I was reminded of some cloud security issues recently while helping family restore their e-mail connectivity.
Where they live, Frontier is pretty much the only practical choice for landline phones plus high-speed Internet. Their performance is quite good, and I have found them to have the most technically savvy customer service of any major provider I’ve had to call.
If you use the web-browser-based interface, you use login.frontier.com. If you are using something like Thunderbird, then you download from imap.frontier.com depending on your protocol of choice, and for outbound messages you connect to
Or at least that has been the system. All at once Thunderbird couldn’t connect. No immediate failure, no error message, just an endlessly pending connection.
What was going on?
I happened to be troubleshooting this during the recent polar vortex, of course, so while I was waiting in the enormously long virtual queue for the next available customer service representative, I captured some traffic with Wireshark. Ah, there’s the trouble.
It looks like if I delete the POP-based identity and create an identical one using IMAP, it will work. Just then the technician suddenly came on the line and immediately verified what I had concluded: they had suddenly disabled IMAP. Only partly disabled, though — imap.frontier.com would accept connections to TCP port 993 for IMAP over TLS, but you were then doomed to repeated authentication failures.
I had forgotten, but Frontier long ago turned over their e-mail operation to Yahoo. Yahoo made this change without warning Frontier. To Yahoo’s credit, they have recently made encryption the default.
One security angle here is that Thunderbird tries to automatically figure out how it can talk to a frontier.com address, and it concludes that both IMAP and POP are available. First, select POP instead of the default IMAP.
You immediately get a dire warning from Thunderbird that Frontier (or really Yahoo) runs POP with no cryptography. Dismiss that warning, saying that you understand the risk. Then go into Thunderbird’s account settings and enable TLS/SSL.
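The two behaviours described above, a server that completes the TLS connection on port 993 but rejects every login, and a client that just sits with a pending connection, are easier to tell apart with an explicit, timed probe than by watching a mail client wait. The following is an added example, not code from this post or from Frontier or Yahoo: a Python probe built on the standard library's imaplib that classifies what an IMAP endpoint does with a connection attempt, together with a constructed local mock server so it can be exercised offline. The mock server, the credentials "alice"/"secret" and the helper names (probe_imap, start_mock_imap, unused_port) are all constructed for this example; against a real mailbox you would point probe_imap at the real host on port 993 with use_tls=True and your own credentials.

```python
"""Constructed example: turn a 'pending forever' mail-client symptom into a concrete
diagnosis (timeout vs. refused vs. TLS failure vs. authentication rejected)."""
import imaplib
import socket
import ssl
import threading


def probe_imap(host, port, user, password, use_tls=True, timeout=5.0):
    """Return one of 'unreachable', 'timeout', 'tls_failed', 'protocol_error',
    'auth_rejected' or 'auth_ok' for the IMAP endpoint host:port.

    The explicit timeout is the point: a client with no effective timeout shows an
    endlessly pending connection, while this probe reports 'timeout'. A server that
    completes the TCP/TLS handshake but answers every LOGIN with NO shows up as
    'auth_rejected' instead of as a hang.
    """
    try:
        if use_tls:
            # Default context verifies the certificate against the system trust store.
            ctx = ssl.create_default_context()
            conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=timeout)
        else:
            conn = imaplib.IMAP4(host, port, timeout=timeout)
    except (ConnectionRefusedError, socket.gaierror):
        return "unreachable"      # nothing listening, or the name does not resolve
    except (socket.timeout, TimeoutError):
        return "timeout"          # TCP/TLS handshake or the greeting never completed
    except ssl.SSLError:
        return "tls_failed"       # handshake or certificate verification failed
    except (OSError, imaplib.IMAP4.error):
        return "protocol_error"   # connected, but the peer did not speak IMAP
    try:
        conn.login(user, password)
        result = "auth_ok"
    except imaplib.IMAP4.error:
        result = "auth_rejected"  # tagged NO/BAD to LOGIN, e.g. [AUTHENTICATIONFAILED]
    except (socket.timeout, TimeoutError):
        result = "timeout"
    finally:
        try:
            conn.logout()
        except Exception:
            pass
    return result


def start_mock_imap(reject_auth=True, silent=False):
    """Constructed test fixture: a minimal plaintext IMAP server on 127.0.0.1.
    reject_auth=True answers every LOGIN with NO; silent=True accepts the TCP
    connection but never sends a greeting (the 'pending forever' behaviour).
    Returns (host, port)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    port = listener.getsockname()[1]

    def handle(conn):
        with conn:
            if silent:
                conn.settimeout(10)
                try:
                    conn.recv(1)  # just wait for the client to give up and close
                except OSError:
                    pass
                return
            f = conn.makefile("rwb")
            f.write(b"* OK mock IMAP ready\r\n")
            f.flush()
            while True:
                raw = f.readline()
                if not raw:
                    return
                parts = raw.decode("ascii", "replace").split()
                if len(parts) < 2:
                    continue
                tag, cmd = parts[0], parts[1].upper()
                if cmd == "CAPABILITY":  # imaplib asks for this right after the greeting
                    f.write(b"* CAPABILITY IMAP4rev1\r\n" + f"{tag} OK done\r\n".encode())
                elif cmd == "LOGIN" and reject_auth:
                    f.write(f"{tag} NO [AUTHENTICATIONFAILED] Authentication failed\r\n".encode())
                elif cmd == "LOGIN":
                    f.write(f"{tag} OK LOGIN completed\r\n".encode())
                elif cmd == "LOGOUT":
                    f.write(b"* BYE\r\n" + f"{tag} OK LOGOUT completed\r\n".encode())
                    f.flush()
                    return
                else:
                    f.write(f"{tag} BAD unsupported in this mock\r\n".encode())
                f.flush()

    def serve():
        while True:
            conn, _ = listener.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return "127.0.0.1", port


def unused_port():
    """Constructed helper: a localhost port with nothing listening ('unreachable' case)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # The behaviours from the post, reproduced against local mocks (plaintext, so use_tls=False).
    scenarios = [("rejects LOGIN", {"reject_auth": True}),
                 ("accepts LOGIN", {"reject_auth": False}),
                 ("never answers", {"silent": True})]
    for label, kwargs in scenarios:
        host, port = start_mock_imap(**kwargs)
        print(f"{label:14s} -> {probe_imap(host, port, 'alice', 'secret', use_tls=False, timeout=1.0)}")
    print(f"{'closed port':14s} -> {probe_imap('127.0.0.1', unused_port(), 'alice', 'secret', use_tls=False)}")
```

The classification is deliberately coarse: the useful distinction for a support call is whether the problem is reachability, TLS, or credentials, and a probe that always terminates gives you that answer where a client spinner does not.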
Problem solved! But there’s a potential bigger security problem here.
Frontier is in business to make money, which means doing what the market wants, not necessarily what is safest. Most people’s eyes would glaze over at all these details of POP and IMAP protocols and enabling TLS/SSL.
They want it easy! And that means web mail, just use your browser and click.
A big risk with web mail is that your identity is based “out in the cloud”. You use a malware-infected system one time — maybe in the hotel lobby, maybe your own Windows machine — and the criminals have your credentials. With web mail, now they also have your address book and your recently sent and received messages. Now they’re ready to send those reasonably convincing scams, “Help! I’m traveling and my wallet was stolen! Please wire money to …”
As we discuss in Learning Tree’s Cloud Security Essentials course, security and convenience have an inverse relationship. For one to go up, very often the other must go down.