Is Orange e-mail secure?

From FVue
Jump to: navigation, search

Problem

I'm using Orange (formerly known as Wanadoo) as my Internet Service Provider. I can receive mail on my Orange account via POP (non-SSL) or via webmail (non-https). I'm concerned if this is secure because I've read the passwords are send in cleartext, i.e. not encrypted. This can easily be tested by sniffing my own network using tcpdump: 

# Anybody sniffing the network while you're fetching mail via
# pop/imap (non-ssl), can retrieve your password in cleartext
sudo tcpdump -A -i eth0 -s0 | grep PASS
# Anybody sniffing the network while you're logging into webmail via
# your browser (non-https), can retrieve your password in cleartext
sudo tcpdump -A -i eth0 -s0 | grep LOGIN

It appears my passwords are send in cleartext...

Solution

Do not use your Orange e-mail account for sending secure e-mail. It is not secure: anyone with access to your network traffic can read your (unencrypted) e-mail and your password. It would be secure if Orange would offer SSL with POP3 or HTTP (https), but Orange doesn't.

Encrypt your mail messages. For example via GnuPG.

Journal

20071230

Interception of files with tcpdump
Network monitoring with tcpdump, tcpflow and foremost

Investigating my traffic while receiving mail: 

$ sudo tcpdump -A -i eth0 -s0 | grep PASS
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
...PASS ...
...PASS ...

My passwords are revealed in cleartext! So my conclusion is that anyone who is sniffing my TCP packets can read my passwords. So POP3 is not secure...

Let's try to connect to pop.orange.nl using SSL: 

$ fetchmail -p POP3 -u yourname pop.orange.nl  # First try without ssl
Enter password for yourname@pop.orange.nl: 
fetchmail: No mail for yourname at pop.orange.nl
$ fetchmail -p POP3 --ssl -u yourname pop.orange.nl  # Second try with ssl
Enter password for yourname@pop.orange.nl: 
fetchmail: connection to pop.orange.nl:pop3s [80.12.242.66/995] failed: Connection timed out.
fetchmail: timeout after 300 seconds waiting to connect to server pop.orange.nl.
fetchmail: socket error while fetching from yourname@pop.orange.nl
fetchmail: Query status=2 (SOCKET)
Externe SMTP Server niet te bereiken
Forum thread about Orange mail problems in general and SMTP problems in particular. Dutch.

Comments

blog comments powered by Disqus

Retrieved from "https://fvue.nl/w/index.php?title=Is_Orange_e-mail_secure%3F&oldid=10667"