The hacking of Mat Honan scared me. A lot. While there was no "advanced hacking" involved, the attackers found data across multiple services, which when combined enabled them to gain access to one service after another through password resets.
It really made me think about my own mail accounts (I've got quite a few of them) and how they are secured. I didn't really know, so I thought I should have a look. This is part 1, with more to come; my summary is below. Make a guess at which one I prefer:
Here is some additional info on what I've done. None of it is complex, difficult or impressive - pretty much like the 'hackers' who hijacked Mat Honan. Simple stuff, really.
Tools used for testing
Thunderbird mail client
Configure mail accounts and test for SSL/TLS and STARTTLS support on POP/IMAP/SMTP. Note that I let Thunderbird use its auto-discovered defaults, so results could differ with other settings.
Wireshark
Packet sniffing for finding default configurations of apps/clients on iPad & Android
Hak5 Pineapple
My MITM box for sniffing with Wireshark
www.checktls.com
For testing SMTP servers for RFC3207 STARTTLS support
Chrome & Internet Explorer for manual account registration and webmail access, and Telnet for talking to some SMTP servers directly. :-)
The basics
Webmail (using insecure HTTP or secured HTTPS)
Your web browser is your mail client. All mail is stored and sent to and from servers owned and operated by your service provider.
IMAP
Essentially the same thing as webmail (see above), except that you are using a dedicated mail application to handle mail. Server may support encryption for the connection.
POP
Your dedicated mail application will connect and download all mail from the remote server to your local computer, and then remove it from the server. Server may support encryption for the connection.
Services tested
Hotmail
Webmail security
SSLLABS reports server (login.live.com, Feb 19, 2013) has 7 cipher suites, with SSLv3+ suites preferred.
SMTP server security
Sending mail to users at mail.com will be in the clear due to the lack of RFC3207 support.
Gmail (Google mail)
Webmail security
SSLLABS reports server (service.mail.com, Feb 5, 2013) has 17 cipher suites, with SSLv3+ suites preferred. No vulnerabilities reported.
SMTP server security
Sending mail to and from Gmail will be encrypted, as long as the sending/receiving mail server supports RFC3207 with opportunistic encryption. Their server certificate is not trusted by OpenSSL (meaning you get encryption, but not "trust").
Mail.com
Webmail security
SSLLABS reports server (service.mail.com, Feb 5, 2013) has 6 cipher suites, server has no preference. Reported vulnerable to several attacks. The registration link from the front page leads to an insecure HTTP page. Registering for a new account requires plain HTTP; otherwise the final CAPTCHA won't show on screen and registration will fail. The CAPTCHA is fetched over HTTP, which produces a mixed-content page (not a good idea).
SMTP server security
Sending mail to users at mail.com will be in the clear due to the lack of RFC3207 support.
Yahoo
Webmail security
SSLLABS reports server (login.yahoo.com, Feb 5, 2013) has 8 cipher suites, server has no preference. Reported vulnerable to several attacks.
SMTP server security
Sending mail to users at yahoo.com will be in the clear due to the lack of RFC3207 support.
Mail client access security
POP access is available through Yahoo Mail Plus, a paid subscription (USD 19.99 for one year). IMAP access is free, and access is secured using SSL/TLS. According to their configuration guide, POP access doesn't seem to be secured, but simple testing shows that SSL/TLS is available for POP as well.
AOL
Webmail security
SSLLABS reports server (myscreenname.aol.com, Feb 5, 2013) has 5 cipher suites available, with SSLv3+ suites preferred. No vulnerabilities reported.
SMTP server security
Sending mail to users at aol.com will be in the clear due to the lack of RFC3207 support.
Apple iCloud
Webmail security
SSLLABS reports server (www.icloud.com, Feb 5, 2013) has 5 cipher suites available, with SSLv3+ suites preferred. No vulnerabilities reported.
SMTP server security
Sending mail to users at icloud.com or me.com will be in the clear due to the lack of RFC3207 support.
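As an added example (not code from the original post), here is a Python script that does the RFC 3207 check the tools above (checktls.com, Telnet) were used for: it reads the EHLO extension list and, when STARTTLS is offered, attempts the upgrade with certificate verification, so that "encrypted but not trusted" (the Gmail case) is reported separately from "in the clear". The hostname and the sample EHLO reply in the test are placeholders; only the standard library is used.

```python
import smtplib
import ssl

def parse_ehlo_extensions(code: int, ehlo_reply: bytes) -> set:
    """Return the ESMTP keywords advertised in a 250 EHLO reply.
    smtplib.SMTP.ehlo() returns the reply lines joined by '\n' with the
    '250-' prefixes stripped; line 0 is the greeting, the rest are 'KEYWORD [params]'."""
    if code != 250:
        return set()
    lines = ehlo_reply.decode("ascii", "replace").splitlines()
    return {line.split()[0].upper() for line in lines[1:] if line.strip()}

def classify(extensions: set, cert_ok) -> str:
    """Map the findings onto the outcomes the post distinguishes."""
    if "STARTTLS" not in extensions:
        return "clear"                # no RFC 3207: mail crosses the wire in plain text
    if cert_ok is True:
        return "encrypted-trusted"    # TLS negotiated and certificate chain verified
    if cert_ok is False:
        return "encrypted-untrusted"  # TLS negotiated, but the certificate did not verify
    return "starttls-failed"          # STARTTLS advertised, but the upgrade did not complete

def check_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Talk to a live server: EHLO, look for STARTTLS, then attempt a verified upgrade.
    This is the only function that touches the network."""
    result = {"host": host, "extensions": set(), "cert_ok": None, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            code, reply = smtp.ehlo()
            result["extensions"] = parse_ehlo_extensions(code, reply)
            if "STARTTLS" in result["extensions"]:
                ctx = ssl.create_default_context()  # verifies chain and hostname
                try:
                    smtp.starttls(context=ctx)
                    result["cert_ok"] = True
                except ssl.SSLCertVerificationError as exc:
                    result["cert_ok"] = False   # encryption, but no "trust"
                    result["error"] = str(exc)
    except (OSError, smtplib.SMTPException) as exc:
        result["error"] = result["error"] or str(exc)
    result["verdict"] = classify(result["extensions"], result["cert_ok"])
    return result

if __name__ == "__main__":
    import sys
    # Hostname is a placeholder; pass the MX host of the provider you want to check.
    print(check_starttls(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```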
A small note on the BEAST attack reported earlier on Hotmail.com
It doesn't work. After it was published, all the major browser vendors decided to fix it and break support for a few outdated SSL sites.
It's only a problem with outdated clients (Thunderbird I believe has the fix).
http://youtu.be/LBbCec4Bp10?t=15m34s
Thank you for that information, I'll update my post!
Hi Per, good to see some focus on email security. My two cents is however that although one can control the transfer between the server and client, unless specific transport policies are published (and tested) between the various SMTP servers, it is very difficult to gauge the security of public email providers.
That said, I'm not proposing having novices running their own servers, and in full disclosure I'm using Google Apps for my own email hosting. What I do propose, is however a stronger focus on end-to-end encryption, in particular using RFC4880 (OpenPGP). For Thunderbird the Enigmail plugin to add GnuPG support is working rather nicely.
Maybe a post focusing on this can be a natural follow-up on email security?
Possibly relevant:
https://blog.duosecurity.com/2013/02/bypassing-googles-two-factor-authentication/