PrivaSphere offers a solution to securely transmit information via the internet and to assure delivery to the trusted recipient. Keep your client infrastructure secure (i.e. computer hardware, operating system, browser, etc.); otherwise your security effort may not yield the desired results.
Even if you are i) sure that the machine is free of "malware", ii) close the browser entirely after retrieving private contents and iii) know how to ensure your private contents are not cached or otherwise stored on such a machine, we advise you NOT to use PrivaSphere services from public workstations!
If you have doubts whether your environment is contaminated with a key-logger or similar, or if you do not 100% control your environment otherwise, protect your PrivaSphere password by using a login mechanism with two or more factors, such as SwissID or client certificates.
Key Contact: Your hardware provider, operating system provider, browser provider, connectivity provider, and other relevant public sources must remain your primary/immediate choice when addressing client-side security and privacy issues.
List of possible dangers to your client (not exhaustive):
"Use of weak ciphers": The PrivaSphere servers support a wide range of ciphers so that basic security can be provided to users with a wide range of technological equipment. Configure your browser such that it prefers the most secure ciphers available within this choice - see:
http://www.quora.com/Internet-Security/Is-it-possible-to-force-browsers-like-Chrome-and-Firefox-to-prefer-a-stronger-cipher-for-SSL-first
see also: Good ciphers used by PrivaSphere Secure Messaging
- update your client software (browser, mail, pdf, etc.): Older versions of the clients might be incapable of supporting ciphers with forward secrecy or the TLS versions above 1.0 that are considered more resistant to the BEAST attack on TLS, see: https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
Do not enter your PrivaSphere password into a fake site. PrivaSphere does not ask you for your password except on the (main or message) login screen.
If you are in doubt, check first:
The lock next to the address in your browser is closed. Communication with PrivaSphere Secure Messaging is always SSL protected (https).
If you click on the lock, you must see a root certificate of a well-known certificate authority with the PrivaSphere website certificate chained to it.
Most phishing attempts try to fool you into entering your account password or MUC in a wrong place.
Typically you receive an HTML-formatted mail whose link claims to lead to one site but actually leads to another.
The attackers try to deceive you about the site address. For example, a capital "I" is put in place of a lower-case "l".
Also by phone, we never ask for your password, only for your security question. Do not tell your password to anybody. PrivaSphere support never needs to know your password and will only ask for the personal security question you chose upon registration.
The fingerprint of PrivaSphere's site certificate www.privasphere.com (valid until 29.10.2015) is:
SHA1 Fingerprint=0C:3A:D7:A3:BD:80:F8:54:BD:B4:76:76:20:B0:86:2C:5E:77:EF:37
The fingerprint of PrivaSphere's mail server certificate smtp.privasphere.com (valid until 9. April 2017) is:
SHA1 Fingerprint=BE:76:89:66:11:BE:CD:D2:9D:D3:5A:B6:8B:71:96:C3:0A:85:F0:AD
and the fingerprint of PrivaSphere's signing certificate securemessaging@privasphere.com (valid until Feb 28, 2015) is:
SHA1: 04 2e 8f 65 96 f1 b4 5e 14 fb 61 ec 42 18 bf f2 f2 74 f8 bd
If you are still in doubt whether you are on the legitimate PrivaSphere site, contact a PrivaSphere representative for additional assistance.
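A command-line version of the lock-and-fingerprint check described above, added here as an example (it is not part of the PrivaSphere help page): it normalizes the two fingerprint notations used on this page ("0C:3A:..." and "04 2e 8f ..."), and, given a host, reports the negotiated protocol and cipher and whether the server certificate's SHA-1 fingerprint matches a published value. The hostname and fingerprint in the main block are taken from the page; everything else uses only the Python standard library.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Optional

def normalize_fingerprint(fp: str) -> str:
    """Canonical form: uppercase hex pairs joined by ':'.

    The page publishes fingerprints both as "0C:3A:D7:..." and as
    "04 2e 8f ...", so separators and case are stripped before comparing.
    """
    digits = "".join(ch for ch in fp if ch.isalnum()).upper()
    if len(digits) % 2 or any(ch not in "0123456789ABCDEF" for ch in digits):
        raise ValueError(f"not a hex fingerprint: {fp!r}")
    return ":".join(digits[i:i + 2] for i in range(0, len(digits), 2))

def sha1_fingerprint(der_cert: bytes) -> str:
    """SHA-1 over the DER encoding is what browsers label 'SHA1 Fingerprint'."""
    return normalize_fingerprint(hashlib.sha1(der_cert).hexdigest())

def fingerprint_matches(der_cert: bytes, published: str) -> bool:
    """Compare computed and published fingerprints in canonical form."""
    return hmac.compare_digest(sha1_fingerprint(der_cert), normalize_fingerprint(published))

def inspect_server(host: str, port: int = 443, published: Optional[str] = None) -> dict:
    """Connect with TLS, then report protocol, cipher and the leaf certificate's fingerprint.
    The default context also validates the chain, like the browser's closed lock does."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            cipher_name, _, bits = tls.cipher()
            protocol = tls.version()
    result = {"protocol": protocol, "cipher": cipher_name, "bits": bits,
              "sha1": sha1_fingerprint(der)}
    if published is not None:
        result["matches_published"] = fingerprint_matches(der, published)
    return result

if __name__ == "__main__":
    # Value published on the page for www.privasphere.com (valid until 29.10.2015);
    # a rotated certificate will not match, which is why published fingerprints carry a validity date.
    PUBLISHED = "0C:3A:D7:A3:BD:80:F8:54:BD:B4:76:76:20:B0:86:2C:5E:77:EF:37"
    print(inspect_server("www.privasphere.com", published=PUBLISHED))
```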
PrivaSphere Secure Messaging aspires to offer state-of-the-art ciphers for SSL/TLS encryption of the web site and for POP/SMTP.
Unfortunately, Microsoft Windows (with Internet Explorer and Outlook) does not automatically pick the strongest encryption offered by the servers; by default it normally settles for a medium-strength cipher.
Windows Vista and higher do support 256-bit AES, but they list 128-bit AES first, so that is what most applications relying on Windows' built-in SSL libraries (Internet Explorer, Outlook, etc.) end up using.
You can remove ciphers that you do not want and change the order of their presentation by using the “group policy editor”. For example, to make 256-bit AES the default choice, rather than 128-bit AES or RC4, follow these instructions:
For Windows Vista or newer:
PrivaSphere successfully tested the following entries; they worked for Internet Explorer 10 and Outlook 2013 on Windows 8:
(paste this string into the editing field without line breaks or blanks).
You will probably no longer be able to use some web pages that offer only weak ciphers. But are they worth visiting? If so, you have to either add the weak cipher here or switch this setting off (temporarily).
Normally MD5, DES, anything below 128-bit key length and, due to the BEAST attack, often also RC4 are considered “deprecated”. Try to favor ciphers that offer “forward secrecy”.
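The cipher-order rule described above, as an added example that is not part of the PrivaSphere help text: it filters a constructed list of Windows cipher-suite names with the page's deprecation rule (MD5, DES, RC4, anything under 128 bits), orders the remainder with forward secrecy and 256-bit AES first, and produces the blank-free, comma-separated string that the “SSL Cipher Suite Order” policy expects. The tie-breaking among equal-strength suites (GCM before CBC, SHA384 before SHA256) is my choice; write_policy() targets the registry location behind that group-policy setting.

```python
import re
# Constructed sample of suite names in the order a Windows client might offer them.
WINDOWS_DEFAULT_ORDER = [
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_DES_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_RSA_WITH_NULL_SHA",
]
POLICY_MAX_LEN = 1023  # the Windows policy value is a single string of at most 1023 characters

def key_bits(suite: str) -> int:
    """Symmetric key length encoded in the suite name; 0 for NULL/unknown ciphers."""
    m = re.search(r"_(AES|RC4|CAMELLIA)_(\d+)", suite)
    if m:
        return int(m.group(2))
    return 112 if "3DES" in suite else 56 if "_DES_" in suite else 0

def is_deprecated(suite: str) -> bool:
    """The page's rule: MD5, DES, RC4 and anything under 128-bit keys; NULL/EXPORT as well."""
    weak = ("MD5", "RC4", "DES", "NULL", "EXPORT")
    return any(tag in suite for tag in weak) or key_bits(suite) < 128

def preference(suite: str) -> tuple:
    """Sort key: forward secrecy first, then 256-bit before 128-bit AES, then GCM, then PRF hash."""
    forward_secrecy = suite.startswith(("TLS_ECDHE_", "TLS_DHE_"))
    prf = 384 if suite.endswith("SHA384") else 256 if suite.endswith("SHA256") else 160
    return (not forward_secrecy, -key_bits(suite), "_GCM_" not in suite, -prf)

def build_policy_string(offered) -> str:
    """Filter and order the suites into the comma-separated, blank-free policy value."""
    value = ",".join(sorted((s for s in offered if not is_deprecated(s)), key=preference))
    if not value:
        raise ValueError("no acceptable cipher suites left")
    if len(value) > POLICY_MAX_LEN:
        raise ValueError(f"policy string too long ({len(value)} > {POLICY_MAX_LEN})")
    return value

def write_policy(value: str) -> None:
    """Windows only: store the value where the 'SSL Cipher Suite Order' policy keeps it
    (needs administrator rights; takes effect after a restart)."""
    import winreg  # imported here so the module still loads on non-Windows systems
    path = r"SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002"
    with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        winreg.SetValueEx(key, "Functions", 0, winreg.REG_SZ, value)

if __name__ == "__main__":
    print(build_policy_string(WINDOWS_DEFAULT_ORDER))
```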
Furthermore, activating TLSv1.2 in Internet Explorer is also recommended.
For 'forward secrecy' see also (in German):
To test your browser's SSL settings use the following link: https://cc.dcsec.uni-hannover.de/
Unfortunately, some “Home” versions of Windows 7 do not offer gpedit.msc. Even downloading it would not show the above “SSL Configuration Settings”; see
drudger.deviantart.com/art/Add-GPEDIT-msc-215792914 or www.askvg.com/how-to-enable-group-policy-editor-gpedit-msc-in-windows-7-home-premium-home-basic-and-starter-editions/
Any hints on how to configure the ciphers in those Windows versions are appreciated.
If non-Microsoft client software shows warnings or is blocked, please contact us; if you know the solution and have corresponding screenshots, please contact us too.