[ale] how secure is ssl email login

Ron Frazier (ALE) atllinuxenthinfo at techstarship.com
Fri Apr 26 14:27:36 EDT 2013



"Michael B. Trausch" <mbt at naunetcorp.com> wrote:

>On 04/26/2013 12:50 PM, Ron Frazier (ALE) wrote:
>> So, the question is this.  I'm in a coffee shop.  I engage the wifi.
>> Immediately, before I bring up my vpn, the email will poll its server
>> for mail.  I know that the email will be encrypted once it's logged in.
>> But, I'm wondering if my login credentials are sent in the clear or
>> not.  Is there a possibility that someone in the room could hijack my
>> credentials?
>
>Only if "SSL always" means "SSL only after you've authenticated".  Of
>course, such a mechanism would be patently useless.  :)
>
>More seriously, the answer is no---barring the normal methods one would
>require to break the encryption, such as having the private key, it is
>not going to be snooped.
>
>As a side note, you could have confirmed this through an experiment,
>which would have also had the effect of discovery of the information
>you sought aiding in your retention of it.  Log in to email with a
>packet sniffer running and see what you see when you follow the
>resulting TCP stream.  Does it look like random noise?  Can you find
>any of your information or your information's patterns in the stream?
>Probably not, since SSL encryption is known to work.  :)
>
>Or, you could have hit Google and found that secure POP3 on port 995 is
>always encrypted, while POP3 on standard port 110 is in the clear until
>encryption parameters are negotiated, which occurs before user-level
>authentication.
>
>    --- Mike
>
>

Hi Mike T,

Thanks for the info.  I had no easy way to execute a sniffer in the environment I was in since I had only the tablet with me.  I have Wireshark on my Windows machine at home, but at home, I'm always on WPA2.  I've never figured out how to have one machine snoop on another in that scenario.

What was bugging me is that the email client has two parameter settings.  There is the security option, which is set to SSL always.  Then there is the authentication option.

For the POP server on port 995, the authentication options are:

- plain (this is selected)
- cram-md5

For the SMTP server on port 465, the authentication options are:

- automatic
- login (this is selected)
- plain
- cram-md5

On Eudora, the options are somewhat different.  Security is set to SSL/TLS.  Then, there is a checkbox that simply says use secure authentication.  That checkbox is off for both POP and SMTP.  Port numbers are the same as above.

So, the way the menus are presented made me wonder if the login sequence is not secure.  I've tried turning the secure authentication checkbox on in Eudora, but the email fails to work then.  I haven't tried all the other options on the K-9 program.  I have also tried googling around some in the past to figure out what all this means and how and why it should be set a certain way, but haven't had success.

So, if the email is, in fact, fully secure at all times, whether I'm running a VPN or not, then that's good to know.

Sincerely,

Ron



--

Sent from my Android Acer A500 tablet with bluetooth keyboard and K-9 Mail.
Please excuse my potential brevity if I'm typing on the touch screen.

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new email messages very quickly.)

Ron Frazier
770-205-9422 (O)   Leave a message.
linuxdude AT techstarship.com
Litecoin: LZzAJu9rZEWzALxDhAHnWLRvybVAVgwTh3
Bitcoin: 15s3aLVsxm8EuQvT8gUDw3RWqvuY9hPGUU
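
Added example (not part of the original thread): what the "plain", "login" and "cram-md5" authentication options listed above put on the wire, independent of the SSL setting. The user name, password and challenge are the sample values from RFC 2195's worked example; the function names are made up for this sketch.

```python
from __future__ import annotations
import base64
import hashlib
import hmac

# Sample values are the ones used in RFC 2195's worked example, not real credentials.
USER, PASSWORD = "tim", "tanstaaftanstaaf"
CHALLENGE_B64 = base64.b64encode(b"<1896.697170952@postoffice.reston.mci.net>").decode()

def sasl_plain(user: str, password: str) -> str:
    """'plain' (RFC 4616): base64 of NUL + user + NUL + password."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()

def sasl_login(user: str, password: str) -> tuple[str, str]:
    """'login': user name and password base64-encoded as two separate replies."""
    return (base64.b64encode(user.encode()).decode(),
            base64.b64encode(password.encode()).decode())

def cram_md5(user: str, password: str, challenge_b64: str) -> str:
    """'cram-md5' (RFC 2195): base64 of user + space + hex HMAC-MD5(password, challenge)."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()

def recover_from_plain(reply: str) -> tuple[str, str]:
    """Undo the base64 of a 'plain' reply; no key is needed."""
    _authzid, user, password = base64.b64decode(reply).split(b"\0")
    return user.decode(), password.decode()

def password_readable_without_tls(user: str, password: str, challenge_b64: str) -> dict[str, bool]:
    """Per mechanism: does base64-decoding the client's replies reveal the password?"""
    replies = {
        "plain": [sasl_plain(user, password)],
        "login": list(sasl_login(user, password)),
        "cram-md5": [cram_md5(user, password, challenge_b64)],
    }
    return {mech: any(password.encode() in base64.b64decode(r) for r in rs)
            for mech, rs in replies.items()}

if __name__ == "__main__":
    print("plain reply:   ", sasl_plain(USER, PASSWORD))
    print("decoded:       ", recover_from_plain(sasl_plain(USER, PASSWORD)))
    print("cram-md5 reply:", base64.b64decode(cram_md5(USER, PASSWORD, CHALLENGE_B64)).decode())
    print(password_readable_without_tls(USER, PASSWORD, CHALLENGE_B64))
```

With security set to "SSL always" on ports 995 and 465, every one of these replies travels inside the already encrypted session, so the authentication option only decides what the server sees, not what someone on the coffee-shop wifi sees.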



