A new report revealed that over three million POP3 and IMAP mail servers lack TLS encryption and are susceptible to network sniffing attacks.
The affected services are the two protocols that mail clients use to retrieve email from a server. IMAP is recommended for checking email from several devices, such as phones and laptops, because it keeps messages on the server and syncs them across devices.
POP3, by contrast, downloads messages from the server so that they are available only on the device that fetched them.
On the affected hosts, neither service is protected by TLS, the protocol that secures users' data while client applications exchange and retrieve email over the Internet.
When TLS is not enabled, both the session contents and the login credentials travel in clear text, leaving them open to eavesdropping and further abuse.
Given how many hosts are affected, network sniffing is a widespread threat.
According to investigations, around 3.3 million hosts operate POP3/IMAP services without TLS encryption enabled. This lack of security features could expose usernames and passwords in plain text when communicated over the Internet.
The researchers have already notified mail server admins that their POP3/IMAP servers do not support TLS, exposing unencrypted usernames and passwords to sniffing attacks. A network sniffer could capture those passwords and use them to access the mailbox, and the exposed server could also be subjected to brute-force attacks.
Hence, an admin who receives this report should immediately enable TLS support for IMAP and decide whether the service should remain publicly reachable at all or be moved behind a VPN.
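As an added example (not part of the report or the article), the following script lets an admin audit their own hosts for the condition described above: it connects to the cleartext IMAP and POP3 ports, reads the advertised capabilities, and classifies whether a client can upgrade to TLS before sending credentials. It uses only Python's standard library; the hostname in the `__main__` block is a placeholder.

```python
"""Audit whether a mail host's cleartext IMAP/POP3 ports can be upgraded to TLS.

assess_imap/assess_pop3 decide from capability lists (testable offline);
audit_host fetches those lists live. Nothing here ever sends a username
or password. The hostname used in main() is a placeholder.
"""
import imaplib
import poplib


def assess_imap(capabilities) -> str:
    """Classify an IMAP server from its CAPABILITY tokens (bytes or str)."""
    caps = {c.decode() if isinstance(c, bytes) else c for c in capabilities}
    caps = {c.upper() for c in caps}
    if "STARTTLS" in caps:
        return "starttls-available"       # clients can upgrade before LOGIN
    if "LOGINDISABLED" in caps:
        return "cleartext-login-refused"  # no TLS, but no credentials in the clear either
    return "credentials-exposed"          # LOGIN accepted in plaintext: sniffable


def assess_pop3(capa) -> str:
    """Classify a POP3 server from its CAPA response (poplib dict or list of names)."""
    names = {k.upper() for k in capa}
    if "STLS" in names:
        return "stls-available"           # clients can upgrade before USER/PASS
    return "credentials-exposed"          # USER/PASS would travel in clear text


def audit_host(host: str, timeout: float = 5.0) -> dict:
    """Connect to the standard cleartext ports (143 IMAP, 110 POP3) and classify each."""
    result = {}
    try:
        imap = imaplib.IMAP4(host, 143, timeout=timeout)
        result["imap"] = assess_imap(imap.capabilities)  # parsed from the CAPABILITY reply
        imap.logout()
    except (OSError, imaplib.IMAP4.error) as exc:
        result["imap"] = f"unreachable: {exc}"
    try:
        pop = poplib.POP3(host, 110, timeout=timeout)
        result["pop3"] = assess_pop3(pop.capa())  # dict of capability name -> args
        pop.quit()
    except (OSError, poplib.error_proto) as exc:
        result["pop3"] = f"unreachable: {exc}"
    return result


if __name__ == "__main__":
    # Placeholder host; run this only against servers you administer.
    print(audit_host("mail.example.invalid"))
```

A "credentials-exposed" verdict on port 143 or 110 is the condition the report describes; the fix is to enable STARTTLS/STLS on those ports (or close them in favour of the implicit-TLS ports 993 and 995) and, where the server supports it, advertise LOGINDISABLED until TLS is negotiated.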
The original TLS 1.0 specification and its successor, TLS 1.1, have been used by most admins for nearly 20 years. After significant deliberations and the creation of 28 protocol drafts, the Internet Engineering Task Force (IETF) ratified TLS 1.3, the next primary version of the TLS protocol, in March 2018.
In an October 2018 joint release, Microsoft, Google, Apple, and Mozilla stated that the insecure TLS 1.0 and TLS 1.1 protocols would be retired in the first half of 2020. In August 2020, Microsoft enabled TLS 1.3 by default in the latest Windows 10 Insider versions.
