SSL on IMAP/POP3/SMTP

timmytoad · ‎18-08-2011

Quote from: Townman
@Tim,
It seems that Apple are being somewhat mischievous in creating a bit of a storm over what has been an accepted (even if not ideal) connection standard for decades. Unilaterally changing configured items without asking the user during an upgrade is extremely poor behaviour.
Users should have been asked if they wanted to make such changes and advised to check with their service providers to confirm that the enhanced facilities were supported.
Kevin

Thanks for that Kevin.

Tim

davec13 · ‎15-02-2014

It's now 5 months since the trial using SSL authentication on outgoing emails was started by Bob Pullen.
What is the current status of this trial and do we have a timescale for full implementation?
Progress on this issue is glacial at best - it was first raised years ago, and I do not think that Plusnet are taking email security seriously.
What do we have to do to get this fixed, complain to OFCOM, ICO, the newspapers, or what??! I'm beginning to think the only solution is to change ISP.

asdfghjkl · ‎12-09-2014

Quote from: matthews
Bear in mind that Google themselves only set encryption by default on their email service 12 months ago!

This is a rather disingenuous analogy. My main concern is not the security of email in transit (what is what Google improved, and what should be a reasonable expectation), but clear passwords being sent when I login to collect my email.
Google *always* required SSL to be enabled for anyone collecting mail via POP3.
Plusnet never did. Plusnet still does not.
Any Plusnet customer checking their email in a traditional client is vulnerable to password theft. Moreso if they are using their laptop or smartphone on an outside public network (library, university, internet café, etc.). That was *never* the case with Gmail.

matthews · ‎13-08-2014

Quote from: Den
Quote from: matthews
Bear in mind that Google themselves only set encryption by default on their email service 12 months ago!

This is a rather disingenuous analogy. My main concern is not the security of email in transit (what is what Google improved, and what should be a reasonable expectation), but clear passwords being sent when I login to collect my email.

A fair point, and I'll clarify that my comment was not meant to be a comparison for log-in details, but was as a response to the claim that Google were going to stop accepting emails over un-encrypted plain text links from alternative service providers in a short timeframe.

x47c · ‎14-08-2009

Quote from: davec13
Progress on this issue is glacial at best - it was first raised years ago, and I do not think that Plusnet are taking email security seriously.
What do we have to do to get this fixed, complain to OFCOM, ICO, the newspapers, or what??! I'm beginning to think the only solution is to change ISP.

Eh - change ISP's?
Why not just sign up for one of the many email providers either free like Hotmail or Gmail or a 'paid for' from one of the business grade suppliers and use that instead of your plusnet email if you are sufficiently concerned.
OFCOM do not regulate email - as there are so many alternatives to use and it's not a semi-monopoly situation.
ISP's regard it as a free-addon in the same way they used to supply webspace to subscribers but not longer do.
From what I've seen the new FTTP altnet ISP companies springing up do not offer any email services at all
I'm still surprised plus net continue to run one.

rockyhorror · ‎03-01-2008

Dearest group,
I fear this one is starting to slip away in the forum - I resurrect you!
Can we we have an update? Desperate for secure PN email.
Please - no PN apologists suggesting moving to a free email service, thank you.
Richard

bobpullen · ‎04-04-2007

Quote from: rockyhorror
Can we we have an update?

Config. for the inbound platform is complete and has recently passed testing. We've not forgotten about this but things are progressing much slower than I originally anticipated. Apologies for the false hope.
The config changes still need to be pushed out to the live platform and there are load balancer changes that need making before the functionality can be made accessible to the outside world. Even then, it will be in isolation so that further testing can take part.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

Townman · ‎22-08-2007

Bob,
Ready when you are.
Kevin

In another browser tab, login into the Plusnet user portal BEFORE clicking the fault & ticket links

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

If this post helped, please click the Thumbs Up and if it fixed your issue, please click the This fixed my problem green button below.

asdfghjkl · ‎12-09-2014

Well, my Gmail has just been compromised despite having 2 step verification enabled, and this has turned out to be the ultimate factor in my decision to leave.
I'm actually not bothered about the price increase, but I need an ISP which can provide a secure POP3 email service. I don't think this is too much to ask in the year 2015. Being given so many days to leave without penalty due to some other issue has turned out to be a godsend.

Townman · ‎22-08-2007

Sorry, but what has the absence of SSL on PlusNet email servers got to do with the compromise of your Gmail?
Gmail have their own email servers which may or may not have SSL, which has absolutely nothing to do with PlusNet email servers.
What do you mean by compromised? If you mean it is now receiving spam email, it is unlikely that that the absence of SSL (with PlusNet or Gmail) is the cause / source of that. SSL does not protect against being spammed.
Setting aside those observations, I agree that in an ideal world, the PlusNet email servers ought to be supporting SSL so that the user name and password are encrypted between the PC and the server - which is all that SSL does.

In another browser tab, login into the Plusnet user portal BEFORE clicking the fault & ticket links

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

If this post helped, please click the Thumbs Up and if it fixed your issue, please click the This fixed my problem green button below.

bobpullen · ‎04-04-2007

Quote from: Den
Well, my Gmail has just been compromised despite having 2 step verification enabled, and this has turned out to be the ultimate factor in my decision to leave.

How is that anything to do with Plusnet's implementation of SSL/TLS? Surely if you have two step auth enabled, you'd be relying on texts sent over a cellular network, voice calls or a one time token generated by a smartphone app or security key?
Regardless, sorry to hear it's the deciding factor in your decision to leave

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

jelv · ‎10-04-2007

I read that as he was using gmail because PlusNet do not offer SSL. Now that gmail has proved to be vulnerable he's moving to an ISP that does offer SSL so he can use their email instead of gmail.

jelv (a.k.a Spoon Whittler)
Why I have left Plusnet (warning: long post!)
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£14.40/month)
Mobile: iD mobile (£4/month)

Townman · ‎22-08-2007

Jelv,
You'd make a good (interesting) legal advocate. I can see how the conclusion might be derived...

Kevin

In another browser tab, login into the Plusnet user portal BEFORE clicking the fault & ticket links

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

If this post helped, please click the Thumbs Up and if it fixed your issue, please click the This fixed my problem green button below.

bobpullen · ‎04-04-2007

Quote from: jelv
I read that as he was using gmail because PlusNet do not offer SSL. Now that gmail has proved to be vulnerable he's moving to an ISP that does offer SSL so he can use their email instead of gmail.

Still makes no sense to me, given that GMail operates over SSL anyway; unless there's been some widespread breach I'm unaware of? Also struggling to understand how an account can be easily compromised if 2FA is enabled e.g. unless somebody has my wristwatch, my mobile phone or is sat next to my landline, then there's almost zero chance they're getting into my Google account - even with my password.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

kingchimp · ‎16-02-2010

Hi,
Just wanted to add my voice to those asking for TLS to be implemented for email. This is loooooooong overdue so please get it sorted as soon as possible!
Thanks