Security & Privacy at mailbox.org

The best protection of your privacy at mailbox.org

An overview of our security policies

mailbox.org protects your privacy whenever technically possible. Using a combination of different encryption mechanisms, we ensure the highest-possible security level for the protection of your data. In addition, we offer a number of choices on how you can encrypt your personal data.

 

Data protection at mailbox.org comprises:

  • Encrypted access to website and inbox
  • Encrypted transmission of e-mails
  • Individual e-mail storage & file encryption
  • data privacy

Innovations by mailbox.org:

  • The encrypted inbox, introduced in Feb 2014
  • @secure.mailbox.org – Guaranteed sending and receiving of e-mail via TLS-/DANE, introduced in Feb 2014
  • TLS check – Display of TLS-/DANE support for every recipient & guaranteed encrypted sending of e-mail, introduced in May 2015

Encrypted access to website and inbox

 

mailbox.org uses an extended (green) validation (EV) security certificate by the Swiss CA SwissSign. This helps ensure that encrypted connections from clients will actually be established with servers at mailbox.org and not any others.

Our services are accessible only via secure protocols that require encryption. Security mechanisms such as HSTS protect effectively against man-in-the-middle attacks by enforcing encrypted HTTP connections to be made by web browsers.

On our web servers (including CalDav, WebDav, and CardDav) we only use those encryption algorithms that are widely considered secure. Servers are configured to always prefer the most up-to-date TLS version 1.2.

Modern & secure algorithms such as (EC)DHE use Perfect Forward Secrecy (PFS) to prevent the decryption of intercepted data transmissions from web- and mail servers.

By the way: Your password will never be stored in plain text on our servers but as a hash with salt. This means even we as provider have no way of knowing your password.

In order to support anonymous use of the Internet and to protect our customers from data retention measures, we operate a dedicated Tor Exit Node in our data centre.

Access to mailbox.org is always encrypted:

  • Using the webmail client
  • Using local e-mail clients
  • From mobile devices

 

To facilitate this, we use recent security technologies:

  • TLS 1.2 with PFS
  • HTTP Strict Transport Security (HSTS)
  • DANE/TLSA and DNSSEC
  • Extended validation (EV) security certificate

Consistently best performance in SSL security tests

As long as many servers on the Internet use SSLv3 and unsecure crypto-mechanisms (Ciphers) like RC4, MD5, or 3DES, users should not bet on finding reliable SSL encryption everywhere. mailbox.org has been thoroughly tested by different independent websites and received only the highest praise.

  • The SSL testing site Qualys SSL Labs has awarded to mailbox.org the outstanding mark A+. Find the report here.
  • TLS encryption on our mail servers, and especially for secure.mailbox.org. Test for yourself with ssl-tools.net. Find the report here.
  • CryptCheck confirms the encryption strength of our security mechanisms and has awarded the best mark A+. Find the report here.

Qualys SSL Labs

SSL-Tools.net

CryptCheck

 
 

Secure login, everytime and everywhere.

Two-factor authentication, One-Time Passwords (OTP), Yubikey

Anyone who needs to log in to a public PC to read their e-mail would want to avoid using their normal password there. With a One-Time-Password (OTP), there is no risk of passing on sensitive password information via third-party machines because each OTP is unique and cannot be reused for future logins. We support many different mechanisms for One-Time-Passwords.

YubiKey: A small portable USB stick. Once plugged in, a simple button-press will generate an OTP and insert it into the password field on the login page. The login is made even securer through the combination of OTP with a PIN that users can choose individually.

OTP Token generators: In addition to normal passwords and Yubikeys, we support other One-Time-Password token generators such as Google-Authenticator or the iPhone’s OATH service, as well as all other token generators that are based on HOTP, TOTP or mOTP.

 

SSL-Transmission security for your e-mail

 

When an e-mail gets sent through the Internet, transmission should be encrypted, so as to protect the content from unauthorized access on the way. Our servers will always try to establish the most secure connection possible, encrypted with TLS and secured with PFS. We have been one of the first providers to fully support DANE/TLSA and to secure our domain with DNSSEC. Non-secure mechanisms such as SSLv3, or encryption ciphers that have been previously cracked (3DES, RC4, MD5) are not used at mailbox.org.

 

Secure or not?
The instant TLS check at mailbox.org

In 2015, we invented a mechanism to promote the TLS-encrypted sending of e-mail, which has now been adopted by many other providers. It allows any user to find out in an instant if their communication partner uses a provider that supports SSL/TLS encryption and if so, how strong the algorithms employed really are and if DANE is also used. All a mailbox.org user needs to do is enter the e-mail address of a recipient when composing an e-mail and our system does the check in the background. Once our servers know the other mail domain, it is guaranteed that the current security level cannot be undercut by manipulation.

Read more about the mailbox.org SSL/TLS check.

secure.mailbox.org –
when encrypted communication is a must

mailbox.org has also come up with a feature that guarantees the securely encrypted sending of e-mails. Anyone who would rather not rely on the technical environment of their recipient server now has a means of enforcing encrypted communication: our additional service secure.mailbox.org makes sure e-mails are only sent and received with SSL/TLS encryption. Guaranteed.

Learn more about secure.mailbox.org.

 

Individual e-mail and file encryption

 

Securing the paths is important but content needs to be encrypted too!

Secure transmission of data, secure servers, and secure algorithms – all these are important and we are striving to set new standards in these areas. However, comprehensive protection of e-mail communication also requires content encryption. For more than 20 years, PGP has been continuously further developed to be the most reliable mechanism for encrypting e-mails today. To use the words of its originator:

„PGP empowers people to take their privacy into their own hands.“ Philip R. Zimmermann, creator and developer of the encryption software PGP.

We explicitly recommend that all our customers make use of PGP and actively promote and support this use by offering tutorials and manuals on the subject.

 

Decide for yourself:
mailbox.org offers two basic mechanisms for e-mail encryption

  • mailbox.org Guard – server-side encryption
  • Mailvelope – browser plugin
 

mailbox.org Guard on the server

Our mailbox.org Guard facilitates the first PGP implementation that works with a webmail client while combining security and ease of use at the same time. It just works and there is no need to install plugins or store the sensitive private key on different devices (like a mobile phone).

The mailbox.org Guard is 100% compatible with OpenPGP and can also be used by local mail clients in combination with end-to-end encryption.

Did you know? The mailbox.org Guard can also encrypt your files as they are stored in our Drive area.

Learn more about the background and functionality of Guard, advantages and disadvantages, and how to set it up in our manuals about Guard. Additional background information can be found in our hints about Guard.

Advantages of mailbox.org Guard

  • PGP works with webmail client
  • No additional plugin required (server-side encryption)
  • The private key does not need to be copied to any third-party devices
  • Secure temporary mailbox for those who do not use PGP

 

Disadvantages

  • Your private key is stored on the servers of mailbox.org (Password-protected)
 

Mailvelope web browser plugin

The Mailvelope plugin presents an alternative to using Guard. Here, users need to install the Mailvelope software in their local web browser and can then send and read encrypted e-mail using the webmail client.

Read our FAQ about Mailvelope and how to use it with mailbox.org.

Advantages of Mailvelope

  • PGP works with webmail client
  • Management of PGP-keys on your local computer

 

Disadvantages

  • our private key is stored in the browser (e.g., Mozilla Firefox) – danger of security exploits
 

The encrypted inbox

A true innovation of 2014: mailbox.org was the first e-mail provider to develop a method for encrypting inbox contents using a user’s public PGP key. Given that most of our users keep their e-mails for many years, it gives them peace of mind to know that they are stored on our servers securely encrypted.

More information about the encrypted inbox can be found in our FAQ.

Explained by video

(A click on the picture leads to Vimeo. The privacy policy of Vimeo applies.)

 

The mailbox.org key server

The public PGP keys of mailbox.org Guard users will be retrieved automatically. For external users we offer a HKPS key server that delivers verified OpenPGP keys that belong to mailbox.org users.

Detailed information about the key server can be found in our FAQ „The mailbox.org HKPS key server

 

Our commitment to privacy and data protection

 

We at mailbox.org take very seriously all matters concerning privacy and data protection. As a provider, we are very transparent about the kind of data we keep about our customers. We will only elicit those data that we absolutely need in order to operate our services for our customers. Whenever there is an opportunity for us to reduce the amount of data we keep or handle, we will act. For instance, at mailbox.org IP address information is removed from all mail headers.

All our servers are physically located in Berlin/Germany and hence, subject to strong German data protection, privacy, and information security laws, and watched over by our certified information security officer. Find more details in our data privacy statement.

We protect your data

  • Anonymous registration
  • No ads and no passing on of user data to third parties
  • Payment via bank transfer, PayPal, Bitcoin, cash by mail (EUR only, no cheques), direct payment on account
  • Transparent data retention and deletion deadlines for log files and connection data
    Aliases and temporary e-mail addresses
    certified information security officer
 

Your new, ad-free, secure e-mail address

Make sure your data and privacy are protected.
Try mailbox.org now – free for 30 days.