Pages: 1
RSS
The Bat Voyager no longer compabile with industry standard security cyphers according to runbox.com., Voyager does not support standard security cyphers for secure email anymore.
 
I have a ticket that seems to have gone unnoticed.

For some reason the voyager client is no longer compatible with standard security cyphers for secure email, why is the cyphers not regularly updated? The latest voyager was updated at the end of august 2019 and still does not have support for the latest standard security cyphers, this is terrible and shouldn't give you the right to advertise voyager as a "portable secure email client" when it does not support standard security.

Please add these cyphers to voyager asap:

ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
 
Are any of those ciphers required by any providers, or mandated by an official standard?

The Bat does support TLS 1.2, which I thought is the current standard (and it did so just in time - see https://www.ritlabs.com/en/forums/forum4/topic13322/ for that little episode :)
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.
 
Quote
Daniel van Rooijen wrote:
Are any of those ciphers required by any providers, or mandated by an official standard?

The Bat does support TLS 1.2, which I thought is the current standard (and it did so just in time - see  https://www.ritlabs.com/en/forums/forum4/topic13322/  for that little episode
Yes, according to secure email provider runbox.com which the bat voyager no longer works with these cyphers are the new "industry standard" and i find it very odd that secure email client does not support it.

I would like to see a fix for this asap.
Edited: J E - 22 September 2019 13:04:46
 
Quote
J E wrote:
Yes, according to secure email provider runbox.com which the bat voyager no longer works with these cyphers are the new "industry standard" and i find it very odd that secure email client does not support it.

I don't know why you cannot get Voyager to run with Runbox.com. They both support these TLS 1.2 ciphers:

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA    
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA    
TLS_RSA_WITH_AES_128_CBC_SHA          
TLS_RSA_WITH_AES_128_CBC_SHA256      
TLS_RSA_WITH_AES_256_CBC_SHA          
TLS_RSA_WITH_AES_256_CBC_SHA256      

When you test Runbox.com here: https://www.immuniweb.com/ssl/?id=7VDvGajy , it shows that they also still support TLS 1.1 and TLS 1.0. So again, I don't see why it won't work with The Bat.

What is your setting for Properties | Transport | Connection for your Runbox account?
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.
 
I have "Secure to dedicated port (TLS" 993

My account worked fine with them until they updated their cypher suit, the admin of the site tells me The Bat does not support the latest cyphers which are standard for the industry, it worked fine until they changed something.

It tells me:  

23/09/2019, 00:23:29: IMAP  - Connecting to IMAP server mail.runbox.com on port 993
23/09/2019, 00:23:29: IMAP  - Initiating TLS handshake
!23/09/2019, 00:23:29: IMAP  - Server reports TLS error: Handshake failure.

He told me they only support these cyphers so whatever they have on the site may not yet be up to date with what they support:

ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384

They tell me these cyphers are standard for email security.

Please note that i am using Voyager and not The Bat client. I haven't tested with the bat, because i want a portable client.
Edited: J E - 23 September 2019 01:23:58
 
Voyager's latest built dates from last month, so I would assume (but I'm not sure..) that it supports the same ciphers as The Bat does.

Have you tried STARTTLS instead of "Secure to dedicated port (TLS)"?

If the ciphers that you list are really the only ciphers that Runbox supports, I'd expect them to get problems with more clients than just The Bat / Voyager.

I've made a comparison between ciphers supported by Runbox, by MS Office/Outlook and by The Bat.  These two ciphers are supported by RunBox and by MS Office/Outlook, but not yet by The Bat:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

So, it would seem like a good idea to add these two.

Additionally, Office/Outlook supports (and TB does not):

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256    
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384  
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384    

So, if we (reluctantly) assume that MS represents the 'industry standard', adding these 5 might be a good idea as well.

J E, maybe you can add a pointer to this forum topic to your support ticket?
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.
 
This is the response from Runbox regarding your tests of their security cyphers etc:
Quote
Thanks for your message.

Unfortunately the support guys at The Bat! are testing the website there and not our IMAP/POP servers and there are differences while we gradually migrate across to the new more secure cyphers. The cyphers we support for IMAP/POP are:

ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384

I would have imagined they knew the difference between the website and our IMAP/POP servers.

I hope that helps

Best regards,
Dave
Co-Owner
Runbox Solutions AS

Can we get this escalated so the bat gets support for standard email security please? I paid for this email program in year 2019 and it's already outdated and incompatable with secure email, yet the client is being advertised as secure. Please help!!!
Edited: J E - 24 September 2019 01:18:03
 
J E,

This is a user-to-user forum. If you want to talk to Ritlabs, you should e-mail them or wait for them to address your support ticket.

In your communication with Runbox, you should not have given them the impression that the test was done by Ritlabs.. each of my messages states quite clearly that I do NOT work for Ritlabs! They make a valid point of course - I thought Immuniweb had tested their mailserver, but apparently it had not.

Anyway, at this point in time, you are the only user in this forum to report that their email provider doesn't work with Voyager/The Bat. That's not necessarily Ritlabs' fault - it takes two to tango (i.e. to make a safe encrypted connection) and Runbox seems to be unusually restrictive in their offering of ciphers. In one of my messages above, I mention seven industry-standard TLS 1.2-compliant ciphers that they could offer and that Voyager/The Bat supports as well. Hopefully either Runbox or Ritlabs will put some additional ciphers into their products soon to help resolve your issue.
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.
 
Quote
Daniel van Rooijen wrote:
J E,

This is a user-to-user forum. If you want to talk to Ritlabs, you should e-mail them or wait for them to address your support ticket.

In your communication with Runbox, you should not have given them the impression that the test was done by Ritlabs.. each of my messages states quite clearly that I do  NOT  work for Ritlabs! They make a valid point of course - I thought Immuniweb had tested their mailserver, but apparently it had not.

Anyway, at this point in time, you are the only user in this forum to report that their email provider doesn't work with Voyager/The Bat. That's not necessarily Ritlabs' fault - it takes two to tango (i.e. to make a safe encrypted connection) and Runbox seems to be unusually restrictive in their offering of ciphers. In  one of my messages above , I mention seven industry-standard TLS 1.2-compliant ciphers that they could offer and that Voyager/The Bat supports as well. Hopefully either Runbox or Ritlabs will put some additional ciphers into their products soon to help resolve your issue.
Thanks for the reply, sorry for the harsh tone, i am just flustered not being able to do work as usual. I hope they get it sorted because the bat is the nicest client out there, all other ones are to bloated with modern ui features or just heavy on the system in general. I'll have to find an alternative client in the meantime.
Edited: J E - 24 September 2019 07:45:02
 
Hey J E,
If it makes you feel better I'm in the same boat with you. Got a response from Ritlabs that they're communicating with Runbox, but Runbox support told me they're not reversing the cipher change => no compatibility with The Bat in the near future. I switched to Fastmail in the meantime. Disappointed in both Ritlabs and Runbox in handling this issue :(
Quote
J E wrote:
Quote
Thanks for the reply, sorry for the harsh tone, i am just flustered not being able to do work as usual. I hope they get it sorted because the bat is the nicest client out there, all other ones are to bloated with modern ui features or just heavy on the system in general. I'll have to find an alternative client in the meantime.
 
Same here. I'm using TheBat! (not voyager).
Tried a couple of other clients in the last days. None of them had this problem. So I guess it's really a thing of ritlabs.
Maybe it's time to change the E-Mail Program.
Even if TheBat! was one of the best. And I've paid for the Update a couple of weeks ago  :(  
 
Ritlabs' developer Alexander explained to me that Runbox' AES-cipher suites are exclusively of the GCM and CHACHA20 types, which work very differently from the CBC-type AES-suites that The Bat supports. Adding GCM/Chacha20 support would require a development effort that's too big to fit into their schedule for the next few months ahead.

Unfortunately this means that they will not be able to remedy this situation on short notice. They have spoken to Runbox though, and requested that Runbox add at least one AES suite that works in CBC-mode. that would maintain compatibility with The Bat!/Voyager. At this point it is unknown whether Runbox will do so.
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.
 
@Daniel - thanx for sharing the info!
 
Quote
Nick H wrote:
Hey J E,
If it makes you feel better I'm in the same boat with you. Got a response from Ritlabs that they're communicating with Runbox, but Runbox support told me they're not reversing the cipher change => no compatibility with The Bat in the near future. I switched to Fastmail in the meantime. Disappointed in both Ritlabs and Runbox in handling this issue
Quote
J E wrote:
 
Quote
Thanks for the reply, sorry for the harsh tone, i am just flustered not being able to do work as usual. I hope they get it sorted because the bat is the nicest client out there, all other ones are to bloated with modern ui features or just heavy on the system in general. I'll have to find an alternative client in the meantime.
I agree, the change should have been far more advertised by runbox, they did do a lot of warnings and good annoucements ahead of time when they changed to TLS 1.2 and higher but this change came out of the blue, zero warnings. The warning was my bat client stopping to access their servers via imap.. I had no chance to adapt to the situation.

I also agree that ritlabs should be on top of security as their client's whole marketing scheme is "security" literally in the headline of the sales page of this client security is part of it and the fact that a client that advertise as secure does not have support for the latest security is ridiculous to me.

Either way, i am a loyal bat costumer, i own 4 licences and i use it everywhere, changing to a new client simply isn't going to happen. All i can do at this point is hoping they escalate the development to support the new chiper suits required to use secure email.

Thanks for the update @Daniel van Rooijen
 
I have just come across the same issue with tsohoast.com (formerly Vidahost). They have just  implemented an update to TLS1.2 and now only support GCM cyphers. Unfortunately The Bat! only supports CBC. Having used the Bat! for two decades & just paid for an upgrade for the next two versions I am not a happy bunny either.

Considering the Bat! was always promoting their security aspects it is extremely disappointing!

Neil
 
(cross-posting this in several topics)

Rejoice, Batmen! Version 9.1, just released, offers support for TLS AEAD AES-GCM ciphers.

See: https://www.ritlabs.com/en/news/7332/
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.
Pages: 1