21

My ISP gives instructions on how to connect to its POP3 and SMTP email servers:

These settings will help you to set up your email program.

  • email server: POP3
  • POP server (incoming): pop.orangehome.co.uk
  • POP incoming port: 110

  • SMTP server (outgoing): smtp.orangehome.co.uk

  • outgoing SMTP port: 25
  • use secure connection (Secure Sockets Layer or SSL): no
  • authentication: none

As I understand, these settings imply the connection won't be secured with SSL/TLS:

  • IMAP uses port 143, but SSL/TLS encrypted IMAP uses port 993.
  • POP uses port 110, but SSL/TLS encrypted POP uses port 995.
  • SMTP uses port 25, but SSL/TLS encrypted SMTP uses port 465.

Is there a risk to sending and receiving emails without a secure SSL/TLS connection? Should I be concerned? What could happen?


EE is a British ISP with about 1 million customers. Plusnet, another British ISP, also instructs users to connect insecurely to its IMAP and POP servers ("SSL/TLS: No").

Colonel Panic
  • 3
    I think this might answer your question http://security.stackexchange.com/questions/51552/how-insecure-is-pop-imap-smtp – iainpb Dec 20 '16 at 12:56
  • SMTP also uses port 587 – Jasen Dec 20 '16 at 18:40
  • 1
    [Yes, there is a risk](https://res.cloudinary.com/peerlyst/image/upload/v1468956699/post-attachments/wall-of-sheep_oryqui.jpg). – André Borie Dec 20 '16 at 19:31
  • 2
    Why are you surprised? Email protocols were designed before people had any thoughts about security on the internet, and hence they do not provide integrity, authenticity nor confidentiality. – Bakuriu Dec 20 '16 at 19:39
  • 3
    Note that being a big ISP doesn't mean anything in terms of security - in fact it may be the opposite, bigger = less secure. I've personally seen horrors on O2's internal systems as well, like passing sensitive customer and credit card data through outdated Windows XP machines with Flash *and* Java. – André Borie Dec 20 '16 at 20:08
  • Wow, they don't have STARTTLS support either. – Michael Hampton Dec 21 '16 at 04:11

7 Answers

28

Is there a risk to sending and receiving emails without a secure SSL/TLS connection?

The problem is equivalent to using your webmail via plain HTTP. A man-in-the-middle attacker could capture the emails you exchange with the server and sniff your login credentials as they are sent in plain text.

Such an attack is possible for someone in the same Wifi as you, your roommate, your employer or your ISP - it is particularly easy for everyone who processes the traffic on the way between you and the server, but it's usually not feasible for a remote attacker (like a friend who's attacking you from their home).

So, if you do it in your private home network and don't fear your ISP logging your data¹, you're fine. In a public Wifi however, it's a serious risk - especially because email clients usually contact the server periodically in the background without your interaction. So, as opposed to using your webmail, you would not send your password just once in the beginning, but broadcast it every 15 minutes to check for updates.

(Also note that it's particularly easy for an attacker to automatically extract POP3/IMAP/SMTP credentials from the traffic as their transmission is part of the respective protocol. For a webmail login form, they would at least have to search through the HTTP traffic to find the request where the password is transmitted.)

¹ In your case, the ISP is the mail provider so they obviously already have access to that information.

Arminius
  • Note that even in your secure wifi, at home, for the mail of your ISP, there is still a problem: infected routers in your ISP infrastructure. Not a myth. They already inject ads into http traffic. Who knows if they don't catch passwords too? – Tom Dec 22 '16 at 11:40
  • @Tom I've heard of infected routers, and routers injecting ads, but not router infections causing them to inject ads. (Who would waste such a valuable attack vector on something so trivial?) – user253751 Jan 30 '17 at 10:00
  • @immibis If I remember correctly, it was unclear if these routers were infected or act maliciously on purpose. The source: https://www.blackhat.com/docs/us-16/materials/us-16-Nakibly-TCP-Injection-Attacks-in-the-Wild-A-Large-Scale-Study.pdf and https://www.blackhat.com/docs/us-16/materials/us-16-Nakibly-TCP-Injection-Attacks-in-the-Wild-A-Large-Scale-Study-wp.pdf – Tom Jan 30 '17 at 12:36
18

pop.orangehome.co.uk

There is in theory support for explicit TLS in POP3 using the STLS command (similar to STARTTLS in SMTP), but this server does not support this command and thus no TLS is possible. While the ISP might argue that the connection from your home to this server is controlled by the ISP and thus is secure, this argument is invalid once you are trying to access your mails from a public hotspot or similar, where the missing encryption means that everybody can read your password and the contents of the mail. And this is also true for anybody having access to your network at home.

smtp.orangehome.co.uk

This server is not reachable from outside but only from inside the ISP network. If the ISP has tight control over the network it can argue that nobody can sniff the content and he might be mostly right. But hopefully you can fully trust your internal home network since anybody with access to this network can read any mails you send since these are not encrypted. Interestingly, the server requires no authentication which might mean that the ISP authenticates you by your internal IP address.

EDIT: as pointed out by @Jasen in a comment, there is a way to connect to this host if you are not at home by using port 587. This access then requires authentication but only offers plain text and still no encryption. Thus the security is comparable to the POP3 case: somebody can sniff your password and read your mail.

In summary: that's not the security you should expect from a major ISP.

Steffen Ullrich
  • 4
    When you are outside of your ISP's network, simple eavesdropping is not possible, but one still could pretend she is smtp.orangehome.co.uk and read/modify your outgoing e-mails. – v6ak Dec 20 '16 at 17:33
  • @v6ak: good point. – Steffen Ullrich Dec 20 '16 at 17:51
  • 2
    smtp.orangehome.co.uk is reachable by me from the other side of the world (on TCP port 587); still no TLS and only plaintext authentication offered. Not a good look at all. (See "not connected..." on the help page linked in the question.) – Jasen Dec 20 '16 at 18:14
  • @Jasen: thanks for the information. I've updated my answer accordingly. – Steffen Ullrich Dec 20 '16 at 18:59
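
The check described in the answer above (does the server advertise STLS or STARTTLS on its plaintext port, and which login mechanisms does it offer without it) can be written as a small audit of the CAPA and EHLO replies. This is an added example, not part of the original answers; the sample replies and the host name `mail.example.test` are constructed, not captured from any real server.

```python
import re

# Constructed sample replies (not captured from a real server).
POP3_CAPA_PLAINTEXT = "+OK Capability list follows\r\nTOP\r\nUSER\r\nUIDL\r\n.\r\n"
POP3_CAPA_WITH_STLS = "+OK Capability list follows\r\nTOP\r\nUSER\r\nSTLS\r\nSASL PLAIN\r\n.\r\n"
SMTP_EHLO_PLAINTEXT = "250-mail.example.test\r\n250-SIZE 10240000\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n"
SMTP_EHLO_WITH_TLS = "250-mail.example.test\r\n250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n"

def pop3_capabilities(capa_response):
    """Parse a POP3 CAPA reply (RFC 2449) into {CAPABILITY: [args]}."""
    lines = capa_response.splitlines()
    if not lines or not lines[0].startswith("+OK"):
        return {}  # -ERR: no CAPA support, so STLS cannot be advertised
    caps = {}
    for line in lines[1:]:
        if line == ".":  # end of the multi-line reply
            break
        parts = line.split()
        if parts:
            caps[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return caps

def smtp_extensions(ehlo_response):
    """Parse an SMTP EHLO reply (RFC 5321) into {KEYWORD: [params]}."""
    exts = {}
    for line in ehlo_response.splitlines()[1:]:  # first line is the greeting
        m = re.match(r"250[- ](\S+)(.*)", line)
        if m:
            exts[m.group(1).upper()] = m.group(2).upper().split()
    return exts

def audit(protocol, response):
    """Return findings for one capability reply from a plaintext port."""
    if protocol == "pop3":
        caps, tls_kw = pop3_capabilities(response), "STLS"
        auth = caps.get("SASL", []) + (["USER"] if "USER" in caps else [])
    else:
        caps, tls_kw = smtp_extensions(response), "STARTTLS"
        auth = caps.get("AUTH", [])
    findings = []
    if tls_kw not in caps:
        findings.append(f"no {tls_kw}: session cannot be upgraded to TLS")
        if auth:
            findings.append("credentials offered in cleartext: " + ",".join(auth))
    return findings
```

Against a live server, the standard library's `poplib.POP3.capa()` and `smtplib.SMTP.ehlo()` return the same information already parsed.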
4

As you speak of your ISP, there is normally nothing between your host and your ISP's network. So of course nothing is encrypted, but even if you used SSL it would be decrypted before reaching the server application. Said differently, unless you have an untrusted local network, which would be weird for a personal connection, SSL encryption would bring no additional security. Use encrypted messages if you do not want your mail provider to read your mails' content, not SSL.

But next paragraph in the linked page is IMHO much worse. Because they say that when you are connected through an external service (say a public WiFi hotspot) you use port 587 (fine), authenticated with your username and password (still normal) and with no encryption (glp...). Said differently if you send or read mail outside of your home you are sending your password in clear text on an unknown network which is clearly unacceptable.

You can use EE as your ISP if there is no other problem with them, but you should use another mail provider if they do not support encryption when you are connected through a third party network.

Serge Ballesta
1

Just like pineappleman said, as soon as you leave your home network with a mobile phone or laptop, or a desktop PC brought to a LAN party, you might be attacked. An attacker could not only read your mails, but also alter them, add malicious content to attachments, use this access to reset your passwords on web services, more bad stuff...

Also, if you use a VPN for some reason and your entire traffic is tunneled, you might open your communication to whoever is in between you and the ISP then.

And last but not least, there is a whole lot of malicious traffic on the internet, trying to crack your router. In case it succeeds and changes DNS entries, you're gonna get a problem as well.

Anders
SchreiberLex
0

That is not safe. What could happen? Let's say you set up that mail on your phone and your phone checks for new mails every 15 minutes. If you connect (your phone) to an untrusted network, like a public wifi network, anybody could intercept your e-mail traffic. You would not even need to open the e-mail client on your phone, as it sends the username/password in cleartext automatically to check for new mails in the background. Intercepting such unencrypted traffic and getting cleartext passwords is quite easy for an attacker who just needs to be on the same network and to use a tool like ettercap.

pineappleman
0

IMO this was somewhat acceptable a decade ago when most people used desktops or laptops and only connected them to the internet at home/work, wifi was just starting to appear and public wifi was nonexistent. Your home network and your ISP were reasonably trustworthy and you shouldn't be sending super-secret stuff by email anyway.

The rise of mobile computing has dramatically changed the threat model. More and more people use mobile devices and connect them via insecure public wi-fi networks.

Unfortunately many providers, including the site we are discussing this on right now, have not caught up with this and still think it's fine to use plain http for authenticated users.

Peter Green
-1

It depends on your threat model and type of connection. If you are just cable-connected and don't use Wi-Fi on that computer, you might be relatively OK. Well, I know nothing about securing the connection line to the ISP, but if you assume no threat is there.

Once you use Wi-Fi for some network, your position gets much worse. Many networks are WPA2 PSK, some are even open networks. Once you have connected to an insecure network (e.g. weak PSK or open network), **a nearby attacker can sniff or modify your traffic (password and e-mails)**. Furthermore, once you have enabled automatic connection to such a network, an attacker can use tools like Pineapple to connect you through his own network, even if you are on a secure network. The Pineapple would just offer a network named and secured like the insecure one. Then, you will connect to it. (Maybe it also tries to deauth you from your legitimate network. I am not sure if Pineapple does so, but I know that's possible.)

This can result in:

  • stolen password to e-mail (credentials will be probably resent after a connection loss, thus just after connecting to a new network)
  • reset passwords to other services
  • leaked outgoing and incoming e-mails
  • modified incoming/outgoing e-mails
v6ak