miss some privacy settings

Hello,

I find Runbox very interesting. In particular, I like the price-performance ratio very much. From the description and various blog articles it is clear that Runbox does a lot for the security of its users. Therefore, I have dealt with Runbox more intensively in the last few days. Here I noticed some points where I wonder why Runbox has not (yet) implemented them. Maybe it is also a suggestion for Runbox, because some points are very easy to implement.

A test at webbkoll shows the following:

  1. No referrer policy: since this is not set up, referrer information is passed on when clicking a link from the mail.

  2. HTTP Strict Transport Security: has been set up without subdomains.

  3. Content security policy: it’s a pity to choose third party providers and allow unsafe inline connections.
    Source: https://webbkoll.dataskydd.net/en/results?url=http://runbox.com

  4. An MTA-STS test shows that MTA-STS is set up correctly but not enabled? Why is it not enabled?
    Source: https://aykevl.nl/apps/mta-sts/

  5. IMAPS and POP3S are encrypted with good TLSv1.2. However, the certificate is only encrypted with 2048 bits. Why don’t they use a 4096 bit key?
    Sources:
    https://tls.imirhil.fr/tls/mail.runbox.com:993
    https://tls.imirhil.fr/tls/mail.runbox.com:995

  6. SMTPS / SMTP: For IMAPS and POP3S Runbox uses a good (easy to improve) encryption. However, SMTPS encryption is critically rated with C, because of the DES3 value. This seems inconsistent to me.
    Source: https://tls.imirhil.fr/tls/mail.runbox.com:465

  7. HSTS preload: if point 2 were HTTP Strict Transport Security with subdomains, the HSTS preload status would also be possible.

  8. Mozilla Observatory: if the Content Security Policy did not have ‘unsafe-inline’ etc., Runbox would also get an A here.
    https://observatory.mozilla.org/analyze/runbox.com

  9. DMARC: although the DMARC policy is set up, the default value has been set to ‘0’, which effectively disables the policy.
    https://www.hardenize.com/report/runbox.com/1623441981#email_dmarc

  10. HTTPS encryption in the browser: Again, I wonder why only a 2048 bit key is used and why it is not already set to 4096 bit?
    Source: https://tls.imirhil.fr/https/runbox.com

At a superficial glance, one or the other may not seem all that important. But given that one advertises with security and privacy and has been dealing with secure mail for many decades, the implementation seems to me, on detailed consideration, unfortunately inconsistent or no longer up to date.

Furthermore I have the following questions:
11. Will mail filtering via Sieve filters be enabled?
12. Is it planned to encrypt the mailbox / the mails on the server at Runbox?

I would be very pleased to receive feedback.

With kind regards

Tommy
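
The header checks behind points 1, 2, 3 and 7 of the post above can be reproduced offline. The following is an added example, not part of the original post and not Runbox or Webbkoll code: it audits a response-header dictionary for a missing Referrer-Policy, HSTS without `includeSubDomains`, HSTS preload eligibility, and `'unsafe-inline'` in the Content-Security-Policy. The function names, finding strings and sample headers are constructed for illustration.

```python
# Constructed sample response headers (not captured from any real site).
SAMPLE = {
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}
PRELOAD_MIN_AGE = 31536000  # one year, the minimum the preload list accepts

def parse_hsts(value):
    """Return (max_age or None, set of lowercase flag directives)."""
    max_age, flags = None, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name:
            flags.add(name)
    return max_age, flags

def parse_csp(value):
    """Map each CSP directive name to its lowercase source expressions."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.lower().split()
        if tokens:
            policy.setdefault(tokens[0], tokens[1:])  # first occurrence wins
    return policy

def audit_headers(headers):
    """Return findings for the header checks named in points 1, 2, 3 and 7."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if not h.get("referrer-policy", "").strip():
        findings.append("referrer-policy: missing")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts: missing")
    else:
        max_age, flags = parse_hsts(hsts)
        if "includesubdomains" not in flags:
            findings.append("hsts: no includeSubDomains")
        if (max_age or 0) < PRELOAD_MIN_AGE or not {"includesubdomains", "preload"} <= flags:
            findings.append("hsts: not preload-eligible")
    for name, sources in parse_csp(h.get("content-security-policy", "")).items():
        if "'unsafe-inline'" in sources:
            findings.append(f"csp: 'unsafe-inline' in {name}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_headers(SAMPLE)))
```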