SSL POP3 E-mail

Discussion in 'other security issues & news' started by AvianFlux, Oct 22, 2005.

Thread Status:
Not open for further replies.
  1. AvianFlux

    AvianFlux Registered Member

    Joined:
    Dec 7, 2004
    Posts:
    237
    When applying SSL to e-mail traffic, is that traffic secure from eavesdropping through all server hops between the e-mail client and the SSL-equipped POP3 mail server?
     
  2. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hello AvianFlux,

    Yes, it will be a secure encrypted connection between your mail client and the SSL POP3 server.
    Eavesdroppers would only get some minimal details of the SSL certificate exchange between your mail client and the POP3s server. They would also have your IP and the POP3s IP, as well as the port numbers involved, and the time, date, and duration of the communication. But the contents of the email, your username, and password would not be revealed.

    Only a much more sophisticated attacker would be able to mess with certificates (which should alert you) or break the 128-bit encryption (unlikely).

    It is good you bring this up, because most people are unaware that every time they check their email, they send their username and password out over the internet in plaintext. Anyone eavesdropping can easily acquire the ability to check all your email in the future without your knowledge.

    Sending an email via SMTP reveals even more info!
     
  3. AvianFlux

    AvianFlux Registered Member

    Joined:
    Dec 7, 2004
    Posts:
    237
    Greetings Devinco,

    That's very unsettling to know. I was experimenting with Nerdshack's SSL enabled POP3 e-mail service which brought on the question. I monitored the SSL traffic with a packet sniffer, and it indeed does scramble both incoming and outgoing e-mail traffic.

    Is it true that most popular e-mail service providers, e.g., Hotmail and Yahoo, use SSL for login traffic to shield the username and password from sniffers, but do not secure the message portion of the e-mail?

    Thanks for your response.

    Avian
     
  4. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    That is a good idea to test your email client with a packet sniffer to see just how much info you are revealing. Different clients/services/connections will reveal varying amounts of info.

    Yes, it is true, the connection is encrypted but not the email itself. As long as the email is travelling through the SSL connection, eavesdroppers cannot see the message contents. But once the mail passes from server to server (like between your outgoing mail server and the recipient's incoming mail server), it is very likely the connection will not be SSL and the email will be plaintext.

    Also, does Nerdshack offer SSL over SMTP (SMTPs)? POP3s only handles your incoming mail. Your outbound SMTP can also be SSL (SMTPs).
     
  5. AvianFlux

    AvianFlux Registered Member

    Joined:
    Dec 7, 2004
    Posts:
    237
    Oh well, at least it's secure half of the way to the destination. :D

    Yes, Nerdshack does have SSL over SMTP. This from their website.

    Avian
     
  6. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    If the other person getting your mail also connects SSL then the mail will travel plaintext only one third of the way going from server to server.
    You could also encrypt the message itself with encryption software. Then the message contents would still be protected during the non-SSL connection.

    Make sure you thoroughly packet sniff a test email both sending and receiving with your email client. Test with both STARTTLS and SSL. I have found that at least with Thunderbird, STARTTLS on send reveals unnecessary info about the email. Check all the packets for the plaintext info from your client, not just one or two. Thunderbird only supports SSL on inbound POP3s.
    You should see plaintext about the certificate and related URLs, but nothing about the email like subject, recipient address, etc. In your test email, make an easy-to-spot subject line.
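
The self-test described in the post above (send a test message with an easy-to-spot subject, then check every captured packet for it) can be automated. This is an added example, not part of the original thread: the marker values, the `audit` helper and the sample payloads are all constructed for illustration, and the payload list stands in for TCP payloads exported from your own capture. It also decodes base64 tokens, since SMTP AUTH credentials sent before TLS are only encoded, not encrypted.

```python
import base64
import binascii
import re

# Constructed markers: put these in the test message and test account.
MARKERS = (b"ZEBRA-TEST-1234", b"avian@example.test", b"hunter2-not-real")

def is_tls_record(payload):
    """Heuristic: TLS record header = content type, major version 3, minor 0-4."""
    return (len(payload) >= 5 and payload[0] in (20, 21, 22, 23)
            and payload[1] == 3 and payload[2] <= 4)

def base64_views(payload):
    """Yield decodings of base64-looking tokens (e.g. SMTP AUTH PLAIN)."""
    for token in re.findall(rb"[A-Za-z0-9+/]{8,}={0,2}", payload):
        try:
            yield base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64, ignore

def audit(payloads, markers=MARKERS):
    """Return [(index, kind, leaked markers)] for every TCP payload."""
    report = []
    for index, payload in enumerate(payloads):
        kind = "tls" if is_tls_record(payload) else "plaintext"
        views = [payload, *base64_views(payload)]
        leaked = sorted(m.decode() for m in markers if any(m in v for v in views))
        report.append((index, kind, leaked))
    return report

# Constructed capture: a cleartext POP3 login, an SMTP session that sends
# AUTH and a header before any TLS, then TLS records as seen on POP3S.
SAMPLE = [
    b"USER avian@example.test\r\n",
    b"PASS hunter2-not-real\r\n",
    b"AUTH PLAIN " + base64.b64encode(b"\0avian@example.test\0hunter2-not-real") + b"\r\n",
    b"Subject: ZEBRA-TEST-1234\r\n",
    b"STARTTLS\r\n",
    b"\x16\x03\x01\x00\x04\x01\x00\x00\x00",
    b"\x17\x03\x01\x00\x20" + bytes(range(128, 160)),
]

if __name__ == "__main__":
    for index, kind, leaked in audit(SAMPLE):
        print(index, kind, leaked or "-")
```

Any row that lists a marker means that value crossed the wire readable; a clean SSL session should produce only `tls` rows with no markers.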
     
  7. AvianFlux

    AvianFlux Registered Member

    Joined:
    Dec 7, 2004
    Posts:
    237
    I did that with SSL, and there was only the certificate and url info in plain text. I couldn't get the STARTTLS to function for whatever reason.

    I also sniffed Hotmail packets and discovered the username and message content are visible, however the password data is encrypted.

    As you've pointed out, encryption software appears to be the most secure method for transmitting data over the Internet. That can become an issue when the party at the other end doesn't understand how to operate the encryption software and/or finds it to be a tedious process. o_O

    Thanks for the feedback.

    Avian
     
  8. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Interesting. What email client are you using for the Hotmail?

    Even if you do encrypt the message, it is still a good idea to encrypt the connection (SSL) so your password and user name are not exposed.
    If you both have accounts at the same email provider, then the plaintext message travel will only be between the same company's servers.
     
  9. AvianFlux

    AvianFlux Registered Member

    Joined:
    Dec 7, 2004
    Posts:
    237
    I use Outlook Express. Free Hotmail accounts block POP3 access to all clients, other than Outlook/OE, I believe.

    Hey, there's a no-fuss solution most won't find bothersome. :) Thanks for the info.

    Avian
     
  10. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    I haven't used OE for years because of other weak security problems. It is kind of misleading for MS to connect via SSL but then send the email plaintext. How many people are going to packet sniff their own email to discover this truth?
    I can't think of a better reason to move your email to a new email client and email service. Thunderbird works well and can import from OE, but there are others. There was a thread about free web mail services here that was good.
    I know fastmail with Thunderbird allows a secure SSL IMAP (IMAPs) connection for downloading/managing email that is not plaintext between the client and server. If you want to send email securely though, you will have to use the web browser interface (HTTPS) or send out SMTP via another service (not secure).
    I know COTSE is a good service for this secure email purpose.
    Let us know how you like nerdshack after you have used it for a while.

    It is not a total solution (there never is), but it can reduce the exposure of plaintext emails somewhat and certainly protect your password.
    The weak points are at the email servers and how they connect to each other. If the servers are spread out (like one on each coast), then the email will travel plaintext between them.

    You are very welcome. Share what you learn and we all benefit. :)
     
    Last edited: Oct 23, 2005
  11. AvianFlux

    AvianFlux Registered Member

    Joined:
    Dec 7, 2004
    Posts:
    237
    I don't know if Hotmail even makes the claim SSL is used with their free accounts. Paid accounts are another matter. What I do know is the message and username are in plain text, but the password is encrypted.

    What if there's only one e-mail server? I don't think Nerdshack has a network of servers spread out across the country.
     
  12. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Find out if the SMTP and POP3 servers are exactly the same like:
    POP3: mail.nerdshack.com
    SMTP: mail.nerdshack.com
    That would be ideal because then the mail would never leave the one server plaintext. The only weak point then would be the one server itself.
    But it is much more common that they use 2 servers:
    POP3: pop.nerdshack.com
    SMTP: smtp.nerdshack.com
    It makes sense that these 2 servers would be located near enough to each other for maintenance etc. So your plaintext exposure would be limited.
    Also note that one domain such as pop.nerdshack.com may be actually shared among several servers to handle large amounts of traffic (load balancing etc.) but these multiple servers will still probably be within one LAN.
     
  13. AvianFlux

    AvianFlux Registered Member

    Joined:
    Dec 7, 2004
    Posts:
    237
    The servers listed above are the same e-mail servers Nerdshack uses - ideal. :D
     