Messages

"Current notices about Posteo: News, developments, background information and media appearances."

Blog and Media

Categories:

  • Blog
  • Press
  • Info

Cartography for Relief Organisations: Missing Maps host an evening at Posteo Lab

Created on 27. August 2018, 17:01 | Category: Blog

Improving maps in Nigeria — all the way from Kreuzberg. This was made possible on August 14th in our Berlin-located Posteo Lab, where a new Missing Maps Group hosted their first German mapathon. With guidance from Missing Maps, volunteers improve online maps at mapathons by plotting villages and streets on satellite imagery. At the events organised by Missing Maps, OpenStreetMaps of crisis regions are improved upon. This can, for example, aide relief organisations in planning their operations more effectively.

Missing Maps is a humanitarian project that was founded in November 2014 by the American and British Red Cross, the Humanitarian OpenStreetMap Team and Doctors Without Borders. Since then, Missing Maps has regularly organised mapathons in various European countries. About 17 interested parties participated in the first German event at Posteo Lab. #more#

The focus of the event in Berlin was satellite imagery of Niger State in western Nigeria. Currently there are active teams from medical relief organisations that need more precise maps of the region for their work.

The mapathon began with a detailed introduction by Marcel Werdier from the organisation Missing Maps. He clearly explained in a presentation how mapping works. He also demonstrated the required programs and outlined the most important rules for plotting maps to the volunteers.

After the presentation, the volunteers could immediately apply their newly gained knowledge and began plotting maps on the laptops they had brought with them. They analysed satellite imagery and plotted streets and villages with just a few clicks. The team from Missing Maps helped the participants and answered all questions that came up.

At the end, there was a final presentation where the volunteers could see the progress of their collective efforts made on the maps. The knowledge they gained from this experience can continue to be applied when mapping in private.

The team from Missing Maps was very satisfied with their premiere mapathon in Germany. There are plans to organise more evenings like this one in Berlin.

Background Information
Because we want to strengthen social engagement, we regularly make Posteo Lab available to charitable associations and organisations free of charge. It’s important to us that the events hosted at Posteo match our values in sustainability, technology, democracy, open source, internet politics, IT security and privacy. If you’re interested in hosting an event here, send us an inquiry at veranstaltungen@posteo.de.

Posteo is financed 100 percent by user fees. We’d like to take this opportunity to thank our user for making our social engagement possible.

Transparency notice: Our donations for 2017

Created on 12. July 2018, 15:05 | Category: Blog

Dear Posteo customers and interested parties,

In the name of transparency we have updated our donations page, where we document the organisations that we financially supported during the previous year (2017).

During last year, Posteo donated a total of 34,600.00 EUR. Of this, 33,022.05 EUR constituted voluntary donations by Posteo. The remaining 1,577.95 EUR came from users that donated remaining credit when terminating their account.
In comparison with the previous year, we were able to increase our donations in 2017 by 5,000 EUR.

It is important to us that we encourage social engagement and take responsibility as a company.
Because of this, we donate to selected charitable organisations in the areas of environment and climate protection, internet politics and freedom of opinion, as well as refugee aid. #more#

Posteo donated to the following organisations in 2017:

BUND:
Bund für Umwelt und Naturschutz Deutschland (BUND) is one of the largest German environmental organisations. Throughout Germany there are more than 2,000 voluntary BUND groups engaged with regional environmental topics. BUND is also engaged with climate protection, ecological agriculture and protection of threatened species, forests and water. BUND is the German member of the international environmental network, “Friends of the Earth”.

German Red Cross (DRK):
The German Red Cross (DRK) is one of the largest German help organisations. The DRK is active worldwide and can be present anywhere in the world in co-operation with partner organisations. In the face of the threat of climate change, the DRK has realised multiple projects along with the Ministry of Foreign Affairs to support people internationally who suffer from the effects of climate change. Our donations go towards a project in the Amazon in Peru, where 1.3 million people are acutely threatened by the increase in extreme weather events due to climate change. The donations are used to set up houses with secure architecture on raised platforms. In addition, blankets and hygiene kits are distributed and a health service set up.

ECCHR:
The European Centre for Constitutional and Human Rights (ECCHR) is engaged with legal measure for human rights. The ECCHR lawyers’ aim is to hold state and non-state actors legally accountable for grave human rights abuses. Among others, the ECCHR was founded in 2007 by human rights lawyer Wolfgang Kaleck, who represents whistleblower Edward Snowden in Germany.

netzpolitik.org:
netzpolitik.org is a journalistic platform for digital freedom rights and presents the most important debates and developments on the topic of the internet. The platform documents how politics is changing the internet and society through regulation and the continued expansion of surveillance laws. With its work, netzpolitik.org wants to encourage people to become engaged for their digital freedom rights and an open society.

Reporters Without Borders:
Reporters Without Borders engages itself worldwide for freedom of the press and freedom of information. The organisation documents violations against freedom of the press and supports journalists that are in danger. Reporters Without Borders combats censorship and restrictive media laws.

UNO-Flüchtlingshilfe:
UNO-Flüchtlingshilfe is the German offshoot of the Office of the United Nations High Commissioner for Refugees (UNHCR). It ensures the survival of refugees in acute crisis situations with life-saving emergency measures. UNO-Flüchtlingshilfe thus provides for sufficient supplies of water, food and medicines in refugee camps or regions that are hard to access, for example.

In addition to these donations, Posteo also sponsored taz.panterstiftung.

Posteo does business sustainably and is independent. Our service is financed entirely by our customers’ account fees. There are no investors or advertising partners at Posteo.
You are what makes our involvement in these projects possible. We thank you very much for helping to make a difference.

Best regards,
The Posteo team

Update: Information about "Efail" reports

Created on 14. May 2018, 18:40 | Category: Blog

Update on May 15, 15:30:

We have an update for all users of Mailvelope:
The open source encryption plug-in Mailvelope is not affected by the critical Efail vulnerabilities and can continue to be used. Mailvelope communicated this information earlier this afternoon. With Mailvelope, PGP can be used in Posteo’s webmailer. We are in contact with the Mailvelope developer, Thomas Oberndörfer.
Nevertheless, he announced that they will improve the plug-in’s handling of HTML emails in regards to privacy for example by making the loading of external content such as images optional.
He recommends that users update to today’s release (Version 2.2.2) as minor problems have been fixed.

May 14, 18:40:

Dear Posteo users,

Today, the media has reported vulnerabilities within the end-to-end encryption standards, PGP and S/MIME.

We only became aware of the investigation today. Because of this, we cannot make any final assessments about the publication yet. We’re currently examining the document for you and are getting assessments from security experts. Furthermore, we have made contact with developers from current encryption software.

We’d like to respond to some questions we’ve received and also provide some initial tips for users of PGP and S/MIME. We will update this blog entry with any news.

Summary:
1.) If you do not use end-to-end encryption with PGP or S/MIME then you are not affected by this issue.
2.) If you use PGP or S/MIME, disable HTML rendering and external content from being loaded. (We’ve provided instructions on how to do this at the end of this blog entry)
3.) All participants of an encrypted communication must take the measures described in point 2.) of this summary.

Is email encryption unsafe now?

No, as a generalisation this is not correct as there is no “singular” form of email encryption. In general, emails nowadays are simultaneously secured through various security and encryption technologies. For example, end-to-end encryption does not protect the entire email communication even if many people believe it does. It only protects the content data.
The email’s metadata and subject are protected by the providers’ transport route encryption.

In reality, the security of an email correspondence depends on the combination of various technologies. When one encryption technology is viewed separately, it doesn’t say much about the actual security of a specific email communication in practice.

Attacks are only possible under strict conditions

The creators of this investigation presume in their scenario that an attacker already has access to an encrypted communication. However, nowadays email providers utilise security technologies that effectively prevent man-in-the-middle attacks and unauthorised access to encrypted communication.

The German Federal Office for Information Security (BSI) also describes the conditions for an attack (German text):
“An attacker has to have access to the transport route, the mail server or the email account of the recipient to exploit the vulnerabilities.”

The fact is that providers today are constantly improving secure transport routes, mail servers and accounts. We always utilise state of the art technology. Users should also secure their end devices as well.
Here’s an example of how we secure transport routes. In 2014, we were the first provider to implement the innovative technology DANE that eliminates the current vulnerabilities in transport route encryption (TLS). A combination of end-to-end encryption with a DANE-based transport route encryption results in a very high level of protection.
Tip: In Posteo’s webmailer you are notified before sending an encrypted email whether it will be protected with DANE or not .

We protect email servers with numerous technologies and an infrastructure that particularly protects our internal network and customers’ mailboxes consistently from external access. You can protect your account with a strong password. We encrypt every access to your account with the latest technologies. You can achieve an even higher level of protection if you activate two-factor authentication with additional email account protection. By activating the TLS-sending guarantee, you prevent your emails from being transferred to another email server without transport route encryption.

The German Federal Office for Information Security (BSI) describes another condition for an attack:
“Additionally the recipient would have to allow active content, or in other words, the rendering of HTML code and in particular the loading of external content.”

Because of this, users of end-to-end encryption should immediately review and adjust their settings for loading HTML code and external content accordingly. This should avert any acute dangers.

Guide for disabling external content from being loaded or HTML rendering

Thunderbird:
Disable HTML rendering:
1. Click on the sandwich-button in the top right corner of Thunderbird.
2. Click on “View”.
3. Under “Message Body As” select the menu item “Plain Text”.
Disable external content:
1. Click on the sandwich-button in the top right corner of Thunder and open “Options” / “Preferences”.
2. Open the menu item “Privacy”.
3. Under the category “Mail Content”, remove the tickmark “Allow remote content in messages”.

Apple Mail:
1. From the menu bar click on “Mail” and open “Preferences”.
2. Open the menu item “Viewing”.
3. Remove the tickmark from “Load remote content in messages”.

iOS:
1. Open “Settings”.
2. Touch “Mail”.
3. In the category “Messages”, deactivate the switch next to “Load Remote Images”.

Outlook:
1. Click on “File” and on the side menu on “Options”.
2. Open the menu item “Trust Center” and click on “Trust Center Settings”.
3. Click on “Email Security”.
4. In the section “Read as Plain Text” place a tickmark next to “Read all standard mail in plain text” and also by “Read all digitally signed mail in plain text”.
5. Confirm the changes with a click on “Ok”.

Best Regards,
The Posteo Team

New security certificates

Created on 09. January 2018, 13:00 | Category: Info

Dear Posteo users,

In the coming days we will be updating our security certificates. Security certificates are only valid for a specified time period and need to be renewed from time to time. We will therefore be changing them by 22.01.2018. We continue to use certificates from Geotrust (Digicert) and the Bundesdruckerei (D-Trust).

In most cases you will not notice anything when the certificates are changed over. All programs such as Thunderbird or Outlook will find the new certificate automatically. You do not need to do anything. If your program displays a certificate error during the changeover process, please simply restart the program, which should overcome the error.

If you check the trustworthiness of certificates manually, you can find the fingerprints for the new certificates that we will shortly begin using, below. You can also find the fingerprints in our legal notice.

New fingerprints for TLS security certificates

Geotrust:
SHA256: FB:28:42:1E:23:AD:8A:23:8B:AB:C1:ED:FD:86:FD:F5:30:C6:D9:35:E0:E6:D8:91:CD:F3:77:66:05:C5:75:33
SHA1: AC:9D:4C:F6:36:78:FE:D6:EB:5C:CE:F9:DA:CB:69:CE:0A:93:F4:58
MD5: E9:B3:0A:C5:76:86:0C:FC:15:3D:43:D9:6E:CD:FC:CE

D-Trust:
SHA256: 09:63:1B:8C:35:CD:67:0E:AB:60:B3:63:1E:F3:42:DB:9F:43:5E:09:AD:09:A5:90:49:33:26:F2:FD:B4:D7:AA
SHA1: B6:B8:3C:59:23:22:33:07:88:9E:DD:B9:8D:2D:ED:6C:FA:32:E9:04
MD5: 5D:3F:4C:A3:72:7F:8B:3A:54:92:B4:C8:BC:D5:D9:B7

Best regards,

The Posteo team

New: Easy email encryption with Autocrypt and OpenPGP header

Created on 21. December 2017, 18:30 | Category: Info

Dear Posteo users,

Starting this week, we are now supporting the new encryption method Autocrypt, which will soon simplify real end-to-end encryption in email applications. Posteo customers will be able to use the technology as soon as email applications supporting Autocrypt are available.

The trendsetting method is being integrated into popular email applications such as Thunderbird with Enigmail and K-9 Mail for Android. New versions of these email applications (Enigmail 2.0 and K-9 Mail 5.3) will support Autocrypt.

When email senders and recipients are using email applications compatible with Autocrypt, they can use end-to-end encrypted communication with no additional effort: the email applications automatically encrypt emails with PGP prior to transmission while exchanging public keys automatically in the background. The manual exchange and management of keys – which users often perceive as complicated – is becoming superfluous: Prior to the first encrypted communication, a regular empty email (without content) is sent. With this, the key is transferred in the background. Henceforth, messages can be encrypted automatically.

Autocrypt is a free and open standard, works with all email providers and uses real end-to-end encryption with the private key always remaining with the user. That’s one of the reasons why we support the method.
#more#

Why we already support Autocrypt and protect keys additionally

A first version of Autocrypt is being integrated into popular email applications. The involvement of email providers in the key exchange has not been intended yet. The provider sided support generates benefits for the end user which we want to showcase with our early implementation.

It is very important to us that Posteo customers will be able to use Autocrypt from the very beginning – as comfortable and secure as possible.

Our contribution to comfort:
Thanks to Autocrypt, email applications can soon automatically exchange public keys within the email headers. Our provider sided support makes it possible for an Autocrypt compatible application to receive a public key even if the sender uses an email application without support for Autocrypt. If the sender’s public key is available to us, we will take over that task: Posteo adds the Autocrypt header prior to every email transmission. Your communication partner is able to reply encrypted – without a manual key exchange.

Your current public key is transmitted inside the Autocrypt header with every sent email. Therefore, there is always a copy of your current key available in the applications of your communication partner – without manual key management.

Our contribution to security:
We provide an additional layer of security with digital signatures (DKIM). For Autocrypt the use of DKIM has not been planned yet. Our provider sided DKIM-signature makes it impossible for a public key to be invisibly manipulated by a third party during transmission. An Autocrypt header attached by your local email application is signed with DKIM by Posteo. DKIM-signatures occur only when the sending address matches with the sending mailbox.

How Autocrypt is integrated into Posteo

Many Posteo customers have published their public PGP key in the Posteo key directory. If these customers send an email, we add the Autocrypt header into the email. This header contains your public key. If your email application adds an Autocrypt header by itself, this header will not be changed and no additional header will be added.

- Posteo customers who additonally activated the Posteo inbound encryption using their public PGP key want every incoming email to be encrypted. This information is added to the Autocrypt header as well. That way, email applications compatible with Autocrypt will know that a recipient at Posteo wants an encrypted reply.

- In addition to the new Autocrypt header we also add the so called OpenPGP header, which informs the receiving email client on where it can find the public key. With this, the URL for the download from the Posteo key directory will be transmitted. The OpenPGP-header will be signed with DKIM, too.

What can you do?

In day-to-day life, encrypted communication with Autocrypt will work without your involvement. The manual exchange and management of end-to-end encryption keys becomes superfluous. All you need is your personal PGP key pair.

- Install the upcoming major versions of Enigmail or K-9 Mail as soon as available.

- If you already own a personal PGP key pair for your Posteo email address, we recommend publishing your key in our Posteo public key directory. Then your public key will automatically be added to the header of every email you send. We explain how to publish your public PGP key at Posteo in this help article.

Security recommendations for implementing Autocrypt:
In our view, the automatic exchange of public keys in the background should always be accompanied by further security measures. We recommend other email providers to sign Autocrypt headers with DKIM. Application developers should consider further measures to secure the key and verify existing DKIM-signatures. Additionally, end users should be notified by their email applications if a public key is replaced with a new one or if a setting, that an email should be encrypted or not, is changed by an Autocrypt header. In this way, a possible manipulation by third parties can be detected.

Best regards,

The Posteo team