[ale] how secure is ssl email login
Michael B. Trausch
mbt at naunetcorp.com
Fri Apr 26 13:00:42 EDT 2013
On 04/26/2013 12:50 PM, Ron Frazier (ALE) wrote:
> So, the question is this. I'm in a coffee shop. I engage the wifi. Immediately, before I bring up my vpn, the email will poll its server for mail. I know that the email will be encrypted once it's logged in. But, I'm wondering if my login credentials are sent in the clear or not. Is there a possibility that someone in the room could hijack my credentials.
Only if "SSL always" means "SSL only after you've authenticated". Of
course, such a mechanism would be patently useless. :)
More seriously, the answer is no---barring the normal methods one would
require to break the encryption, such as having the private key, it is
not going to be snooped.
As a side note, you could have confirmed this through an experiment,
which would have also had the effect of discovery of the information you
sought aiding in your retention of it. Login to email with a packet
sniffer running and see what you see when you follow the resulting TCP
stream. Does it look like random noise? Can you find any of your
information or your information's patterns in the stream? Probably not,
since SSL encryption is known to work. :)
Or, you could have hit Google and found that secure POP3 on port 995 is
always encrypted, while POP3 on standard port 110 is in the clear until
encryption parameters are negotiated, which occurs before user-level
authentication.
--- Mike
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.ale.org/pipermail/ale/attachments/20130426/f0675f10/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <http://mail.ale.org/pipermail/ale/attachments/20130426/f0675f10/attachment-0001.sig>
More information about the Ale
mailing list