New security certificates

Created on 09. January 2018, 13:00 | Category: Info

Dear Posteo users,

In the coming days we will be updating our security certificates. Security certificates are only valid for a specified time period and need to be renewed from time to time. We will therefore be changing them by 22.01.2018. We continue to use certificates from Geotrust (Digicert) and the Bundesdruckerei (D-Trust).

In most cases you will not notice anything when the certificates are changed over. All programs such as Thunderbird or Outlook will find the new certificate automatically. You do not need to do anything. If your program displays a certificate error during the changeover process, please simply restart the program, which should overcome the error.

If you check the trustworthiness of certificates manually, you can find the fingerprints for the new certificates that we will shortly begin using, below. You can also find the fingerprints in our legal notice.

New fingerprints for TLS security certificates

Geotrust:
SHA256: FB:28:42:1E:23:AD:8A:23:8B:AB:C1:ED:FD:86:FD:F5:30:C6:D9:35:E0:E6:D8:91:CD:F3:77:66:05:C5:75:33
SHA1: AC:9D:4C:F6:36:78:FE:D6:EB:5C:CE:F9:DA:CB:69:CE:0A:93:F4:58
MD5: E9:B3:0A:C5:76:86:0C:FC:15:3D:43:D9:6E:CD:FC:CE

D-Trust:
SHA256: 09:63:1B:8C:35:CD:67:0E:AB:60:B3:63:1E:F3:42:DB:9F:43:5E:09:AD:09:A5:90:49:33:26:F2:FD:B4:D7:AA
SHA1: B6:B8:3C:59:23:22:33:07:88:9E:DD:B9:8D:2D:ED:6C:FA:32:E9:04
MD5: 5D:3F:4C:A3:72:7F:8B:3A:54:92:B4:C8:BC:D5:D9:B7

Best regards,

The Posteo team

New: Easy email encryption with Autocrypt and OpenPGP header

Created on 21. December 2017, 18:30 | Category: Info

Dear Posteo users,

Starting this week, we are now supporting the new encryption method Autocrypt, which will soon simplify real end-to-end encryption in email applications. Posteo customers will be able to use the technology as soon as email applications supporting Autocrypt are available.

The trendsetting method is being integrated into popular email applications such as Thunderbird with Enigmail and K-9 Mail for Android. New versions of these email applications (Enigmail 2.0 and K-9 Mail 5.3) will support Autocrypt.

When email senders and recipients are using email applications compatible with Autocrypt, they can use end-to-end encrypted communication with no additional effort: the email applications automatically encrypt emails with PGP prior to transmission while exchanging public keys automatically in the background. The manual exchange and management of keys – which users often perceive as complicated – is becoming superfluous: Prior to the first encrypted communication, a regular empty email (without content) is sent. With this, the key is transferred in the background. Henceforth, messages can be encrypted automatically.

Autocrypt is a free and open standard, works with all email providers and uses real end-to-end encryption with the private key always remaining with the user. That’s one of the reasons why we support the method.
#more#

Why we already support Autocrypt and protect keys additionally

A first version of Autocrypt is being integrated into popular email applications. The involvement of email providers in the key exchange has not been intended yet. The provider sided support generates benefits for the end user which we want to showcase with our early implementation.

It is very important to us that Posteo customers will be able to use Autocrypt from the very beginning – as comfortable and secure as possible.

Our contribution to comfort:
Thanks to Autocrypt, email applications can soon automatically exchange public keys within the email headers. Our provider sided support makes it possible for an Autocrypt compatible application to receive a public key even if the sender uses an email application without support for Autocrypt. If the sender’s public key is available to us, we will take over that task: Posteo adds the Autocrypt header prior to every email transmission. Your communication partner is able to reply encrypted – without a manual key exchange.

Your current public key is transmitted inside the Autocrypt header with every sent email. Therefore, there is always a copy of your current key available in the applications of your communication partner – without manual key management.

Our contribution to security:
We provide an additional layer of security with digital signatures (DKIM). For Autocrypt the use of DKIM has not been planned yet. Our provider sided DKIM-signature makes it impossible for a public key to be invisibly manipulated by a third party during transmission. An Autocrypt header attached by your local email application is signed with DKIM by Posteo. DKIM-signatures occur only when the sending address matches with the sending mailbox.

How Autocrypt is integrated into Posteo

Many Posteo customers have published their public PGP key in the Posteo key directory. If these customers send an email, we add the Autocrypt header into the email. This header contains your public key. If your email application adds an Autocrypt header by itself, this header will not be changed and no additional header will be added.

- Posteo customers who additonally activated the Posteo inbound encryption using their public PGP key want every incoming email to be encrypted. This information is added to the Autocrypt header as well. That way, email applications compatible with Autocrypt will know that a recipient at Posteo wants an encrypted reply.

- In addition to the new Autocrypt header we also add the so called OpenPGP header, which informs the receiving email client on where it can find the public key. With this, the URL for the download from the Posteo key directory will be transmitted. The OpenPGP-header will be signed with DKIM, too.

What can you do?

In day-to-day life, encrypted communication with Autocrypt will work without your involvement. The manual exchange and management of end-to-end encryption keys becomes superfluous. All you need is your personal PGP key pair.

- Install the upcoming major versions of Enigmail or K-9 Mail as soon as available.

- If you already own a personal PGP key pair for your Posteo email address, we recommend publishing your key in our Posteo public key directory. Then your public key will automatically be added to the header of every email you send. We explain how to publish your public PGP key at Posteo in this help article.

Security recommendations for implementing Autocrypt:
In our view, the automatic exchange of public keys in the background should always be accompanied by further security measures. We recommend other email providers to sign Autocrypt headers with DKIM. Application developers should consider further measures to secure the key and verify existing DKIM-signatures. Additionally, end users should be notified by their email applications if a public key is replaced with a new one or if a setting, that an email should be encrypted or not, is changed by an Autocrypt header. In this way, a possible manipulation by third parties can be detected.

Best regards,

The Posteo team

New: Posteo migration service now for calendars too

Created on 12. June 2017, 18:00 | Category: Info

Dear Posteo users,

We have extended the Posteo migration service. From now on, you can transfer not only your existing email accounts and address books to Posteo, but also your calendars.

The extended migration service allows calendar transfer from providers such as gmx, web.de, Gmail, Aol or iCloud.

Here’s how it works: You can find the new, extended migration service in the settings of your Posteo account under “My account”. When you undertake a new migration service there, not only the email folders and address book will now be shown to you, but also the calendars from your previous account. With a click of the mouse you can conveniently select which items you wish to transfer to Posteo. You can decide yourself whether to delete the data from your previous provider after the transfer.

Special characteristics of the Posteo migration service:
It is free of charge, you do not require any special technical knowledge for the transfer – and you retain control of your data. We do not use transfer service providers. For this reason, your sensitive emails, address book and calendar data are never transferred over a third-party service at any point. We developed our migration service ourselves, so that it conforms to our high requirements in terms of security and data economy: Your data is collected by us directly from your previous provider and transferred to your Posteo account over encrypted connections.

For reasons of data economy, we also do not save the email addresses from which you have transferred data to your Posteo account, for example.

If you have any questions on transferring your calendar data or the Posteo migration service in general, please feel free to contact Posteo support.

Best regards,

The Posteo team

Transparency report: Requests from authorities to Posteo have markedly decreased

Created on 03. February 2017, 16:30 | Category: Info

Dear Posteo users,

We would like you to know how often authorities request user information from us. We have therefore released our transparency report for the year 2016. In the report, we detail how often investigative authorities reached out to us in the year 2016 – and how often we actually had to release data. The report contains all requests from authorities that we received in the year 2016. In addition, we also list the number of illegal requests in our statistics, because in practice, grievances exist, which we have for a while now been documenting with blacked-out examples.

Number of requests from authorities to Posteo markedly decreased

The number of email accounts operated by Posteo increased during 2016 by about 40%, while the number of requests from authorities markedly decreased. Altogether we received 35 requests from authorities in 2016 – in 2015 there were 48.

For content data, the number of requests decreased by 50%. In 2015, authorities requested content data from us on eight occasions, while in 2016 only four requests reached us. The number of accounts affected by releases also decreased from five to three.

For traffic data, the number of requests decreased even more. There were six such requests in 2015 and two in 2016.

Only the number of requests for user information increased slightly, from 27 in 2015 to 28 in 2016. As we do not collect any user or traffic information for email accounts for reasons of data economy, this data does not exist at Posteo – and therefore can not be released. We always quickly inform the authorities making these requests of this fact. All requests that arrived came from German authorities. Among them – as was the case last year – there was one request from an intelligence service.

Number of illegal requests unchanged

Unfortunately, numerous requests continue to arrive with us that are not formally correct. In 2016, this was the case for half of all requests for user information. The proportion of illegal requests for user information has therefore remained practically the same in comparison to last year. In all these cases we made complaints to the respective privacy offers responsible.



A new format for our transparency report in 2017

Until now, we always published our transparency reports in the summer. The reason that the publication date occurred later in the year was that we added emphases to the content of the reports, which often involved intensive research. Many of you desired publication of the numbers at the beginning of the year. For this reason, our transparency report for 2017 takes a different form. We now want to always publish numbers on the requests from authorities at the beginning of the year.

A second change is that we will in future publish thematic emphases spread between our transparency report site and this blog, during the year. These could, for example, be legal opinions that we have obtained, grievances that we identify in practice, or successes that we would like to report.

We have decided on this new, more flexible format for transparency because it fits better with our practical work. In addition, we are more often experiencing that the particularly privacy-oriented nature of our service is new to some authorities and leads to discussion about content or decisions that set a precedent. We would like to inform you about this outside of pre-specified times.

Transparency reports should become more comparable

Posteo was in 2014 the first German telecommunications provider to publish a transparency report. In the meantime, numerous other providers also publish similar reports.

We believe that transparency reports strengthen the informational self-determination of users. We are therefore pleased about this development. We would like to note that for users, these reports only have real value if they take a form that is as comparable as possible – and when the numbers provided are complete.

We therefore insist that two pieces of information are provided in reports on all requests from authorities for different types of data. First, how many requests there were for specific data, e.g. user information or traffic data. And second, how often the data was released in response to the request. In our view, transparency will only be obtained by providing both of these.

You can find our transparency report here.

Best regards,

The Posteo team

New security certificates

Created on 17. January 2017, 10:00 | Category: Info

Dear Posteo users,

In the coming days we will be updating our security certificates. Security certificates are only valid for a specified time period and need to be renewed from time to time. We will therefore be changing them by 22.01.2017. We continue to use certificates from Geotrust and the Bundesdruckerei (D-Trust).

In most cases you will not notice anything when the certificates are changed over. All programs such as Thunderbird or Outlook will find the new certificate automatically. You do not need to do anything. If your program displays a certificate error during the changeover process, please simply restart the program, which should overcome the error.

If you check the trustworthiness of certificates manually, you can find the fingerprints for the new certificates that we will shortly begin using, below. You can also find the fingerprints in our legal notice.

New fingerprints for TLS security certificates

Geotrust:
SHA256: 30:2A:06:B8:CF:A8:5B:93:66:5A:44:66:E2:BB:84:05:FE:80:95:3F:5A:FE:D1:08:DB:3B:B0:0D:7C:42:B4:39
SHA1: BD:16:71:84:B0:B1:40:D9:0A:65:99:8C:E6:7B:01:D6:AA:5B:8B:67
MD5: 55:F5:81:51:91:CD:88:64:14:D5:AA:E2:D5:2E:2C:AB

D-Trust:
SHA256: 06:48:D6:E4:D3:79:42:79:81:77:0F:49:88:43:D7:65:EE:A8:6F:1F:12:6F:72:11:8F:A9:4C:A9:66:34:FE:B5
SHA1: 79:DB:A0:A9:57:D9:30:FA:EF:5F:72:69:FB:1B:EA:06:90:27:9F:4D
MD5: DA:59:74:62:7C:D1:12:4E:15:41:25:37:9B:56:D0:58

Best regards,

The Posteo team