New security certificates

Created on 09. January 2018, 13:00 | Category: Info

Dear Posteo users,

In the coming days we will be updating our security certificates. Security certificates are only valid for a specified time period and need to be renewed from time to time. We will therefore be changing them by 22.01.2018. We continue to use certificates from Geotrust (Digicert) and the Bundesdruckerei (D-Trust).

In most cases you will not notice anything when the certificates are changed over. All programs such as Thunderbird or Outlook will find the new certificate automatically. You do not need to do anything. If your program displays a certificate error during the changeover process, please simply restart the program, which should overcome the error.

If you check the trustworthiness of certificates manually, you can find the fingerprints for the new certificates that we will shortly begin using, below. You can also find the fingerprints in our legal notice.

New fingerprints for TLS security certificates

Geotrust:
SHA256: FB:28:42:1E:23:AD:8A:23:8B:AB:C1:ED:FD:86:FD:F5:30:C6:D9:35:E0:E6:D8:91:CD:F3:77:66:05:C5:75:33
SHA1: AC:9D:4C:F6:36:78:FE:D6:EB:5C:CE:F9:DA:CB:69:CE:0A:93:F4:58
MD5: E9:B3:0A:C5:76:86:0C:FC:15:3D:43:D9:6E:CD:FC:CE

D-Trust:
SHA256: 09:63:1B:8C:35:CD:67:0E:AB:60:B3:63:1E:F3:42:DB:9F:43:5E:09:AD:09:A5:90:49:33:26:F2:FD:B4:D7:AA
SHA1: B6:B8:3C:59:23:22:33:07:88:9E:DD:B9:8D:2D:ED:6C:FA:32:E9:04
MD5: 5D:3F:4C:A3:72:7F:8B:3A:54:92:B4:C8:BC:D5:D9:B7

Best regards,

The Posteo team

New: Easy email encryption with Autocrypt and OpenPGP header

Created on 21. December 2017, 18:30 | Category: Info

Dear Posteo users,

Starting this week, we are now supporting the new encryption method Autocrypt, which will soon simplify real end-to-end encryption in email applications. Posteo customers will be able to use the technology as soon as email applications supporting Autocrypt are available.

The trendsetting method is being integrated into popular email applications such as Thunderbird with Enigmail and K-9 Mail for Android. New versions of these email applications (Enigmail 2.0 and K-9 Mail 5.3) will support Autocrypt.

When email senders and recipients are using email applications compatible with Autocrypt, they can use end-to-end encrypted communication with no additional effort: the email applications automatically encrypt emails with PGP prior to transmission while exchanging public keys automatically in the background. The manual exchange and management of keys – which users often perceive as complicated – is becoming superfluous: Prior to the first encrypted communication, a regular empty email (without content) is sent. With this, the key is transferred in the background. Henceforth, messages can be encrypted automatically.

Autocrypt is a free and open standard, works with all email providers and uses real end-to-end encryption with the private key always remaining with the user. That’s one of the reasons why we support the method.
#more#

Why we already support Autocrypt and protect keys additionally

A first version of Autocrypt is being integrated into popular email applications. The involvement of email providers in the key exchange has not been intended yet. The provider sided support generates benefits for the end user which we want to showcase with our early implementation.

It is very important to us that Posteo customers will be able to use Autocrypt from the very beginning – as comfortable and secure as possible.

Our contribution to comfort:
Thanks to Autocrypt, email applications can soon automatically exchange public keys within the email headers. Our provider sided support makes it possible for an Autocrypt compatible application to receive a public key even if the sender uses an email application without support for Autocrypt. If the sender’s public key is available to us, we will take over that task: Posteo adds the Autocrypt header prior to every email transmission. Your communication partner is able to reply encrypted – without a manual key exchange.

Your current public key is transmitted inside the Autocrypt header with every sent email. Therefore, there is always a copy of your current key available in the applications of your communication partner – without manual key management.

Our contribution to security:
We provide an additional layer of security with digital signatures (DKIM). For Autocrypt the use of DKIM has not been planned yet. Our provider sided DKIM-signature makes it impossible for a public key to be invisibly manipulated by a third party during transmission. An Autocrypt header attached by your local email application is signed with DKIM by Posteo. DKIM-signatures occur only when the sending address matches with the sending mailbox.

How Autocrypt is integrated into Posteo

Many Posteo customers have published their public PGP key in the Posteo key directory. If these customers send an email, we add the Autocrypt header into the email. This header contains your public key. If your email application adds an Autocrypt header by itself, this header will not be changed and no additional header will be added.

- Posteo customers who additonally activated the Posteo inbound encryption using their public PGP key want every incoming email to be encrypted. This information is added to the Autocrypt header as well. That way, email applications compatible with Autocrypt will know that a recipient at Posteo wants an encrypted reply.

- In addition to the new Autocrypt header we also add the so called OpenPGP header, which informs the receiving email client on where it can find the public key. With this, the URL for the download from the Posteo key directory will be transmitted. The OpenPGP-header will be signed with DKIM, too.

What can you do?

In day-to-day life, encrypted communication with Autocrypt will work without your involvement. The manual exchange and management of end-to-end encryption keys becomes superfluous. All you need is your personal PGP key pair.

- Install the upcoming major versions of Enigmail or K-9 Mail as soon as available.

- If you already own a personal PGP key pair for your Posteo email address, we recommend publishing your key in our Posteo public key directory. Then your public key will automatically be added to the header of every email you send. We explain how to publish your public PGP key at Posteo in this help article.

Security recommendations for implementing Autocrypt:
In our view, the automatic exchange of public keys in the background should always be accompanied by further security measures. We recommend other email providers to sign Autocrypt headers with DKIM. Application developers should consider further measures to secure the key and verify existing DKIM-signatures. Additionally, end users should be notified by their email applications if a public key is replaced with a new one or if a setting, that an email should be encrypted or not, is changed by an Autocrypt header. In this way, a possible manipulation by third parties can be detected.

Best regards,

The Posteo team

Security warning for Thunderbird users and Enigmail users: vulnerabilities threaten confidentiality of communication

Created on 21. December 2017, 15:40 | Category: Blog

Dear Posteo users,
dear Thunderbird users and interested parties,

We have a security notice for everyone who uses Thunderbird or the encryption add-on Enigmail.

It is our goal to make popular open-source solutions more secure. Hence, last autumn we entered into a cooperation with Mozilla’s SOS Fund to commission a security audit of Thunderbird with Enigmail. This was the first security audit for Enigmail ever.

The goal of the audit was to identify vulnerabilities in the tested software and to make the software safer consistently. The current audit showed multiple vulnerabilities. The developers of Enigmail have already fixed all the problems that were discovered. Some of the security issues have already been fixed in Thunderbird, as well – but most improvements will only be available with future versions of Thunderbird. In addition to these vulnerabilities, there is a problem within the architecture of the Thunderbird add-on system.

All Thunderbird users with all providers are affected, including Gmail, Outlook.com or Yahoo.

We are asking all Thunderbird and Enigmail users to carefully read our security recommendations in this article. If you follow our security recommendations, you will already communicate more securely.
#more#

24 days, 8 security researchers, 22 vulnerabilities

The thorough audit of Thunderbird and Enigmail in autumn 2017 was conducted by independent security researchers (Cure53). The audit was financed in equal parts by Posteo and the Mozilla SOS Fund. It took 24 days and a team of 8 researchers to carry out the project.
The test covered the fields “Incoming Emails with PGP Signature / PGP Encryption”, “Incoming html Emails”, “Key Generation & Crypto Setup”, “Calendar, RSS and other features with Rich-Text Usage” as well as “Default Settings”.

In total, 22 security relevant vulnerabilities have been discovered, of which 3 were classified as “critical” and 5 as “high”. The developers of Thunderbird and Enigmail were involved in the audit and were informed immediately after the security audit.

The security researchers summarize the conclusions in their report as follows:

“A detailed look at the implementations of both Thunderbird and Enigmail revealed a high prevalence of design flaws, security issues and bugs. (…) In short, secure communications may not be considered possible under the current design and setup of this compound.”

Among the critical issues regarding Enigmail was the fact that it was possible to fake signatures as well as identities. Furthermore, the encrypted communication of users can be intercepted by third parties and could be compromised further on under certain conditions.
The Enigmail developers have already fixed all identified vulnerabilities and provided a new Enigmail version (1.9.9). We would like to thank Enigmail for their work.
However, Enigmail relies on Thunderbird, which will receive many of the improvements only in future versions.

Thunderbird add-on architecture puts your data at risk

This spring, architectural vulnerabilities in Firefox were confirmed as part of a Posteo audit. We then presumed these architectural vulnerabilties could also be found in Thunderbird, which is confirmed by the current audit:

The add-on architecture of Thunderbird allows an attacker to obtain your email communication through compromised add-ons. The add-ons are insufficiently separated and have access to the user content in Thunderbird. This includes end-to-end encrypted communication: Even a user’s private PGP key can fall into the hands of an attacker. Here, even Enigmail cannot improve the situation. It is even possible for an attacker to use compromised Thunderbird add-ons to gain access to parts of your device and your sensitive data.

The report advises caution:

“Assuming that a vulnerable or rogue extension is installed, an attacker acquires multiple ways of getting access to private key material and other sensitive data. (…) Henceforth, users are asked to be aware that extensions in Thunderbird are as powerful as executables, which means that they should be treated with adequate caution and care.”

Firefox has rebuilt the architecture in the current version 57. For Thunderbird it is not foreseeable when the add-on architecture will be changed.

RSS feeds can act as spies

The audit discovered profound security problems in connection with RSS feeds, which are expected to be fixed entirely in Thunderbird version 59. Due to security reasons, the actual attack will not be described in this post. The use of RSS feeds in Thunderbird can endanger and reveal your entire communication and other sensitive data.

Please consider the following security recommendations:

For all Thunderbird users:

If you follow these security recommendations, your communication will be notedly more secure.

For Enigmail users:

If you follow these security recommendations, your communication is notedly more secure.

Audit report to be published after vulnerabilities have been fixed
Due to security considerations we will publish the report after all identified vulnerabilities have been fixed, since the report describes the researchers successful attacks in detail. However, the report was made available to the participating developers, Posteo and Mozilla.

Posteo supports open source software
Posteo supports open source software with transparent code for security reasons. We are convinced that transparent code is essential for the security and democratic control of the internet. At any time, independent experts can identify vulnerabilities and backdoors, making software more secure step-by-step. With intransparent code there is a need to trust each provider’s or developer’s security statements, which are not reviewable by the public. For us, this is not an option.

Open source projects need your support

- Donate to the Thunderbird project to support further development of Thunderbird: https://donate.mozilla.org/en/thunderbird/
- Donate to the Enigmail developers to support further development of Enigmail: https://www.enigmail.net/index.php/en/home/donations

After the audit: what the participants say

Enigmail developer Patrick Brunschwig extends his thanks:

“Enigmail is one of the most widely used tools for OpenPGP email encryption. Yet it took 16(!) years of development until the first security audit was performed. It was more than overdue, and I would like to thank Posteo for taking the initiative and co-financing an audit report together with the Mozilla Foundation. Not very surprising for such an old project, the audit report revealed a number of important issues that were addressed now.”

Mozilla regards the audit as a success:

“Mozilla’s Secure Open Source Fund, a MOSS program, provides code-read security audits for key pieces of open source software. We are very pleased to have been able to collaborate with Posteo to audit one of the main software combinations used for secure email, and are glad that users’ data is safer and more secure as a result.”

Dr. Mario Heiderich from Cure53 hopes for a reopening of the bug bounty program of Thunderbird:

“In closing, once all relevant issues reported here by Cure53 have been fixed, it should be strongly considered to re-establish a bug bounty program for Thunderbird. This approach would help keeping the security level at an acceptable level instead of allowing it to deteriorate and move towards a stale state of datedness.”

Patrik Löhr from Posteo asks for changes in the add-on architecture of Thunderbird:

“We want to make open source software and end-to-end encryption more secure: security audits are the best way to achieve this aim.
It is a success that all discovered vulnerabilities in Enigmail have already been resolved.
The add-on architecture in Thunderbird, on the other hand, requires more work to achieve an up-to-date secure setup. Thunderbird is an essential tool for many people who work with email and communicate with end-to-end encryption. Therefore, the effort pays off.”

Best regards,

The Posteo team

Transparency notice: Our donations for 2016

Created on 14. September 2017, 18:15 | Category: Blog

Dear Posteo users and interested parties,

In the name of transparency we have now updated our donation page, where we document the organisations that we financially supported during the previous year (2016).

It is important to us to encourage social engagement and to take responsibility as a company. We therefore support selected charitable organisations in the areas of environment and climate protection, internet politics and freedom of opinion, as well as refugee aid.

During last year, Posteo donated a total of 29.600,00 EUR. Of this, 28.002,00 EUR constituted voluntary donations by Posteo. The remaining 1.598,00 EUR came from users’ remaining credit. #more#

Compared to the year before we were able to increase our donations by 5,250.00 EUR for 2016.

As per the previous year, recipients of Posteo donations included Reporters Without Borders, UNO-Flüchtlingshilfe, Friends of the Earth Germany (BUND) and Netzpolitik.org.

A new addition is a German Red Cross project in the Amazon, where 1.3 million people are acutely threatened by the increase in extreme weather events due to climate change. The project sees houses set up on raised platforms with secure architecture. In addition, blankets and hygiene kits are distributed and a health service set up. The project sustainably contributes to ensuring the existence of people affected by climate change.

In addition, we support the European Centre for Constitutional and Human Rights (ECCHR) since 2016. The ECCHR lawyers’ aim is to hold state and non-state actors legally accountable for grave human rights abuses. Among others, the ECCHR was founded in 2007 by human rights lawyer Wolfgang Kaleck, who represented whistleblower Edward Snowden in Germany.

Posteo does business sustainably and is independent. Our service is financed by our customers’ account fees alone. There are no investors or advertising partners at Posteo.

You are therefore what makes our engagement possible – you make a difference, for which we thank you very much.

All recipients of Posteo donations can be found on our donations page.

Best regards,

The Posteo team

Help video: How to additionally secure your account with two-factor authentication

Created on 23. August 2017, 16:30 | Category: Blog

Dear Posteo users,

We are often asked whether Posteo accounts can be additionally secured without requiring specific knowledge of computers. One possibility is to use two-factor authentication, which we have offered for some time now.

Two-factor authentication is simple but effective additional protection against unauthorised access. When logging in to the webmail interface, a one-time password is required in addition to the personal password. Two-factor authentication prevents account theft: If criminals or intelligence services capture your access information (username and password), they then have no possibility to access your account settings, change your password and lock you out of your account. Third party access of your account and security settings is effectively prevented.

In our experience, people without special knowledge of IT often do not trust themselves to activate two-factor authentication. Optimal online security is important for all, however. For this reason we have today published a video in which our help section editor Tim Vüllers shows you step-by-step how to set up the additional protection. He also explains how the process fundamentally works as well as demonstrating how he uses it on an everyday basis. In addition, he reveals another security trick – if you do not use Posteo with external email programs (such as Outlook and Thunderbird), you can block access for such programs. Thus two factor authentication additionally protects your emails against unauthorised access.

In future, we will be making additional help videos available. Our videos can be accessibly viewed with subtitles. There are also versions of the video available in English and French.

With two-factor authentication, no additional costs are incurred and you can use it on many different devices (computer, smartphone, tablet, YubiKey).
By the way: Our customer support is happy to provide further personalised help if you have any questions or problems with two-factor authentication. Detailed step-by-step instructions for setup can alternatively also be found in the Posteo help section.

Best regards,

The Posteo team