[opensuse] No encryption on imap on some servers [WAS: Basically every WiFi device just hacked?]
On 2017-10-16 22:37, James Knott wrote:
On 10/16/2017 04:02 PM, Carlos E. R. wrote:
On 2017-10-16 20:11, James Knott wrote:
On 10/16/2017 01:51 PM, Carlos E. R. wrote:
Besides, any communication protocol that uses encryption is safe, even if they get entry to our WiFi: ssh, https... but not, I think, smb, nfs, most email... Many email providers are moving to SSL/TLS for POP, IMAP and SMTP. Not mine.
Geez... Spain is really behind the times. Can you not even configure it with your email apps? Also, email web interfaces now use https. Also, Google tries to favour https web sites, to encourage encryption on the web.
It is the ISP, email is secondary for them. It is no longer offered to new clients, so they don't care that much.
So currently the IMAP connection has no security at all, whereas the smtp connection does. I tried to enable starttls or ssl/tls and the connection failed.
I also looked at my fetchmail log of one connection, it is this:
- - 6.3.26 querying imap.telefonica.net (protocol IMAP) at 2017-10-16T13:07:35 CEST: poll started
- - Trying to connect to 86.109.99.71/143...connected.
- - IMAP< * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=CRAM-MD5] e.movistar.es.
- - IMAP> A0001 CAPABILITY
- - IMAP< * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=CRAM-MD5
- - IMAP< A0001 OK Pre-login capabilities listed, post-login capabilities have more.
- - IMAP> A0002 AUTHENTICATE CRAM-MD5
- - IMAP< + ***********==
- - IMAP> ************==
- - IMAP< * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MUMULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE QUOTA
- - IMAP< A0002 OK Logged in
- - IMAP> A0003 SELECT "Inbox"
- - IMAP< * FLAGS (\Answered \Flagged \Deleted \Seen \Draft NonJunk Junk)
- - IMAP< * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft NonJunk Junk \*)] Flags permitted.
- - IMAP< * 3 EXISTS
- - IMAP< * 0 RECENT
- - IMAP< * OK [UNSEEN 1] First unseen.
- - IMAP< * OK [UIDVALIDITY 1496821626] UIDs valid
- - IMAP< * OK [UIDNEXT 33] Predicted next UID
- - IMAP< A0003 OK [READ-WRITE] Select completed (0.002 secs).
- - IMAP> A0004 EXPUNGE
- - IMAP< A0004 OK Expunge completed.
- - 3 messages for SOMEBODY at imap.telefonica.net (folder Inbox).
- - IMAP> A0005 FETCH 1:3 RFC822.SIZE
- - IMAP< * 1 FETCH (RFC822.SIZE 31383)
- - IMAP< * 2 FETCH (RFC822.SIZE 15673)
- - IMAP< * 3 FETCH (RFC822.SIZE 16227)
- - IMAP< A0005 OK Fetch completed.
- - IMAP> A0006 FETCH 1 RFC822.HEADER
- - IMAP< * 1 FETCH (RFC822.HEADER {2994}
- - reading message SOMEBODY@imap.telefonica.net:1 of 3 (2994 header octets)Trying to connect to 127.0.0.1/25...connected.
- - SMTP< 220 Telcontar.valinor ESMTP
- - SMTP> EHLO Telcontar.valinor
- - SMTP< 250-Telcontar.valinor
- - SMTP< 250-PIPELINING
...
Looking at the exchange and that it used CRAM-MD5, I changed Thunderbird to also use encryption for the password and apparently it works - this is new. But I see nothing about using TLS or SSL in the body fetch.
On another provider (pop3), I see:
- - POP3> CAPA
- - POP3< +OK
- - POP3< CAPA
- - POP3< TOP
- - POP3< UIDL
- - POP3< RESP-CODES
- - POP3< PIPELINING
- - POP3< AUTH-RESP-CODE
- - POP3< USER
- - POP3< SASL PLAIN
- - POP3< .
- - pop.dominioabsoluto.net: upgrade to TLS succeeded. <==========
so fetchmail tries and succeeds on another provider, but not on telefonica aka movistar.
-- 
Cheers / Saludos,
Carlos E. R.
(from 42.2 x86_64 "Malachite" at Telcontar)
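[Added example, not part of the message above and not fetchmail's own code: a small Python audit of a fetchmail-style IMAP transcript that reports whether STARTTLS was advertised before login, which authentication was used, and what was sent without encryption. It assumes the log comes from a plain port-143 connection, as in the log above; the sample input is constructed by abridging that log, and the names audit_imap_log and findings are hypothetical.]

```python
import re
# Constructed input: abridged from the port-143 fetchmail log in the message above.
SAMPLE_LOG = """\
- - IMAP< * OK [CAPABILITY IMAP4rev1 SASL-IR IDLE AUTH=PLAIN AUTH=CRAM-MD5] e.movistar.es.
- - IMAP> A0001 CAPABILITY
- - IMAP< * CAPABILITY IMAP4rev1 SASL-IR IDLE AUTH=PLAIN AUTH=CRAM-MD5
- - IMAP> A0002 AUTHENTICATE CRAM-MD5
- - IMAP< * CAPABILITY IMAP4rev1 SORT MOVE QUOTA
- - IMAP> A0006 FETCH 1 RFC822.HEADER
"""
CAPS = re.compile(r"\* (?:OK \[CAPABILITY ([^\]]*)\]|CAPABILITY (.*))", re.I)
CLIENT = re.compile(r"IMAP> \S+ (\S+)(?: (\S+))?", re.I)

def audit_imap_log(text):
    """Summarise what a fetchmail IMAP transcript exposed on the wire."""
    caps, tls, auth, clear = set(), False, None, []
    for raw in text.splitlines():
        line = raw.lstrip("- ").strip()
        if "upgrade to TLS succeeded" in line:  # success line, as in the POP3 log
            tls = True
        elif (m := CLIENT.match(line)):
            cmd = m.group(1).upper()
            if cmd in ("AUTHENTICATE", "LOGIN") and auth is None:
                # LOGIN carries the password itself; AUTHENTICATE names a SASL mechanism.
                auth = cmd if cmd == "LOGIN" else (m.group(2) or "").upper()
            if not tls and cmd in ("AUTHENTICATE", "LOGIN", "FETCH"):
                clear.append(cmd)
        elif line.startswith("IMAP<") and auth is None and (m := CAPS.search(line)):
            # Only capabilities announced before authentication are the pre-login offer.
            caps.update(tok.upper() for tok in (m.group(1) or m.group(2)).split())
    return {"starttls_offered": "STARTTLS" in caps,
            "login_disabled": "LOGINDISABLED" in caps,
            "auth_mechs": sorted(c[5:] for c in caps if c.startswith("AUTH=")),
            "auth_used": auth, "tls_upgraded": tls, "sent_in_clear": clear}

def findings(r):
    """Plain-language findings for a session that never upgraded to TLS."""
    if r["tls_upgraded"]:
        return []
    out = []
    if not r["starttls_offered"]:
        out.append("server did not advertise STARTTLS before login")
    if r["auth_used"] in ("LOGIN", "PLAIN"):
        out.append("password crossed the network unencrypted")
    elif r["auth_used"] == "CRAM-MD5":
        out.append("CRAM-MD5 kept the password off the wire, but the session is unencrypted")
    if "FETCH" in r["sent_in_clear"]:
        out.append("message data fetched without encryption")
    return out
```

[Calling findings(audit_imap_log(SAMPLE_LOG)) returns the three findings that match the situation described in the message: no STARTTLS offer, CRAM-MD5 protecting only the password, and the mail itself fetched in the clear.]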
On 10/16/2017 05:22 PM, Carlos E. R. wrote:
It is the ISP, email is secondary for them. It is no longer offered to new clients, so they don't care that much.
So currently the IMAP connection has no security at all, whereas the smtp connection does. I tried to enable starttls or ssl/tls and the connection failed.
Time to get another email provider. GMail supports SSL/TLS & HTTPS. You can even configure it to pull email from your old provider, to help you transition. Also, I ran my own IMAP server for a few years. I used IMAPS (IMAP over SSL/TLS) with it.
-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 2017-10-16 23:41, James Knott wrote:
On 10/16/2017 05:22 PM, Carlos E. R. wrote:
It is the ISP, email is secondary for them. It is no longer offered to new clients, so they don't care that much.
So currently the IMAP connection has no security at all, whereas the smtp connection does. I tried to enable starttls or ssl/tls and the connection failed.
Time to get another email provider. GMail supports SSL/TLS & HTTPS. You can even configure it to pull email from your old provider, to help you transition. Also, I ran my own IMAP server for a few years. I used IMAPS (IMAP over SSL/TLS) with it.
Oh, I use other email providers as well. But is Gmail really secure? The FBI and CIA will be reading it. Google machine reads it. So I guess it is not really more secure and private.
-- 
Cheers / Saludos,
Carlos E. R.
(from 42.2 x86_64 "Malachite" at Telcontar)
On 16/10/17 05:59 PM, Carlos E. R. wrote:
On 2017-10-16 23:41, James Knott wrote:
On 10/16/2017 05:22 PM, Carlos E. R. wrote:
It is the ISP, email is secondary for them. It is no longer offered to new clients, so they don't care that much.
So currently the IMAP connection has no security at all, whereas the smtp connection does. I tried to enable starttls or ssl/tls and the connection failed.
Time to get another email provider. GMail supports SSL/TLS & HTTPS. You can even configure it to pull email from your old provider, to help you transition. Also, I ran my own IMAP server for a few years. I used IMAPS (IMAP over SSL/TLS) with it.
Oh, I use other email providers as well.
But is Gmail really secure? The FBI and CIA will be reading it. Google machine reads it. So I guess it is not really more secure and private.
It might be worse, much worse.
There's an entry in my DatabaseOfDotSigQuotes
Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench. -- Gene Spafford
Or perhaps in reverse. Securing the end points but leaving the steps along the way unsecured.
If and only if the originator used a secured machine that overwrote the temp file, overwrote the temp memory, after using TLS to authenticate itself to the server and SMTP-S to transfer, and the server was the machine you accessed via TLS and IMAPS so you didn't have to worry about the security of any intermediate machines (check the 'received-by' in your headers!), and it also wiped temporary storage .... and you PGP encrypted the message ... and traffic analysis wasn't an issue for your operational security, then OK.
But I don't think all that holds when reading this list.
And WTF, it's not like most mailing lists that I subscribe to don't send me a reminder of what my password is each and every month, in plain text.
Not this one :-)
-- 
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
On 2017-10-17 03:43, Anton Aylward wrote:
On 16/10/17 05:59 PM, Carlos E. R. wrote:
Oh, I use other email providers as well.
But is Gmail really secure? The FBI and CIA will be reading it. Google machine reads it. So I guess it is not really more secure and private.
It might be worse, much worse.
There's an entry in my DatabaseOfDotSigQuotes
Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench. -- Gene Spafford
I'm sure I don't live in a cardboard box and that my end is safe. That's as much as I can do.
Or perhaps in reverse. Securing the end points but leaving the steps along the way unsecured.
That is what is actually happening with plain email today.
If and only if the originator used a secured machine that overwrote the temp file, overwrote the temp memory, after using TLS to authenticate itself to the server and SMTP-S to transfer, and the server was the machine you accessed via TLS and IMAPS so you didn't have to worry about the security of any intermediate machines (check the 'received-by' in your headers!), and it also wiped temporary storage .... and you PGP encrypted the message ... and traffic analysis wasn't an issue for your operational security, then OK.
I'd worry about that if I had to transmit state or industry secrets.
But I don't think all that holds when reading this list.
And WTF, it's not like most mailing lists that I subscribe to don't send me a reminder of what my password is each and every month, in plain text.
Not this one :-)
Getting the list password does not allow people to intercept or fake list email, I think.
-- 
Cheers / Saludos,
Carlos E. R.
(from 42.2 x86_64 "Malachite" at Telcontar)
participants (3)
- Anton Aylward
- Carlos E. R.
- James Knott