Send and Receive

Retrieve a secure message sent to you. When accessing the message online, automatically a secure connection (SSL) is established between your computer and the PrivaSphere secure messaging server.

Read your Private Message

1. Access your PrivaSphere Secure Messages by either:

  • Secure Login into your PrivaSphere account
  • A message notification eMail to your standard eMail Inbox with an embedded secure link
  • In the Inbox of your standard eMail program

Hint: PrivaSphere messages expire after 30 days. If you want to keep a copy, download the message and attachment to your computer (use MS-Word or notepad/Editor - wordpad.exe might have problems displaying umlauts or non-western characters correctly).

If you cannot receive a message, then contact a PrivaSphere representative for additional assistance.

 

See also:

The .txt format presents the email message in a simple text file excluding attachments. You can view the message with your favorite text editor. The file will not be encrypted before download. 
If you choose this option, you will see a button in your inbox and your sent items offering the possibility to download the emails in the desired format.

Portable Document Format (PDF) is a popular cross-platform file format for printable documents originally developed by Adobe Systems. For reading you need an Adobe Reader which can be downloaded at the Adobe website at no charge. PDF frequently is used for document archiving.

PrivaSphere signs the PDF files digitally before download. The signature can be validated with the Adobe Acrobat Reader. Please download a short manual of Quo Vadis how to validate signatures in Acrobat Reader 8 (in German).

If you choose this option, you will see a button in your inbox and your sent items to download the emails as signed pdf files.

The e-mail extension format .eml is understood by many email programs (Mozilla Thunderbird, Windows MailMicrosoft Outlook Express). If you download messages in the .eml format, you can easily import them into your email program. If you download the .eml file, it will be delivered digitally signed. 

If you use this option you will see a button in your inbox and your sent items offering the possibility to download the emails in the desired format.

Reply to your PrivaSphere Secure Messages, if you already use PrivaSphere secure SMTP service:

  • Press the 'reply' button to create your reply message which has a one-time sending identity.
  • Adjust the outgoing eMail server to the 'PrivaSphere Secure Messaging' account (if not default).
  • Uncheck security options to not encrypt or sign. The reply message will reach the sender SSL-encrypted directly out of your eMail client.

Use the webMail interface to reply to the message:

  • Login to your account on https://www.privasphere.com.
  • Use the buttons 'reply' or 'reply to all' in your list inbox screen or in your inbox message.

See also:

A MUC is a one-time access code and protects a message sent to a new communication partner from being seen by eavesdroppers or erroneous recipients and is used to initiate trust.

Prepare to send:

1. If you send a message to a new recipient, then the system generates a random MUC. Remember the MUC and send the message.

2. Communicate this MUC code not by eMail - use another communication channel, e. g. personally or by telephone, SMS, Fax or letter - to the recipient.

 

Send the MUC to a mobile device via SMS or Fax to your receipient: 

3. The recipient clicks on the link in the notification message he received from PrivaSphere. This opens a page on the PrivaSphere site which requests the MUC code to be entered. Providing the credentials will give access to the secure message.

4. If the recipient clicks on the quick register button, he can obtain a password, trust with the sender is established and a MUC is not any longer needed when communicating between these two parties. To register only and receive secure messages is free. See a set of screenshots (pdf ) illustrating the steps your recipient is going through

Hint:

If you use your eMail client for PrivaSphere Secure Messaging, just add the following tags to your subject to send the Message Unlock Code MUC directly to the recipient:

  • <sms:xxx xxx xx xx> for SMS
  • <fax:xxx xxx xx xx> for Fax

 

see also:

PrivaSphere Secure Messaging Service - von der informellen Kommunikation via eMail zur geschäftsrelevanten, vertraulichen und verbindlichen elektronischen Korrespondenz

PrivaSphere-Technologie zeichnet sich nebst der Inhaltsvertraulichkeit auch durch maximale Beziehungsvertraulichkeit der sicheren Mails aus. Weder das Paar „Sender/Empfänger“, noch der Betreff sind bei Meldungen mit den Standard-Einstellungen einsehbar. Ein zweiter, wichtiger Sicherheitsfaktor ist die Empfängeridentität. Nichts Schlimmeres als wenn vertraulicher Inhalt den falschen Empfänger erreicht. …und Hand aufs Herz, wie schnell ist ein Mail an den falschen Empfänger versandt.

 

1) Patentierter Fehlleitungsschutz – Empfängeridentität und Vertrauensbeziehung

Angefangen von der Empfängeridentität und deren Beziehung zum Absender sowie vom Vertrauensaufbau über die einfache Nutzung bis zum Entzug und der Re-Initialisierung - PrivaSphere verwaltet Ihre Online-Vertrauensbeziehungen.

* Erst-Authentisierung bei neuen Empfängern
   Fehlleitungsschutz bei registrierten Benutzern
   oder bei streng vertraulichen Inhalten

 

MUC - Messaging Unlock Code – Fehlleitungsschutz bei Bedarf

 

 

2) Was ist der Message Unlock Code (MUC)?

Ein MUC ist ein Mitteilungs-einmal-Passwort und schützt Ihre Meldung, die an einen neuen Kommunikationspartner gesandt wird, vor Einsicht durch unberechtigte Personen oder vor einer Fehlleitung. Mittels MUC wird die Identität des Empfängers auf einem 2. Kanal überprüft und die Vertrauensbeziehung initialisiert.

Vertrauensmanagement

Der zweite wichtige Sicherheitsfaktor nebst Inhaltsvertraulichkeit während des Transports (‚Verschlüsselung‘) ist die überprüfte Empfängeridentität und deren Beziehung zum Absender. Angefangen vom Vertrauensaufbau über die einfache Nutzung bis zum Entzug und der Re-Initialisierung - PrivaSphere verwaltet Ihre Online-Vertrauensbeziehungen.

Der MUC (Message Unlock Code) dient:

  • der Erstauthentisierung des Empfängers
  • dem Fehlleitungsschutz

und dient somit der Vertraulichkeit ihrer schützenswerten elektronischen Kommunikation.


3) Verschlüsselt Mailen ohne Fehlleitungsschutz

MUC unterdrücken

Ist der Empfänger bereits registriert und Sie sind sicher, dass Sie sich nicht in der Mailadresse getäuscht haben, so können Sie das Systemverhalten übersteuern, den MUC-Versand unterdrücken und den Empfänger per Mausklick zu Ihren vertrauten Kommunikationspartner hinzufügen. Der Fehlleitungsschutz wird dadurch aufgehoben.

Es ist zudem nachträglich möglich, bei auf der Plattform bereits registriertem, aber noch nie angeschriebenem Empfänger den MUC auch nach dem Versandzeitpunkt noch zu entfernen.

Insbesondere falls der Empfänger über mit seiner Domäne angebunden ist oder einen Smime/PGP Verschlüsselungs-Public-Key in sein Konto aufgenommen hat, lohnt es sich nach der MUC-Entfernung „Erneut avisieren/ausliefern“ zu wählen, da die Meldung dann sofort ausgeliefert wird und sich der Empfänger den Plattform-Besuch via Browser sparen kann.

Mail ohne MUC

Sie haben die Möglichkeit über das AddIn oder als Steuerzeichen im „Betreff“ mit dem Befehl „nomuc“ (als Steuerzeichen in <> Klammer) eine Meldung an Mail-Empfänger (unregistrierte Empfänger oder Systemteilnehmer) zu versenden. Diese Funktion bedarf aber einer erhöhten Aufmerksamkeit, da ohne Erstauthentisierung / Fehlleitungsschutz gearbeitet wird und nur noch Vertraulichkeit bei passivem, nicht aber aktivem [1] Abhören gewährleistet ist.

Daher müssen Sie sich diese Funktion beim PrivaSphere Support zuerst freischalten lassen.

Mail ohne MUC an registrierten Benutzer – Fehlleitungsschutz für übrige Empfänger

Mit dem Steuerbefehl <unSafeRoute> werden Mails an registrierte Benutzer ohne Fehlleitungsschutz (MUC-Authentisierung) ausgeliefert, alle übrigen Empfänger benötigen einen MUC.

 

4) Die verschiedenen Arten von MUC

‚Standard‘

Grundsätzlich wird der MUC vom System generiert (5-stelliger alphanumerischer Code) und kann automatisiert per Fax oder SMS direkt dem Empfänger übermittelt werden

‚Vor-definiert‘

Der MUC kann vom Absender pro Empfänger mittels Outlook/Notes AddIn/Template oder Script oder in einer Applikation vordefiniert werden.
Diese Funktion setzt vertiefte Security- und Plattform-Kenntnisse voraus – falls Sie diese Möglichkeit auch in der Web-Schnittstelle wünschen, kontaktieren Sie zur Aktivierung bitte  unseren Help-Desk unter 043 500-MAIL (043 500 6245).

‚Fix‘ pro Empfänger

Der MUC kann pro Empfänger fix im ‚Kontakt‘ im sicheren WebMail hinterlegt werden und gilt dann solange bis er geändert wird, oder der Empfänger sich beim Secure Messaging Service von PrivaSphere voll registriert hat (kostenlos). Siehe auch: Festlegen eines vordefinierten MUC.

Gruppenfunktion

Sie haben die Möglichkeit als Gruppenadministrator eine geschlossene Benutzergruppe aufzubauen, die untereinander vertraut ist ohne Erstauthentisierung untereinander. (siehe separate Anleitung für die Gruppenfunktion)

Weitere Steuerbefehle

Höchster Fehlleitungsschutz und Sicherheit vor Fremdeinsicht
Mit dem Befehl <safeRoute> stellen Sie sicher, dass für die Einsichtnahme der Empfänger über einen MUC verfügen muss, sonst bleibt ihm der Inhalt verborgen.

 

5) Policy-Enforcement und Routing Service

Wie aus obigen Möglichkeiten leicht ersichtlich ist, lassen sich komplexe Geschäftsvorfälle effizient schützen. Um eine Vielzahl solcher Szenarien fein-abstimmen und automatisieren zu können empfehlen wir Vielnutzern den Einsatz dieser Dienstleistung.

  • Policy Enforcement Support: Damit kann Ihren ausgehenden Mailservern die Triage der Meldungen (verschlüsseln oder nicht?) abgenommen werden und es steht Ihnen ein zeitgemässes Regelwerk zur weiteren Optimierung Ihrer Mailkommunikation zur Verfügung; u.a. sind folgende Regeln möglich:
    • Zwingende Vertraulichkeit für einzelne Empfänger/Domänen über Secure Messaging (Vertraulichkeit)
    • Zwingende Vertraulichkeit für einzelne Sender über Secure Messaging (Vertraulichkeit)
    • Zwingende Identifikation der Empfänger mittels MUC für einzelne Empfänger / Domänen (erhöhter Fehlleitungsschutz)
    • Inhalts-basiertes Routing von Mails (Rückweisung / Vertraulichkeit)
      Erweiterte Routing-Funktionen im Zusammenhang mit Secure Messaging und dem GroupWise Template/Outlook AddIn.

 

Hinweis: Ermuntern Sie Nichtteilnehmer sich auf der Plattform zu registrieren. Wenn der Empfänger bei Meldungsempfang die ‘Schnellanmeldung‘ Funktion wählt, kann er ein Passwort wählen und Sie müssen keinen MUC mehr austauschen. Das Empfangen von Standard-Meldungen und die Registrierung sind kostenlos.

 

 


[1] Der Angreifer schreibt den beobachteten Meldungsverkehr nicht nur für z.T. sehr viel spätere Analyse mit, sondern folgt z.B. darin vorgefunden Links aktiv. Da viele (kryptographische) Links im Security-Umfeld nur für beschränkte Zeit auf die Nutzinformationen führen, bewirkt dieser Ansatz viel bessere Ausbeute für den Angreifer.

 

6) MUC: Einsatz im Behördenverkehr (eGov)

Innerhalb der PrivaSphere Secure Messaging Plattform:

Sind sowohl der Sender wie auch die empfangende Behörde auf der PrivaSphere Secure Messaging Plattform registriert, so wird der MUC standardmässig 'unterdrückt'.

Beim Senden via Web Interface wird er angezeigt, standardmässig aber unterdrückt.

Beim Versand aus dem Mail Programm (via SMTP oder Domänen-Anbindung) wird der MUC für Behörden standardmässig unterdrückt. Die Funktion kann unter 'Mein Konto" - "eGov/Einschreiben" ein-/ausgeschaltet werden (Standardeinstellung: MUC wird unterdrückt).

 

MUC im interoperablen eGov Verkehr:

Wird die eGov Eingabe an einen Teilnehmer des Behördenverkehrs an eine andere Plattform ("Interoperabilität") übergeben, so wirkt der Zugriffs-Schutz mittels MUC nicht.

Die anderen zugelassenen Plattformen kennen diesen Schutz (authentisierter Zugriff, Fehlleitungsschutz) nicht - sie liefern sichere eMail einfach direkt an den mit der entsprechenden eMail Adresse registrierten Benutzer aus.

7) Fehlender MUC

Wenn Sie eine Abholeinladung mit Aufforderung zur MUC Eingabe erhalten haben, aber den MUC auch nach Stunden bis Tagen nicht erhalten haben, so erinnern Sie den Empfänger (siehe Beschrieb II in Send Message Unlock Code (MUC) via SMS).

 

siehe auch:

Sometimes you want to know whether your sms or fax has arrived?

For that, you need to login into your account via the PrivaSphere secure web-interface.

Under "Sent" and the specific Message details, the current message status is show - color coded.

With mouse-over, you can also see more details such as the sms ID of the specific SMS the PrivaSphere customer service would need to escalate to the SMS service provider - e.g. "141128191912".

Before you contact our customer service, please ensure the following:

a) the destination number can receive SMS or FAX

b) the receiving devices at the destination are operating (not out of paper e.g. for a fax)

Typical error situations that do not justify contacting customer support.

1) Message for 00417xxxxx, with identification 141128191912 could not be delivered, because VP exceeded (code 65283)

This happens typically with reciever's cell phones that are turned off.

Server-based SMS services normally only try for 24 hours. If you need more lasting attempts, either send the SMS from your personal cell phone or use fax, threema.

2) No translation for this specific address (code 1025).

This happens for example with destination numbers on the fixnet when you try to send to them via SMS.

Also, if everything fails your recipient always has the possibility to confidentially remind you of the missing MUC by clicking on the link in the pickup notification and then on

and then provide an alternative delivery number.

The receiver will then be informed and can simply click on a link containing the alternative sms number

PrivaSphere Secure Messaging also supports threema for sending a MUC besides SMS or fax.

With SMS and fax the MUC is transmitted through the large international telephone companies. Therefore you must trust on their confidentiality.

With threema, the Message Unlock Code (MUC, one-time password) will be directly sent End2End encrypted to the smartphone of the recipient.

Threema is Switzerland operated short messaging app with a particular focus on security and confidentiality of the transmission. It is independent from the big carriers. In addition, the company is exclusively subject to the Swiss law and the owners are Swiss citizens. Threema is available for iPhone and Android.

Function:

After pressing "Prepare to Send" you will see the button "SEND MUC" with which you can display fields for SMS mobile phone numbers, fax numbers or threema receiver IDs.

With the recipient's email address the threema ID will be automatically checked and, if so filled in.

If no ID was found and you know the mobile number, you can fill in and press the "Update calculation" button. PrivaSphere performs a threema lookup due to the mobile number and displays the ID if found.

Sending with Threema is safer and cheaper than SMS or fax.

If both mobile number and threema ID are present, we send the MUC via threema.

To a transmission of the MUC-message to the recipient's side – no reply to the threema message is possible.

Resetting your Password with Threema

Under "My Account" fill in your Threema-ID and next time you forget your password, you can a one-time reset password sent to your Threema account.

A test Threema Message will be sent your number to ensure there is not typo in your number.

After this login please proceed with the new password as usual.

If you lose the (mobile) device on which you receive SMS/Threema, immediately log into the Platform and remove the number/ID.

On request PrivaSphere can deliver secure messages via Threema app.

If you are interrested please contact PrivaSphere.

 

see also:

You have not yet exchanged any message with this recipient on the PrivaSphere system. At your own risk, you may override the MUC mechanism. This option may be used, if you have validated the recipient's identity and authenticity beforehand otherwise. Verify that it was really the desired recipient who has received the message. No typos in e-mail address.
When replying via the Web, users normally were sufficiently able to authenticate the sender - e.g. via the content. Therefore, no MUCs are asked for in this case. If you want to be more strict, set default in "Edit Profile".

Write an eMail online at http://www.privasphere.com. Upon login a secure connection (SSL) is established between the sender and the secure messaging system which reliably protects data from eavesdropping.

Compose a Private Message


1. Open your online eMail form by clicking on the 'New Mail' button located on the left top of your main toolbar.

2. Add recipients manually or by choosing from your contacts with the button 'add recipients'.

3. Write your eMail, including subject line and body.

4. If applicable, upload an attachment. If you wish to attach several files, compress them in a zipped folder.

Hint: If you want to upload a large attachment, depending on your communication connection, this may last up to several minutes.

5. Click the button 'Prepare to send'. The following page shows you the message costs and trust status of your recipients. If you send to non-validated recipients, you will need to retain the related MUC. Encourage your recipients to get a password, such that you will not need a MUC afterwards.

6. If you want to sponsor a postage-free return message to your recipient(s), tick the box below the recipient list.

7. When all sending parameters are set (MUC sending via SMS, Threema, etc; Relationship Privacy; delivery confirmation; Dispatch Mode; …), press the SEND button.

Hint: Make sure to save your draft message, if editing for more than 30 minutes (connection time out for security reasons).

If you need more information, then contact a PrivaSphere representative for additional assistance.

See also:

PrivaSphere Secure Messaging allows a message size of

  • 15 MB per mail - respectively via Web (https) up to 0.5 GB («Large»).

Please be aware, that digitally signed messages (SMIME or PGP) have bigger size than the original mail.

To minimize the size of your attachments, we recommend the usage of a file compression tool (eg. *.zip, for Details see Wikipedia).

If you receive your secure emails encrypted with your deposited SMIME or PGP public key, PrivaSphere sends this mails up to a size of 8 MB encrypted. For larger files, PrivaSphere sends you a notification and delivers this mails via web download. This mechanism works for domain delivery too.

If you wish to send larger messages, contact a PrivaSphere representative.

 

If your internal network architecture allows smaller message sizes with secure push delivery methodes (TLS-to-Domain, Asym-TLS, S/Mime, PGP, encrypted Pdf) as your mail gateway publishes or for other a smaller maximum size is required, please contact us.

 

Hints to avoid large transmissions

  • do not scan documents in high resolutions
  • scan documents b/w - colour only if neccessary
  • do only convert PDF files to PDF/A while signing with the eGov Local Signer if neccessary - it will convert to large bitmap images
  • In word processing programs (such as MS-Word), a much more efficient PDF/A is offered under "Save As" - "Pdf" - "Options" - checkbox "Pdf/A" than a pure BitMap conversion.

 PDF/A saving in MS Word

 

Interoperability in eGov transmission

Some recipients on other platforms in interoperable eGov transmission have problem receiving eMails even smaller than the 15 MB payload (regulator's interoperable size).

see also:

 

see also:

 

With PrivaSphere Secure Messaging it is easily possible to send an email as encrypted PDF attachment to one or several recipients.

This helps e.g. for recipient with limited access to the PrivaSphere Secure Messaging Web interface due to firewalls rules or other regulations.

The PDF is encrypted with at least 128-Bit RC4 encryption (symmetric) and can be opened with a password.

The encryption password is either an automatically generated or a user pre-defined PDF-MUC (Message Unlock Code).

Such a password is similarly handled as a Message Unlock Code (MUC) – it can be sent via SMS or fax.

Using the function in the PrivaSphere web interface

Sending the eMail

Write the eMail, press ‘prepare to send’. Choose ‘More Options’:


Choose “Pdf: encrypted – MUC”
either use the pre-defined password or enter an own one.


Even more than with the passwords to access the PrivaSphere Web-Site, it is important to choose strong passwords because an attacker could try many more passwords against the pdf than the limited number of tries against the secure web-login.


 Choose ‘SEND MUC’ for direct delivery of the password via SMS or fax

press ‘send confidential’ to send the secure email as attached pfd file.


Alternative:

If the email is already sent and the sender wants to deliver it via encrypted email, go to the ‘sent’ folder and use the function “pdf: encrypted – MUC”

either use the preset key or use an own and press “update delivery”

Go to the sent message:

Choose PDF encrypted and update

The message will be sent as an attached encrypted eMail to the recipient


Using the function with your mail client

  • Subject tag “<cPdf>” -  use this tag in the subject of the message
  • “<muc:xxxxx>”  to set the PDF password (works only with one recipient)


Reading the encrypted PDF sent via PrivaSphere Secure Messaging

Opening the PDF asks for the password.

With clicking on the lock sign in the PDF it shows the encryption details.

 

Scenarios for the usage of encrypted PDF

The delivery of encrypted PDF files is useful if

  • the recipients web access is restricted (for example to slow)
  • the recipients web access is blocked by firewall settings
  • the recipients web access is restricted by internal regulations
  • the recipient must be achieved personally and encrypted with no delivery to a company server

As an alternative to the last point is the possibility to use the subject tag <onlyWeb> - the secure email will be exclusively presented in the receivers Web browser - it is not delivered via POP, SMIME or to a domain.

Hint:

  • There will be no delivery of encrypted PDF files to the recipient if the recipient uses the option 'suppress notification' in its options.  This option is normally used by users getting the secure eMails via POP protocol.

 

see also:

This option allows you to sponsor a prepaid return message to your recipient(s). You can choose this option in the preferences section of edit profile or on a message-by-message basis when composing a new message. Message charges will be applied to your account, if they reply via web-mail.

 

See also:

Protect yourself and add a verifiable proof to your important information exchanges. PrivaSphere Registered Secure eMail™ provides evidence to support non-repudiation of electronic transactions through the use of auditable time stamps and qualified digital signatures. 

 

Characteristics:

  • Sending time and content digitally signed on platform with legal time according to Swiss Law (ZertES)
  • Digitally signed delivery receipt
  • Secure exchange of electronic data (encryption)
  • Detect tampering of electronic data
  • Notification of sender in case of non-delivery
  • Flexible strength of authentication (password, certificate, biometric)
  • No installation
  • Award winning Swiss Technology (Swiss Technology Award 2005)

 

see also:

Protect yourself and add a verifiable proof to your important information exchanges. PrivaSphere Registered secure eMail provides evidence to support non-repudiation of electronic transactions through the use of auditable time stamps and digital signatures of its Swiss federally recognized platform. 

PrivaSphere Registered Secure eMail™ with return receipt needs a personal identification of the recipient with a client certificate issued by a Swiss CA according to Swiss law (ZertES) or strong authentication after prior identification . PrivaSphere proofs the certificate respectively the strong authentication, enables the access and generates a return receipt which protocols the transaction.

Characteristics:

  • Proof of sending and content: digitally signed by PrivaSphere with certified secure time source.
  • Digitally signed delivery receipt
  • Secure exchange of electronic data (encryption)
  • Detect tampering of electronic data
  • Notification of sender in case of non-delivery
  • Authentication with certificates or strong authentication according to Swiss law
  • No installation
  • Award winning Swiss Technology (Swiss Technology Award 2005)

 

Compatibility:

  • Works with recent browsers (Explorer, Firefox, Safari, etc.)
  • Works with mostly all mail servers (Microsoft Exchange, Lotus Domino, Novell Groupwise, Sendmail, Postfix etc.)
  • Works with all mail clients (Microsoft Outlook, Outlook Express, Mozilla Thunderbird, Lotus Notes, GroupWise, etc.)

 

See also:

To send your registered secure eMails as qualified signed PDFs with a legal timestamp, choose 'More Options' - 'PDF Format' after pressing 'Prepare to send' - or set the default in 'My Account'.
Alternatively, you can use subject line prefix 'eLs!Pdf: ' in your mail program.

If your default is already PDF, but you want to send a qualified eMail Message (MIME), you can override this on a per message basis with the subject line prefix "eLs!MiMe: ".

 

See also:

Validation of a signed pdf document

It is possible to send a PrivaSphere eGov Registered eMail in PDF format.

There are thre possibilities:

 

Setting per message:

In 'prepare to send' use the option "eGov Registered in PDF (with RFC3161 timestamp)"


Default settings:

It is possible to set the PDF eGov registered eMail as default.

Go to 'My Account' - 'eGov/Registered' - 'Convert message to PDF'

Use the following subject Tag in your mail programm:

<PSPeGov3161/>  eGov registered mail in PDF format including a timestamp (RFC3161)

Weitere Themen zum elektronischen Rechtsverkehr

eGov Service: Sorgfalts- und Mitwirkungspflichten des Kunden

PrivaSphere Secure Messaging: Kurzbeschrieb der Plattform

siehe auch:

 

see also:

For enhanced security PrivaSphere™ Secure Messaging offers the option “noStore” while sending secure messages. With this option, except for some header information, no content of the message is stored on the PrivaSphere™ Secure Messaging platform.

 

PrivaSphere™ delivers the eMail directly as encrypted PDF file (including attachments) to the recipient – the (long) password is sent via PrivaSphere™ Secure Messaging.

 

As a sender you will find the ‘noStore’ option in the web interface while writing a new email. Go to ‘more options’ and choose ‘no store’.

If you send via your mail client (e.g. Outlook, Thunderbirs or others) with smtp or domain delivery, just use the subject tag ‘<noStore>’.

The recipient decrypts and reads the attached pdf file in a pdf viewer.

In case of receiving large emails - PrivaSphere™ checks the smtp size of your receiving email server and sends the ‘oversize’ email split in several emails containing encrypted pdf files.

If a single attachment is ‘oversize’ for your receiving email server, it will be split in several emails containing encrypted ZIP shares.

Split zip files must be copied into one directory to unzip with a zip program which supports the handling of encrypted, split zip files.

With the function 'NoStore' no eMail content is stored in PrivaSphere Secure messaging servers.

Sending a “no store” secure email:

Click ‘more options’


Activate ‘noStore’


Sending from your mail client use the subject tag ‘<noStore>’

For enhanced security PrivaSphere™ Secure Messaging offers the option “noStore” while sending secure messages. With this option, except for some header information, no content of the message is stored on the PrivaSphere™ Secure Messaging platform.

 

PrivaSphere™ delivers the eMail directly as encrypted PDF file (including attachments) to the recipient – the (long) password is sent via PrivaSphere™ Secure Messaging.

Receiving a “no store” secure email:

The recipient will receive an email which encloses the encrypted content in a PDF file


Following the link the recipient will find the long password to open the PDF file.

Login with password or Message Unlock Code (MUC)


The pdf key is available in the email


Open the PDF file and enter the key


The content is stored as PDF file – including attachments.

Optimizing the handling of inbound “NoStore” Messages for receivers:

The easiest way to get the “NoStore” eMails is to activate TLS delivery to the receiver’s domain. Unless you need to get a second copy from the platform in case you lost the first message or other service related to the platform, you will not notice a difference from "stored" (normal) secure messages.

The second best way is to upload an encryption certificate (SMIME or PGP) to your account to get the message delivered.

As a third option, choose a standard password for the PDF/ZIP delivery and get the messages password encrypted.

Caveat:

Since standard password encrypted files (PDF, ZIP and others) are susceptible to "offline password guessing", it is recommended to use a “long” password and change it regularly (e.g. every couple of weeks or every 30 messages that were protected with it). The longer the password, the less frequently you need to change it.

Smart Phones/mobile devices


If you receive your confidential messages on an android device, users have reported to be able to be able access the contents with the following free or moderately priced (marked with “*”) apps:

If you know other apps suited for the purpose, please let us know.

If you want to join the beta-test please contact us.

 

See also:

To send your registered secure eMails as qualified signed PDFs with a legal timestamp, choose 'More Options' - 'PDF Format' after pressing 'Prepare to send' - or set the default in 'My Account'.
Alternatively, you can use subject line prefix 'eLs!Pdf: ' in your mail program.

If your default is already PDF, but you want to send a qualified eMail Message (MIME), you can override this on a per message basis with the subject line prefix "eLs!MiMe: ".

Qualified signatures in PDFs are new. Therefore, the signature validation modules of common PDF viewers only master this technology with different degrees of convenience.

  • Acrobat Reader has a very small own trust store for root certificates. Approved Swiss CAs such as QuoVadis are not part of it. You need to configure it in the advanced security digital signature preferences to use the windows Trust Store. It dislikes that the qualifying "qc statement" as per the standard (ETSI) is "critical" in the signing certificates and the thus the overall verdict remained "?" and not a green check mark.

    Hint for Adobe Acrobat X users: to validate an 'Non SuisseID' signature please follow the instruction here.
  • CABAReT Stage is a portable viewer and in its paying version, it can also be used to create qualified signed PDFs as per the Swiss Law (OR 14). The partial "?" in the signature icon is expected to disappear in the upcoming version 3 and we hope the "signature info" tab will provide details about the liability sums as per the qc statement then.
  • OPENLiMiT SignCubes gives QuoVadis qualified signatures the green check mark, but due to restrictive BSI rules, it does not automatically perform OCSP checks and if done so manually, complains about Swiss approved Responses. Due to the same restrictive approach, advanced PDF signatures with Thawte Freemail Signature Certificates or TrustCenter.de also do not pass immediately. In its paying version, it can be used to create qualified signed PDF documents as per the Swiss Law (OR 14).
  • In the internet, the Swiss Federal Office of Justice (FOJ) runs a Validator Service for validating electronically signed documents.
    You can use the validators available here to check electronically signed documents.

Operning attachments in PDF files

PDF files possibly contain attachments which can be opened in a PDF viewer.

If you have problems opening an attachment in a PDF file (e.g. .eml, (Standard Mail (SMIME) Format)) you will find more help in the following document of Adobe, chapter 7:


With the free PDF viewer as CutePDF (http://www.cutepdf.com/), BullZip (http://www.bullzip.com/) or FoxitReader http://www.foxitsoftware.com/Secure_PDF_Reader/ it is quite easy to extract attachments.


Help Page: Adobe Reader

 

See also:

A digital signature is a cryptographic process in which a "message" (e.g. email) can be protected.

With this digital signature the origin (sender), the content and the date can be verified by anyone.

http://en.wikipedia.org/wiki/Digital_signature

A digital signature of an email can be checked e.g. with Microsoft Outlook by right clicking on the signature icon.



In particular since Acrobat X ,Adobe has started to add security features to its reader that are not required by most jurisdictions (e.g. not by the Swiss law) .

Long-Term Validation (LTV)

Long-Term Validation (LTV): All revocation information and timestamps necessary to validate a signature are already included in the PDF even though they normally can be obtained during signature validation. So even if the certificate issuer were to cease to exist, it is still possible years later to know that at the third-party confirmed point in time of signing, the signing certificate chain was good.

All pdf’s signed by the PrivaSphere Secure Messaging Platform are LTV enabled since fall 2015.

If a signature is already created without revocation information and rfc3161 timestamp, the signature may well still be valid. PrivaSphere has offered to sponsor the development of an open-source feature to ex-post amend a pdf with the LTV necessary information: https://issues.apache.org/jira/browse/PDFBOX-3047

(the time-stamp will in that case not reflect the signing time, but the “amend/validate” time)

Adobe Approved Trust List (AATL)

Adobe Approved Trust List (AATL): A new class of certificates has been created by Adobe.

All signatures by issuers not enrolled in this program are rejected.

A one-time operation in the pdf-validating person’s reader fixes this:

see: https://p4u.ch/aatl  - Thereafter, the signature looks o.k.

If the certificate was issued with AATL, there can be an additional green or blue dot.

Authorities and other larger PrivaSphere customer institutions may want the PDF Signatures to be additionally AATL compliant. This can be at some extra cost through an integrated PrivaSphere Partner-Service – it may well be worthwhile in this case to even obtain an institution-specific AATL-compliant certificate – if interested, please contact us.

 

see also:

Send an encrypted e-mail without recipient authentication (Message Unlock Code (MUC) or password). The recipient can read this message without entering a PIN or password. An accidentally misrouted message (wrong recipient address) can be read by who ever having access to this e-mail address. The security of this type of message is reduced.  

This function is only available to administrators and requires preliminary activation.

Domains with a secured internal LAN and tight legal relation with their memers (e.g. employees) can opt to send messages to the secure PrivaSphere smtp not from the sender's mail program, but from their gateway MTA.

They indemnify PrivaSphere for any reduced security due to choosing this option. Recipients are alerted to this with this notice.

Similarly, such a domain can opt to receive messages on their secure MTA instead of PrivaSphere securing the delivery up the the recipients mail program/desktop

 

see also:

PrivaSphere Secure Messaging allows you to transfer large files securely and in an authenticated way.

For this, the option "Extra Large" can be selected while sending in the browser.

The large files can then be uploaded:

  • Via Browser Upload / Download
  • Via WebDav Client (davs: or https: link)

 

Selection while sending a new message

  • (1) normal upload via browser
  • (2) selection for upload / WebDAV

 

The WebDav protocol (davs: or https: link) has the advantage that it allows the upload / download to be resumed after an aborted transfer without retransmitting (potentially hundres) already correctly received MBs by the PrivaSphere servers1).

In particular, if you have potentially unstable networking, PrivaSphere recommends to use a secure transfer program, such as Cyberduck (open source DAVS client - https://cyberduck.io) or WinSCP (https://winscp.net)

PrivaSphere provides the service immediately:

  • Maximum mail size: 500 MB (on request up to 5 GB)
  • 5 large transfers per month included in the annual subscription
  • Limits of 100 downloads per message
  • 10 days of storage
  • The large files are not checked for viruses / trojans, etc. on the PrivaSphere server. The standard anti-virus programs on Linux do not allow this.

The large file transfer is not yet optimized for SOAP interfaces. However, this can be easily implemented within the framework of a first joint customer project

PrivaSphere reserves the right to modify the cost structure and transfer parameters after termination of the BETA phase.

If you need larger transaction sizes or other adjustments, please contact us.

 

1) In particular with mobile transmission, this can be relevant for not wasting your monthly transmission credits.

 

Price:

Basispreis:

up to 1 MB

CHF 0.75

 

 

additional per MB:

 

2-20 MB

CHF 0.10 per MB

21-200 MB

CHF 0.02 per MB

201-500 MB

CHF 0.007 per MB

501- ... MB

CHF 0.003 per MB

 

Receiving

If a large eMail is received that can not be transmitted directly (for example, limit of incoming mail to 'small'), a text file is attached to the mail containing the information for download (via browser or WebDAV).

This allows the easy download of the large attachments.

  • (1) text attachment with download information
  • (2) link for the download via browser
  • (3) link for the download via WebDAV protocol

 

End-to-end encryption:

If the recipient has deposited an encryption certificate on the platform, the large file is encrypted with this certificate before sending.
It can be opened with normal mail clients that are configured for decryption with this certificate key pair. (With Thunderbird good experiences were made).

End-to-end encryption on the device of the sender is in preparation with CyberDuck.

 

see also:

Send and receive secure eMails with your eMail program through restricting firewalls using SMIME gateway functionalities.

PrivaSphere Secure Messaging supports sending secure eMails to recipients using SMIME encryption to recipients over the PrivaSphere Secure Messaging Platform. The recipient does not need to be a registered PrivaSphere user.

This can be useful if the sender is behind a corporate firewall and is not allowed to use the SMTP protocol and/or he can not configure a second eMail account in his eMail client.

Be aware that this breaks the relationship privacy! This means that it is visible from outside who sends eMails to whom. The content is still encrypted and safe.

 

Prerequisites

To use the PrivaSphere Gateway CA, the following prerequisites are necessary:

1. Registered PrivaSphere User: As sender it is necessary to be a fully registered PrivaSphere Secure Messaging user with an eMail address and a valid password.

2. The sender needs a valid SMIME key pair (private and public key). It can be a commercial one or a self signed. The public key must be uploaded in the PrivaSphere Secure Messaging profile.

3. Need of an eMail client which is able to encrypt and decrypt eMails using SMIME. This can be Microsoft Outlook, Mozilla Thunderbird or others.

 

Principle

1. The sender requests a certificate for the recipient on the PrivaSphere Secure Messaging Platform.

2. The PrivaSphere Secure Messaging Platform generates and delivers a SMIME public key for the recipient.

3. The sender sends a SMIME encrypted and signed eMail to the PrivaSphere Secure Messaging Platform for delivery to the recipient.

4. The recipient gets the secure eMail depending of his personal settings:

    • New recipient: browser based with notification mail and Message Unlock Code (MUC)
    • Existing recipient using web interface: browser based with password (and ev. MUC)
    • Via secure POP to the mail client
    • Encrypted with his deposited public key (SMIME)
      or delivered via domain (if applicable).

see also:

It can happen.

An online session on PrivaSphere Secure Messaging will be closed after 30 minutes without user activity or latest after 3 hours.

Please copy the text not yet stored on the server before you reload the form or close the browser (also the tab).

1.    Save the content locally for security (for example, with your browser).

Example 1: Compose a new mail:

 

 

Example 2: form (secure contact form)

 

 

2.    Log-in again or re-open the contact form

3.    Open the local file and copy all values (yellow in the example above) and texts over into the new message



See also:  «Compose a new Message»

Background:

We witness that more and more customers come to appreciate the comfort of electronic communication with authorities.

It is with pleasure that we see authorities such as Office of the Attorney General of Switzerland (OAG) and the Public Prosecutors of the Canton of Zurich offer a content encryption certificate for this very purpose.

Attachments larger than 15 MB are encrypted automatically via PrivaSphere Secure Messaging right after receipt and therefore guarantee for elevated cryptographic protection and a higher standard of confidentiality.

An even better option is to encrypt large files per end-to-end prior to the upload onto the PrivaSphere platform.

Our solution:

PrivaSphere offers the possibility to encrypt files directly per end-to-end during the upload. This ensures a higher level of security.

Authorities accepting such filings are to be identified and selected via the green symbol in our authority register of the Swiss Federal Office.

 

When clicking the green symbol, an input form opens up. There, you need to insert your message and the relevant contact details. Afterwards upload your attachment.

Alternatively, the option is shown to you when creating a new message in the PrivaSphere Webmail, provided that end-to-end encryption is a possible option prior to uploading the document to the platform:

 

 

 

Therefore, large attachments can be uploaded securely and confidentially onto our platform and are ready to be downloaded by the receiving party.

The encryption tool of the Genevan nonprofit foundation my-d.org keeps the files up until the termination of the encryption which is conducted locally in the browser. You can download the open-source tool as an HTML-file onto your desktop as well and use it independently from PrivaSphere according to the license agreement of the foundation.

Large-File-Decryption

We discovered however that e-mail programs, due to their algorithms, are not capable of decryptions on a GB-scale. It is often the case that files exceeding 200 MB cause out-of-memory-errors that are unacceptably time-consuming. For this case, my-d.org, too, has developed an open-source tool as a solution.

Recommendations by PrivaSphere:

  1. Kindly remind receivers of highly confidential information to acquire best practice-encryption certificates, as to ensure that your messages sent are content-encryptable “end-to-end”.
  2. Acquire a certificate for yourself as well, so that you are able to read encrypted messages and are able to receive highly sensitive responses encrypted end-to-end.

 

Please consider: