SSL on IMAP/POP3/SMTP

chrcoluk · ‎11-12-2013

Bob I updated ciphers on about 8 email servers today.
I would love to work for plusnet, getting months to update one email server

just tried to test ssl on relay.plus.net No ssl/tls at all O_o

avatastic · ‎30-07-2007

Quote from: chrcoluk
Bob I updated ciphers on about 8 email servers today.

Perhaps we should change the thread to TLS on IMAP/POP3/SMTP.
Although SSLv2 and SSLv3 may not have been vulnerable when this thread was started, we'd hate for those to be the implemented offerings when they finally do come round!

F9 member since 4 Sep 1999
F9 ADSL customer since 27 Aug 2004
DLM manages your line the same way DRM manages your rights.
Look at all the pretty graphs! (now with uptime logging!)

chrcoluk · ‎11-12-2013

by the time they implement TLS it will be obsoleted by something else

rockyhorror · ‎03-01-2008

This is getting very frustrating.
What is the hold up? Is it technical? Is it financial?
Giving the forum some kind of meaningful update would be nice.

japiewie · ‎07-09-2007

Pending this, Do NOT USE Public and OPEN WIFI. Cellular data packages are now in abbundance and 2G/3G is quite secure. Note that the technology that 3G uses was developed for the US Army for security reasons. That it was amzingly effective for high bandwidth was a brucy bonus

Unless there is a sophisticated attack you should be ok....

rockyhorror · ‎03-01-2008

Dearest Group,
I have some news regarding this issue, but firstly let me give some background about my concerns.
. My father can be described as a 'silver surfer'; this is the sort of person who would not ordinarily look for an alternative (read: secure) email service. He uses his iPad via WiFi in various locations and I feel it is fair that he should have a modicum of security whilst retrieving emails.
. An ISP based email service has a degree of permanency about it - call me old fashioned, but I would rather use Plusnet email for 'serious' matters rather than some free alternative.
. BT and other ISPs provide SSL.
. Is it fair I should have to use an alternative secure email provider based on the point above?
As this has been going on for some time, I composed a letter to the CEO of Plusnet.
I promptly received a very nice letter from customer support, but in short:
. It is being worked on but 'is not something we are fully focused on'.
. PN email is 'a basic email service and free to customers'.
. (PN) 'Primarily we are an ISP'
. 'We do suggest customers to look at a dedicated email provider'.
Therefore my only option is for Outlook.com to retrieve Plusnet emails and I will use Outlook.com SSL in my email clients. As for my father, I am going to have to think about it.
Unfortunately unless there is a big sea change with Plusnet, this thread is dead. Plusnet have not done me proud!

Happy surfing!
Richard

glocal · ‎11-09-2007

This upgrade has been imminent for a number of years. I remember I asked a question around here a long time ago and PN's responses where practically identical to the current ones (we are working on it, watch this space, we'll start trialling with a small group first etc). Frankly, not resolving the issue and not informing the users about the risks is extremely disappointing and inconsistent with the honest image PN is trying to project. I remember the time PN was advertising their offering as the complete package, which even included webspace as part of the basic subscription. Apparently, now they see themselves as offering connectivity only. After 13 years I will have to start looking elsewhere for internet and telephony, but in the meanwhile I will let people know about the risks associated with using unencrypted passwords and PN's attitude, starting with my email signature.
EDIT: I now realise I first raised this in 2008 and several times after that! PN's reassurances sound very familiar.
http://community.plus.net/forum/index.php/topic,80423.msg654997.html#msg654997
http://community.plus.net/forum/index.php/topic,74714.msg627827.html#msg627827
http://community.plus.net/forum/index.php/topic,1993.msg559738.html#msg559738
http://community.plus.net/forum/index.php/topic,65729.msg527407.html#msg527407

Townman · ‎22-08-2007

Five and a half years ago Bob - the project guys really have not fulfilled your reasonable expectations....

Quote from: Bob
Quote from: glocal
Over the last two years I asked this question here but never received a satisfactory answer: why doesn't PN offer SSL protection to its POP3/IMAP/SMTP by default?

It's something that we would like to do and certainly isn't outside of the realms of possibility. It's not on our development roadmap at present but as soon as the opportunity arises we can certainly look at offering a secure means of accessing your mail using IMAP/POP3.
Regarding the Watchdog program you can catch it on iPlayer if you missed it (just watched it myself).
They were targeting Gmail accounts and whilst they didn't tell you how they were doing this, I got the impression that they were scanning for new DHCP clients on the hotspot and then hijacking their web sessions by stealing their cookie/session data.

In another browser tab, login into the Plusnet user portal BEFORE clicking the fault & ticket links

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

If this post helped, please click the Thumbs Up and if it fixed your issue, please click the This fixed my problem green button below.

ClassicLaddie · ‎30-12-2015

I asked 'why doesn't PN offer SSL protection to its POP3/IMAP/SMTP' around 2007 when I first setup a plusnet account for my elderly parents. Now in their 80's and still plusnet customers I am beginning to think they might never see secure plusnet mail! Sending my plusnet account credentials in the 'clear' over the big bad internet is a bit scary to be honest. I suppose at least webmail.plus.net is protected by an ssl certificate but even then it is a wildcard which has inherent security risks. I wonder what the parent company BT Group think of the use of an unsecured customer mail service and the use of wildcard certificates? I'm sure it would raise a few eyebrows not least the potential for a brand impacting security incident on a similar scale to the great plusnet email debacle of 2006!
I suspect secure mail isn't a priority as there probably isn't a long term future for a free plusnet ISP mail service. It's not core ISP business these days. I'd love Plusnet to say otherwise as I am also now a PN customer and would prefer to use a secure Plusnet mail service.

MJN · ‎26-08-2010

Quote from: ClassicLaddie
I suppose at least webmail.plus.net is protected by an ssl certificate but even then it is a wildcard which has inherent security risks.

At the risk of drifting off-topic, what is your concern with PN's use of wildcard certificates?

chrcoluk · ‎11-12-2013

certificates are only there for trust reasons, they dont actually affect the encryption strength.

Madeleyite · ‎19-03-2016

From all the posts in this thread it is clear that PN never intend to offer POP server security for people wanting to download their email using an email client. I refer you to rockyhorror’s post (reply #155) dated 16/02/2016. So the solution is to only use PNs webmail portal which uses https security. Do not use an email client for PN email. Simple! If you have other email accounts using SSL/TLS security, like BT or Gmail, then use those instead. If you haven't any other email accounts then create them.
I speak as someone who loves to download my email using Thunderbird because I have three email addresses (in addition to PNs) which I can access via one interface at the click of a button. I have decided to not use my PN email account except to view, maybe once a month, via webmail portal in case PN send me any emails.
I agree with rockyhorror. This thread is dead. The solution is in your hands, not PNs.

glocal · ‎11-09-2007

It's not 'simple' at all. Webmail is not good enough, PN's webmail is very basic on any platform and inconvenient to use on mobiles, and free webmail providers are not trustworthy. We shouldn't have to buy a separate POP3/IMAP service elsewhere.
More importantly, PN (the 'honest' provider) has been lying to its customers about its plans for years, and has been exposing users to snooping by keeping quiet about the implications of its setup.
The 'simple' solution is to move to another ISP/telephony provider and let people know about the vulnerability PN refused to address.

Eserim · ‎01-08-2007

This is getting silly now - certain apps like Android Outlook don't even have the option anymore from none-secure IMAP.

PLEASE can we have a status upgrade on this? Surely there must be some plans.

Sprytron · ‎08-09-2016

Well - the lack of SSL has reared it's ugly head!

Due to the attitude of PN not willing to do anything about this, I use a third party to retrieve PN emails. I use a secure client with this third party.

However, I had not set my wife's phone in such a manner, so whilst on holiday our COMSEC lapsed whilst using unsecured hotel WiFi and a phone email client.

Imagine my surprise when I see strange login attempts on my server in the UK using my wife's PN email username originating from the city abroad we had been a week previously!

So PN:

. You still insist in providing insecure email.

. I use a third party DNS as yours give me trouble.

Is this the consequence of an ISP on the cheap?

I am surprised that Bob Pullen was allowed to make encouraging noises regarding this issue when the company line is a firm no.

SSL on IMAP/POP3/SMTP

Re: SSL on IMAP/POP3/SMTP

Re: SSL on IMAP/POP3/SMTP

Re: SSL on IMAP/POP3/SMTP

Re: SSL on IMAP/POP3/SMTP

Re: SSL on IMAP/POP3/SMTP

Re: SSL on IMAP/POP3/SMTP

Re: SSL on IMAP/POP3/SMTP

Re: SSL on IMAP/POP3/SMTP

In another browser tab, login into the Plusnet user portal BEFORE clicking the fault & ticket links

Re: SSL on IMAP/POP3/SMTP

Re: SSL on IMAP/POP3/SMTP

Re: SSL on IMAP/POP3/SMTP

Re: SSL on IMAP/POP3/SMTP

Re: SSL on IMAP/POP3/SMTP

Re: SSL on IMAP/POP3/SMTP

Re: SSL on IMAP/POP3/SMTP