email without encryption

8 replies [Last post]
muhammed
Joined: 04/13/2013

I signed up for an account with a local email provider. I logged into the webmail, and noticed that it used http (and not https). I asked the administrator about it; he told me that the danger is merely theoretical, and that no one has been compromised in these circumstances.

I connected the account to my email client, and the client showed me this:

Incoming: POP3, [...] No Encryption
Outgoing: SMTP, [...] No Encryption

I clicked "Done", and then the email client showed me a warning about insecure mail servers (screen capture attached). I decided not to use the account for now.

Could you guys comment on this situation? Is IceDove's warning correct?

muhammed
Joined: 04/13/2013

I forgot to upload IceCat's warning -- here it is

pop-warning.png

onpon4
Joined: 05/30/2012

There's a grain of truth to it: you can't necessarily trust some stranger running a mail server to keep your mail secret. Governments can demand that they turn over their private key, and then all of your email is compromised the same way it would be if your HTTP connection had been snooped. That's why you should use end-to-end encryption (e.g. GnuPG). Still, saying that TLS is unnecessary is a very strange attitude. It at least means that cooperation with the server owner is required to snoop on your email.

lloydsmart

I am a member!

Joined: 12/22/2012

I wouldn't use such an account, personally. Even if the provider is totally legit, your communication with their servers is being done entirely in cleartext. It's standard practice to at least enable TLS on SMTP, POP3 and IMAP connections these days. And personally, I'd insist on HTTPS for webmail, too.

The warnings are there for a reason.
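
An added example, not part of the thread: a small Python audit of what a mail server advertises before any TLS is negotiated, which is what decides whether a client ends up at "No Encryption". The capability keywords (STARTTLS, STLS, LOGINDISABLED, USER, SASL, AUTH) come from the SMTP, POP3 and IMAP standards; the function names and the sample server replies are constructed for illustration.

```python
# Added example: classify a mail server from its pre-TLS capability reply.
# Function names are hypothetical; all sample replies are constructed.

def parse_caps(proto, reply):
    """Collect upper-cased capability entries from a raw server reply."""
    caps = set()
    for line in reply.strip().splitlines():
        line = line.strip()
        if proto == "smtp":      # EHLO reply: "250-KEYWORD args" ... "250 KEYWORD"
            if line[:3] == "250" and len(line) > 4:
                caps.add(line[4:].upper())
        elif proto == "pop3":    # CAPA reply: "+OK ...", one capability per line, "."
            if line and line != "." and not line.startswith("+OK"):
                caps.add(line.upper())
        elif proto == "imap":    # "* CAPABILITY IMAP4rev1 STARTTLS ..."
            if line.upper().startswith("* CAPABILITY"):
                caps.update(line.upper().split()[2:])
    return caps

def verdict(proto, reply):
    """Return 'no-encryption', 'tls-optional' or 'tls-required-for-login'."""
    caps = parse_caps(proto, reply)
    upgrade = {"smtp": "STARTTLS", "pop3": "STLS", "imap": "STARTTLS"}[proto]
    if upgrade not in caps:
        return "no-encryption"   # nothing to upgrade to: everything travels in cleartext
    if proto == "smtp":
        auth_before_tls = any(c.startswith(("AUTH ", "AUTH=")) for c in caps)
    elif proto == "pop3":
        auth_before_tls = "USER" in caps or any(c.startswith("SASL ") for c in caps)
    else:                        # IMAP signals "no login before TLS" with LOGINDISABLED
        auth_before_tls = "LOGINDISABLED" not in caps
    # TLS is offered; the question left is whether login is also accepted without it.
    return "tls-optional" if auth_before_tls else "tls-required-for-login"

# Constructed sample replies (not captured from any real server).
SMTP_PLAIN = "250-mail.example.org\n250-SIZE 10240000\n250 AUTH PLAIN LOGIN"
POP3_PLAIN = "+OK Capability list follows\nUSER\nUIDL\nTOP\n."
POP3_STLS = "+OK\nSTLS\nUIDL\nTOP\n."
IMAP_OPTIONAL = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN"

if __name__ == "__main__":
    for proto, reply in [("smtp", SMTP_PLAIN), ("pop3", POP3_PLAIN),
                         ("pop3", POP3_STLS), ("imap", IMAP_OPTIONAL)]:
        print(proto, "->", verdict(proto, reply))
```

A "tls-optional" result still depends on the client: the capability list itself is sent in cleartext, so the mail client should be set to require STARTTLS/STLS (or implicit TLS) rather than use it only when offered.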

SuperTramp83

I am a translator!

Joined: 10/31/2014

I think that too, lloydsmart.

muhammed
Joined: 04/13/2013

Thanks a lot guys

Eemeli
Joined: 01/04/2014

If you are using a non-encrypted connection and an open wifi-network (without encryption like WPA) then anybody in the same network can capture all your messages.

Even when using WPA someone could just have set a router with a stronger signal close to you and your computer will then happily connect to it instead of the authentic router. Then that person could very easily capture all your traffic.

Hence DON'T USE EMAIL WITHOUT TLS/HTTPS!!!

Magic Banana

I am a member!

Joined: 07/24/2010

Even when using WPA someone could just have set a router with a stronger signal close to you and your computer will then happily connect to it instead of the authentic router.

Indeed. That is analogous to what IMSI catchers do with mobile phones: https://en.wikipedia.org/wiki/IMSI-catcher

That device even forces a weaker encryption for the phone communication so that the data can be decrypted. As for the meta-data, they cannot be encrypted.

After the French deputies, who already overwhelmingly voted "yes", French senators are about to adopt a law that will legalize the use of IMSI catchers by the secret services. They already use them anyway. And that law contains far more dangerous articles. In particular a global surveillance of the French Internet to detect suspect sequences of connections. Depressing...

Mampir
Joined: 12/16/2009

Data can be trivially intercepted even if you are connected using cables, after the WiFi device you're connected to. Even if you are 100% sure your WiFi connection is perfectly encrypted, you should never rely on this to provide you even a bit of secure and private communication!

On another note, it's much better to keep your WiFi unencrypted and share the connection, so other people can use it. This provides freedom from cell phones, and independence and privacy for people in general. You aren't really using your Internet most of the time, probably less than 1% of the time even.

I'm told that in some countries it's illegal to share free WiFi access, which is an injustice. So be aware. Maybe a weak encryption can be provided instead, to circumvent such laws. Maybe those laws aren't really enforced in practice or the penalty isn't severe. In Bulgaria there are many places which offer free WiFi access, so it seems pretty safe.

Also, the more people keep their WiFi encrypted, the easier it is to push and enforce laws which forbid it. So you should take a stance and contribute to making a better society.