EmailDiscussions.com  

Go Back   EmailDiscussions.com > Email Service Provider-specific Forums > Runbox Forum
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read
Stay in touch wirelessly

Runbox Forum Everything related to Runbox should go here: suggestions, comments, complaints, questions, technical issues, etc.

Reply
 
Thread Tools
Old 8 Jul 2013, 10:07 PM   #1
FredOnline
The "e" in e-mail
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
Email Privacy, Security and Runbox

Today's Runbox Blog:

http://blog.runbox.com/2013/07/email...cy-and-runbox/
FredOnline is offline   Reply With Quote

Old 9 Jul 2013, 04:35 AM   #2
dbowdley
Cornerstone of the Community
 
Join Date: Nov 2008
Location: UK
Posts: 549

Representative of:
Runbox.com
I have just updated a link that was broken at the end of the post (sorry about that).

We've been moving a few things around while we write the new Runbox documentation (to be launched soon) and a few things got broken.
dbowdley is offline   Reply With Quote
Old 10 Jul 2013, 12:45 PM   #3
emebrs
Essential Contributor
 
Join Date: Dec 2012
Posts: 343
Has Runbox ever shared the number of court orders they receive over the course of a typical year?
emebrs is offline   Reply With Quote
Old 10 Jul 2013, 11:25 PM   #4
Liz
The "e" in e-mail
 
Join Date: Jul 2001
Location: Los Angeles,CA
Posts: 4,652

Representative of:
Runbox.com
No, we haven't. Does any company do that? It is a very small number at any rate. The majority of them have concerned trial accounts and fraudulently paid accounts, and the number of requests has only gone down over the years.
Liz is offline   Reply With Quote
Old 10 Jul 2013, 11:38 PM   #5
petergh
Master of the @
 
Join Date: Jan 2002
Location: Denmark
Posts: 1,302
Cotse has done it recently: http://www.cotse.net/legal-process.html
petergh is offline   Reply With Quote
Old 11 Jul 2013, 03:05 AM   #6
FredOnline
The "e" in e-mail
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
Quote:
Originally Posted by petergh View Post
Cotse has done it recently: http://www.cotse.net/legal-process.html
And what does that actual information prove? Numbers?

Meaningless.
FredOnline is offline   Reply With Quote
Old 9 Aug 2013, 05:49 AM   #7
FredOnline
The "e" in e-mail
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
Quote:
Originally Posted by FredOnline View Post
I thought it worth while, in view of recent events, to re-post this, and another valid link:

https://rmm6.runbox.com/why-runbox/e...ffshore-email/

And another point to mention is that Runbox are currently offering a "2 years for the price of 1" on certain account plans.

Note: I'm not an employee of Runbox, I just have an account with them.
FredOnline is offline   Reply With Quote
Old 10 Aug 2013, 05:45 AM   #8
kservik
Cornerstone of the Community
 
Join Date: Sep 2005
Location: Oslo, Norway
Posts: 555

Representative of:
Runbox.com
Quote:
Originally Posted by emebrs View Post
Has Runbox ever shared the number of court orders they receive over the course of a typical year?
No, but we have only given out information for one user once as far as I know.

What happens normally is that some government contacts us and we tell them to get a court order i Norway. As you might imagine, that almost never happen.

Kim
kservik is offline   Reply With Quote
Old 4 Sep 2013, 06:03 AM   #9
smithmb001
Senior Member
 
Join Date: May 2013
Posts: 162
Future Upgrades - Security Enhancement Suggestion

I know RunBox has a number of "security" upgrades planned for the near future and I thought I would toss in an additional suggestion. As you know, every email message sent contains the metadata in the header that includes the sending hosts ip address. How about replacing the sending hosts' ip address in the header with a RunBox ip address? From my perspective, if you cannot encrypt the meta data then make it harder for "them" to make use of what "they" do get.

Michael
smithmb001 is offline   Reply With Quote
Old 4 Sep 2013, 06:51 AM   #10
gecko
Senior Member
 
Join Date: Feb 2010
Posts: 107
I am not 100% sure but I believe Runbox have changed this already. I could not spot the sender's (=my) IP address lately when using the web interface for sending mails.

BR,
gecko
gecko is offline   Reply With Quote
Old 4 Sep 2013, 07:24 AM   #11
smithmb001
Senior Member
 
Join Date: May 2013
Posts: 162
Smile Suggestion Already Implemented

This is what happens when you don't do your homework and why I am only a junior member. RunBox does strip the x-originating-ip: [#.#.#.#]. I sent an email from RunBox to my "other" email service and there was no originating ip address meta data! I replied and checked on RunBox and the x-originating-ip: [#.#.#.#] was in the message. This is just one of the reasons I love RunBox!
smithmb001 is offline   Reply With Quote
Old 7 Sep 2013, 07:20 AM   #12
digp
Master of the @
 
Join Date: May 2003
Posts: 1,319
Quote:
Originally Posted by kservik View Post
No, but we have only given out information for one user once as far as I know.

Kim
was a norwegian court order in place?
digp is offline   Reply With Quote
Old 7 Sep 2013, 01:47 PM   #13
malcontent
Essential Contributor
 
Join Date: Oct 2008
Posts: 274
I don't have a Runbox account but I was looking at their website and noticed that they are only using rc4_128 bit encryption. They are not using AES.

This is on their main website.

Does this carry through to their webmail and payment options also?

I would have thought they would be using 256 bit encryption with AES.

Is this anything to be concerned about?

EDIT:

http://www.emaildiscussions.com/show...31&postcount=3

Last edited by malcontent : 8 Sep 2013 at 02:38 AM.
malcontent is offline   Reply With Quote
Old 7 Sep 2013, 05:37 PM   #14
gecko
Senior Member
 
Join Date: Feb 2010
Posts: 107
Malcontent, I see your point and I sort of share your concerns...

RC4 is still considered secure as yet but fresh developments (see e.g. http://www.theregister.co.uk/2013/09...lrun_analysis/) put this into question.

Re the ciphers used by Runbox: I used to login on https://beta.runbox.com which used AES-256 by default but forwarded to RMM5.
Now I am using https://rmm6.runbox.com which uses RC4 by default. I disabled RC4 in my browser settings and -- voila -- AES-256 was used.
I then tried https://runbox.com with RC4 disabled and TripleDES was used instead (which I find even more alarming). Next I disabled TripleDES which resulted in not being able to establish a secure connection at all. In other words, https://runbox.com does *not* support any modern cipher.

The gist of this little experiment is IMO that runbox should urgently check the SSL configurations of their various servers, disable deprecated cipher suites, and by default enable AES.

Disclaimer: This was just a quick experiment, No guarantee it can be reproduced.

BR,
gecko

Last edited by gecko : 7 Sep 2013 at 05:38 PM. Reason: corrected URL
gecko is offline   Reply With Quote
Old 9 Sep 2013, 02:59 PM   #15
emebrs
Essential Contributor
 
Join Date: Dec 2012
Posts: 343
Quote:
Originally Posted by gecko View Post
The gist of this little experiment is IMO that runbox should urgently check the SSL configurations of their various servers, disable deprecated cipher suites, and by default enable AES.
What would be a reasonable timeframe to get these issues resolved? Several months?
emebrs is offline   Reply With Quote
Reply


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Forum Jump


All times are GMT +9. The time now is 02:14 PM.

 

Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy