It was about seventeen months ago that mailbox.org started out, offering a fully-encrypted e-mail inbox to its customers. The success of our service so far has shown that PGP can work well for everyday users and everyday use cases. It has also proven the feasibility of an underlying principle, where a provider can successfully operate their e-mail service without having or needing access to any of the emails stored in user inboxes.
Right from the beginning, it was clear to us that providing plain PGP encryption for e-mails can only be a first step. What was still lacking at the time was an easy-to-use mechanism that can be integrated into web-based mail clients to provide secure access to e-mail from anywhere. There have been some developments, like the well-known PGP plug-in Mailvelope for Mozilla Firefox, which also works with mailbox.org. However, solutions like this one appear to offer only limited encryption, may have problems with some basic e-mail functionality (like the handling of mail attachments in a cloud-based file storage setting), and are not really straightforward to use. We believe that simple PGP plug-ins present half-baked solutions, as they are not fully integrated in a Webmail client, and often rely on non-standard ways to decrypt e-mails (e.g., via cut & paste operations).
mailbox.org now has a solution at hand which demonstrates that encrypted communication can actually work in the web browser: Securely, conveniently, and for everybody.
Are PCs and mobile phones secure?
Security experts have repeatedly doubted the cryptographic capabilities of browser plug-ins like Mailvelope, which rely on JavaScript. Moreover, mobile devices that use systems based on Android or iOS are not considered secure environments in which one would want to keep a private PGP key. Given these realities, how could it ever be possible to access encrypted e-mail on the go, using untrusted internet terminals or mobile devices?
The situation described above has been a huge motivating factor for our own effort to develop comprehensive PGP support for Webmail over the past 1,5 years. Encryption, decryption, electronic signatures, and the management of public keys all represent essentials for using PGP securely and transparently in everyday communication.
It certainly took considerable brainpower to deliver the conceptual framework, plus a lot of patience and persuasion to sort out the technical details – yet a few weeks ago, we were able to start our countdown for launch:
We hereby proudly present the “mailbox.org Guard”, available for all mailbox.org users as of today, 2 July 2015.
Together with Open-Xchange, the manufacturer of our Office software suite, we have developed the first (as we know) comprehensive PGP implementation for Webmail, offering secure access to PGP-encrypted e-mail from everywhere, around the clock. By the way, the solution also allows encrypting all personal files on the mailbox.org Drive using PGP. Our aim is to ensure that only the rightful data owner can actually access that data.
Server-side PGP Key Management – Good, or good for nothing?
In our design of mailbox.org Guard, we made a deliberate decision to follow an implementation concept that requires the security-sensitive private part of the PGP key to be stored directly on our servers. There are different perspectives on this issue, as can be seen in our 2014 Stiftfilm videoclip on the topic. On the one hand, it can be looked at as a great security gain because the private key is no longer stored on devices that are potentially vulnerable to attack, and probably more so than any Internet provider infrastructure is. On the other hand, this could be considered a security problem, as the private key does in fact reside on another device over which the user has little control.
Anyone who is competent and in complete control over what is going on on their computers and mobile devices should probably refrain from handing over their PGP private key. This way of handling things means almost perfect security for many but does require 100% trust in the integrity and security of any devices used, as well as towards the operating systems and other software running on these devices. Ask yourself – are you really in control? Also, there is still a problem with accessing securely encrypted content from untrusted devices – for instance, when people are on holiday or travelling otherwise. More often than not, security gets compromised (and encryption quickly disabled) because of practical obstacles posed by the untrusted environment. If this then results in communications getting transmitted as plain text, this will do a great disservice to the security so closely guarded before.
Those who think the security of their computing environments cannot be trusted entirely might consider storing their PGP keys on mailbox.org servers, instead of having to trust Google/Android, Apple/iPhone, and other manufacturers and their software to do no evil. Even when the key file is put on our servers, it remains protected by an additional password that only the respective user will know and that will not be stored anywhere on our infrastructure. Every use of the key (e.g., to decrypt e-mails) must be authorised by the user by entering their password. Since we do not know the password, our staff at mailbox.org will be unable to decrypt any personal key files, and as a result, cannot be persuaded or coerced to do so by others.
The decision over where to store your private PGP key is yours entirely, and we cannot make this decision for you. Our approach is to deal with this sensitive issue openly and transparently and leave the final word to the users. Our FAQ has further information on the subject and may provide some guidance for those who are undecided. The mailbox.org Guard is an offering for users who would like to benefit from PGP encryption in a web-based and cloud-based environment. Anyone who employs PGP exclusively with their e-mail client on a laptop or a PC at home may of course, by all means, continue to use their local PGP setup.
This is the new mailbox.org Guard: Straightforward to use, and 100% compatible with PGP.
The mailbox.org Guard differs from other solutions because it does not require a closed user group to work. In fact, our service is fully compatible with PGP such that there are no restrictions towards e-mail communication with users who have their e-mail address registered elsewhere, with other providers.
Those users of mailbox.org who are not technically adept or do not want to get involved in the technical particulars can simply generate a PGP key with a mouse click and start exchanging encrypted messages with others in an instant. Those users who want to learn more about how our PGP encryption works can do so by watching our Stiftfilm video, which can be found here: https://mailbox.org/en/doodle-video-how-can-emails-be-encrypted-with-pgp/
Advanced users who already use PGP may import their existing keys to mailbox.org and so use encryption with our web-based service in addition to their local PGP setup. Doing this can be useful because it facilitates secure communication via our web interface, even on untrusted devices. Any public keys of other users can be imported as well, and will be held in a secure repository at mailbox.org, together with those added by other users. This way, customers with family- or business accounts, who have several e-mail addresses, benefit from shared key management.
Since encryption is handled entirely on the server-side, the security-sensitive private key will never leave our systems to be transmitted to a web browser, or any other potentially unsafe environment. During the transmission of messages, the key remains safely stored on the server and cannot be retrieved by a third party. Further security mechanisms built into our systems and an additional key phrase that is only known to the user ensure that no-one has the ability to access users’ private PGP keys or read their e-mails – including our own team of administrators and technicians.
When a user logs in to our Webmail client and authorises use of their PGP key, that key is still not transmitted to the client. What is exchanged is a temporary encryption key that expires with the current browser session, and generating this does not require mailbox.org to permanently store the user’s key password or the encryption key itself in plain text. Rest assured that our solution is open-source and promotes total transparency: The source code of the Guard module may be inspected and evaluated by any IT expert who wishes to do so.
Please note: mailbox.org will further encrypt your key and has no knowledge of your key password!
If you
- Forget your chosen key password or
- Delete your PGP key without having a backup someplace safe from which a copy may be retrieved
you CAN NO LONGER ACCESS the encrypted e-mails in your inbox, or any files encrypted with this key.
mailbox.org will be unable to help you restore access to your e-mails and files – the way the Guard system was designed makes this impossible for us (If it was possible somehow, then the system wouldn’t be as secure).
Secure communication, even if your recipients do not have PGP
The fact that many people do not use PGP yet has always been a problem for gaining widespread acceptance of e-mail encryption. mailbox.org makes it possible to communicate securely and privately via e-mail even if your recipient does not have PGP set up on their side. This is how it works: Our Guard will create a temporary mailbox for your recipient on our server and grant them access so that any e-mail or file exchange between you and your recipient proceeds fully secured via DANE and HTTPS. This presents a very convenient option for mailbox.org business customers who need to communicate securely, such as lawyers or tax advisers. By using this mechanism, they can make sure their communication with different clients is compliant with data protection law. More information about the mailbox.org Guard and the temporary mailbox can be found in our FAQ.
Where can I find the Guard and more information?
Functionality related to the mailbox.org Guard will appear in three places of your Office web interface. (1) Open the Settings menu to create and manage passwords and keys. (2) When composing an e-mail, encryption can be enabled by clicking on the padlock symbol in the upper-right corner of the window. (3) On the mailbox.org Drive, it is possible to encrypt files on our server, using your PGP key.
Our FAQ now has a dedicated section about mailbox.org Guard. Please consider reading the manuals and other available information provided there before contacting our support team with any queries.
Developed in collaboration with Open-Xchange
Our new mailbox.org Guard is based on OX Guard by Open Xchange. The CEO of Open-Xchange, Rafael Laguna, had the following to say about our launch of the new Guard service:
“mailbox.org has always been a pioneer in providing users with secure and encrypted email and has played a major role in helping us develop OX Guard,” adds Rafael Laguna, CEO of Open-Xchange. “We’re delighted that mailbox.org is now also the first OX partner to make the new PGP-enabled version of OX Guard available to customers. While PGP has been around for a long time, it has never achieved mass adoption. Finally, we meet the usability expectation of today’s users and deliver on the promise of high security without technical barriers.”
Open-Xchange has been a tremendously supportive partner in our effort to develop mailbox.org Guard. It was great how openly and positively they responded to our suggestions, and also admirable to see how they put up with our frequent nagging. We are extremely grateful for all the help and advice they have given to us and wish to use this opportunity to say “Thank You!”