"Current notices about Posteo: News, developments, background information and media appearances."


New security technology and additional certificate

Created at 04.April 2016, 14:30 | Category: Info

Dear Posteo users and interested parties,

We would like to inform you about some new pieces of security technology at Posteo.

We have begun to support “Certificate Transparency” technology. In addition, we started using new technology known as “Certification Authority Authorization (CAA)” and “HTTP Public Key Pinning (HPKP)” a few weeks ago. These further increase the security of Posteo for you.

Nothing changes for you – and you do not need to do anything. In this blog article we merely wish to provide an insight into how we are protecting your data at Posteo using these features.

Certificate Transparency: No chance for certificate forgers

With Certificate Transparency, we can automatically monitor worldwide whether an unauthorised third party (criminal or intelligence service) attempts to represent itself as Posteo by falsifying certificates for our Posteo domains. Until now, it was very unlikely that a certifying authority would actually incorrectly authenticate an unauthorised party to be Posteo. The reason for this is that for many years we have used a so-called extended security certificate (EV certificate). These certificates are only issued following presentation of a range of documents. Criminals and intelligence services do, however, attempt to take on another identity using falsified certificates. They do this, for example, to lure customers of internet services to falsified phishing sites and capture their login details there, or to place themselves as the “Man-in-the-Middle” of a communications process.

With the new technology, we can evaluate 24 hours a day in close to real time whether someone attempts to manipulate our certificates and can therefore react immediately – ideally, before an attacker can make an attempt at fraud. You no longer need to trust the diligence of the certification authorities’ (CA) issuing of certificates: With the new technology, online services such as Posteo can check for themselves whether a certifying authority has incorrectly issued a certificate to an unauthorised party.

New certificate in the course of the changes

In order to be able to support the new pieces of security technology, we will in April begin implementing an additional certificate from Geotrust. This certifying authority already supports the new technology. Interested parties can find the fingerprints of all certificates (a series of characters with which a certificate can be verified as “real”) from now on the legal notice page of our website. All programs such as Thunderbird or Outlook will find the new certificate automatically. You do not need to do anything. If your program produces a certificate error during the transition process, please simply restart it, which should overcome the issue.

New security technology “Certification Authority Authorization” (CAA) in use for some weeks

For a few weeks we have been using an additional new piece of security technology in connection with certificates: Certification Authority Authorization (CAA). CAA is very new technology that is not yet widely circulated. With this new technology, we have lodged information in the DNS (the central request registry of the internet) as to which certifying authorities are authorised to issue certificates for our domains. This technology is still very new, which means that there is not yet any requirement for certifying authorities to observe it. We are nonetheless of the opinion that these entries are already very sensible: We want to show what is technically possible today and we hope that many telecommunications providers and certification authorities will soon use CAA. The technology can make internet access more secure overall, and further minimise the risk of falsified certificates.

German certifiers with Certificate Transparency are not yet practical

At the moment, it remains impossible for email services such as Posteo to implement certificates from German certification authorities as a main certificate in practice. Providers such as D-Trust (the Bundesdruckerei) do not (yet) know of some devices and programs that are widely in use. If an email service nonetheless uses a certificate from such an “unknown” certification authority, a large number of users receive constantly repeating error messages. The programs state that the certificates in place are not trusted. The situation does not look good in terms of the support of new technology, either: The Telekom Trust Center (TeleSec), for example, which is the certification authority for Deutsche Telekom AG, has indicated to us that it has no plans to support Certificate Transparency. These existing problems with German certifiers will only improve in the course of the coming years, if at all. A prerequisite for this, for example, is that German certifiers ensure that their so-called root certificates are recognised as trustworthy in all new-generation devices and programs.

Additional information for pros: Additional certificate security technology at Posteo

- For each secured domain, we always use at least two extended validation certificates on an equal basis. In case problems with a certification authority arise, we can immediately switch to the other certificate, without any disturbance to our users.
- We use HPKP (HTTP Public Key Pinning) to force browsers to accept our certificates only.
- We use DANE so that other email servers, browsers and programs can check our certificates with a falsification-proof DNS request.

Best regards,

The Posteo team