[ale] how secure is ssl email login
David Tomaschik
david at systemoverlord.com
Fri Apr 26 15:40:53 EDT 2013
On Fri, Apr 26, 2013 at 11:27 AM, Ron Frazier (ALE) <
atllinuxenthinfo at techstarship.com> wrote:
>
>
> "Michael B. Trausch" <mbt at naunetcorp.com> wrote:
>
> >On 04/26/2013 12:50 PM, Ron Frazier (ALE) wrote:
> >> So, the question is this. I'm in a coffee shop. I engage the wifi.
> >> Immediately, before I bring up my vpn, the email will poll its server
> >> for mail. I know that the email will be encrypted once it's logged in.
> >> But, I'm wondering if my login credentials are sent in the clear or
> >> not. Is there a possibility that someone in the room could hijack my
> >> credentials.
> >Only if "SSL always" means "SSL only after you've authenticated". Of
> >course, such a mechanism would be patently useless. :)
> >
> >More seriously, the answer is no---barring the normal methods one would
> >require to break the encryption, such as having the private key, it is
> >not going to be snooped.
> >
> >As a side note, you could have confirmed this through an experiment,
> >which would have also had the effect of discovery of the information
> >you sought aiding in your retention of it. Login to email with a packet
> >sniffer running and see what you see when you follow the resulting TCP
> >stream. Does it look like random noise? Can you find any of your
> >information or your information's patterns in the stream? Probably
> >not, since SSL encryption is known to work. :)
> >
> >Or, you could have hit Google and found that secure POP3 on port 995 is
> >always encrypted, while POP3 on standard port 110 is in the clear until
> >encryption parameters are negotiated, which occurs before user-level
> >authentication.
> >
> > --- Mike
> >
> >
>
> Hi Mike T,
>
> Thanks for the info. I had no easy way to execute a sniffer in the
> environment I was in since I had only the tablet with me. I have wireshark
> on my Windows machine at home, but at home, I'm always on wpa2. I've never
> figured out how to have one machine snoop on another in that scenario.
>
> What was bugging me is that the email client has two parameter settings.
> There is the security option, which is set to SSL always. Then there is
> the authentication option.
>
> For the pop server on port 995, the authentication options are:
>
> - plain (this is selected)
> - cram-md5
>
> For the smtp server on port 465, the authentication options are:
>
> - automatic
> - login (this is selected)
> - plain
> - cram-md5
>
> On Eudora, the options are somewhat different. Security is set to
> ssl/tls. Then, there is a checkbox that simply says use secure
> authentication. That check box is off for both pop and smtp. Port numbers
> are the same as above.
>
> So, the way the menus are presented made me wonder if the login sequence
> is not secure. I've tried turning the secure authentication checkbox on in
> Eudora, but the email fails to work then. I haven't tried all the other
> options on the k9 program. I have also tried googling around some in the
> past to figure out what all this means and how and why it should be set a
> certain way, but haven't had success.
>
> So, if the email is, in fact, fully secure at all times, whether I'm
> running a vpn or not, then that's good to know.
>
> Sincerely,
>
> Ron
>
"Secure authentication" is the choice of authentication mechanisms that do
not expose plaintext credentials even over an unencrypted channel.
CRAM-MD5 is the "commonly" supported choice there.
One note about CRAM-MD5 is that it requires that the server store plaintext
passwords... so CRAM-MD5 was from a time (maybe we're still there for some
providers) when transport security was a bigger deal than storage
security.
--
David Tomaschik
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com
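As an added example (not code from the thread), here is the CRAM-MD5 exchange as RFC 2195 specifies it, showing what the client actually puts on the wire and why the server needs the plaintext password to verify; the hostname, account name and password values are constructed.

```python
"""CRAM-MD5 (RFC 2195) challenge/response, both sides, worked end to end."""
import base64
import hashlib
import hmac
import os
import time


def make_challenge(hostname="mail.example.test"):
    """Server side: a fresh, unpredictable challenge in the RFC 2195 form.

    The hostname is a constructed placeholder, not a real server.
    """
    nonce = int.from_bytes(os.urandom(4), "big")
    return f"<{os.getpid()}.{nonce}.{int(time.time())}@{hostname}>"


def client_response(username, password, challenge):
    """Client side: base64(username + ' ' + hex(HMAC-MD5(key=password, msg=challenge)))."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def server_verify(response_b64, challenge, password_db):
    """Server side: recompute the HMAC from the *stored plaintext* password.

    A salted hash of the password cannot be used here, because HMAC-MD5 needs
    the original secret as its key. That is the storage weakness of CRAM-MD5.
    """
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode()
        username, digest = decoded.rsplit(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False
    stored = password_db.get(username)
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), challenge.encode(), hashlib.md5).hexdigest()
    # Constant-time comparison so the check itself leaks nothing via timing.
    return hmac.compare_digest(expected, digest)


def wire_contains_password(response_b64, password):
    """What a sniffer on an unencrypted link sees: no copy of the password."""
    return password in base64.b64decode(response_b64).decode()
```

The RFC 2195 test vector (user "tim", password "tanstaaftanstaaf") reproduces with these functions, and a response captured for one challenge fails against any later challenge, which is what makes the mechanism safe to use even before the SSL layer is up.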