[ale] how secure is ssl email login

Phil Turmel philip at turmel.org
Fri Apr 26 17:01:40 EDT 2013


On 04/26/2013 04:23 PM, Ron Frazier (ALE) wrote:
> Hi Mike T, and all,
> 
> Thanks for the replies on this.  This last bit is the key piece of
> information I needed.  So, the SSL link is brought up first, then my
> credentials are sent to the server.  The fact that my credentials are
> not in plaintext on the wire (or wifi) is exactly the result I was
> hoping to hear.  You would think it would be that way, but I'd be rich
> if I had a dollar for every time a software maker has done something
> stupid or tried to do it right and got it wrong.  It's good to know that
> my email is secure from snoopers (except over my shoulder) whether I'm
> running a vpn or not.  From an end user point of view, even a technical
> user, this stuff can be baffling.  And we all know that the default
> settings on software are almost always set for convenience and
> simplicity.  (IE lack of tech support phone calls.)  If you want
> security and privacy, you have to change them.  So, I wanted to make
> sure my settings were OK.

Mike's response completely answers your original question "I'm wondering
if my login credentials are sent in the clear or not.  Is there a
possibility that someone in the room could hijack my credentials?"  As
described, the answer is no.  And for most people, that's good enough.

But you can't go from there to the assumption that your email is secure
from snoopers--it's not.  The traffic between you and your mail server
is secure in both directions, but traffic between your mail server and
your correspondents' mail servers generally isn't.  And your
correspondents might not have their end set up properly.

Now, that's not the same class of exposure as an open wi-fi hotspot, but
the risk is non-zero (in my opinion).  Government and ISPs are the ones
to worry about for transport security.  So your email isn't really
secure unless you also encrypt the *contents*.  The Enigmail plugin for
Thunderbird or equivalent tools offer that level of security.  Your
correspondents have to be similarly equipped, though.

Phil
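
The difference between the protected client-to-server leg and the server-to-server legs described above can be checked on a delivered message, because each receiving server records the protocol it used in its `Received` header. This is an added example, not part of the original post: it reads the RFC 3848 `with` keywords from constructed sample headers, and every hostname, address and id in it is made up.

```python
import email
import re

# RFC 3848 "with" keywords whose trailing S means the hop ran over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed sample headers (newest hop first, as in a real message).
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
 by store.recipient.example with ESMTPS id C3; Fri, 26 Apr 2013 17:01:43 -0400
Received: from submit.sender.example (submit.sender.example [198.51.100.7])
 by mx.recipient.example with ESMTP id B2; Fri, 26 Apr 2013 17:01:42 -0400
Received: from laptop.local (unknown [192.0.2.44])
 (using TLSv1 with cipher AES256-SHA (256/256 bits))
 by submit.sender.example with ESMTPSA id A1; Fri, 26 Apr 2013 17:01:41 -0400
Subject: constructed test message

body
"""

def strip_comments(value):
    """Drop (possibly nested) parenthesised comments, e.g. 'with cipher' notes."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", "", value)
    return value

def clause(name, text):
    """Return the token following a Received clause keyword, or None."""
    m = re.search(r"\b%s\s+(\S+)" % name, text, re.IGNORECASE)
    return m.group(1) if m else None

def hops(raw_message):
    """Return [(from_host, by_host, protocol, tls)] in delivery order."""
    msg = email.message_from_string(raw_message)
    out = []
    # Each server prepends its header, so reverse for sender-first order.
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(strip_comments(header).split()).split(";", 1)[0]
        proto = (clause("with", text) or "UNKNOWN").upper()
        out.append((clause("from", text), clause("by", text),
                    proto, proto in TLS_PROTOCOLS))
    return out

def cleartext_hops(raw_message):
    """Hops that did not record TLS; earlier hops' headers can be forged."""
    return [h for h in hops(raw_message) if not h[3]]

if __name__ == "__main__":
    for src, dst, proto, tls in hops(SAMPLE):
        print(f"{src} -> {dst}: {proto} ({'TLS' if tls else 'no TLS recorded'})")
```

Only headers added by servers you trust are reliable, since any relay can insert or rewrite the ones below its own.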


