logo

POP3 + SSL = Secure Email ?

Since starting to use my mobile to check my mail (via POP3) I found myself paranoid about the fact I'm sending my login details in plain text for all the world to see (be it on 3G networks or mine or other wireless networks).

So I decided to do something about it and asked Prominic.NET to open port 995 and I then I told the mail app on my Android phone to use SSL. All was well and I feel much better about checking mail while out and about.

Then I decided to do the same for Thunderbird. Here I was able to enable SSL, but then had the option to use "secure authentication".

ScreenShot004

Seeming like a no-brainer I ticked it, only to be told it wasn't supported the next time I tried to check my mail. Leaving it unticked (as shown) works.

So, the question is, am I secured or not?

It's the authentication part of the process I want to be secured. It's my password I want encrypted, not so much the email content.

Comments

  1. Man-in-the-middle attacks are very few and far between.

    Thats not to say that they don't exist. Obviously I advocate the use of SSL at all times. Not just for email, but for everything. The Client is particularly good at this as you can set it to encrypt all traffic.

    But if you use another application, you really ought to use SSL. In this case, the answer is 'I don't know'. The only way you can get the information is to use something like WireShark to trace the packets and see if you can see your ID and/or password buried in there.

    My talk at UKLUG in October is all about hacking Domino servers.

    • avatar
    • Jake Howlett
    • Wed 16 Sep 2009 04:41 AM

    Good point Dragon. Didn't think of looking with Wireshark. Just did and all I can see is garble text. Nothing "plain" in there. Should I rest easy?

  2. Depends. If the packets were directed to clients.rockalldesign.com then yes I say you're good to go. If the packets were directed at your IP address then that could well have been the initial handshake and setup. Your ID wouldn't have been sent at that point since it was still negiotiating the level of SSL, shared keys etc.

    If the packets weren't aimed at port 995 then it could well look "garbled" due to compression. In which case you *should* be worried. Decompress and Mr Black Hat is having a field day. :)

    Either way, man-in-the-middle attacks are very few and far between. The highest level of incidence of these I see are at internet cafe's and public hotspots. I serioulsy doubt your local provider is going to be worried enough to go about snooping your packets.

    Unless the Government thinks you have something to hide. O_o

  3. It should be. One way to tell for sure is to block port 110 (nonSSL POP) at the firewall and see if everything still works - it should and it should route everything over the POP3S port (995).

    My understanding was the "use secure authentication" was designed to secure (sic) nonSSL POP3 login credentials.

    If you note, a number of sites that require secure communications do NOT require that to be checked, as there are bugs in it in various POP3 clients.

    refs:

    http://sharkysoft.com/tutorials/linuxtips/pop3s/

    http://www.nacs.uci.edu/email/secure-pop.html

    • avatar
    • Jake Howlett
    • Wed 16 Sep 2009 12:57 PM

    You might be on to something there Craig. Thinking about it - the "use secure authentication" doesn't require SSL be enabled in the option above it. Although if enabling SSL disabled the checkbox below it then it would make a bit more sense.

  4. Well once SSL is on, it means your secure. Still that settings show that option. Quite confusing. But as a user we prefer to tick it anyways. @Craig Wiseman: If we block that nonSSL port, what would be the situation if some application of the phone designed by myself needs to use that port? What if I want that when Im not using that application I want security on and off else? I cant sell a product which need user to change its settings everytime they use that application.

Your Comments

Name:
E-mail:
(optional)
Website:
(optional)
Comment:


About This Page

Written by Jake Howlett on Wed 16 Sep 2009

Share This Page

# ( ) '

Comments

The most recent comments added:

Skip to the comments or add your own.

You can subscribe to an individual RSS feed of comments on this entry.

Let's Get Social


About This Website

CodeStore is all about web development. Concentrating on Lotus Domino, ASP.NET, Flex, SharePoint and all things internet.

Your host is Jake Howlett who runs his own web development company called Rockall Design and is always on the lookout for new and interesting work to do.

You can find me on Twitter and on Linked In.

Read more about this site »

More Content