0

I want to set up a mail server on Ubuntu for my website, and access the email from my POP3 client without enabling SSL encryption (I suppose the SSL is used to encrypt the password?).

My questions are:

  1. What is possible for a "bad actor" to do in such a scenario?

  2. I once read that all data on the internet is encrypted in some way or the other... so why does SSL make such a big difference?

Note: The reason I want to do it without SSL is that I want to use Gmail as my POP3 client, and it refuses to read a self-signed SSL cert. I don't want to go through the hassle or pay up for a commercial SSL cert.

Update: I'm aware of free certs via StartSSL, but it seems a lot of hassle to set up... apparently worth the hassle though.

RoraΖ

2 Answers

4

1) Using POP3 unencrypted opens you up to all sorts of exploits. Typically, you aren't going to be so concerned about someone intercepting your mail, or more importantly your login credentials, via the open internet. The folks who do this would have to have access to internet exchanges, ISP routers, . It can happen, but it's not that common.

What does happen frequently is the unencrypted credentials are observed over a local network, either by legitimate access to or hacking the router/switch, or observing WiFi traffic. For example, intrusion detection systems like Snort are often configured by default to alert on this and show the administrator your username/password. In an environment with questionable privacy on their local network, e.g. a coffee shop, or within a corporate environment.

Thus it is possible for a bad actor to eavesdrop on the mail stream, as well as simply recover your login/password and login as you. They can then try this password/username combination on other sites, or send password resets to other sites like Facebook and then sign into your e-mail for the reset. So, it exposes you to quite some area of vulnerability.

Note that SSL over POP3 (POP3S) encrypts not just the password exchange, but all the data therein to prevent snooping on what your mail contents are.

2) It is not. If you send out data unencrypted over the internet, it remains unencrypted end to end -- including within both ends' local/perimeter networks before the packet reaches its internal destination. This means that anyone in between the route the packets take has access to the information contained within. SSL removes this vulnerability by applying a layer of encryption, so only the ends that are communicating may see the information.

The internet was not designed for security, it was designed for speed and resilience. Then, it became like the Wild West for hackers, so layers of security like SSL were added to help make it more secure. Without SSL or other encryption enabled, you're much more susceptible to attacks which are very old, well known and don't have to be very sophisticated.

Herringbone Cat
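The exposure described in the answer above can be checked for on your own network. The following is an added example, not part of the original answer: it audits the client-to-server command lines of a POP3 session and reports which credentials a passive observer would see. The function name and the sample sessions are constructed for illustration, and the input is assumed to be command lines already extracted from a capture of your own traffic.

```python
import base64

# Constructed client-to-server command lines (sample data, not a real capture).
CLEARTEXT_SESSION = ["CAPA", "USER alice@example.test", "PASS hunter2-sample", "STAT", "QUIT"]
SASL_SESSION = ["CAPA", "AUTH PLAIN " + base64.b64encode(b"\0bob\0s3cret-sample").decode()]
STLS_SESSION = ["CAPA", "STLS"]  # after STLS the observer sees only TLS records


def audit_pop3_commands(lines, port=110):
    """Report credentials a passive observer could read from POP3 client commands.

    Returns a list of (line_number, kind, detail); secrets are never echoed back.
    """
    findings = []
    if port == 995:  # POP3S: TLS starts before any POP3 command is sent
        return findings
    for number, line in enumerate(lines, start=1):
        parts = line.strip().split(" ")
        verb = parts[0].upper()
        args = parts[1:]
        if verb == "STLS":
            break  # assumes the upgrade succeeds; the rest is encrypted
        if verb == "USER" and args:
            findings.append((number, "cleartext-username", args[0]))
        elif verb == "PASS" and args:
            secret = " ".join(args)  # a password may contain spaces
            findings.append((number, "cleartext-password", f"{len(secret)} chars exposed"))
        elif verb == "AUTH" and len(args) == 2 and args[0].upper() == "PLAIN":
            # Base64 is an encoding, not encryption: authzid NUL authcid NUL password
            try:
                fields = base64.b64decode(args[1], validate=True).split(b"\0")
            except ValueError:
                continue
            if len(fields) == 3:
                user = fields[1].decode("utf-8", "replace")
                findings.append((number, "cleartext-username", user))
                findings.append((number, "cleartext-password", f"{len(fields[2])} chars exposed"))
    return findings


if __name__ == "__main__":
    sessions = [("USER/PASS", CLEARTEXT_SESSION), ("AUTH PLAIN", SASL_SESSION), ("STLS", STLS_SESSION)]
    for name, session in sessions:
        print(name, audit_pop3_commands(session))
```

Only the single-line form of AUTH PLAIN is handled here; a client that sends the response on a continuation line would need the server side of the exchange as well.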
2

I suppose the SSL is used to encrypt the password

No, SSL is not about encrypting passwords; that is a common misunderstanding. SSL rather establishes an encrypted link between a server and a client, such as a web server (website) and a browser, or a mail server and a mail client.

I once read that all data on the internet is encrypted in some way or the other.

I'm not sure where you read this, but that is also a common misunderstanding. Such points of view date back as far as when famous websites dealing with massive traffic dared to use login forms on an HTTP page, as Facebook used to do.

Not everyone is aware that Facebook at that time was forwarding the login requests over an SSL (HTTPS) channel. So scenarios like this one lead a few people to think that way, even if Facebook no longer manages the login form on an HTTP page (vulnerable to man-in-the-middle attack).

What is possible for a "bad actor" to do in such a scenario?

POP3 is one of the favorite services hackers like to deal with, not only because of its high insecurity, as you may read here: How (in)secure is POP/IMAP/SMTP, and the common but serious vulnerabilities it frequently suffers from, but POP3 insecurity goes further:

It's probably not the security of the login, if they indeed have SSL/TLS enabled. It's probably more an issue of security regarding the e-mail content itself.

POP3 is different than MAPI/IMAP fundamentally because the messages are not retrieved and removed from the server in MAPI/IMAP, but they are with POP3. This means it's easier to lose e-mail in POP3 environments because it gets permanently removed from the server.

  • Interesting bit about Facebook. Does *"forwarding the login requests on an SSL channel"* mean that the password was being sent encrypted and securely despite the login page not having an HTTPS URL? – thanks_in_advance Jul 30 '15 at 15:56