cancel
Showing results for 
Search instead for 
Did you mean: 

Email Security Gap: No SSL/TSL: Password in plain text between client and server.

FIXED
Neil6
Newbie
Posts: 3
Registered: 31-03-2017

Email Security Gap: No SSL/TSL: Password in plain text between client and server.

The question is....am I correct?

1) PlusNet does not support SSL or TLS for IMAP or POP.

2) Result: When I communicate from my laptop to the PN email server requesting my email it requests my username and password. With PlusNet email these are sent in PLAIN text between my laptop and the email server?

3) The main default email account has the same password as my actual PlusNet account.

4) Do Plusnet store these in plain text on their database.

I've just noted that BT, Virgin and others support and actively promote SSL/TLS which encrypts my communications between the laptop and email server.

I've also just noted serious concern raised regarding this security 'feature' in the community over nine years...

I just moved from BT because of the 'Yahoo' security breaches. Ironic.

I'm not concerned about Government agencies but to issue a password in plain text appears reckless.

So do I leave Plusnet? Seriously considering this. This is a deal breaker.

Do I get a separate email package....even most free ones encrypt.

Not very pleased....feel like going to main IT media reviewers and highlighting that this should be emphasized as a critical feature in their reviews in future...If points 1 to 3 are correct.

Your opinions welcome.

 

Tags (4)
7 REPLIES
Gel
Seasoned Pro
Posts: 1,559
Thanks: 160
Fixes: 13
Registered: 02-08-2007

Re: Email Security Gap: No SSL/TSL: Password in plain text between client and server.

SSL/TSL-

If you'd done some research before signing up, you'd have seen this is not something offered; you can find posts

on this forum, on it's absence. No point in you wasting time wailing to the media; just move if it's critical

and find & pay for the service you need.

Community Veteran
Posts: 26,695
Thanks: 918
Fixes: 10
Registered: 10-04-2007

Re: Email Security Gap: No SSL/TSL: Password in plain text between client and server.

Fix

You can get round the email password being the same as the account password issue.

Go to Manage My Mail in the Mailbox settings on the portal and on the mailboxes tab rename your default mailbox to something else. Then create a new mailbox with the same name as your old default mailbox - this will require you to set a password specifically to be used for the mailbox.

If you have the catch all turned on (i.e mail addressed to anything@username.plus.com reaches you, you will need to go to the Catch All tab and select the newly created mailbox.

Now when you go in to webmail and in your mail client the account name will be username+newmailbox (e.g. if your username is smith and the mailbox you create is fred the login name is "smith+fred").

If you were using IMAP you will probably need to move all the mail from your old mail box to the new mailbox.

jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£13/month)
Mobile: iD mobile (£4/month)
Neil6
Newbie
Posts: 3
Registered: 31-03-2017

Re: Email Security Gap: No SSL/TSL: Password in plain text between client and server.

Thanks Veteran...useful...will do... :-)

Neil6
Newbie
Posts: 3
Registered: 31-03-2017

Re: Email Security Gap: No SSL/TSL: Password in plain text between client and server.

Hi Pro  :-)

Thanks for the response :-)

 

Just to note that as a 'Joe Soap' I don't expect many in the general public should be expected to proactively check and understand/anticipate absence of an email industry standard SSL/TLS on their email client. ...a bit like Microsoft advising Joe Soap to manually change registry/bios settings... ;-)

I've not noted any reviews stating that with one company you don't get encryption of your password in this situation... its just plain text....apart from the 'Register' which noted another apparent issue.... ;-) and 'YEP' Veteran, I'll be taking ur advice re password protection.

 

The tech help desk were quick and v honest which I greatly appreciated....basically stated that PN doesn't really do a good email service ....I call it phantom ware.... ;-)  .....best try elsewhere....which I have... ie get your own email provider which includes the industry standard encryption...  ;-)

PN Broadband working well so far.... and like the helpdesk... :-)

 

 

 

 

Moderator
Moderator
Posts: 18,244
Thanks: 2,717
Fixes: 215
Registered: 06-04-2007

Re: Email Security Gap: No SSL/TSL: Password in plain text between client and server.

Moderator's note by Mike (Mav): I have changed the fix to @jelv as per message #3.

Forum Moderator and Customer
Courage is resistance to fear, mastery of fear, not absence of fear - Mark Twain
He who feared he would not succeed sat still

milrob1
Newbie
Posts: 1
Registered: 28-05-2018

Re: Email Security Gap: No SSL/TSL: Password in plain text between client and server.

I use GMail to access both my Plusnet & GM email, which I use to conveniently separate different traffic.

Google has just reminded me that "Your personal information is vulnerable because you allow apps & devices to access your account in a less secure way."

It seems that PN refuses to implement encryption.

Please can someone advise whether I have jeopardised access to my whole Google account by allowing it to access PN's unencrypted email service, or just access to my PN email.

If so then presumably PN's policy is encourage its customers to stop using their email service, which does not seem to make sense.

Superuser
Superuser
Posts: 12,231
Thanks: 3,543
Fixes: 22
Registered: 22-08-2007

Re: Email Security Gap: No SSL/TSL: Password in plain text between client and server.

Hi,

A warm welcome to the forums.

Your question is not unambiguous - what have you done here?  Made Gmail your harvester of emails from Plusnet?  Are you then accessing your Gmail mailbox (which now contains both Gmail & Plusnet email) using IMAP / POP3?

IIRC correctly Gmail does squeal as described over IMAP / POP3 collection.

It might squeal over connecting to PN's mail systems without using SSL/TLS - I do not have direct experience of that, for I see no point / benefit in using Gmail (or any other similar) as an intermediary when any email box can be access directly.

You really need to ask yourself why does Gmail come free and why do they so forcefully push harvesting all your emails from other accounts … what are they doing with all that data?  They are after all a search engine, much of it focussed on promoting adverts.

If there is a realist (as opposed to potential) risk arising from connecting to a mail service without SSL/TLS then that arises when doing so over open public wifi which has no security (encryption) pass phrase.  Such connections are vulnerable to being intercepted (eavesdropped) on the local wifi link.  Connections over wires needs real determination to be hacked.