Chief privacy officer praises Posteo in yearly report

Created on 30. March 2016, 16:30 | Category: Blog

Dear Posteo users and interested parties,

The new chief privacy officer for Berlin, Maja Smoltczyk, has presented Posteo in her yearly report for 2015 as a positive example of innovative privacy concepts. We are very pleased to receive this mention of praise from such a senior figure. We therefore present a translation for you to read:

“Posteo (posteo.de) is a webmail service with all the necessary features. As opposed to other webmail services, the user pays. For this fee, many things are avoided including any data identifying the user, analysis of user behaviour or even the content of messages. This begins with the user creating their account under a pseudonym: Apart from the desired email address and a password, no data is mandatorily collected. Even the prepaid payment can occur completely anonymously in cash. If the user chooses a payment process which involves their personal information, the connection to the email account made via a payment code is immediately deleted after the payment is processed. As well as the implementation of possibilities for transport route encryption when sending and receiving emails and when accessing the webmail interface, optional end-to-end encryption with PGP and S/MIME is also supported. One special characteristic is the feature to encrypt account content and address book: This allows for unencrypted emails to be saved with encryption in a simple manner. As opposed to encryption with PGP and S/MIME, traffic data is also encrypted in the email header. The encryption occurs in the background at the moment that the relevant email is opened. When using this feature, choosing a secure and long password is particularly important.” (p51)

“Data protection is a completely successful selling point, as the example of Posteo shows.” (p53)


The complete report by the Berlin chief privacy officer can be found (in German) at datenschutz-berlin.de.


Best regards,


The Posteo team

New: Who we support with donations

Created on 16. March 2016, 18:30 | Category: Blog

Dear Posteo users and interested parties,

In the name of transparency, we are now openly listing the organisations that we supported with donations last year (2015). We were asked to provide this information as remaining Posteo credit can be donated, if desired. Our new “Who we donate to” page can be found on our website in the “About us” section.

It is important to us to encourage social engagement and to take responsibility as a company. We therefore support selected charitable organisations in the areas of environment, internet politics and freedom of opinion, as well as refugee aid.

During last year, Posteo donated a total of 24,350.00 EUR. Of this, 22,957.30 EUR constituted voluntary donations by Posteo.
The remaining 1,392.70 EUR came from users’ remaining credit.

In 2015, recipients of Posteo donations included Friends of the Earth Germany (BUND), Reporters Without Borders, The UN Refugee Agency (UNHCR) and Netzpolitik.org.

Best regards,

The Posteo team

Cryptoparty for women in the Posteo Lab on Feb 24

Created on 08. February 2016, 17:15 | Category: Blog

Dear Posteo users and interested parties,

On Wednesday 24th February there will be a cryptoparty for women in the Posteo Lab in Berlin (Kreuzberg). Hosting the event are the hacker girls from Heart of Code.

The hackers will be our guests from 7pm. The event begins with two short talks on the topic of encryption. After that, workshop participants will be shown how to communicate securely on the internet and how to be protected from spying by intelligence agencies and advertisers.

Background info:
The “Heart of Code” hackers want to facilitate women’s access to information technology, tools and content, to make the hacking community and tech landscape more diverse in the long term. We support this aim, as women are clearly underrepresented in the field of IT. For this reason we are happy to make the Posteo Lab available to the hackers for their event.

Best regards,

The Posteo team

Second extended certificate

Created on 22. December 2015, 18:30 | Category: Blog

Dear Posteo users,

From now on, we are also deploying a second extended security certificate.

Such authenticated, “green security certificates” are used first and foremost by organisations that deal with sensitive data, such as banks. The certificate can be seen to the left of our web address (https://posteo.de) in your browser (usually a key symbol with a green background). In this way you can always recognise that you are actually on the Posteo website – and not some sort of phishing site. If you use a local email program, it additionally checks the security certificate before establishing an encrypted connection with Posteo, confirming that the encryption partner is genuine. For this, email providers rely on certification authorities, which confirm the validity of a security certificate before an encrypted connection is established. OCSP is an additional security measure: an OCSP server confirms that a certificate has not been revoked.

We therefore use a second certificate
The reason for additionally deploying a second certificate is that the OCSP servers of the certification authority StartCom were not reliably reachable over the past few days. In some individual cases, this led to restrictions in programs that additionally check OCSP, such as Thunderbird and Firefox. We know that for this reason some of our users experienced an error when opening our website or working in a local email program. At Posteo itself, there was no problem at any time, and the security of your connections was not affected at any time. Because it is completely unacceptable to us that a problem at a single certification authority repeatedly affects our customers, we are from now on using a certificate certified by the Bundesdruckerei, which we had recently already created as a second certificate.

What a certification authority does
Email providers use certification authorities to confirm the validity of their certificates before an encrypted connection is established. In addition, a certification authority certifies the public key of a provider’s SSL certificate. It is similar to a notary: after checking multiple documents (including company registration, personal identity documents, telephone calls with us and our lawyers, etc.), the certification authority confirms that the public key really does belong to the provider, in this case to Posteo e.K. The certification authority does not create our certificate or key pair; we do this ourselves. It therefore cannot manipulate or exchange the keys.

Our new certificate, certified by the Bundesdruckerei, conforms to current security standards and was signed using the SHA-256 algorithm.

If your browser, email program, smartphone or tablet happens to produce an error message due to an invalid certificate following our change, this is not due to an attack or an error. It merely means your program has the old certificate saved. In most cases, restarting the program or device should remedy this.

The “electronic fingerprints” for our new security certificate are:
SHA256: 6A:B1:9D:FB:FB:10:2E:D8:89:01:76:8C:B1:6B:61:13:A1:E3:B6:A5:47:D6:85:A3:FD:08:7F:11:DA:35:77:E7
SHA1: 8D:D7:97:B4:45:79:4D:EC:64:AE:D1:90:88:AC:B4:F4:5A:21:EA:6A
MD5: DA:CC:03:04:8C:E8:03:54:4F:6B:B2:2E:C2:ED:94:D8

You can also find the fingerprints for both certificates in our legal notice page. This information is only relevant for users who manually check our certificates.

If a program or system that you use does not have the Bundesdruckerei root certificate pre-installed and therefore does not trust the connection to Posteo, you can simply install it. It can be found for download from the Bundesdruckerei website. There, you can also find the fingerprint of the root certificate “D-TRUST Root Class 3 CA 2 EV 2009” on the downloads page, which we also publish here for comparison purposes:
SHA-256: EE:C5:49:6B:98:8C:E9:86:25:B9:34:09:2E:EC:29:08:BE:D0:B0:F3:16:C2:D4:73:0C:84:EA:F1:F3:D3:48:81
SHA-1: 96:C9:1B:0B:95:B4:10:98:42:FA:D0:D8:22:79:FE:60:FA:B9:16:83

The Posteo domains that we use with the SSL certificate are in our possession. The entries for our name server in the DNS are additionally secured with DNSSEC, to prevent manipulation. And with DANE, anyone can verify our keys’ fingerprints beyond doubt.
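For users who manually check certificates, as the post describes, the following is an added example (not Posteo’s own code) of the two checks involved: comparing a certificate’s digest against a published fingerprint line in the format used above, and checking a DANE TLSA record against the certificate. The DER bytes are a constructed placeholder; a real check uses the certificate the server presented.

```python
import hashlib
import hmac
import re
from typing import Tuple

# Constructed stand-in for the DER bytes of a server certificate. A real check
# would use the certificate the server actually presented in the TLS handshake.
SAMPLE_DER = b"constructed placeholder, not a real DER certificate"

# Digest labels as printed on the page ("SHA256:", "SHA-256", "SHA1:", "MD5:").
# MD5 and SHA-1 are kept only to compare against published legacy fingerprints.
DIGESTS = {"sha256": hashlib.sha256, "sha1": hashlib.sha1, "md5": hashlib.md5}

def parse_fingerprint_line(line: str) -> Tuple[str, str]:
    """Split 'SHA-256 EE:C5:...' or 'SHA1: 8D:D7:...' into (algo, lowercase hex)."""
    m = re.fullmatch(r"\s*([A-Za-z]+-?\d*):?\s*([0-9A-Fa-f:]+)\s*", line)
    if not m:
        raise ValueError(f"unrecognised fingerprint line: {line!r}")
    algo = m.group(1).replace("-", "").lower()
    if algo not in DIGESTS:
        raise ValueError(f"unsupported digest: {algo}")
    return algo, m.group(2).replace(":", "").lower()

def fingerprint_matches(der: bytes, published_line: str) -> bool:
    """True when the digest of the DER certificate equals the published value."""
    algo, expected = parse_fingerprint_line(published_line)
    actual = DIGESTS[algo](der).hexdigest()
    # Constant-time comparison; returns False on length mismatch too.
    return hmac.compare_digest(actual, expected)

def tlsa_matches(der: bytes, selector: int, matching_type: int, assoc_hex: str) -> bool:
    """Check a DANE TLSA record (RFC 6698) against the DER certificate.

    Only selector 0 (full certificate) is handled; selector 1 (SubjectPublicKeyInfo)
    would need ASN.1 parsing to extract the SPKI and is rejected explicitly.
    """
    if selector != 0:
        raise ValueError("selector 1 (SPKI) is not supported by this example")
    if matching_type == 0:        # exact match on the full certificate
        actual = der.hex()
    elif matching_type == 1:      # SHA-256 of the certificate
        actual = hashlib.sha256(der).hexdigest()
    elif matching_type == 2:      # SHA-512 of the certificate
        actual = hashlib.sha512(der).hexdigest()
    else:
        raise ValueError(f"unknown matching type {matching_type}")
    return hmac.compare_digest(actual, assoc_hex.lower())
```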

Even if we did not have any influence over the disturbances caused by the error at the certification authority, we would still like to apologise if you were affected by this annoying problem.

Best regards,

The Posteo team

New: Posteo webmail interface can find public keys

Created on 22. December 2015, 14:00 | Category: Info

Dear Posteo users,

We have now made end-to-end encryption in the Posteo webmail interface even easier.
Attachments can now also be conveniently encrypted (with PGP/MIME) in the webmail interface.

At the same time we have made the first application for our new Posteo key directory available:

If you use end-to-end encryption with Posteo in the browser, Posteo finds the public keys for your contacts – in many cases, automatically. This is made possible by the Posteo key directory and Posteo key search: Our key search automatically searches worldwide for corresponding public keys for your contacts and displays them to you before you send an email.

In many cases, therefore, you no longer need to ask a contact for their public key before being able to send them an encrypted email.
This happens in the background:
When you enter a recipient for your email, our innovative key search performs a search for corresponding keys for the email address. It searches not only the worldwide PGP key servers, but also the DNS – the so-called “internet telephone book”, as well as additional sources of the Posteo key directory. If the key search finds a key for your contact’s email address, this will be displayed. Thus end-to-end encryption becomes convenient and modern, without losing security: the encryption in the webmail interface is performed by the open source plug-in Mailvelope, which is installed locally. This ensures genuine end-to-end encryption in which your private key always remains locally on your devices. It is not saved on our servers at any point, as this would reduce the principle of end-to-end encryption (between the sender and recipient of an email) to an absurdity. The encryption and key search also work with all email providers that adhere to internationally agreed-upon standards for the field of email. This is no stand-alone or proprietary solution for which both communication partners would need to use the same provider in order to communicate with one another using encryption.
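As an added illustration (not Posteo’s code) of how a key search can consult several sources in turn, the example below assumes the DNS source is an OPENPGPKEY record (RFC 7929), which the post does not state; the owner name derivation follows that RFC, and the directories are constructed stand-ins with no network access.

```python
import hashlib
from typing import Callable, Dict, List, Optional, Tuple

def openpgpkey_qname(email: str) -> str:
    """Owner name of the OPENPGPKEY record for an address (RFC 7929, assumed source).

    The local part is hashed with SHA-256 as UTF-8, the digest is truncated to
    28 octets (56 hex characters) and placed under _openpgpkey.<domain>.
    The local part is case-sensitive; the domain is not.
    """
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    digest = hashlib.sha256(local.encode("utf-8")).hexdigest()[:56]
    return f"{digest}._openpgpkey.{domain.lower()}"

Source = Tuple[str, Callable[[str], Optional[bytes]]]

def find_public_key(email: str, sources: List[Source]) -> Optional[Tuple[str, bytes]]:
    """Query each (name, lookup) source in order; return (name, key) for the first hit.

    Returning the first hit means the ordering of sources decides which key is
    shown when more than one source knows the address.
    """
    for name, lookup in sources:
        key = lookup(email)
        if key:
            return name, key
    return None

# Constructed directories standing in for a key server and for DNS answers.
CONSTRUCTED_KEYSERVER: Dict[str, bytes] = {
    "bob@example.net": b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n(constructed bob key)\n",
}
CONSTRUCTED_DNS: Dict[str, bytes] = {
    openpgpkey_qname("alice@example.org"): b"(constructed alice OPENPGPKEY rdata)",
}

SOURCES: List[Source] = [
    ("keyserver", CONSTRUCTED_KEYSERVER.get),
    ("dns-openpgpkey", lambda addr: CONSTRUCTED_DNS.get(openpgpkey_qname(addr))),
]
```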

For security reasons, our philosophy is to exclusively use genuine end-to-end solutions, open-source technologies and free standards. In our view, only thus can maximum security, transparency, comfort and compatibility be obtained. The Mailvelope plug-in is open source and has undergone a security audit (by Cure53).

Instructions:
Step-by-step instructions for the setup and use of end-to-end encryption in the Posteo webmail interface can be found in our help section.

Customers who already use end-to-end encryption in the Posteo webmail interface can also find instructions in the Posteo help section on activating the new Posteo key search and encrypting attachments in a few easy steps.

For developers:
We have developed an open source plug-in for the Roundcube email client, which is published under the AGPL licence and can be found on Github.

Best regards and happy holidays,

The Posteo team