Report Questions Security of Free e-mail Services
The security and reliability of the most popular free e-mail services, including Gmail, Outlook, Yahoo and FastMail, are lacking.
This is according to a recent study conducted by High-Tech Bridge: ‘Can you trust SSL encryption of your e-mail provider?’
While a great deal of e-mail security research already exists, High-Tech Bridge says it focused on the communication channel that e-mail uses.
This is something that was not covered and tested in the past, as the industry only had tools for HTTPS testing, which covered the channel between Web server and browser, the security solutions company says. “We believe that nobody has ever tested SSL on non-HTTPS ports,” it claims.
High-Tech Bridge used its SSL checker service and tested the e-mail services for 31 different criteria, including the most recent SSL/TLS vulnerabilities and weaknesses; tests for compliance with PCI DSS requirements; and tests for compliance with NIST guidelines.
According to High-Tech Bridge, almost all e-mail providers still support the deprecated SSLv3. Meanwhile, last year, the Internet Engineering Task Force declared that SSLv3 must not be used, as it is insecure and threatens the confidentiality of encrypted communication, allowing attacks such as Poodle and Beast. The task force recommended moving to the more secure TLS 1.2.
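The study's point is that the TLS configuration on the mail ports themselves (IMAP, SMTP submission with STARTTLS) matters, not just the webmail HTTPS front end. The following is an added example, not High-Tech Bridge's SSL checker or any provider's code: it probes a mail host's implicit-TLS IMAP port (993) and its STARTTLS SMTP port (587) using only the Python standard library, records the negotiated protocol version and cipher suite, and grades the result against a minimum policy (TLS 1.2 or newer, no obviously weak cipher families). The grading policy and the weak-cipher markers are this example's own assumptions, not the 31 criteria from the report.

```python
"""Audit the TLS a mail provider negotiates on its non-HTTPS ports and grade it.

Added example (not the report's tool). Only the grading is exercised offline;
the probe functions need network access to a mail host you are authorised to test.
"""
import smtplib
import socket
import ssl
import sys
from dataclasses import dataclass, field

# Policy assumptions for this example: the article cites the IETF position that
# SSLv3 must not be used and recommends TLS 1.2, so anything below TLS 1.2 fails.
ACCEPTABLE_VERSIONS = {"TLSv1.2", "TLSv1.3"}
# Cipher-name fragments treated as weak here (RC4, single/triple DES, NULL,
# export-grade and MD5-based suites). This list is the example's own choice.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")


@dataclass
class TlsObservation:
    service: str          # e.g. "IMAPS" or "SMTP+STARTTLS"
    host: str
    port: int
    version: str          # negotiated protocol, e.g. "TLSv1.3"
    cipher: str           # negotiated suite, e.g. "TLS_AES_256_GCM_SHA384"
    error: str = ""       # non-empty when no TLS session could be established
    reasons: list = field(default_factory=list)


def grade(obs: TlsObservation):
    """Return (letter_grade, reasons) for one observed TLS session.

    F: no TLS session, or a protocol below TLS 1.2 was negotiated.
    C: TLS 1.2+ but a weak cipher family was negotiated.
    A: TLS 1.2+ with no weak cipher markers.
    """
    if obs.error:
        return "F", [obs.error]
    reasons = []
    if obs.version not in ACCEPTABLE_VERSIONS:
        reasons.append(f"negotiated {obs.version}; policy requires TLS 1.2 or newer")
    if any(marker in obs.cipher.upper() for marker in WEAK_CIPHER_MARKERS):
        reasons.append(f"weak cipher suite negotiated: {obs.cipher}")
    if not reasons:
        return "A", []
    return ("F" if obs.version not in ACCEPTABLE_VERSIONS else "C"), reasons


def probe_imaps(host: str, port: int = 993, timeout: float = 10.0) -> TlsObservation:
    """Implicit TLS: the socket is wrapped in TLS before any IMAP traffic."""
    ctx = ssl.create_default_context()  # on current Pythons this refuses < TLS 1.2
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return TlsObservation("IMAPS", host, port, tls.version(), tls.cipher()[0])
    except (OSError, ssl.SSLError) as exc:
        return TlsObservation("IMAPS", host, port, "none", "none", error=str(exc))


def probe_smtp_starttls(host: str, port: int = 587, timeout: float = 10.0) -> TlsObservation:
    """Opportunistic TLS: plaintext EHLO first, then upgrade via STARTTLS."""
    ctx = ssl.create_default_context()
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return TlsObservation("SMTP+STARTTLS", host, port, "none", "none",
                                      error="server does not advertise STARTTLS")
            smtp.starttls(context=ctx)   # smtp.sock is now an ssl.SSLSocket
            tls = smtp.sock
            return TlsObservation("SMTP+STARTTLS", host, port, tls.version(), tls.cipher()[0])
    except (OSError, ssl.SSLError, smtplib.SMTPException) as exc:
        return TlsObservation("SMTP+STARTTLS", host, port, "none", "none", error=str(exc))


def audit(host: str):
    """Probe both mail ports and return a list of (observation, grade, reasons)."""
    results = []
    for obs in (probe_imaps(host), probe_smtp_starttls(host)):
        letter, reasons = grade(obs)
        results.append((obs, letter, reasons))
    return results


if __name__ == "__main__":
    # Usage: python tls_mail_audit.py imap-or-smtp.host.example (a host you may test)
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.invalid"
    for obs, letter, reasons in audit(target):
        print(f"{obs.service:14} {obs.host}:{obs.port} -> {letter} "
              f"({obs.version}, {obs.cipher})" + (f" {reasons}" if reasons else ""))
```

Because `ssl.create_default_context()` on current Python releases already refuses to negotiate below TLS 1.2, a server that only offers SSLv3 or TLS 1.0 shows up as a handshake error (graded F) rather than as a downgraded session; to enumerate every protocol a server will accept, the way the report's checker does, each version has to be offered separately from a context with that version pinned, which this example does not do.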
“Poodle is a man-in-the-middle attack that takes control of a router at a public hotspot, forcing your browser to downgrade to SSL 3.0 (an older, outdated form of encryption), which they can then access and exploit to hijack your browser sessions,” Ilia Kolochenko, High-Tech Bridge’s CEO, explains. “Beast is a client-side vulnerability that leverages existing weaknesses to effectively read protected content, using a plaintext attack.”
Previously considered one of the most secure e-mail providers, Hushmail, which describes itself as “a privacy-oriented e-mail service” with “built-in encryption”, has the weakest configuration of SSL/TLS, and scored an ‘F’ in the SSL test, says High-Tech Bridge.
It points out that FastMail has the highest score, an A+, and is the only e-mail service provider that meets PCI DSS compliance requirements for SSL/TLS.
Despite a B+ grade, Gmail has one of the most flexible SSL/TLS configurations compatible with old and outdated e-mail clients, the company reveals.
Based on High-Tech Bridge’s test, Outlook.com does not visibly have a centralised SSL/TLS configuration of its e-mail servers, potentially delaying and over-complicating update processes, and slowing down patch management.
It warns that attackers can exploit weak SSL/TLS configurations to intercept incoming and outgoing e-mails, including attachments.