Skip to main content
BusinessPrivate
LoginRegister now

Answers for companies

The business Knowledge Base is currently being revised. Soon you will find updated content and expanded information here, giving you an even better overview of our products and services. We thank you for your patience and understanding.

Please note: The Knowledge Base has changed slightly. Categories have been adjusted and any URLs stored in the old Knowledge Base are no longer valid.

TLS encryption

TLS encryption at mailbox

Security is a process that must be continuously reviewed and questioned. We ensure that users of mailbox always receive the best possible security according to current standards and that the security of our servers is continuously improved.

In 2016, during the week before Christmas, we made changes to the encryption technologies used in the background on our servers. Since then, the security of our users has significantly improved.
This was necessary, among other things, because in January 2017 the requirements for certification as a “Secure Mail Provider” under the BSI guideline TR-03108-1 of the Federal Office for Information Security (BSI) were tightened.

Under the new requirements, TLS protocols 1.0 and 1.1 may no longer be used – instead, TLS 1.2 must be applied across all systems. This version is supported by all current implementations; however, we still see around 2–3% of older TLS versions, which result from customers using outdated software on their operating systems.It is expected that other platforms on the Internet or in online shopping will experience similar compatibility issues. An update to the latest software versions is therefore always recommended.

At a glance: What do these changes mean?

Older software is no longer compatible with the new technologies.
With the following outdated web browsers, you will soon no longer be able to use mailbox Office (or other parts of the Internet):

  • Internet Explorer 10 and older
  • Firefox 24 and older
  • Google Chrome 29 and older
  • Safari 8 and older
  • Opera 16 and older

Likewise, with the following outdated smartphone operating systems, you will no longer be able to synchronize your mails, contacts, and calendars with mailbox Office (and other services):

  • Android 4.3 and older
  • Windows 8.1 without update and older
  • iOS 8.4 and older

Users of our Jabber service who use the Jitsi client for Windows are also affected (as of 10/2017). Please switch to another client if necessary.

Keeping your software up to date also improves your security in other areas.
We therefore strongly encourage you to regularly update your software.

At present, we cannot yet determine when all new recommendations will be fully implemented. We are currently analyzing the nature of the impact and the number of affected users.
In the long run, TLS 1.0 and TLS 1.1 will disappear entirely from the Internet — it is necessary to make this transition.

SHA-1 hash algorithm deprecated

According to BSI TR-02102-2, the transition period for the use of the SHA-1 hash algorithm in TLS encryption ended at the end of 2016.Starting in January 2017, this hash algorithm may no longer be used for the authentication of TLS-encrypted messages and certificates. Instead, the stronger hash algorithms SHA256 and SHA384 must be used.

TLS 1.0 and TLS 1.1 must no longer be used

The TLS protocols TLSv1.0 and TLSv1.1 may also no longer be used for TLS encryption according to BSI TR-02102-2, as these protocols only define cipher suites using the SHA-1 hash algorithm. We completed the transition for this in early January.

Brainpool instead of NIST curves for ECDHE key exchange

When your browser or mail client connects to our servers, a temporary session key is negotiated for transport encryption (TLS) of the transmitted data. Once the connection is terminated, this session key is discarded.
This concept is known as Forward Secrecy and ensures that data cannot be decrypted later.

Two methods are available for negotiating this temporary session key:
the classical Diffie-Hellman key exchange and the variant based on elliptic curves.
In the latter case, different curves can be used. Typically, the curves defined by NIST (“National Institute of Standards and Technology,” a U.S. federal agency) — secp256r1 and secp384r1 — are employed.

The BSI guideline TR-03116-4 requires secure mail providers to use elliptic curves from the Brainpool consortium, such as brainpoolP256r1 (or stronger), and to prefer them over NIST curves. NIST curves should only be used if your (outdated) browser or mail client does not support the Brainpool curves.

The transition was successful

We completed the necessary adjustments to our mail servers and the transition of our web servers at the turn of the year 2016/2017.

As a user, you should not have noticed any disruptions, as the previous options remain available as fallback solutions.

  • LinkedIn icon
  • Mastodon icon
  • Bluesky icon
  • RSS icon

Heinlein Gruppe