EmailDiscussions.com  

Old 2 Jan 2016, 08:58 PM   #1
Sterox
Junior Member
 
Join Date: Dec 2015
Posts: 15
Email without https: risk?

Hi,

I have an old mail address that is offered free by a provider.

I see that after the login (that is SSL) the webmail is not using https. Are there some risks for my email or for privacy?

Old 2 Jan 2016, 09:15 PM   #2
kijinbear
Cornerstone of the Community
 
Join Date: Mar 2011
Location: ~$
Posts: 652
Yes, there is risk. SSL on the login page only protects your password. It doesn't protect anything that is subsequently transmitted in the clear, such as the entire contents of your mailbox.

If you ever log into your webmail over free Wi-Fi, everyone in your vicinity will be able to read your mailbox. They might even be able to impersonate you and mess with your mailbox, such as deleting messages and sending spam.

Even if you only use a wired connection, telecom employees and government agencies can easily do the same if they want to. It's like putting all your messages on the back of a postcard. Postmen aren't supposed to read them, but there is no guarantee that they won't.

Realistically, the chance of any of the above happening to you in particular and impacting your life is fairly low. So it's up to you to decide whether the risk is worth the benefit of keeping your old email address.

You can minimize the Wi-Fi risk by never checking your old email over public Wi-Fi, forwarding your old email to a more secure email service and checking it there (if the old provider supports forwarding), or fetching your old email via POP3 from a more secure service (if the old provider supports POP3). This won't protect you from a three-letter agency if you're on some sort of watchlist, but at least you'll be safe from casual eavesdroppers.
kijinbear is offline   Reply With Quote
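
The pattern described in the post above (login over SSL, then a session carried in the clear) shows up in the response headers of the login flow. This is an added example, not part of the original thread: the host, cookie names and header values are constructed, and the HSTS check is an extra beyond what the post mentions.

```python
from urllib.parse import urlsplit, urljoin

# Constructed sample: (request URL, response headers) for a webmail login flow
# of the kind described above. Host and cookie names are made up.
SAMPLE_FLOW = [
    ("https://webmail.example.test/login",
     [("Set-Cookie", "SID=constructed123; Path=/; HttpOnly"),
      ("Location", "http://webmail.example.test/inbox")]),
    ("http://webmail.example.test/inbox",
     [("Set-Cookie", "prefs=lang-en; Path=/")]),
]

def cookie_attrs(set_cookie):
    """Return (cookie name, set of lower-cased attribute names)."""
    first, *rest = [p.strip() for p in set_cookie.split(";")]
    name = first.split("=", 1)[0]
    return name, {p.split("=", 1)[0].lower() for p in rest if p}

def audit_flow(flow):
    """Flag the points where a session leaves TLS or can leak its cookie."""
    findings = []
    for url, headers in flow:
        scheme = urlsplit(url).scheme
        if scheme != "https":
            # Page content (the mailbox) is readable by anyone on the path.
            findings.append(("cleartext-page", url))
        for key, value in headers:
            k = key.lower()
            if k == "location":
                target = urljoin(url, value)  # resolve relative redirects
                if scheme == "https" and urlsplit(target).scheme == "http":
                    findings.append(("https-to-http-redirect", target))
            elif k == "set-cookie":
                name, attrs = cookie_attrs(value)
                if scheme != "https":
                    findings.append(("cookie-set-in-cleartext", name))
                elif "secure" not in attrs:
                    # Browser will also send this cookie over plain http.
                    findings.append(("cookie-without-secure", name))
        if scheme == "https" and not any(
                k.lower() == "strict-transport-security" for k, _ in headers):
            findings.append(("no-hsts", url))
    return findings

if __name__ == "__main__":
    for kind, detail in audit_flow(SAMPLE_FLOW):
        print(f"{kind:24} {detail}")
```

A session cookie that reaches the browser without the `Secure` attribute is what makes the impersonation scenario possible, since the browser repeats it on every cleartext request.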
Old 2 Jan 2016, 09:17 PM   #3
Sterox
Junior Member
 
Join Date: Dec 2015
Posts: 15
Ok, it's better not to use it. I think that provider must consider SSL more.
Old 3 Jan 2016, 05:41 PM   #4
chrisretusn
Cornerstone of the Community
 
Join Date: Aug 2006
Location: Philippines
Posts: 846
Regardless of SSL or not, email is still a lot like a post card. That post card is enclosed in an envelope with SSL between you and your provider. It might be protected while stored on their server, it might not. Depends on the service. While a lot of emails these days do transit the Internet highway in the SSL envelope, there is no guarantee that an email will always be protected from sender to receiver by SSL. You should always consider email as unsecured.

The only sure way of getting an email from sender to receiver securely is by using encryption. You encrypt before sending; your receiver of course will need to be able to decrypt it after receiving it.

Last edited by chrisretusn : 4 Jan 2016 at 08:03 AM.
Old 3 Jan 2016, 06:01 PM   #5
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,944
Quote:
Originally Posted by kijinbear View Post
If you ever log into your webmail over free Wi-Fi
Nothing to do with free (as opposed to "paid") WiFi. What matters is whether the WiFi connection itself is encrypted. There are free WiFi hotspots which nevertheless require a password to gain access, for example in some hotels/restaurants/bars. In this case using an SSL-less connection should be safe, but of course it's always better to use SSL if you have a choice.
Old 4 Jan 2016, 01:06 AM   #6
David
Ultimate Contributor
 
Join Date: Dec 2001
Location: Canada.
Posts: 10,355
Quote:
Originally Posted by janusz View Post
There are free WiFi hotspots which nevertheless require a password to gain access, for example in some hotels/restaurants/bars. In this case using SSL-less connection should be safe,
But everyone (in the hotel) uses the same password - that being the case, are you not still at risk....
Old 4 Jan 2016, 02:50 AM   #7
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
I agree with David. The password which is used to limit use of the WiFi hotspot only limits Internet access, and has no effect on WiFi packet sniffing. Anyone with simple widely available equipment can read the contents of unencrypted (http) packets (including login name and password you use for the email service) from any location where they can receive the WiFi RF signal transmitted from your device, and of course they can also see what the server is sending to you. The person who is snooping has no need for the hotel/restaurant login given to customers.

If you use an unencrypted connection for website access or email client access (IMAP, SMTP, POP), anyone who happens to intercept the packets can read them. The interception could be at any point between your device and the server to which you are connected. WiFi RF packet monitoring just allows the snooper to read your communications without getting physical access to the wired network.

Bill
Old 5 Jan 2016, 04:43 PM   #8
ezkop
Junior Member
 
Join Date: Dec 2015
Posts: 24
Or you could use a VPN. That will encrypt any traffic going through, so you don't need to worry about https or not.
Old 9 Jan 2016, 07:12 AM   #10
Sterox
Junior Member
 
Join Date: Dec 2015
Posts: 15
In conclusion, a webmail that doesn't use SSL encryption while surfing the page is at a high risk of violation?

I have an old email that is on an Italian provider, LIBERO.IT (does someone know it?) that actually doesn't support encrypted webmail while surfing or using the mail.

P.S.: but it uses SSL on IMAP
Old 9 Jan 2016, 01:37 PM   #11
David
Ultimate Contributor
 
Join Date: Dec 2001
Location: Canada.
Posts: 10,355
Speaking only for myself, my philosophy is that anything I do deem to be possibly dicey, I do always avoid.
Old 9 Jan 2016, 08:58 PM   #12
Sterox
Junior Member
 
Join Date: Dec 2015
Posts: 15
Right, I will avoid this email service
Old 10 Jan 2016, 12:37 PM   #13
kijinbear
Cornerstone of the Community
 
Join Date: Mar 2011
Location: ~$
Posts: 652
If you really need to check that email, you could do so with IMAP+SSL or POP3+SSL instead of webmail.
All times are GMT +9.