Everything In Between

If your project so much as pretends to have a profit motive, I will tell you to go fuck yourself and your project.

A Conversation About Email Security with Road Runner

13 comments

Yesterday I was having a bunch of fun playing with SSH tunnels. While I was at it, I glanced over at Thunderbird when it beeped at me, signifying I had new mail. That’s when I realized that I hadn’t yet taken the time to secure any POP3 or SMTP traffic travelling from my local machines. While I was having all this fun with various SSH shenanigans, I had completely forgotten about one of the simplest things I could do to secure my account: running POP3 and SMTP over SSL, aka POP3S and SMTPS (or SSMTP).

Enabling this kind of connection for my own server was no problem at all. Actually, my web hosting provider is smart enough to offer these services right off the bat, so it was merely a matter of confirming their existence.

telnet my-domain.com pop3s

However, I also have a Road Runner account because those folks are my home ISP. Unsure whether or not they offered these services, I scoured their online help pages but no avail. There was only scant information on security, and most of it had to do with how to block pop up windows in Internet Explorer (a futile excersize anyway).

So I turned next to their online chat support. In order to connect, they required that I fill out my full name and email address in a form (which was not itself secured with HTTPS by the way). Here’s a transcript of my conversation with their representative.

Mike S.: Thank you for choosing Road Runner Technical Chat. My name is Mike S.. May we have the first and last name, and the phone number with the area code of the master account holder?

Meitar: Believe I just gave that to you, but sure: Meitar Mxxxxxx (xxx) xxx-xxxx

Mike S.: Thank you, and with whom am I speaking currently?

Meitar: That’s me. Meitar.

Mike S.: Thank you, what technical issue may we assist you with?

Meitar: I’m wondering if you support pop3s (or POPs) for email?

Mike S.: What is it that you are attempting to do?

Meitar: Use it. If it’s available, I’d much rather retrieve my email via an SSL-secured connection than a plaintext one.

Mike S.: If you are trying to connect to a POP3, then that is fine. If you are attempting to setup a POP3 server on your home connection, this would not be supported, and in fact against the Road Runner Terms of Service Agreement.

Meitar: Nonono, I’m not trying to set up a server, I just want to know if *you* support the protocol.

Meitar: That way I can hit that “Use SSL” checkbox in my Mail program.

Mike S.: If you are connecting to the Road Runner POP3 e-mail server to receive your e-mail messages, you will not be able to set it to SSL. If you are using another POP3 server to receive e-mail from another account, you will have to contact the provider of that POP3 server.

Meitar: So you *don’t* use it, right? I’m connecting to the pop-server.nyc.rr.com machine, whichever that is, for my Road Runner email, in case that helps any.

Mike S.: I am sorry, but I do not understand what it is that you are asking of me. That is the correct POP3 server for the Road Runner e-mail accounts.

Meitar: I’d like to know if my computer can still talk to yours if I tell it to speak POP3S rather than plain-old POP3. I want to know this so that I can set up my mail programs to “use SSL” if your server supports it. As I said before, I’d much rather use an SSL connection than not because I frequently check my mail from hotspots around the city.

Mike S.: As I mentioned, you are not able to “use SSL” for the Road Runner e-mail server.

Meitar: Okay. That’s what I wanted to know. :) As an alternative, do I have access to an SSH account along with my subscription to Road Runner?

Mike S.: Unforunately we do not offer such a service at this time.

Meitar: Hm. Drat…. Well, thanks anyway Mike. Hopefully Road Runner will soon offer secure email alternatives for their customers. :) Have a great rest-of-the-day.

Mike S.: You are very welcome! Have a great day!

Mike S.: If you have no further issues that we can assist you with, you may end the chat session by clicking on the Hang Up button and a chat transcript will be displayed for you. Once again thank you for choosing Road Runner!

In an ongoing effort to continue improving our quality of service, we are conducting a customer survey. If you would like to participate, please copy and paste the following link into your browser: http://help.rr.com/html/chatsurvey.html .

Mike S. Has Disconnected

I couldn’t help but be so nice because he really made me laugh.

Written by Meitar

September 28th, 2004 at 3:09 am

Posted in Security & Privacy

13 Responses to 'A Conversation About Email Security with Road Runner'

Subscribe to comments with RSS or TrackBack to 'A Conversation About Email Security with Road Runner'.

  1. [...] n huge ISPs still don’t offer POP3S or SMTPS support these days. (Remember my little

  2. Even if Roadrunner offered https: you could not connect to it using Microsoft Outlook. You would have to use IE/Firefox/etc… unless you were connecting to Microsoft Exchange. http://www.itd.umich.edu/itcsdocs/s4326/

    geek

    10 Feb 06 at 10:03 AM

  3. Hi there. Yes, it is really pethatid that such ISP do not support SSL and SPA connections. most of the ISPs such as SBC, Yahoo! Business Accounts, Road runnit (you know that very well), hotmail, etc. do not suppor tthis feature. It is that they live in primtive time and even local mail service provider do support these features but they do not.

    joe

    24 Mar 06 at 11:54 PM

  4. over 3 years later and roadrunner still does not support SSL :(

    This seems like pretty basic security these days.. pretty sad they do not offer it.

    Kevin

    3 Nov 09 at 8:09 PM

  5. you may also try and check out opolis secure mail (http://www.opolis.eu)
    opolis offers free encrypted point-to-point email transfers, whereby the sender also decides what the recipient is actually allowed to do with a message (copy, print, forward ….)

    opolis

    31 Jul 10 at 11:24 AM

  6. What a joke I just got off the phone with someone from road runner who in his futile attemps to help me with the same problem eventually referred me to microsoft. My problem still isn’t fixed, what a joke. I don’t think either one of these people I talked to had any idea of what I was talking about. I want my e-mail secure for gods sake.

    Jim

    2 Dec 10 at 7:07 PM

  7. Update as of today October, 22 2011 – they still don’t provide SSL. (I just got off one of their not-so-friendly chat sessions).

    Here we are, seven years down the road, and they’re still treating security like it’s a 1996 issue! Clear text for authentication is not acceptable any more. It would be to their benefit to enable SSL – mandating it, along with the use of a moderately strong password, would help.

    We have a proliferation of iPhones and mobile devices. All it takes is one open connection to a wifi network at a coffee shop or fast food place and someone has your account info.

    Shame on Time Warner Cable / Brighthouse. This is completely unacceptable.

    JT

    22 Oct 11 at 3:11 PM

  8. Lack of SSL makes Roadrunner email almost useless for me. Time to look for something else.

    Boris

    24 Oct 11 at 2:52 PM

  9. 8 years later and RR still does not have secure email.

    mwc

    9 Jan 12 at 8:34 AM

  10. If you’re using cable internet, the connection from the cable modem to the server at Time Warner should be encrypted already; am I right? (At least I think all traffic between the cable modem and Time Warner is *supposed* to be encrypted.) Wouldn’t the SSL selection only improve the security of the connection over the network (or single wire in most cases) between your PC and the cable modem? Between Time Warner and your sender/recipient’s email provider, I assume the data would be sent unencrypted? I generally assume all email to be insecure. Still, it would be nice if Time Warner were willing to take baby steps toward better security.

    David

    22 Sep 12 at 1:05 PM

  11. If you’re using cable internet, the connection from the cable modem to the server at Time Warner should be encrypted already; am I right? (At least I think all traffic between the cable modem and Time Warner is *supposed* to be encrypted.)

    What gave you the idea that this is happening, David? As far as I can tell, it is not, and never was. An ethernet Internet connection (like a cable modem) is not encrypted by default from terminal to service provider, like a cell phone signal is.

    Meitar

    18 Oct 12 at 10:35 AM

  12. Can someone tell a technically challenged person If my TWC RR account is more secure now…Jan 2013. I also have access to an iCloud account. I would sincerely appreciate anyone’s help on this one.
    Thank you

    CJ

    21 Jan 13 at 12:20 PM

  13. Well, as of today–9 March ’13–the answer is still no. This is simply unacceptable. Sadly, TW is a monopoly where I live, so I have no choice. I have tried to bring this up as an issue but, like most big corporations, TW makes it impossible to actually reach anybody. Chatting or submitting support requests is a waste of time. (I did the online chat thing with someone today and he proved he was an idiot in record time.)
    Grrrrrrrr.

    Jason

    9 Mar 13 at 2:54 PM

Leave a Reply

To skip the moderation queue, enter the BitCoin address from which you will send BTC