Second extended certificate

Created on 22. December 2015, 18:30 | Category: Blog

Dear Posteo users,

From now on, we are also deploying a second extended security certificate.

Such authenticated, “green security certificates” are used first and foremost by organisations that deal with sensitive data, such as banks. It is shown to the left of our web address (https://posteo.de) in your browser (usually a key symbol on a green background). In this way you can always recognise that you are actually on the Posteo website – and not on some phishing site. If you use a local email program, it additionally checks the security certificate before establishing an encrypted connection with Posteo, confirming the identity of the encryption partner. Email providers use certification authorities for this, which confirm the validity of a security certificate before an encrypted connection is established. OCSP is an additional safeguard: an OCSP server confirms that a certificate has not been revoked.

We therefore use a second certificate
The reason for additionally deploying a second certificate is that the OCSP servers of the certification authority StartCom were not reliably reachable over the past few days. In some individual cases, this led to restrictions in programs that additionally check OCSP, such as Thunderbird and Firefox. We know that for this reason some of our users experienced an error when opening our website or working in a local email program. At Posteo itself, there was no problem at any time, and the security of your connections was not affected at any time. Because it is completely unacceptable to us that a problem at a single certification authority repeatedly affects our customers, we are from now on using a certificate certified by the Bundesdruckerei, which we had recently already created as a second certificate.

What a certification authority does
Email providers use certification authorities to confirm the validity of their certificates before an encrypted connection is established. A certification authority also certifies the public key in a provider’s SSL certificate. It is similar to a notary: after checking several documents (including the company registration, personal identity documents, telephone calls with us and our lawyers, etc.), the certification authority confirms that the public key really does belong to the provider, in this case to Posteo e.K. The certification authority does not create our certificate or key pair; we do this ourselves. It therefore cannot manipulate or exchange the keys.

Our new certificate, certified by the Bundesdruckerei, conforms to current security standards and was signed using the SHA-256 algorithm.

If your browser, email program, smartphone or tablet happens to produce an error message due to an invalid certificate following our change, this is not due to an attack or an error. It merely means your program has the old certificate saved. In most cases, restarting the program or device should remedy this.

The “electronic fingerprints” for our new security certificate are:
SHA-256: 6A:B1:9D:FB:FB:10:2E:D8:89:01:76:8C:B1:6B:61:13:A1:E3:B6:A5:47:D6:85:A3:FD:08:7F:11:DA:35:77:E7
SHA-1: 8D:D7:97:B4:45:79:4D:EC:64:AE:D1:90:88:AC:B4:F4:5A:21:EA:6A
MD5: DA:CC:03:04:8C:E8:03:54:4F:6B:B2:2E:C2:ED:94:D8

You can also find the fingerprints for both certificates on our legal notice page. This information is only relevant for users who manually check our certificates.

If a program or system that you use does not have the Bundesdruckerei root certificate pre-installed and therefore does not trust the connection to Posteo, you can simply install it. It can be downloaded from the Bundesdruckerei website. On the downloads page there you will also find the fingerprint of the root certificate “D-TRUST Root Class 3 CA 2 EV 2009”, which we also publish here for comparison:
SHA-256: EE:C5:49:6B:98:8C:E9:86:25:B9:34:09:2E:EC:29:08:BE:D0:B0:F3:16:C2:D4:73:0C:84:EA:F1:F3:D3:48:81
SHA-1: 96:C9:1B:0B:95:B4:10:98:42:FA:D0:D8:22:79:FE:60:FA:B9:16:83
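One way to perform the manual comparison described above, for the new leaf certificate as well as the D-TRUST root, as an added example that is not Posteo’s own code: it computes the SHA-256 and SHA-1 fingerprints of a certificate the way a browser’s certificate viewer shows them and compares them with a published value. The embedded certificate is a constructed placeholder (its base64 body is just “abc”) so the block runs offline; fetch_leaf_pem() is an assumed helper for a live check against a real host.

```python
"""Check a certificate's "electronic fingerprint" against a published value.
Added example, not Posteo's code: a fingerprint is a hash over the
certificate's DER bytes, so this serves leaf and CA root certificates alike."""
import base64
import hashlib
import re
import ssl

# Constructed placeholder: body "YWJj" decodes to b"abc"; not a real
# certificate, just enough to exercise the hashing offline.
CONSTRUCTED_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem: str) -> bytes:
    """DER bytes of the first CERTIFICATE block in a PEM string."""
    match = _PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))

def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest, as browsers display it."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(published: str) -> str:
    """Canonicalise a published value given in any case, with or without
    ':' or spaces. Pass the hex part only: a 'SHA-256' label would be
    misread, because its letters are valid hex digits."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", published).upper()
    if not hexdigits or len(hexdigits) % 2:
        raise ValueError("malformed fingerprint")
    return ":".join(hexdigits[i:i + 2] for i in range(0, len(hexdigits), 2))

def matches(pem: str, published: str, algo: str = "sha256") -> bool:
    """True when the certificate's fingerprint equals the published one.
    Compare SHA-256; the SHA-1 and MD5 lines exist only for old viewers
    and neither hash is collision resistant."""
    return fingerprint(pem_to_der(pem), algo) == normalize(published)

def fetch_leaf_pem(host: str, port: int = 443) -> str:
    """Live check (needs network): the server's leaf certificate as PEM.
    Usage: matches(fetch_leaf_pem("posteo.de"), "<published SHA-256>")"""
    return ssl.get_server_certificate((host, port))
```

For the root certificate, run the same comparison on the downloaded root PEM instead of a fetched leaf; a mismatch on SHA-256 means the file is not the one whose fingerprint was published.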

The Posteo domains that we use with the SSL certificate are in our possession. Our name server’s DNS entries are additionally secured with DNSSEC to prevent manipulation, and using DANE anyone can verify our key’s fingerprints beyond doubt.

Even though we had no influence over the disruption caused by the error at the certification authority, we would still like to apologise if you were affected by this annoying problem.

Best regards,

The Posteo team

Transparency report: German authorities mess up

Created on 25. August 2015, 17:00 | Category: Blog

Dear Posteo users,

We would like you to know how often authorities request user information from Posteo. We have therefore today published our transparency report for the year 2014. In the report, we lay out how often German investigative authorities approached us in 2014 – and how often Posteo actually had to release data. The report covers all requests from authorities that Posteo received in the year 2014. Posteo operates more than 100,000 paid email accounts. In 2014, we received 22 requests from authorities. In Germany, there is no such thing as secret requests that are not allowed to be mentioned. You will also find out how often these requests were formally correct and how many of the requests were illegal.

Because almost all requests from authorities that have reached Posteo until now were illegal, we place particular emphasis on the information disclosure process in this year’s report. We criticise the chaotic conditions that prevail, in particular in requests for user information under § 113 TKG (German Telecommunications Act). We show that grave deficiencies exist in practice, that the law is regularly breached and that the deficiencies in oversight are getting even worse. Germany may be known for its exactness, but German authorities have failed miserably at abiding by the legal requirements. Posteo has not yet received any requests from foreign authorities.

To document our critique of the information and surveillance processes, we have today published numerous examples of illegal requests from authorities on our website. In addition, we present our correspondence with public bodies such as the state privacy officers, the privacy officers of the respective German federal states and the respective ministries of justice of the German federal states.

This gives you an insight into the privacy-oriented work that takes place at Posteo all year round. The report also examines the control instrument of the judicial reservation, which in our view no longer fulfils its intended purpose: in practice, practically all applications for surveillance in Germany were granted. Although no statistics are even kept to determine the effectiveness of the judicial reservation, we have found numbers that prove this.

The German government, meanwhile, remains idle, even though it has been informed of some of these grievances for many years and continues to be questioned about them, as we show in the first part of our report. We demonstrate this, among other things, with a reply from the Federal Ministry of the Interior that was published last Wednesday (19th August).

The complete transparency report can now be found on the Posteo website.

We call on Justice Minister Heiko Maas to stop the draft law for the reintroduction of data retention. If the possibilities for surveillance in Germany continue to be expanded while the deficiencies shown in our transparency report still exist and practically every application for surveillance is approved, this would be a development that cannot be beneficial to democracy.

Note: The German government’s draft law for the planned reintroduction of data retention (“Gesetz zur Einführung einer Speicherpflicht und einer Höchstspeicherfrist für Verkehrsdaten”) currently stipulates that the entire area of email should be exempt from retention. This means that Posteo does not belong to the group of obligated parties. We assume, however, that the introduction of the law would further increase the number of illegal requests for user information made to us.

If you would like to support our work, we would be very pleased if you circulated our transparency report and the information it contains, and made enquiries with the parties responsible. Last May, Posteo became the first German telecommunications provider to publish a transparency report. Our move has since prompted other German providers, including Deutsche Telekom, to publish transparency reports as well. With this year’s transparency report, we would like to contribute to making existing grievances and legal realities public and allowing them to be debated. We want change: the grievances must be eliminated and democratic control of state information processes in Germany must be strengthened.

Best regards,

The Posteo team

Posteo users safe from Logjam attack

Created on 22. May 2015, 16:00 | Category: Blog

Dear Posteo users,

Over the past few days, the media have reported on a security flaw known as Logjam. It was discovered by US researchers and can give attackers access to individual encrypted connections, such as those used for secure access to websites, email traffic and online banking.

We would like to inform you that, as a user accessing Posteo, you are not affected by Logjam: our team follows developments in cryptography and security very closely and we always employ the newest encryption technologies. This means that when you access Posteo via your browser or a local email program, you are not vulnerable to Logjam, as we do not offer the attack surface through which this attack occurs.

In your communications with other email providers, please be aware that for the moment, not all of them have secured their systems against Logjam.

In the meantime, independent server test websites have extended their tests to include Logjam. You can confirm on these independent sites that Posteo is not affected by Logjam: on the Qualys test site, for example, we still obtain the best mark of A+ for web access. Any vulnerability leads to a lower score.

Independent of Posteo, your browsers and local programs could still be vulnerable when used with other services. In the coming days, please pay special attention to whether updates are offered for your browser (e.g. Firefox, Safari or Chrome) or programs. You should install these important updates to increase the security of your online activities in this regard. For security when accessing Posteo, no updates are necessary on your part.

Best regards,

The Posteo team

German Bundestag: Posteo statement on privacy

Created on 13. March 2015, 16:15 | Category: Blog

Dear Posteo users,

As of today you can find a statement from Posteo on the topic of “Privacy in the digital world” at bundestag.de. Our vice president of communications, Dean Ceulic, was a guest expert on the committee for the German parliament’s digital agenda. The topic of the discussion was “Startups, small to medium-sized businesses and privacy in the digital world”. In addition, we were asked to provide written replies to a list of questions that the various parliamentary groups prepared prior to the discussion. Our statement is now available on the Bundestag website (in German).
The discussion itself is available as a video at bundestag.de (in German).

An overview of the most important points for us

On German and European privacy standards:

We emphasised that strict German and European privacy regulations do not stand in the way of the economy. The opposite is true: European companies can use stricter privacy regulations to their advantage, protecting themselves (for example, from American competitors) using sophisticated privacy measures. Stricter privacy standards do not inhibit innovation; they actually constitute a competitive advantage for European companies. This view is shared by an overwhelming majority of the experts who took part in the discussion.

We criticise the German government’s current plans to weaken the high German and European privacy standards:

“Germany’s high standards for privacy have become a relevant factor for a company’s location, and should not be given up lightly. The principles of data reduction and purposeful use strengthen consumers’ trust in German companies and help strengthen citizens’ fundamental right to informational self-determination.”

We therefore demanded that the law stipulate that personal information may only be processed if permitted by law and with the affected party’s consent.

On data retention, we stated the following:

“Sensitive metadata such as IP addresses, for example, are currently under special protection in Germany. Connection and traffic data (such as IP addresses) must also be under special protection on a European level, as their evaluation enables compilation of extensive personality profiles. In particular, the retention of data should be opposed, as this severely impairs citizens’ fundamental rights according to several of the highest law courts.”

On data economy and purposeful use:

The German government will in future consider the principles of data reduction and purposeful use when handling data.

We argued for retaining both of these fundamental privacy principles, stating:

“When handling data, the principles of data reduction and purposeful use strengthen not only the citizens’ fundamental right to informational determination. Both factors also give companies a clear course of action and minimise uncertainties as to how they collect and process data – in particular also amongst one another.”

On the relationship between fundamental rights and security interests:

We emphasised that there is no conflict of objectives between security interests and the effective protection of citizens’ privacy. In a constitutional state, both poles should be in a far more balanced relationship with each other:

“To further strengthen democracy in the digital world, it is essential to restore a more balanced relationship between both poles. International, comprehensive surveillance activities by intelligence agencies can only be countered with measures for encryption, data economy and anonymisation. This is in the interest of citizens – as well as in the interest of companies and authorities.”

Best regards,

The Posteo team

Email encryption in your browser with Mailvelope

Created on 10. October 2014, 18:47 | Category: Blog

Dear Posteo users,

A few days ago, a new version of the encryption add-on Mailvelope (available for Firefox and Chrome) was released. The new version is preconfigured to work with Posteo.

Using the add-on, it is now possible to easily encrypt the content of emails using OpenPGP within the Posteo webmail interface. You can also sign your emails, but attachments cannot be encrypted using the add-on. Mailvelope is especially interesting for all who prefer to use the Posteo webmail interface and who would like to secure their emails with end-to-end encryption. Mailvelope is open source: the program code for the add-on is visible and based on open standards.

In the Posteo help section “Webmail”, you can find instructions on how to install the add-on in Firefox or Chrome and how encryption using Mailvelope works. Other browsers such as Safari or Internet Explorer do not yet support Mailvelope. If you encounter problems using Mailvelope or have questions about the add-on, please contact Mailvelope support.

Best regards,

The Posteo team