical specifications for their products, and those are communicating with Runbox through the less-than-secure secure.runbox.com server.
14 Aug 2013, 07:23 PM | #9
Essential Contributor
Join Date: Nov 2007
Posts: 236
Just to point out - it gets an F for product support (I'm guessing that means browser support).
Everything else is very strong. In other words - you may have problems connecting to it, but if you do, then you're probably pretty secure.
14 Aug 2013, 07:27 PM | #10
Junior Member
Join Date: Aug 2013
Location: Berlin, Germany
Posts: 16
Nope. It says "Protocol support", which doesn't mean browser support but support for secure or less secure transfer protocols. Which - again - doesn't affect browsers, because you are able to (and should) access Runbox through rmm6.runbox.com - which has an excellent security rating. It's the standalone mail clients that are (or rather may be) affected by insufficient protocol support.
26 Aug 2013, 10:02 AM | #11
Essential Contributor
Join Date: Dec 2012
Posts: 343
Quote:
25 Sep 2013, 12:32 AM | #12
Junior Member
Join Date: Sep 2013
Posts: 1
SSL
It seems to me that they still could improve their server config regarding SSL, especially:
- remove support of MD5 ciphers (MD5 is widely seen as insecure if not broken)
- I would prefer to see an SSL root certificate used which has NOT been issued by a British company, as it is not unlikely that the private keys are accessible to British and/or U.S. government agencies.
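A defender's self-check that ties together the findings raised in this thread (SSL 2.0/3.0 still offered, secure renegotiation missing, MD5 cipher suites), as an added example that is not from the original thread or from Runbox: it parses the output of `openssl s_client` for a mail server you administer and reports which of those problems the negotiated session shows. The two sample outputs are constructed for illustration, not captured from any Runbox host, and `audit_host` assumes an `openssl` binary on PATH.

```python
import re
import subprocess

# Constructed sample of `openssl s_client` output (not captured from any real
# host), shaped like the findings in this thread: obsolete protocol, MD5 cipher,
# and no secure-renegotiation extension.
SAMPLE_WEAK = """\
New, SSLv3, Cipher is RC4-MD5
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : SSLv3
    Cipher    : RC4-MD5
"""

# Constructed sample of a session with none of those problems.
SAMPLE_OK = """\
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
"""

OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3"}

def audit_s_client_output(text):
    """Return a list of findings for one negotiated session (empty = clean)."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", text, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", text, re.M)
    # s_client prints "Cipher : 0000" when the handshake failed.
    if proto is None or cipher is None or cipher.group(1) == "0000":
        return ["no session negotiated (handshake failed or output truncated)"]
    findings = []
    if proto.group(1) in OBSOLETE_PROTOCOLS:
        findings.append(f"obsolete protocol negotiated: {proto.group(1)}")
    if "MD5" in cipher.group(1):
        findings.append(f"MD5-based cipher suite negotiated: {cipher.group(1)}")
    if re.search(r"^Secure Renegotiation IS NOT supported", text, re.M):
        findings.append("secure renegotiation (RFC 5746) not supported")
    return findings

def audit_host(host, port=993, starttls=None):
    """Connect with the local openssl binary (assumed on PATH) and audit the
    session; pass starttls="smtp" or "imap" for the plaintext-then-upgrade ports."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}"]
    if starttls:
        cmd += ["-starttls", starttls]
    out = subprocess.run(cmd, input=b"", capture_output=True, timeout=20)
    return audit_s_client_output(out.stdout.decode("utf-8", "replace"))
```

Because `s_client` negotiates only one protocol per run, repeat `audit_host` with the server's IMAP, POP and SMTP ports to cover each service the thread is concerned with.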
25 Sep 2013, 02:54 AM | #13
Essential Contributor
Join Date: Nov 2007
Posts: 236
Hi Ez2517,
Your first point is fair enough. A bit of technical background to your second point: If Runbox's root certificate authority's (CA) private key was made available to whatever agencies, it would not allow them to read your communication to Runbox. You need Runbox's private certificate to do that. All the CA's certificate does is prove that Runbox's certificates are valid. However, if someone managed to get any CA private certificate, it would allow them to create a clone of Runbox's certificate, allowing a man-in-the-middle attack (that does allow them to read your communication), so it's a moot point what CA Runbox uses. Also it would be pretty noticeable and big news, and very, very damaging for whatever CA provided their private certificate.
27 Sep 2013, 05:40 PM | #14
Cornerstone of the Community
Join Date: Sep 2013
Posts: 536
Does anyone know any info about when exactly they're planning to secure their connection?
It has been almost 2 months now since they said they'd fix it "shortly".
28 Sep 2013, 08:19 PM | #15
The "e" in e-mail
Join Date: Sep 2001
Location: Oslo, Norway
Posts: 2,938
Representative of: Runbox.com
We are planning to move https://runbox.com over to our Runbox 6 servers next week, and are in the process of acquiring stronger SSL certificates.
- Geir |