EmailDiscussions.com  

Go Back   EmailDiscussions.com > Email Service Provider-specific Forums > Runbox Forum
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read
Stay in touch wirelessly

Runbox Forum Everything related to Runbox should go here: suggestions, comments, complaints, questions, technical issues, etc.

Reply
 
Thread Tools
Old 13 Aug 2013, 11:18 PM   #1
bluelectric
Junior Member
 
Join Date: Aug 2013
Location: Berlin, Germany
Posts: 16
Obsolete SSL support?

Comparing several email providers, today I stumbled over this:

https://www.ssllabs.com/ssltest/anal...l?d=runbox.com

Apparently, runbox still supports SSL 2.0, which is obsolete, and also insecure renegotiation, which supposedly makes it vulnerable to MITM attacks.

Other than that, Runbox's safety records seems pretty good - but this might become a problem - not just for users trusting in secure mail transport, but also for Runbox itself once customers start looking for providers without these security holes.

Any comment from Runbox would be appreciated. Thanks from an otherwise happy customer!

Last edited by bluelectric : 13 Aug 2013 at 11:25 PM.
bluelectric is offline   Reply With Quote

Old 14 Aug 2013, 12:43 AM   #2
David
Ultimate Contributor
 
Join Date: Dec 2001
Location: Canada.
Posts: 10,355
Did you read my reply in the other thread.
David is offline   Reply With Quote
Old 14 Aug 2013, 01:28 AM   #3
bluelectric
Junior Member
 
Join Date: Aug 2013
Location: Berlin, Germany
Posts: 16
David,

now I did. I do admit that I haven't tested rmm6.runbox.com (yet), but I did test secure.runbox.com which I'm using for IMAP and SMTP access, as instructed by Runbox's own help pages at http://help.runbox.com/server-details/ - and secure.runbox.com got the same F grade as the plain runbox.com address.

Two questions, then:

Can I use rmm6.runbox.com for IMAP and SMTP access as well?

And if secure solutions are already implemented, why are insecure solutions still active?
bluelectric is offline   Reply With Quote
Old 14 Aug 2013, 01:34 AM   #4
David
Ultimate Contributor
 
Join Date: Dec 2001
Location: Canada.
Posts: 10,355
I will leave your question for Runbox staff to reply to. I too was surprised that secure.runbox.com received an F rating.
David is offline   Reply With Quote
Old 14 Aug 2013, 02:14 AM   #5
dbowdley
Cornerstone of the Community
 
Join Date: Nov 2008
Location: UK
Posts: 549

Representative of:
Runbox.com
We are aware of the lower security specification of secure.runbox.com and why this isn't as it should be. We are planning to upgrade the server and the SSL certificate in the near future.

Unfortunately you can't use rmm6.runbox.com for IMAP, POP and SMTP.
dbowdley is offline   Reply With Quote
Old 14 Aug 2013, 02:39 AM   #6
bluelectric
Junior Member
 
Join Date: Aug 2013
Location: Berlin, Germany
Posts: 16
Quote:
Originally Posted by dbowdley View Post
We are planning to upgrade the server and the SSL certificate in the near future.

Unfortunately you can't use rmm6.runbox.com for IMAP, POP and SMTP.
Thanks for the clarification. I will standby and watch how things are going.
bluelectric is offline   Reply With Quote
Old 14 Aug 2013, 11:34 AM   #7
kijinbear
Cornerstone of the Community
 
Join Date: Mar 2011
Location: ~$
Posts: 652
Quote:
Originally Posted by bluelectric View Post
Apparently, runbox still supports SSL 2.0, which is obsolete, and also insecure renegotiation, which supposedly makes it vulnerable to MITM attacks.
But your browser most likely doe not support SSL 2.0, or if it does, it will be turned off by default. So you actually won't be using SSL 2.0 to communicate with runbox. You'll be using either SSL 3.0 or TLS 1.0.
kijinbear is offline   Reply With Quote
Old 14 Aug 2013, 06:05 PM   #8
bluelectric
Junior Member
 
Join Date: Aug 2013
Location: Berlin, Germany
Posts: 16
Quote:
Originally Posted by kijinbear View Post
But your browser most likely doe not support SSL 2.0, or if it does, it will be turned off by default. So you actually won't be using SSL 2.0 to communicate with runbox. You'll be using either SSL 3.0 or TLS 1.0.
It's not the browser I'm worried about - Runbox's webmail server, rmm6.runbox.com has a perfect security record, anyway. I'm rather concerned about mail clients, particularly those on mobile systems (which have their own security issues time and again). The makers of mail apps are not always forthcoming with technical specifications for their products, and those are communicating with Runbox through the less-than-secure secure.runbox.com server.
bluelectric is offline   Reply With Quote
Old 14 Aug 2013, 06:23 PM   #9
tomhab
Essential Contributor
 
Join Date: Nov 2007
Posts: 236
Just to point out - it gets an F for product support (I'm guessing that means browser support).

Everything else is very strong. In other words - you may have problems connecting to it, but if you do, then you're probably pretty secure.
tomhab is offline   Reply With Quote
Old 14 Aug 2013, 06:27 PM   #10
bluelectric
Junior Member
 
Join Date: Aug 2013
Location: Berlin, Germany
Posts: 16
Quote:
Originally Posted by tomhab View Post
Just to point out - it gets an F for product support (I'm guessing that means browser support).
Nope. It says "Protocol support" which doesn't mean browser support but support for secure or less secure transfer protocols. Which - again - doesn't affect browsers because you are able to (and should) access Runbox through rmm6.runbox.com - which has an excellent security rating. It's the standalone mail clients that are (or rather may be) affected by unsufficent protocol support.
bluelectric is offline   Reply With Quote
Old 26 Aug 2013, 09:02 AM   #11
emebrs
Essential Contributor
 
Join Date: Dec 2012
Posts: 343
Quote:
Originally Posted by bluelectric View Post
you are able to (and should) access Runbox through rmm6.runbox.com - which has an excellent security rating
Is it also okay to simply use https://runbox.com/ ?
emebrs is offline   Reply With Quote
Old 24 Sep 2013, 11:32 PM   #12
Ez2517
Junior Member
 
Join Date: Sep 2013
Posts: 1
Ssl

It seems to me that they still could improve their server config regarding SSL, especially

- remove support of MD5 ciphers (MD5 is widely seen as insecure if not broken)
- i would prefer to see a SSL root certificate used which has NOT been issued by a british company, as it is not unlikely that the private keys are in access of british and/or U.S: government agencies.
Ez2517 is offline   Reply With Quote
Old 25 Sep 2013, 01:54 AM   #13
tomhab
Essential Contributor
 
Join Date: Nov 2007
Posts: 236
Hi Ez2517

Your first point is fair enough. A bit of technical background to your second point:

If Runbox's root certificate authority's (CA) private key was made available to whatever agencies it would not allow them to read your communication to Runbox. You need Runbox's private certificate to do that. All the CA's certificate does it prove that Runbox's certificates are valid.

However, if someone managed to get any CA private certiciate, it would allow them to create a clone of Runbox's certificate allowing a man-in-the-middle attack (that does allow them to read your communication) so it's moot point what CA Runbox uses. Also it would be pretty noticeable and big news, and very very damaging for whatever CA provided their private certificate.
tomhab is offline   Reply With Quote
Old 27 Sep 2013, 04:40 PM   #14
17pm
Cornerstone of the Community
 
Join Date: Sep 2013
Posts: 536
Does anyone know any info about when exactly they're planning to secure their connection?

It has been almost 2 months now, since they said they'd fix it "shortly".
17pm is offline   Reply With Quote
Old 28 Sep 2013, 07:19 PM   #15
Geir
The "e" in e-mail
 
Join Date: Sep 2001
Location: Oslo, Norway
Posts: 2,938

Representative of:
Runbox.com
We are planning to move https://runbox.com over to our Runbox 6 servers next week, and are in the process of acquiring stronger SSL certificates.

- Geir
Geir is offline   Reply With Quote
Reply


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Forum Jump


All times are GMT +9. The time now is 05:50 PM.

 

Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy