Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

A simple method for securing email Internet
I plan on spending more time with my PowerBook in cafes and other offices over the summer to beat the heat. One thing always worried me, though. As you know, normal email clients send your email account name and password in "plain text," so if there is some bad guy next to you at the cafe, then he can scoop it up using a sniffer app.

Well, the best solution is to use SSL or POPS or other secure forms of email communication so that your account name and password will be encrypted. The problem is that my ISP (verizon.net) does not have secure email. I've had this email for years, so it's not possible for me to drop it and start over with something like gmail, which does support SSL, so I looked around for another solution. What I came up with is simple and perhaps obvious, but it works great.

Most of the suggestions I found say to use a SSH tunnel or some such, which you still need a server for. Forget that. Way too complicated for me. Here's my little trick, assuming you have at least one SSL-enabled email account somewhere (which is not your main account).

My Verizon account lets me forward all my email to another address. I am a .mac subscriber (which DOES SSL email) so i forward my verizon email (which is an insecure account) to my .mac account (which is secure). I then "de-enabled" my Verizon account in Apple Mail, and now do all my mail off of .Mac using the Apple Mail client. Secure. and yet another reason to keep my .Mac account.
    •    
  • Currently 3.25 / 5
  You rated: 3 / 5 (4 votes cast)
 
[13,325 views]  

A simple method for securing email | 28 comments | Create New Account
Click here to return to the 'A simple method for securing email' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
A simple method for securing email
Authored by: Teeluca on Jun 30, '05 11:03:51AM

This would be more useful if .Mac allowed you to change the return address used on email. The last I checked, you can use .Mac to collect all of your email securely but you still have to send email through your old servers. All email going out through .Mac servers must have a @mac.com return address.



[ Reply to This | # ]
.Mac does ssl?
Authored by: sjonke on Jun 30, '05 11:17:35AM

I have .Mac and use email with it, but if in Mail.app I check the "Use ssl" checkbox (Advanced tab), then I just get an error on the account saying the connection on port 993 was refused. If I uncheck it, it works. Does ssl really work for others with .Mac? If so, what am I doing wrong?

---
--- What?



[ Reply to This | # ]
.Mac does ssl?
Authored by: joey03 on Jun 30, '05 11:22:06AM

You're right. SSL only works for SMTP (sending mail) on .Mac, but not for POP (receiving mail).



[ Reply to This | # ]
.Mac does ssl?
Authored by: diamondsw on Jun 30, '05 03:33:29PM

dot-Mac and SSL works just fine for both POP and SMTP here, using default settings.



[ Reply to This | # ]
No SSL for IMAP
Authored by: extra88 on Jun 30, '05 10:30:48PM
The hint is in the error. You're using IMAP (yay!) and port 993 is for IMAP over SSL. Apparently .Mac supports using SSL with POP but not IMAP (boo!).

[ Reply to This | # ]
No SSL for IMAP
Authored by: tehpeh on Jun 30, '05 11:09:52PM

Strange. .Mac IMAP with SSL works for me.



[ Reply to This | # ]
Use google mail
Authored by: atverd on Jun 30, '05 01:20:51PM

Guys, just get yourself a gmail account - it's free, has 2 gig of space, SSLed smtp/pop3 and will archive all incoming/outgoing mail automatically as a side effect. Why to use those lame services which don't even provide fully protected access?



[ Reply to This | # ]
Use google mail
Authored by: kikjou on Jun 30, '05 04:33:47PM

There is no such thing as a free meal. Your communication with Gmail may be safe, but the data you put there are not. If you, like me, do most of your communication via email, your entire life will be there for Google to mine. If you have exhibitionistic tendencies, go for it. Unfortunately, you also drag all people you communicate with into this. Google is the only free email service provider that explicitly states that they will mine your data. I myself use a small community-owned internet service provider who I know and trust. My service may not have SSL, but at least it respects my privacy.



[ Reply to This | # ]
Use google mail
Authored by: Blah on Jun 30, '05 07:52:33PM
Thank goodness somebody gets it! "Public" servers, for mail, IM, etc., are exactly that: public. Every time you use one of these servers you are giving information to a 3rd party about one of your "friends", typically without their permission.

Would you walk into a Walmart or Starbucks and fill out someone else's personal information and post it on the bulletin board? For any purpose? When you send email with personal information (what that consists of is up to each person to decide!), especially from a public server, you're infringing on the other party's privacy. How rude.

Obviously the public servers serve a purpose, but people use them willy-nilly for any old thing, and all that information gets stored and mined (by most providers, not just gmail). You think your IM conversations aren't saved in some huge archives? You don't care? How about all the people you IM and email? Did you bother to ask?

And "services" (purposely in quotes) like Plaxo are just plain evil. They encourage you to put other people's personal information into their databases and (last I checked) don't provide any way to remove it - ever. Wonder what they do with all that info....

Bottom line: ALWAYS ASK IN ADVANCE before you put anyone ELSE'S information online. That goes for .mac servers too. Do you have your address book online or backed up online? Is it encrypted? Did you ask every single person in it if they wanted their personal information made available to other party(s)?

Grrr, better stop before I start frothing.... :-)

There is no such thing as a free meal. Your communication with Gmail may be safe, but the data you put there are not. If you, like me, do most of your communication via email, your entire life will be there for Google to mine. If you have exhibitionistic tendencies, go for it.

Unfortunately, you also drag all people you communicate with into this. Google is the only free email service provider that explicitly states that they will mine your data. I myself use a small community-owned internet service provider who I know and trust. My service may not have SSL, but at least it respects my privacy.


[ Reply to This | # ]
Use google mail
Authored by: friedguy on Jun 30, '05 10:17:35PM

I guess my stupid question is: what are they going to do with that information? I understand where you are coming from and what you are saying, but have you ever been contacted by a email server because you sent to email to someone who uses there "services"? I sure haven't and I highly doubt that google is going there every email just to find information to exploit. I really wouldn't be too worried about this.

I could, however, be missing your point. For the moment I just don't feel your concern.



[ Reply to This | # ]
Use google mail
Authored by: kchrist on Jul 01, '05 08:15:43AM

My service may not have SSL, but at least it respects my privacy.

Actually, I'd argue that by not providing secure services, they do not respect your privacy (or security!).

SSL/TLS for mail services (whether POP3, IMAP, or SMTP) is standard now -- required, in fact, if you're going to be using public wireless networks. If your ISP doesn't provide it, complain until they do or take your business elsewhere.



[ Reply to This | # ]
Use google mail
Authored by: atverd on Jul 01, '05 02:37:22PM

This is a big fat illusion that you can protect your privacy on Internet. Measures to protect it even in some basic manner would involve anonymous accounts, heavy encryption on different levels, untraceable IPs and rather strong expertise in the area. In fact you are putting yourself in more vulnerable position by thinking that you privacy is protected by some good guys whom you "trust", because in this case you cannot trust anyone and actually you just proved this by saying that they don't have SSL on their service (this means that they are at least incompetent in security and privacy protection). So believe it or not - gmail is "ok" alternative now and unless you do some really nasty stuff you are reasonably safe with them.



[ Reply to This | # ]
Use google mail
Authored by: ibalbin on Jun 30, '05 09:48:06PM

This doesn't work when your corporate network doesn't let you connect
to google mail

I haven't seen a way to bypass that.



[ Reply to This | # ]
Use google mail
Authored by: chjabu on Jun 30, '05 11:00:24PM

I've not been able to figure out how to get a gmail addy.
I know there were invites sent out, but I don't know anybody that got an invite, either.
How does an outsider get in?
Thx.



[ Reply to This | # ]
Gmail invitations Galore
Authored by: DC Watts on Jul 24, '05 08:16:57PM
Check here.

[ Reply to This | # ]
Use google mail
Authored by: revolution1965 on Nov 28, '05 01:35:34PM

A bit off topic but I have 99 free invites if anyone wants one. Just let me know!



[ Reply to This | # ]
A simple method for securing email
Authored by: innate on Jun 30, '05 01:52:13PM

Fortunately Mail supports APOP, so even if you're not using SSL your POP3 password will not be sent in the clear unless you're using one of the few mail servers (cough, Microsoft Exchange, cough) that doesn't support APOP.

But APOP doesn't protect your SMTP password.

So this tip is still useful, and I agree with a previous poster that a Gmail account makes even more sense than a .Mac account.



[ Reply to This | # ]
A simple method for securing email
Authored by: xternal on Jun 30, '05 01:58:37PM

I can't recommend a paid IMAP service enough. Gmail is great, but, I prefer having access to my mail via mail clients on both my laptop and desktop. fastmail.fm has usable services ranging from $20-40 annually. They offer encrypted IMAP and SMTP services. I don't mind paying it at all. Also, most people with shared hosting websites already have access to services like this, so check with your hosting provider.

Having spotlight access to my email is well worth it.



[ Reply to This | # ]
A simple method for securing email
Authored by: Dennis Groves on Jun 30, '05 03:52:05PM
Again, Gmail is the better option, it is free, you get 2gigs of storage and it is secure. Further more, you can use mail.app to both send and recieve gmail securly so you get all the spotlight benifits. You can ever use gmail from your Treo650 like I do or a blackberry:
 http://mail.google.com/support/bin/answer.py?ctx=gmail&hl=en&answer=12103 
Additionally you get "google" benefits when you for some reason do not even have your own machine, because all of your email is accessable to you online via web browser, for you to use securely.

[ Reply to This | # ]
A simple method for securing email
Authored by: xternal on Jun 30, '05 07:18:44PM

Not trying to knock it for all setups, it's just not _always_ better. I use both my laptop and desktop for mail. I want to use the mail.app client in both locations. POP3 in this situation is not a valid option. I don't mean to sound snippy, but, how would you suggest someone keep their mail state on two machines sans webmail? Many people I know prefer an email client over webmail as well. And since you mentioned access via a cellular device, I should point out that many email capable phones support IMAP as well (including the Treo650). If you manipulate your email on the phone, your laptop, desktop, and webmail will all be in sync.

Also, most IMAP providers also grant access to the IMAP folders via secure web access.

If the most important consideration in setting up your email is cost, Gmail is always better. However, in other regards, it is not.



[ Reply to This | # ]
A simple method for securing email
Authored by: rotaiv on Jul 01, '05 06:42:46AM

I have four machines all checking the same mailboxes via POP. I simply have three of the clients configured to "leave mail on server".

I then configured the client on my main desktop (where all my mail is archived) to delete mail after 2 weeks. This gives the other three machines enough time to download their copy of the mail before it is deleted by my desktop.



[ Reply to This | # ]
A simple method for securing email
Authored by: xternal on Jul 05, '05 07:06:42PM

Your original mail content starts the same across the systems. The state however, is not the same. If you move a message from folder A to B on machine A, systems B,C,and D are unaffected. The _state_ of your mail is not in sync across the machines, it is nearly there.



[ Reply to This | # ]
A simple method for securing email
Authored by: david-bo on Jul 02, '05 06:12:44PM

Not a hint, indeed not a hint. This so called hint is spam, nothing else.

---
http://www.google.com/search?as_q=%22Authored+by%3A+david-bo%22&num=10&hl=en&ie=ISO-8859-1&btnG=



[ Reply to This | # ]
A simple method for securing email
Authored by: chrispar64 on Jul 05, '05 05:04:40AM

If I am wrong in my understanding them please let me know...

BUT

I believe the following to be true...

ServerA is the secure server, for sending
ServerB is you None secure account

You send a mail via the secure serverA with a forward to the non secure ServerB.

Well, if I am correct, this then becomes a NONE secure mail transfer.

Reason, if two servers talk witheach other, then they MUST speak the same language, thus in this scenario, one asks the other if they speak secure, the other says NO. The Secure server NOW drops the secure and sends a standard mail, in Cleartext. This is HOW mail works.

However to truely secure the mail you need to use some form of Encryption, OR Certificate.

Anyhow it is more safe than NOTHING right.

Please beware that if any point of the mail route is Unsecure the mail int he described method, become Unsecure.

But my understanding could be wrong.
Chris



[ Reply to This | # ]
A simple method for securing email
Authored by: PeteVerdon on Jul 24, '05 11:20:54AM

Your understanding is totally wrong. The hint is not about sending email, it's about receiving it. Also, it's not an attempt at end-to-end secure email, merely to avoid broadcasting user details over a public wireless network, to which anyone can listen (like on older ethernets with hubs instead of switches).

Pete



[ Reply to This | # ]
Another simple method for securing email
Authored by: bgleason on Jul 05, '05 09:44:35AM

Another way to avoid having unencrypted usernames and passwords on the airwaves is to check your e-mail via a service like mail2web. You can use the service (and I'm sure there are others like it) to check most e-mail accounts. Make sure to click "secure login." For example, I've used it for checking both Verizon and GMail.

Sure, your e-mail is still going through a third party, and you probably can't trust Verizon or Google anyway, but at least you're not broadcasting your username and password unencrypted to everyone in the cafe...



[ Reply to This | # ]
A simple method for securing email
Authored by: edcroteau on Nov 27, '05 12:42:55AM

Has anyone looked into this recently ? You can't seem to get SSL email easily. Also, you can't use the .Mac account servers with a non @mac.com email address (for the FROM and REPLY TO fields), so the sometimes working SSL connections via .Mac aren't viable if you want to use other email addresses.

It looks like the mail2web.com method is the easiest way to be safe on wireless networks. Any thoughts ?

Why isn't SSL email the default ? It seems crazy.

Ed



[ Reply to This | # ]
A simple method for securing email
Authored by: edcroteau on Nov 28, '05 12:47:35PM

I think that I've cobbled together a solution to the secure email (SSL) problem of .Mac accounts requiring a "@mac.com" FROM address. This is from the many posts in several discussion areas on secure email - thanks!

1. I forward my ISP (main) account to my .Mac address
2. I then use my .Mac account for SSL retrieval of mail in IMAP mode (default) - this allows me to sync my two desktops and laptop using Mail.app as well as universal web access all to the same Inbox and saved mail folders
3. Then I set up a free Google GMail account. I use the mac.com server for retrieval but then set the smtp (sending) account to smtp.gmail.com which supports both SSL and using my preferred non @mac.com email address for FROM and REPLY TO
4. I set the SSL flags for both receiving and sending mail in the accounts tab of preferences
5. For WEB access, I just go to mac.com and login

So after all of that, does anyone have the answers to these questions :

1. Am I really getting SSL secure email from .Mac while retrieving ?
2. Am I really getting SSL secure email from GMail while sending ?
3. Are my passwords and usernames being sent securely ?
4. Does the mac.com web access do SSL after all by default ?
5. Why is it not easier to get SSL email, shouldn't it be standard ?

Thanks,

Ed



[ Reply to This | # ]