Plain text password login for email

Hi,

I have just purchased the DiamondCS Action Pack plus Process Guard.
GREAT SOFTWARE!

I just tried out Socket Spy and plugged in process IDs of my Browser (Firefox), Email client (Thunderbird) and email filter Benign. Then I used them and observed what was going on. Really Really interesting!

The discovery I made was to do with email logins. I just hadn't realised that the passwords were forwarded as plain text! But there I saw them! And if I could see them then so could quite a few?

I have just been onto my ISP and they tell me that they don't support secure logins as yet but encouraged me to make a written comment on their site. I'm going to do that!!

What ISP's do support secure logins for email?

Is there any way that pressure can be brought on them to do so?? I thought perhaps a "chain mail", but that would definitely be classed as Spam? On the other hand if someone did do that then it would definitely be "ethical spam"!

I know that options for more secure email has been there in the software for some years now so why isn't it being used yet?

 

Dont suppose you want to post your IP Address.... no, OK.

 

JO M


NEVER NEVER NEVER>>>NEVER post your IP address..NEVER!!!!!


No one should need to ever request your address be posted publically.


*********************************************************

 

JO M SAID:


"On the other hand if someone did do that then it would definitely be "ethical spam"!"""""

******************



Maybe the spamers that are on trial can use that as a defense.

 

I'm not sure I'm understanding correctly what JoM's experiencing, could we back up a step or two?

Does Jo mean the password appears onscreen while being entered as plain text rather than the more or less "standard" asterisks? Or that they're encrypted only onscreen but plain-text in all other respects?

I use Eudora off my local ISP, and set it to "remember password" the first time I logged in, so I never see it (it's remembered by Eudora, rather than in the usual Win files) and haven't a clue how it's sent to the server.

 

Hi MikeBCda,

if you had Port Explorer you could get it to listen in to Eudora as it logs you into your ISP's email server. From the sound of what you say you would find that there is NO SECURITY over the passwords at all. Anybody with a packet sniffer has the capability to read and log your email passwords without even having to crack a code!

I have known for some time that my Email Client Thunderbird (and even the former Outlook Express!) have a secure connection SSL setting or secure authentication setting or both. Since I can't use them I don't know which one it is!

But I hadn't quite realised that the passwords were transmitted in PLAIN TEXT for all to see and that IT IS SO EASY TO SNIFF THE PACKETS.

So yes, the illusion of safety when you see the ***'s is just an illusion. They are TRANSMITTED as "mydogbill" or whatever! I think it might be more honest of the email clients to skip the ****'s to make it clear that there is no encryption going on.

Well the only benefit of the ***'s is to stop the wife seeing your email password as you type it in and reading all your emails from your Girl Friend! Just kidding!

Regards Jo M

 

Hi Ronjor,

thanks for the info. Which of those protocols corresponds to my email clients settings of
"Secure connection (SSL)" or "Secure Authentication"?

Do any ISP's use them yet?

 

Hi Jimbob and Snowman,

I can't SEE where I have posted my IP address

If you can see it somehow then please tell me how and I'll definitely do something about it! I did copy and paste the post from elswhere on the Forum as requested by a moderator. I wondered if that had done something funny?? (The Icons certainly didn't copy) Well you're right it wouldn't be funny!!

Regards Jo M

PS. Perhaps when I said I put in the various "PROCESS ID's" you thought I meant my IP? No you got that wrong! Process ID refers to the number ID which your local operating system gives to the various programs and windows services that are running on your local computer.

PPS. Or is it that you Jimbob are an opportunistic Hacker

 

JO M


No, you did not post your IP address........an I just wanted to warn you not to do so.

***************

 

JIMBOB said:


**Dont suppose you want to post your IP Address.... no, OK.**



******************************************



JO M


the above post may have been nothing more than the poster mis-understanding.............of you posting this:


_____________________________
***Is there any way that pressure can be brought on them to do so?? I thought perhaps a "chain mail", but that would definitely be classed as Spam? On the other hand >if someone did do that then it would definitely be "ethical spam"!<****

____________________________


such mis-understanding do happen.......usually meaningless. In this case no harm done...since you did not post your IP address......

 

Thanks Ron. The site is interesting.

Jo M

 

TheSnowman,

to clear up the missunderstanding what I was suggesting was for people to start a chain of emails as follows. Each person taking the trouble to email 5 or 10 of their friends or colleagues with info about the lack of proper security in the currently used email protocols and urging their friends to do what I am going to do which is to contact my ISP directly and complain/urge them to implement more secure methods for our email. Then to contact 5 more friends or colleagues and do the same. Actually not technically Spam? Just "Chain Mail" or "Pyramid Mail" (but with no profit motive!) Some people might not welcome it? More fool them?

Regards Jo M

 

JO M


My last post was made BEFORE seeing this:


https://www.wilderssecurity.com/showthread.php?t=53901




so maybe I owe you an apology......you questioned wisely.

* I understood the meaning of your post but thought perhaps "someone" else may have not.............not so sure now. But whatever the case.....no harm done.*

also, my apology for all the off-topic posts......glad you found an answer with the help of Mike and Ron..........

 

Thanks The Snowman,

that link was very interesting!

Jo M

 

Hi Jo M!
Quote :
what I was suggesting was for people to start a chain of emails as follows. ...
End quote.

Just because you have just discovered the obvious does not mean you should add pain to injury by starting a mail chain of sorts !!!

I would suggest you read and sudy and experiment with (Telnet your POP server!) and meditate over the relevant RFC (request for comments - the internet "standards", which you can find easily by Googlin for RFC) rather than trying to start that nonsense ;-)

Sorry if it seems too harsh, I really mean what I just wrote.
Plus, if I may add a hint, the solution to your perceived problem is well known : ask your internet provider if they offer /secured/ POP or IMAP access, and if they don't, change providers (or suffer ... silently).

Cheers

--
Czerno

 

Hi Czerno,

I have asked my ISP already. They don't. THEY suggested making it more official with a written request on their web site, which I HAVE DONE.

For my own reasons I don't wish to change ISP right now. So I may have to do the suffering in silence that you suggest? Well no! I may be English. The English may normally "suffer in silence" a lot but I don't see why I shouldn't complain!!

My suggestion amounted to the assumption that one person will not be heard but IF other people also want more secure email then if a lot of requests/complaints could be made to the ISP's concerned then this would have more impact!!

Nobody has yet given any names of ISP's that do encryption for the password for login. I am in the UK. Are there any?

Could I humbly suggest that if you can't answer that last question with some simple names then you should be the one suffering my complaints/requests in silence!

Regards Jo M

 

Hi Czerno,

I would like to add that I have just looked up some of the RFC's on Secure email.

Sorry your'e suggestion doesn't help me, an end user, in the slightest!!!
It just seems aimed at saying you know more than me (which you may)
and for me to shut up (which you are not entitled to!)

Regards Jo M

 

Jimbob1989,

I have removed your post as it is against our TOS. Please review our TOS and become familiar with it. We do not allow any derogatory personal remarks or attacks on this forum.

Thank you for your cooperation.

Edit: I have also removed your last post as it is off topic and has nothing to do with this thread. If you wish to start a thread concerning that topic, please post it in the appropriate forum.

 

encrypted web mail

Hi Ronjor I was just reflecting on what you had said earlier (after several interuptions to this thread!) and I realised that what you said made a lot of sense. I havn't used a web based email service now for some time but I think I might just find out more:- whether the encryption they offer is a)just text, b) does the headers as well, c) does the password as well

As far as I can see the password would be covered by the Browsers Security and the login page would show a padlock? Perhaps they don't have headers in quite the same way? I'll try to find out!

Regards Jo M

 

Ronjor is Brilliant!

Hi Ronjor,

You're totally brilliant! A Star!

Thanks for various info and that link Jo M