New: Who we support with donations

Created on 16. March 2016, 18:30 | Category: Blog

Dear Posteo users and interested parties,

In the name of transparency, we are now openly listing the organisations that we supported with donations last year (2015). We were asked to provide this information as remaining Posteo credit can be donated, if desired. Our new “Who we donate to” page can be found on our website in the “About us” section.

It is important to us to encourage social engagement and to take responsibility as a company. We therefore support selected charitable organisations in the areas of environment, internet politics and freedom of opinion, as well as refugee aid.

During last year, Posteo donated a total of 24,350.00 EUR. Of this, 22,957.30 EUR constituted voluntary donations by Posteo; the remaining 1,392.70 EUR came from users’ remaining credit.

In 2015, recipients of Posteo donations included Friends of the Earth Germany (BUND), Reporters Without Borders, The UN Refugee Agency (UNHCR) and Netzpolitik.org.

Best regards,

The Posteo team

Cryptoparty for women in the Posteo Lab on Feb 24

Created on 08. February 2016, 17:15 | Category: Blog

Dear Posteo users and interested parties,

On Wednesday 24th February there will be a cryptoparty for women in the Posteo Lab in Berlin (Kreuzberg). Hosting the event are the hacker girls from Heart of Code.

The hackers will be our guests from 7pm. The event begins with two short talks on the topic of encryption. After that, workshop participants will be shown how to communicate securely on the internet and how to be protected from spying by intelligence agencies and advertisers.

Background info:
The “Heart of Code” hackers want to facilitate women’s access to information technology, tools and content, to make the hacking community and tech landscape more diverse in the long term. We support this aim, as women are clearly underrepresented in the field of IT. For this reason we are happy to make the Posteo Lab available to the hackers for their event.

Best regards,

The Posteo team

Second extended certificate

Created on 22. December 2015, 18:30 | Category: Blog

Dear Posteo users,

From now on, we are also deploying a second extended security certificate.

Such authenticated “green security certificates” (extended validation certificates) are used first and foremost by organisations that handle sensitive data, such as banks. Ours can be seen to the left of our web address (https://posteo.de) in your browser, usually as a key symbol on a green background. In this way you can always recognise that you are actually on the Posteo website – and not on a phishing site. If you use a local email program, it additionally checks the security certificate before establishing an encrypted connection with Posteo, confirming the identity of the encryption partner. Email providers use certification authorities for this: a certification authority vouches for the validity of a security certificate before an encrypted connection is established. OCSP is an additional security measure: an OCSP server confirms that a certificate has not been revoked.

We therefore use a second certificate
The reason for additionally deploying a second certificate is that the OCSP servers of the certification authority StartCom were not reliably reachable over the past few days. In some individual cases, this led to restrictions in programs that additionally check OCSP, such as Thunderbird and Firefox. We know that for this reason some of our users experienced an error when opening our website or working in a local email program. At Posteo itself, there was no problem at any time, and the security of your connections was not affected at any time. Because it is completely unacceptable to us that a problem at a single certification authority repeatedly affects our customers, we are from now on using a certificate certified by the Bundesdruckerei, which we had already obtained recently as a second certificate.

What a certification authority does
Email providers use certification authorities to confirm the validity of their certificates before an encrypted connection is established. The certification authority signs the public key contained in a provider’s SSL certificate. It’s similar to a notary: after checking multiple documents (including company registration, personal identity documents, telephone calls with us and our lawyers, etc.), the certification authority confirms that the public key really does belong to the provider, in this case to Posteo e.K. The certification authority does not generate our key pair – we do this ourselves and only submit the public key for signing. It can therefore neither manipulate nor exchange our keys.

Our new certificate, certified by the Bundesdruckerei, conforms to current security standards and was signed using the SHA-256 algorithm.

If your browser, email program, smartphone or tablet happens to produce an error message due to an invalid certificate following our change, this is not due to an attack or an error. It merely means your program has the old certificate saved. In most cases, restarting the program or device should remedy this.

The “electronic fingerprints” for our new security certificate are:
SHA-256: 6A:B1:9D:FB:FB:10:2E:D8:89:01:76:8C:B1:6B:61:13:A1:E3:B6:A5:47:D6:85:A3:FD:08:7F:11:DA:35:77:E7
SHA-1: 8D:D7:97:B4:45:79:4D:EC:64:AE:D1:90:88:AC:B4:F4:5A:21:EA:6A
MD5: DA:CC:03:04:8C:E8:03:54:4F:6B:B2:2E:C2:ED:94:D8

You can also find the fingerprints for both certificates on our legal notice page. This information is only relevant for users who manually check our certificates.

If a program or system that you use does not have the Bundesdruckerei root certificate pre-installed and therefore does not trust the connection to Posteo, you can install it yourself. It is available for download from the Bundesdruckerei website. On the downloads page there you can also find the fingerprint of the root certificate “D-TRUST Root Class 3 CA 2 EV 2009”, which we also publish here so that you can compare it before installing the root certificate:
SHA-256: EE:C5:49:6B:98:8C:E9:86:25:B9:34:09:2E:EC:29:08:BE:D0:B0:F3:16:C2:D4:73:0C:84:EA:F1:F3:D3:48:81
SHA-1: 96:C9:1B:0B:95:B4:10:98:42:FA:D0:D8:22:79:FE:60:FA:B9:16:83

The Posteo domains that we use with the SSL certificate are in our possession. The entries of our name server in the DNS are additionally secured with DNSSEC to prevent manipulation, and with DANE anyone can verify the fingerprint of our key via DNS beyond doubt.
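Checking a certificate fingerprint by hand, as described above, comes down to hashing the certificate’s DER encoding. The following example is added here and is not Posteo’s code: it computes the SHA-256, SHA-1 and MD5 fingerprints in the colon-separated form used in this post, compares a computed value with a published one regardless of formatting, and derives the certificate-association data of a DANE TLSA record of the form “3 0 1” (DANE-EE, full certificate, SHA-256), which is the same digest without the colons. The fetch_der helper and the host argument are assumptions for a live check; the 2015 value quoted from this post will not match today’s certificate, since certificates are replaced over time.

```python
import hashlib
import ssl
import sys

# Fingerprint algorithms named in the post. Each digest is computed over the
# certificate's DER encoding and shown as upper-case hex pairs joined by ":".
ALGORITHMS = {"sha256": hashlib.sha256, "sha1": hashlib.sha1, "md5": hashlib.md5}


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Return the colon-separated fingerprint of a DER-encoded certificate."""
    digest = ALGORITHMS[algo](der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fp: str) -> str:
    """Drop separators and case so differently formatted fingerprints compare."""
    return "".join(ch for ch in fp if ch.isalnum()).lower()


def matches(published: str, computed: str) -> bool:
    """True when both strings denote the same digest, whatever their formatting."""
    return normalise(published) == normalise(computed)


def tlsa_3_0_1(der: bytes) -> str:
    """Certificate-association data of a TLSA record with usage 3 (DANE-EE),
    selector 0 (full certificate) and matching type 1 (SHA-256): the SHA-256
    fingerprint without colons, i.e. what a DANE-aware client compares with DNS."""
    return hashlib.sha256(der).hexdigest().lower()


def fetch_der(host: str, port: int = 443) -> bytes:
    """Download the leaf certificate a server presents (assumed helper, needs network)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    # Value quoted from the 2015 post; replace it with the current fingerprint
    # from the provider's legal notice page when checking a live server.
    PUBLISHED_SHA256 = ("6A:B1:9D:FB:FB:10:2E:D8:89:01:76:8C:B1:6B:61:13:"
                        "A1:E3:B6:A5:47:D6:85:A3:FD:08:7F:11:DA:35:77:E7")
    host = sys.argv[1] if len(sys.argv) > 1 else "posteo.de"
    der = fetch_der(host)
    seen = fingerprint(der, "sha256")
    print("server presents :", seen)
    print("TLSA 3 0 1 data :", tlsa_3_0_1(der))
    print("matches published:", matches(PUBLISHED_SHA256, seen))
```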

Although we had no influence over the disruption caused by the error at the certification authority, we would still like to apologise if you were affected by this annoying problem.

Best regards,

The Posteo team

Transparency report: German authorities mess up

Created on 25. August 2015, 17:00 | Category: Blog

Dear Posteo users,

We would like you to know how often authorities request user information from Posteo. We have therefore today published our transparency report for the year 2014. In the report, we lay out how often German investigative authorities approached us in 2014 – and how often Posteo actually had to release data. The report covers all requests from authorities that Posteo received in the year 2014. Posteo operates more than 100,000 paid email accounts. In 2014, we received 22 requests from authorities. In Germany, there is no such thing as secret requests that are not allowed to be mentioned. You will also find out how often these requests were formally correct and how many of the requests were illegal.

Because almost all requests from authorities that have reached Posteo so far were illegal, we place particular emphasis on the information process in our report this year. We critique the chaotic circumstances that prevail, in particular in requests for user information under § 113 TKG (German telecommunications law). We reveal that grave deficiencies exist in practice, that the law is regularly breached, and that oversight of the situation is becoming even weaker. Germany might be known for its exactness, but German authorities have failed miserably at abiding by the legal requirements. Posteo has not yet received any requests from foreign authorities.

To document our critique of the information and surveillance processes, we have today published numerous examples of illegal requests from authorities on our website. In addition, we present our correspondence with public bodies such as the state privacy officers, the privacy officers of the respective German federal states, and the respective ministries of justice of the German federal states.

Thus you will obtain an insight into our privacy-oriented work that takes place at Posteo all year round. In addition, we occupy ourselves in the report with the control instrument of the judicial reservation, which is in our view no longer equitable in respect of its intended purpose: in practice, clearly all applications for surveillance in Germany were granted. Although statistics are not even kept to determine the effectiveness of the judicial reservation, we have found numbers that prove this.

The German government meanwhile remains idle, even though it has been informed of some of the grievances for many years and continues to be questioned, as we show in the first part of our report. We demonstrate this with a reply from the Federal Ministry of the Interior that was published last Wednesday (19th August), among other things.

The complete transparency report can now be found on the Posteo website.

We call on Justice Minister Heiko Maas to stop the draft law for the reintroduction of data retention. If the possibilities for surveillance in Germany continue to be enlarged while the deficiencies shown in our transparency report still exist and clearly every application for surveillance is approved, this would be a development that can not be beneficial to democracy.

Note: The German government’s draft law for the planned reintroduction of data retention (“Gesetz zur Einführung einer Speicherpflicht und einer Höchstspeicherfrist für Verkehrsdaten”) currently stipulates that the entire area of email should be exempt from retention. This means that Posteo does not belong to the group of obligated parties. We assume, however, that the introduction of the law would further increase the number of illegal requests for user information made to us.

If you would like to support our work, we would be very pleased if you would circulate our transparency report and the information contained within it, and make enquiries with the parties responsible. Last May, Posteo became the first German telecommunications provider to publish a transparency report. Our move prompted other German providers, including Deutsche Telekom, to publish transparency reports of their own in the meantime. With our transparency report this year, we would like to help make existing grievances and legal realities public and open to debate. We want change: the grievances must be eliminated and democratic control of state information processes in Germany must be strengthened.

Best regards,

The Posteo team

Posteo users safe from Logjam attack

Created on 22. May 2015, 16:00 | Category: Blog

Dear Posteo users,

For the last couple of days, a security flaw known as Logjam has been reported in the media. It was discovered by US scientists and can give attackers access to individual encrypted connections of the kind used, for example, for secure access to websites, email traffic and online banking.

We wish to inform you that, as a user accessing Posteo, you are not affected by Logjam: our team follows developments in cryptography and security very closely and we always employ the newest encryption technologies. This means that when you access Posteo via your browser or a local email program, you are not vulnerable to Logjam, as our servers do not offer the weak (export-grade) Diffie-Hellman key exchange that this attack relies on.

In your communications with other email providers, please be aware that for the moment, not all of them have secured their systems against Logjam.

Meanwhile, independent server test websites have extended their tests to include Logjam. You can confirm on these independent sites that Posteo is not affected by Logjam: on the Qualys test site, for example, we still obtain the best mark of A+ for web access. Any vulnerability leads to a lower score.

Independent of Posteo, your browsers as well as local programs could still be vulnerable when using other services. In the coming days, please pay special attention as to whether updates are offered for your browser (e.g. Firefox, Safari or Chrome) or programs. You should install these important updates in order to increase the security of your online activities in this regard. In terms of security when accessing Posteo, no updates are necessary on your part.

Best regards,

The Posteo team