
this is security?

Found out this afternoon that the email gurus at the local institution where I have an account don’t understand, or don’t care about, security. I asked why, after a maintenance outage, I was unable to read email; an insider sent me a new server name I could use, but told me that imap is going away because it doesn’t support encryption and sends passwords in the clear.

Really?

[/Users/paul]:: openssl s_client -connect mail:993
CONNECTED(00000003)
[ handshaking omitted ]
SSL handshake has read 1272 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: B448E7A7B703C73C57BC7FA7E8D4E30F8B67DC76E4868C17C16AC2E48B88C642
    Session-ID-ctx:
    Master-Key: 076960369DEDC2E9A2B8BC70D2FF070277D1E440CB2B5D1B0F5AA3770B48BB115FF61DDDF81E39CA23387186C0510F38
    Key-Arg   : None
    Start Time: 1310532030
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

Hmm, that seems to work.

openssl s_client -connect some.email.host:993
connect: Operation timed out
connect:errno=60

That doesn’t look like they’re listening on that port.

openssl s_client -connect some.email.host:143
CONNECTED(00000003)
49016:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s23_clnt.c:607:

So no SSL on the server.

Huh. If I were going to hazard a guess here, I would say that it’s not that imap is busted or insecure but that someone’s doing it wrong. When I pointed out that imap wasn’t to blame, it turned out that they had tried requiring SSL 4 years ago, but when a lot of the user base turned out not to have client software to support it, they turned it off. That’s actually worse: knowing that the security of your communications is no better than the worst email client out there, with no standards or requirements, would be a fireable offense in some workplaces.
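One caveat worth adding, with an example that is mine and not part of the post: the `openssl s_client` check on 143 only shows that the port is not speaking TLS from the first byte; on 143 the upgrade path is STARTTLS (RFC 2595), so what decides whether a client can send a password in the clear is what the server advertises before login. The script below classifies a greeting like the Dovecot one above into encrypted / TLS-required / TLS-optional / cleartext-only; the banner strings and host are constructed, and `probe` is a live check that reads capabilities only.

```python
import re
import ssl
import imaplib

# Constructed samples (hypothetical servers, not the post's host): the first mirrors the
# Dovecot greeting seen on port 993 above; the others are plausible port-143 greetings.
BANNER_993 = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE "
              "AUTH=PLAIN AUTH=LOGIN] Dovecot ready.")
BANNER_143_REQUIRED = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"
BANNER_143_OPTIONAL = "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] ready"
BANNER_143_CLEAR = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN] ready"

def parse_capabilities(greeting: str) -> set:
    """Return the CAPABILITY tokens embedded in an IMAP greeting (empty set if absent)."""
    match = re.search(r"\[CAPABILITY ([^\]]*)\]", greeting)
    return set(match.group(1).upper().split()) if match else set()

def assess(caps: set, implicit_tls: bool) -> str:
    """Classify credential exposure from the capabilities seen before login.
    encrypted: socket is already TLS (port 993), so any mechanism is protected.
    tls-required: STARTTLS offered and plaintext LOGIN/AUTH refused until the upgrade
      (LOGINDISABLED, RFC 2595), so even a careless client cannot leak a password.
    tls-optional: STARTTLS offered but plaintext credentials still accepted; security is
      whatever the weakest client chooses (the situation the post describes).
    cleartext-only: no TLS path on this port at all."""
    if implicit_tls:
        return "encrypted"
    plaintext_ok = "LOGINDISABLED" not in caps or bool({"AUTH=PLAIN", "AUTH=LOGIN"} & caps)
    if "STARTTLS" in caps:
        return "tls-optional" if plaintext_ok else "tls-required"
    return "cleartext-only"

def probe(host: str, timeout: float = 10.0) -> dict:
    """Live check (network; not exercised by the offline tests). Opens 993 with certificate
    verification, then 143, and reads capabilities only: no credentials are ever sent."""
    verdicts = {}
    try:
        conn = imaplib.IMAP4_SSL(host, 993, ssl_context=ssl.create_default_context(),
                                 timeout=timeout)  # timeout keyword needs Python 3.9+
        verdicts[993] = assess(set(conn.capabilities), implicit_tls=True)
        conn.logout()
    except (OSError, imaplib.IMAP4.error) as exc:
        verdicts[993] = f"unavailable ({exc})"
    try:
        conn = imaplib.IMAP4(host, 143, timeout=timeout)
        verdicts[143] = assess(set(conn.capabilities), implicit_tls=False)
        conn.logout()
    except (OSError, imaplib.IMAP4.error) as exc:
        verdicts[143] = f"unavailable ({exc})"
    return verdicts
```

A server that scores "tls-optional" on 143 is exactly the "no better than the worst email client" case: fixing it is a server-side LOGINDISABLED, not retiring imap.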