Frontier has been sending messages to its customers saying that the company has noticed their use of “a lower security sign-in that is sometimes used in third-party mail applications such as Outlook, IncrediMail, MacMail, Mozilla Thunderbird and others.”
The message is somewhat vague and misleading. It gives the impression that these “third-party” tools don’t encrypt credentials.
What is going on?
Frontier and many other ISPs use Yahoo for their email. Yahoo prefers for customers to access their mail via web browsers. However, web mail has a number of security problems including increased risk of phishing.
Of course, Yahoo has had spectacular security problems of its own recently, with the largest breach in history and other gigantic ones. Attackers stole over one billion user accounts in August 2013. Yahoo only noticed this over three years later in November 2016. Meanwhile, other attackers stole over 500 million accounts in late 2014. Yahoo described it as a “state-sponsored attack”, but researchers determined that a criminal organization stole the accounts and then sold them to an eastern European government. Then, other criminals offered to sell another 200 million accounts in August 2016. We talk about large breaches in Learning Tree’s System and Network Security Introduction course. They just keep happening, it’s hard to keep up with the news!
If they can’t convince you to use web mail, then Yahoo wants you to use a tool that supports OAuth. I wrote about OAuth some time ago. It has several security issues, and the standard’s former leader famously resigned from the project.
OAuth’s benefit, it seems to me, is to enable more data collection of user activity across multiple platforms. Let’s say that shared OAauth identity ties your Yahoo email identity to your Facebook activity and possibly to other social media platforms. Just imagine how much more money those companies could now make selling your personal activity to advertisers.
So, OAuth may help something, but it isn’t user privacy. To me this is another big problem with web mail.
You can use OAuth with Thunderbird, as long as you use IMAP for your network protocol. Unfortunately, Frontier tells you that POP is the only choice! That’s not true, we can do this.
If you define a new account within Thunderbird, it queries the Mozilla database for details and then offers both POP/S and IMAP/S configurations for Frontier.
Simply select IMAP if you are setting up a new account definition. It should use TCP port 993 and the server imap.frontier.com.
If you are already using POP/S, then the fix is to define a new identity within Thunderbird and transition to that. Mozilla provides a step-by-step procedure.
First, disable the POP/S identity: Edit > Account Settings > Server settings. Un-check the options for checking for new messages at startup and every so often.
Now create a new identity: File > New > Existing account. Specify your name, your email address, and enter your password. If you have a complex one stored within Thunderbird, as I do, you may have to open the KeePassX tool I recommended. Then, select IMAP/S.
Once you have set up IMAP, specify OAuth: Edit > Account Settings > Server settings. Under the “Authentication method” pull-down select OAuth2, and for “Connection security” keep SSL/TLS.
Test the new identity and verify that you can send and receive mail with it. Then drag all your folders from the original POP identity to the IMAP one. That is, if you want to upload them to the server.
Once it’s working, you can delete the POP/S identity.
Frontier has a procedure to generate an “application-specific” password. It’s not specific to any one application!
It’s really an automatically generated complex password with 16 lower-case letters. This is pretty secure if it’s randomly generated. As I’ve written, randomness is crucial, but surprisingly difficult. This password should be roughly equivalent to a random 75-bit key, because 2616 is a little larger than 275:
$ bc -l 26^16 43608742899428874059776 (26^16)/(2^75) 1.15431381325494630991 (26^16)/(2^76) .57715690662747315495
Migrate your Yahoo-hosted email from POP/S to IMAP/S, staying on Thunderbird and avoiding web mail. The security is based on the complexity of your password plus the TLS wrapper around your traffic. It uses IMAP to retrieve messages and SMTP to send. Use KeePassX to generate and store a secure password. OAuth is involved, but it will be much less privacy-violating than if you used web mail.
Do the “application-specific password” if you need a quick workaround.
Finally, if you’re concerned about email security, look into alternatives to Yahoo-hosted mail services.