Secure Connections
What are secure connections?
You should be using encryption when using Riseup services. Without using secure connections, your internet traffic is not encrypted. That means it can be listened to by anyone who wants to eavesdrop on your email and worse they can easily obtain your login and password, or impersonate our servers. Setting up a secure connection to Riseup ensures reasonable protection from eavesdroppers and impersonators.
How to use secure connections?
To get your mail client to use secure connections, you have to make some configuration changes. Don’t worry! We’ll walk you through it.
If you know that you are using Thunderbird, you can skip below to the thunderbird section to check your settings. If you are using a different mail client, then please read the general settings section. If you have no idea what a mail client is, read the next section and we’ll teach you.
What is a mail client?
What is a mail client? A mail client is a specialized program designed specifically for checking and composing email. This might be Thunderbird, Apple Mail, Outlook, Eudora, etc. Whichever one you use to read and write your email is your mail client.
General settings
In general terms, you need to navigate the configuration settings for your mail program and make sure that it is set to use SSL or TLS on all connections (that means for POP or IMAP and SMTP), and also make sure that you are using the correct port. If you don’t know what any of that means, don’t worry, we will walk you through it.
The specific procedure to do this is going to be a very different for each mail client, and sometimes is even quite different for different versions of the same software.
In general, we do not offer support for mail clients. However, we do have some general information about configuring mail clients. If your client is listed, the information there will help you make the required changes.
If you aren’t using Mozilla’s Thunderbird, we would like to take a second to urge you to consider switching to it. It is a reasonably secure, easy to use, free software project. There is no harm in giving it a try! Best is that our instructions for setting up Thunderbird are really good, its what we know best and can support you much easier if you use it.
If you don’t want to switch to Thunderbird, and are not familiar with how to make these changes yourself, and our help pages weren’t helpful, you will need to seek support from your local friendly tech person, or your software vendor/community for information about how to make the required configuration changes.
Thunderbird
To make the required changes in Thunderbird, follow these steps:
First, find out what version of Thunderbird you have by clicking the “Help” menu —> “About Thunderbird”
Once you have determined your version number, follow one of the below processes that matches your version. If you are running a version of Thunderbird that is version 2.x or older, you really need to upgrade! Unfortunately, we cannot cover how to do that here, but you can find significant information online if you search for ‘upgrading thunderbird’.
Thunderbird 3.x and newer
To make the changes needed to enable secure connections in Thunderbird version 3.x, please follow these steps:
- Choose “Account Settings” from the “Edit” menu,
- Select “Server Settings” for your riseup account after the account settings dialog box pops up
- In the center of the box you’ll see a heading that reads “Security Settings”
- Under that heading is a drop down labeled “Connection Security”
- That drop down should be set to read SSL/TLS
- In the upper-right corner of the dialog box there is a setting that reads “Port”
- This should automatically be set, but check it to be sure
- Port number should be 993 if you are using IMAP
- Port number should be 995 is you are using POP
- There is a “Server Type” line at the top of the “Server Settings” dialog box that tells you if you are using IMAP or POP
- Next click “Outgoing server (SMTP)” in the left-hand pane
- Click once on riseup’s SMTP server in the right-hand pane
- Click “Edit” on the far right of the dialog box
- Set “Connection Security” to SSL/TLS
- Make sure the “Port” setting is set to 465
- Click “OK”
- Click “OK” again
- At no point in time should you change the “Authentication Method” setting – it should always say “Normal Password”
- Your work here is done!!! Yay!
iOS
If you have an apple device like this, you can review our instructions for them to figure out how to change your settings to be secure.
FAQ
Q: What if I use webmail, is that secure?
A: When you use the web, you are making a connection from your computer, through various servers on the internet, to the webserver of the site you are trying to visit. You are making this connection using something called “HTTP”. This connection is done in plain text, and is not secure. Attackers can gain access to your website accounts, and any information that you send or receive during your web browsing. There is hope! There is a secure version of “HTTP” called “HTTPS” (notice the little ‘s’ for secure). HTTPS is designed to provide secure connections that can withstand attacks.
For further security, you should consider verifying that the website you are visiting is the one you intend to visit. When using HTTPS, you are receiving a certificate from the server which is supposed to authenticate that this is the correct server. To verify that the site is the one you intend to visit, you should verify that the certificate that is presented is the correct one.
There are some issues with certificates that you should be aware of (see limitations of secure connections below).
Look up at the URL bar, where the address is. If it starts with https://
(NOTE the ‘s’), then you have a secure connection, if its just http://
(NO ‘s’), then you are not using a secure connection. You can change that “http” to “https” by clicking on the URL bar and adding the ‘s’ and then hit the “Enter” button to load the page securely.
A third, and much less reliable way to tell is by looking for a little padlock icon. It will either appear in the URL location bar, or in the bottom corner of the window (the location is different depending on what browser you user), it should appear locked, if the lock doesn’t exist, or the lock picture looks like it is unlocked, you are not using a secure connection. You can hover your mouse over the padlock to get more information, and often clicking (or sometimes right-clicking) on the lock will bring up details about the SSL certificate used to secure the connection.
Q: What is POP/IMAP & SMTP?
A: POP and IMAP are common protocols that are used by software to retrieve mail from a remote mail server. Usually you will use one or the other of them, but not both at the same time. SMTP is another common mail transfer protocol, but this one is used to send mail from your computer to the mail server.
Q: If I’m configuring my mail software myself, what port numbers should I use?
A: For POP connections using TLS, use port number 995.
For IMAP connections using TLS use port number 993.
For SMTP connections using TLS use port number 465.
Q: What if I have more questions about using internet email securely?
A: If, after thoroughly reviewing the riseup help pages you still have further questions, we encourage you to submit a riseup help ticket. We are happy to help our users understand how to make their communications more secure and to help increase the privacy of all internet users.
Limitations of secure connections
Now that you are using secure connections, everything is completely secure, right? Sadly, no! Secure connections just secure the transport of the data itself, they do not guarantee the confidentiality of particular data. For example, when sending email using secure connections, your mail is encrypted when being sent to and from our mail servers, but there are still many more “hops” your mail makes over the internet when going from our servers to the final mail recipient. Those hops are rarely encrypted, so there are many opportunities for someone to access your mail, both while it is “in transit” over the internet and when it is “at rest” on a mail server somewhere, or on the final recipient’s machine. Switching to secure connections is really only about making sure that your username and password are secure when you are logging into our servers.
So what else can you do to better secure your email communications? If you want full end-to-end security for your email you need to adopt the use of strong encryption software such as OpenPGP and get the people you communicate with to begin using that software as well. There is a Thunderbird plugin called Enigmail that allows easy integration of strong encryption into Thunderbird.
Security on the web revolves around HTTPS, and that involves determining if a particular certificate for a server should be considered “valid” by a web browser. The way this works right now is that a list of “trusted” Certificate Authorities is distributed by your browser. This sucks, because this requires you as a user to defer to some kind of central authority to validate your secure connection, why would you want to defer to some self-appointed authorities in order to participate in secure communications? For more information about how this is bad, have a read of this article about how technical architecture shapes our social structures and how this centralized hierarchy of control is extremely problematic.