Help video: How to additionally secure your account with two-factor authentication

Created on 23. August 2017, 16:30 | Category: Blog

Dear Posteo users,

We are often asked whether Posteo accounts can be additionally secured without requiring specific knowledge of computers. One possibility is to use two-factor authentication, which we have offered for some time now.

Two-factor authentication is simple but effective additional protection against unauthorised access. When logging in to the webmail interface, a one-time password is required in addition to the personal password. Two-factor authentication prevents account theft: If criminals or intelligence services capture your access information (username and password), they still have no way to access your account settings, change your password and lock you out of your account. Third-party access to your account and security settings is effectively prevented.

In our experience, people without special knowledge of IT often do not trust themselves to activate two-factor authentication. Optimal online security is important for all, however. For this reason we have today published a video in which our help section editor Tim Vüllers shows you step-by-step how to set up the additional protection. He also explains how the process fundamentally works as well as demonstrating how he uses it on an everyday basis. In addition, he reveals another security trick – if you do not use Posteo with external email programs (such as Outlook and Thunderbird), you can block access for such programs. Thus two-factor authentication additionally protects your emails against unauthorised access.

In future, we will be making additional help videos available. Our videos can be viewed with subtitles for accessibility. There are also versions of the video available in English and French.

With two-factor authentication, no additional costs are incurred and you can use it on many different devices (computer, smartphone, tablet, YubiKey).
By the way: Our customer support is happy to provide further personalised help if you have any questions or problems with two-factor authentication. Detailed step-by-step instructions for setup can alternatively also be found in the Posteo help section.

Best regards,

The Posteo team

Update: Petya aimed at destroying data

Created on 27. June 2017, 18:15 | Category: Blog

Update: July 3, 2017, 12:45:

Leading security firms now consider that Petya (also known as “PetrWrap” and “NotPetya”) was aimed at destroying data. Petya apparently disguised itself as ransomware but its aim was not to extort money. Analyses by IT security companies Kaspersky and Comae Technologies show that the malware did not encrypt data on the affected systems but instead deleted it. It appears that Petya overwrites data irreversibly, rendering restoration impossible. For the parties concerned, paying the ransom or contacting the attackers would have been useless.

The Posteo address specified in connection with the attack was immediately blocked by Posteo on Tuesday at midday, before the attack spread. The attackers did not replace the blocked address with another one.

June 27, 2017, 18:15:

Info on the PetrWrap/Petya ransomware: Email account in question already blocked since midday

At midday today (CEST) we became aware that ransomware blackmailers are currently using a Posteo address as a means of contact. Our anti-abuse team checked this immediately – and blocked the account straight away. There was no press coverage at that time. We do not tolerate the misuse of our platform: The immediate blocking of misused email accounts is the necessary approach by providers in such cases.

During the afternoon it emerged that the “PetrWrap/Petya” malware is currently spreading quickly in many places, including Ukraine.

Here are the facts that we can contribute to “PetrWrap/Petya”:
– Since midday it has no longer been possible for the blackmailers to access the email account or send emails.
– Sending emails to the account is no longer possible either.

We are in contact with the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik).

What is ransomware?
“Ransomware” denotes malicious software that is installed on a device, for example, by clicking a bad link or attachment. This primarily occurs when the device is poorly protected – when software installed there has not been updated for an extended time, for example. The malicious software prevents access to data and systems – and the user affected is asked to pay a ransom for the release of their data. Payment often does not lead to the data being released, however.

Best regards,

The Posteo team

Security warning for users of Mailvelope in Firefox

Created on 04. May 2017, 12:00 | Category: Blog

Dear Mailvelope users,

We have a security notice for anyone who uses the encryption add-on Mailvelope with Firefox.

We recently had a security audit of Mailvelope undertaken, in which a critical vulnerability was found in the interaction between Mailvelope and Firefox. Under certain circumstances, Firefox’s security architecture allows attackers to access users’ private keys via compromised add-ons. We therefore ask all users of Mailvelope in Firefox to carefully read our security recommendations found in this article, below.

This also affects Mailvelope users with all other providers such as Gmail, Outlook.com, Yahoo!Mail, etc.

Firefox’s architecture does not sufficiently compartmentalise add-ons from each other – this has been known for years. The fact that a Mailvelope user’s private keys could be compromised via targeted attacks in Firefox was not proven until now, however. The security engineers that we engaged from Cure53 have now proved this. In the past, Cure53 had already audited Mailvelope for Chrome – on our assignment the engineers have now also investigated the plug-in’s interaction with Firefox. In their investigative report, they conclude that Firefox does not currently constitute a suitable environment for Mailvelope. They write,

“At the end of the day, the Cure53 testing team cannot in good conscience recommend the use of Mailvelope on Firefox.”

Weakness expected to last until November 2017

We informed Thomas Oberndörfer, the developer of Mailvelope, after the security audit. He is unable to fix the weakness, however, as it has to do with Firefox’s architecture. New architecture is already being developed at Firefox. Mozilla is planning to conclude this work with the release of Firefox 57 in November 2017. Oberndörfer is also working on a version of Mailvelope for the new and improved Firefox architecture. We would like to thank him for his development work.

Until Mozilla has updated the architecture, the following security recommendations apply:

Option 1.) In the interim, switch to different software. Either use Mailvelope in a different browser, or use PGP with a local email program. You can find various instructions for these options in the Posteo help section.

Option 2.) Alternatively, using an independent Firefox profile for Mailvelope minimises the risk in the interim. In the Posteo help section, we have published step-by-step instructions for the creation of Firefox profiles on Mac and on Windows. Mailvelope users with other providers can also follow these instructions. Please be sure to note the following security recommendations in order to effectively minimise the risk of a successful attack:

Due to the problems with the Firefox architecture, we additionally recommend:

Here are the recommendations from the Cure53 report once again, for transparency reasons:

“Two paths can be recommended for the users who rely on Mailvelope for encryption and decryption of highly sensitive data. First, they could use Mailvelope on a browser profile that hosts only and exclusively Mailvelope with no other extensions. Secondly, they would need to rely on a different software solution, for instance Thunderbird with Enigmail.”

“At present, any users working with Mailvelope on Firefox are encouraged to export their settings, delete the extension and migrate their setup to a Mailvelope installation running on Google Chrome. Alternatively, a separate browser profile running Mailvelope only could be used, with the caveat that one must not have any other extensions installed in order to minimize the risk of key material leakage.”

Security engineers engaged by Posteo found the weakness

In their daily activities, our customers use various devices, browsers and add-ons in their local environments. Our users’ communication security is very important to us – we therefore also continually have external standard components checked for weaknesses. Among others, we work together to this end with independent IT security experts at Cure53. They have now made a finding concerning Mailvelope in Firefox.

Dr Mario Heiderich from Cure53 explains,

“the problem is currently located in the architecture. There is therefore no easy fix. Mozilla knows this, but also has to keep a difficult balance between radical changes and ones that are prudent but are often decisions that are slow to take effect. Things are going in the right direction, however, which is definitely something positive for more complex software.”

Thomas Oberndörfer of Mailvelope states,

“Mailvelope is naturally dependent on the security of the underlying browser. Weaknesses in Firefox’s add-on system have been known of for some time, so Mozilla’s improvement should be welcomed. Security audits such as the one undertaken by Posteo are important indicators for us to see how we can further improve Mailvelope.”

Report to be published after weakness is overcome

The weakness outlined above is expected to be overcome by Mozilla in November 2017. Out of consideration for security, we will therefore first publish the report at a later point. In it, the method of attack will be described in detail. The report is already available to Mailvelope and the BSI (German Federal Office for Information Security).

The security audit has also yielded some positive results for Mailvelope, which we would like to outline here: The engineers checked whether the email provider for which Mailvelope is used could access a Mailvelope user’s private keys saved in the browser – this was not possible. All other attempts made by the security engineers to access private keys saved in Mailvelope, such as via third-party websites or man-in-the-middle attacks, were also unsuccessful.

Weakness shows that open source increases security

For security reasons, we exclusively support open source components with transparent code – such as the encryption plug-in Mailvelope. In our view, transparent code is essential for the security and democratic control of the internet: Independent experts can at any time identify weaknesses or backdoors via code analysis, as happened here. A provider or developer’s security claims do not need to be trusted. With the security audits that we commission, we want to contribute to further increasing the security of established open source components and genuine end-to-end encryption.

Best regards,

The Posteo team

Kindle, GOP etc: What to do with insecure email servers

Created on 28. July 2016, 17:00 | Category: Blog

Dear Posteo users,

In the last few days we have received a lot of positive feedback on our new TLS-sending guarantee, for which we would like to say thank you. We’re very pleased about how well the new security feature is being adopted. Within just a few days more than 20% of our users have activated the new feature. With the TLS-sending guarantee activated, your emails are only sent if they can be transferred to the recipient over an encrypted transport route. Because we are currently receiving a lot of queries, we will here look at some insecure email servers and show what options are available when sending is stopped.

First, here is an example, which we are receiving many enquiries about: Amazon “@kindle.com”.

The email servers for the commonly-used domain “@kindle.com” are in fact not secure. Even three years after the NSA scandal, the domain still does not support TLS encryption when receiving emails. Our tests confirm this. We have received numerous queries about the security of “@kindle.com” from users with the TLS-sending guarantee activated. In our view, the lack of TLS support presents a large problem, because customers use “@kindle.com” addresses to send their own documents to their Kindles. Amazon describes this feature as follows: “Kindle customers can send documents to their registered Kindle devices, free Kindle reading applications, and their Kindle Library in the Amazon Cloud by e-mailing them to their Send-to-Kindle e-mail address name@kindle.com.”

It appears that Amazon domains are not generally affected.


The current configuration of “@kindle.com” is insecure and presents a security risk. Whether you wish to continue sending sensitive data to “@kindle.com” addresses is your own personal decision. If desired, you could temporarily disable the TLS-sending guarantee in order to send. Please note, however, that due to the missing encryption at @kindle.com, these communications can be read by unauthorised third parties such as criminals and intelligence services. For privacy reasons, you should not send other people’s data to kindle.com addresses – the others should be able to decide this for themselves.
We have no influence over Amazon’s IT. You could contact Amazon directly. It is generally not especially difficult for administrators of email services to activate TLS encryption on their servers. We assume that the domain will soon be secured if complaints arrive, as the missing encryption constitutes a grave security risk. You would then once again be able to send emails to kindle.com addresses with the TLS-sending guarantee activated.

No encryption for GOP (Republican National Committee), the University of Oxford or Ryanair either

We are asking all users who have contacted us regarding email servers that are not capable of TLS encryption such as @gop.com, @kodakpulse.com, @communication.microsoft.com, @ox.ac.uk, @ryanair.com, @unog.ch, @melia.com and other domains (listed below) to decide in each individual case whether they wish to send an email to the insecure email system. Communicating with any such outdated email system that is not capable of TLS is insecure.

When sending is stopped, you have the following options:
- You can inform the recipient (if desired, using an alternative contact method) that securely sending an email to their address is not possible and ask them to provide an alternative email address.
- You can temporarily deactivate the Posteo TLS-sending guarantee and send the email securely, by furnishing it with end-to-end encryption.
- You can temporarily deactivate the TLS-sending guarantee and send the email unencrypted/insecurely, as an exception.
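The fail-closed behaviour described above, as an added example that is not Posteo's own code: a parser for the EHLO reply of a receiving mail server, the send/hold decision the guarantee makes when STARTTLS is missing, and a network probe for one MX host. The EHLO replies and host names are constructed for illustration, not captured from any real server.

```python
# Added example, not Posteo's code: models the fail-closed decision behind the
# TLS-sending guarantee and probes an MX host for the STARTTLS extension.
import smtplib
from typing import Optional

# Constructed EHLO replies for illustration (not captured from any real server).
SECURE_REPLY = (b"250-mx.example-secure.test\r\n250-SIZE 52428800\r\n"
                b"250-STARTTLS\r\n250 8BITMIME\r\n")
INSECURE_REPLY = (b"250-mx.example-insecure.test\r\n250-SIZE 52428800\r\n"
                  b"250 8BITMIME\r\n")


def ehlo_advertises_starttls(ehlo_reply: bytes) -> bool:
    """True if a raw multi-line EHLO reply lists the STARTTLS extension.

    Lines look like '250-KEYWORD ...' or, for the last one, '250 KEYWORD ...';
    the keyword is matched case-insensitively, as smtplib does.
    """
    for raw in ehlo_reply.splitlines():
        line = raw.decode("ascii", errors="replace").strip()
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            continue
        keyword = line[4:].strip().split(" ", 1)[0].upper()
        if keyword == "STARTTLS":
            return True
    return False


def sending_decision(guarantee_enabled: bool, starttls_supported: bool) -> str:
    """Decide what happens to an outgoing mail for one recipient domain.

    'send-tls': transport encryption available, deliver normally.
    'hold': guarantee on and no TLS offered: fail closed, the user chooses.
    'send-plaintext': guarantee off, the mail would travel unencrypted.
    """
    if starttls_supported:
        return "send-tls"
    return "hold" if guarantee_enabled else "send-plaintext"


def probe_starttls(mx_host: str, timeout: float = 10.0) -> Optional[bool]:
    """Connect to an MX host on port 25 and ask whether EHLO offers STARTTLS.

    Returns None when the host is unreachable so an outage is not mistaken
    for "no TLS". Needs network access; resolve the domain's MX beforehand
    (the standard library offers no MX lookup).
    """
    try:
        with smtplib.SMTP(mx_host, 25, timeout=timeout) as smtp:
            smtp.ehlo("probe.example.test")
            return smtp.has_extn("starttls")
    except (smtplib.SMTPException, OSError):
        return None
```

Note that a probe only shows what the server advertises; whether the offered certificate is valid is a separate check that this example does not perform.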

Ask the domain holders for better security

If you would like to, you could contact the holder of a domain to ask them to activate TLS encryption on their servers. By doing this, you contribute to achieving an improved overall security of email traffic.
Overall, it can be said that these days, mainly only outdated and poorly-maintained email servers do not support TLS. If you activate the TLS-sending guarantee, it will generally only rarely occur that one of your emails is not sent for security reasons.

Last of all, we have collated a list of examples of commonly-used email domains that astonishingly do not yet support TLS, about which we have received queries during the last few days:

- Amazon Kindle: @kindle.com
- Microsoft: @communication.microsoft.com
- United Nations Office at Geneva: @unog.ch
- University of Oxford: @ox.ac.uk
- Yahoo! Japan: @yahoo.co.jp
- Melia Hotels: @melia.com
- Kodak Pulse “Email pictures to the display”: @kodakpulse.com
- Germanwings: @germanwings.com
- eBay: @members.ebay.com
- German American Chamber of Commerce: @gaccny.com
- Pacific National Bank: @pnb.com
- Ryanair: @ryanair.com
- Voyages SNCF: @voyages-sncf.com
- Republican National Committee: @gop.com

Best regards,

The Posteo team

Chief privacy officer praises Posteo in yearly report

Created on 30. March 2016, 16:30 | Category: Blog

Dear Posteo users and interested parties,

The new chief privacy officer for Berlin, Maja Smoltczyk, has presented Posteo in her yearly report for 2015 as a positive example of innovative privacy concepts. We are very pleased to receive this mention of praise from such a senior figure. We therefore present a translation for you to read:

“Posteo (posteo.de) is a webmail service with all the necessary features. As opposed to other webmail services, the user pays. For this fee, many things are avoided including any data identifying the user, analysis of user behaviour or even the content of messages. This begins with the user creating their account under a pseudonym: Apart from the desired email address and a password, no data is mandatorily collected. Even the prepaid payment can occur completely anonymously in cash. If the user chooses a payment process which involves their personal information, the connection to the email account made via a payment code is immediately deleted after the payment is processed. As well as the implementation of possibilities for transport route encryption when sending and receiving emails and when accessing the webmail interface, optional end-to-end encryption with PGP and S/MIME is also supported. One special characteristic is the feature to encrypt account content and address book: This allows for unencrypted emails to be saved with encryption in a simple manner. As opposed to encryption with PGP and S/MIME, traffic data is also encrypted in the email header. The encryption occurs in the background at the moment that the relevant email is opened. When using this feature, choosing a secure and long password is particularly important.” (p51)

“Data protection is a completely successful selling point, as the example of Posteo shows.” (p53)


The complete report by the Berlin chief privacy officer can be found (in German) at datenschutz-berlin.de.


Best regards,


The Posteo team