[ale] how secure is ssl email login
One little tidbit of info: Unless you use their paid version, Yahoo web mail only encrypts the login credentials - after that, your e-mail is transmitted in the clear. If you pay for it, they offer full encryption.
The University of Alabama
From: ale-bounces at ale.org [ale-bounces at ale.org] on behalf of Michael B. Trausch [mbt at naunetcorp.com]
Sent: Friday, April 26, 2013 12:00 PM
To: ale at ale.org
Subject: Re: [ale] how secure is ssl email login
On 04/26/2013 12:50 PM, Ron Frazier (ALE) wrote:
So, the question is this. I'm in a coffee shop. I engage the wifi. Immediately, before I bring up my vpn, the email will poll its server for mail. I know that the email will be encrypted once it's logged in. But, I'm wondering if my login credentials are sent in the clear or not. Is there a possibility that someone in the room could hijack my credentials.
Only if "SSL always" means "SSL only after you've authenticated". Of course, such a mechanism would be patently useless. :)
More seriously, the answer is no: barring the normal methods one would require to break the encryption, such as having the private key, it is not going to be snooped.
As a side note, you could have confirmed this through an experiment, which would have also had the effect of discovery of the information you sought aiding in your retention of it. Log in to email with a packet sniffer running and see what you see when you follow the resulting TCP stream. Does it look like random noise? Can you find any of your information or your information's patterns in the stream? Probably not, since SSL encryption is known to work. :)
Or, you could have hit Google and found that secure POP3 on port 995 is always encrypted, while POP3 on standard port 110 is in the clear until encryption parameters are negotiated, which occurs before user-level authentication.
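Added example (not part of the original thread): a small Python audit of the client-to-server half of a POP3 TCP stream, as you would export it from a sniffer when running the experiment described above on your own mail client. It reports whether the session was TLS from the first byte (port 995 style), upgraded with STLS, or left in the clear, and which credential commands crossed before encryption. The function names and sample byte strings are constructed for illustration.

```python
# Added example: audit the client-to-server half of a POP3 TCP stream.
# Sample streams below are constructed, not real captures.

# Commands that carry credentials: USER/PASS/APOP (RFC 1939), AUTH (RFC 5034).
CRED_CMDS = {"USER", "PASS", "APOP", "AUTH"}

def looks_like_tls(data: bytes) -> bool:
    """True if data opens with a TLS handshake record (type 0x16, major version 3).
    Assumption: no legacy SSLv2-format hello, which uses a different header."""
    return len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03

def audit_pop3_client_stream(stream: bytes) -> dict:
    """Report how the session was protected and which credential
    commands (names only, never their arguments) crossed in plaintext."""
    if looks_like_tls(stream):               # port 995 style: TLS from byte one
        return {"mode": "implicit-tls", "exposed": []}
    exposed, rest = [], stream
    while rest:
        line, sep, rest = rest.partition(b"\r\n")
        if not sep:                          # trailing partial line, stop
            break
        verb = line.split(b" ", 1)[0].decode("ascii", "replace").upper()
        # RFC 2595 upgrade: only counts if TLS bytes actually follow it.
        if verb == "STLS" and looks_like_tls(rest):
            return {"mode": "starttls", "exposed": exposed}
        if verb in CRED_CMDS:
            exposed.append(verb)
    return {"mode": "cleartext", "exposed": exposed}

# Constructed samples (record header bytes plus filler, not real handshakes).
IMPLICIT = b"\x16\x03\x01\x00\x04\x01\x00\x00\x00"
STARTTLS = b"CAPA\r\nSTLS\r\n\x16\x03\x01\x00\x04\x01\x00\x00\x00"
CLEAR = b"CAPA\r\nUSER alice\r\nPASS example-password\r\nSTAT\r\nQUIT\r\n"

if __name__ == "__main__":
    for name, s in (("995", IMPLICIT), ("110+STLS", STARTTLS), ("110", CLEAR)):
        print(name, audit_pop3_client_stream(s))
```

A non-empty `exposed` list means those commands were readable to anyone on the same network segment; a client configured to require TLS should always yield an empty list.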