Password Secure?

Are my passwords secure if I connect using my laptop over wi-fi in a hotel?

Reply to
RZ

On Thu, 29 Jun 2006 18:48:50 -0400, RZ wrote:

In a word, no. Most hotel Wi-Fi is wide open. WEP is easily cracked. For any real security, you need a secure connection over the Internet to the remote site; e.g., https connection. Or use a VPN service.

Reply to
John Navas

Depends. If you use HTTPS sites for email and banking you are pretty safe. Email programs like Outlook Express or Outlook are not safe as they transmit your password in the clear. The web-based email app Yahoo Mail claims to be secure, but the site itself is not https. Makes me suspicious.

Reply to
DanR

It's possible to use secure POP and IMAP. Not all services support this.

If you're connecting to POP and IMAP on ports 110 or 143 then it's not secure.

So no, it's not safe to use services with passwords unless you're SURE the connection is using some form of encryption. Otherwise anyone else on the link can sniff your username and password out VERY, VERY easily.

I use a VPN back to the office. That way all my traffic is tunneled through it and is encrypted. I still use secured services but using a VPN makes it doubly secure.

-Bill Kearney

Reply to
Bill Kearney

Not true. Most servers these days do TLS over the standard ports. My mail/news program correctly negotiates TLS with any server that advertises it. I don't know if OE would, these days.

That I'll agree with - it isn't a simple matter to verify that traffic on the standard ports is using TLS.

Reply to
Derek Broughton

Interesting to know, I didn't really give TLS over standard ports consideration. This, however, assumes they'll be using a recent vintage of mail server. I've no idea how many servers out there aren't recent enough, or configured properly, to do TLS in this manner. So while it may well be incorrect to assume use of plain ports as insecure, it's at least a rule of thumb worth considering.

Indeed, it would be handy to have a way to easily verify the availability of TLS on the server and actual USE by the client. Meanwhile I'll stick with using secure port numbers as my primary guide.

-Bill Kearney

Reply to
Bill Kearney

On Fri, 30 Jun 2006 08:25:17 -0300, Derek Broughton wrote:

Depending on the email client, it may be possible to ensure that only TLS connections will be made. Mozilla Thunderbird is one such client.

Reply to
John Navas

On Fri, 30 Jun 2006 07:55:35 -0400, "Bill Kearney" wrote:

Mozilla Thunderbird provides the following secure connection options:

  • Never
  • TLS, if available
  • TLS
  • SSL

By selecting TLS or SSL, you can ensure that all connections are secure.

Otherwise, I always configure it for TLS if available rather than Never.

Given that free Gmail (Google Mail) supports TLS, I strongly advise people to never use any service that lacks support for TLS.

Reply to
John Navas
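
The thread's two open questions, whether a server on the plain POP/IMAP ports offers TLS and what each Thunderbird setting then does with the password, can be checked together. The following is an added example, not code from any poster in this thread: the server responses are constructed samples, and the outcome modelled for each setting is an assumption based on the option names listed above (with "SSL" assumed to mean a dedicated TLS port such as 993 or 995).

```python
# Added example. The server responses below are constructed samples, not captures.
IMAP_TLS = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"
IMAP_PLAIN = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"
POP3_TLS = "+OK Capability list follows\r\nUSER\r\nSTLS\r\nUIDL\r\n."
POP3_PLAIN = "+OK Capability list follows\r\nUSER\r\nUIDL\r\n."

POLICIES = ("Never", "TLS, if available", "TLS", "SSL")


def advertises_tls(protocol, response):
    """True if a plaintext-port capability response offers a TLS upgrade."""
    lines = [ln.strip().upper() for ln in response.splitlines() if ln.strip()]
    if protocol == "imap":  # port 143: STARTTLS token in the CAPABILITY data
        for ln in lines:
            tokens = ln.replace("[", " ").replace("]", " ").split()
            if tokens[:1] == ["*"] and "CAPABILITY" in tokens:
                return "STARTTLS" in tokens[tokens.index("CAPABILITY") + 1:]
        return False
    if protocol == "pop3":  # port 110: STLS line in the CAPA listing
        return bool(lines) and lines[0].startswith("+OK") and "STLS" in lines[1:]
    raise ValueError("unknown protocol: " + protocol)


def login_outcome(policy, tls_offered):
    """What happens to the password under one client setting (assumed model)."""
    if policy == "SSL":      # TLS from the first byte on a dedicated port
        return "encrypted"
    if policy == "Never":
        return "cleartext"
    if policy == "TLS":      # upgrade is mandatory; no upgrade, no login
        return "encrypted" if tls_offered else "refused"
    if policy == "TLS, if available":
        # Decided by a capability line read before any encryption exists,
        # so a missing STARTTLS/STLS silently means a cleartext login.
        return "encrypted" if tls_offered else "cleartext"
    raise ValueError("unknown policy: " + policy)


def audit(protocol, response):
    """Map each client setting to its outcome for this server response."""
    offered = advertises_tls(protocol, response)
    return {p: login_outcome(p, offered) for p in POLICIES}


if __name__ == "__main__":
    for name, proto, resp in (("imap+tls", "imap", IMAP_TLS),
                              ("pop3 plain", "pop3", POP3_PLAIN)):
        print(name, audit(proto, resp))
```

Only the "TLS" and "SSL" settings never yield a cleartext login in this model; "TLS, if available" matches them only while the server's capability response actually lists STARTTLS or STLS.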
