Analysis Summary

There are already more than three million POP3 and IMAP mail servers on the Internet that are not protected by TLS encryption, making them susceptible to network sniffing attacks.

There are two ways to access email on mail servers: IMAP and POP3. IMAP saves your messages on the server and synchronizes them across devices, which is why it's advised for checking emails from different devices, including laptops and phones. In contrast, POP3 gets emails from the server and only allows access from the device that downloaded them.

When using client/server applications to exchange and access emails over the Internet, the TLS secure communication protocol helps protect user data. However, their credentials and message contents are transmitted in clear text when TLS encryption is not enabled, leaving them vulnerable to network sniffing and eavesdropping attacks.

Approximately 3.3 million servers are using POP3/IMAP services without TLS encryption enabled, exposing usernames and passwords in plain text when sent over the Internet, according to scans from a security threat monitoring platform. Mail server administrators are now receiving notifications that their POP3/IMAP servers lack TLS enabled, leaving users' unencrypted usernames and passwords vulnerable to sniffer attacks.

This implies that a network sniffer may intercept passwords used to access mail. Furthermore, service exposure could make it possible for the server to be the target of password-guessing attacks. Users are advised to enable TLS support for IMAP if they receive this notification. They should also think about whether the service should be enabled at all or whether it should be moved behind a VPN. Introduced in 1999 and 2006, respectively, the original TLS 1.0 specification and its successor, TLS 1.1, have been in use for almost 20 years. The next major version of the TLS protocol, TLS 1.3, was accepted by the Internet Engineering Task Force (IETF) in March 2018 following lengthy deliberations and the creation of 28 protocol drafts.

Microsoft, Google, Apple, and Mozilla said in a joint statement in October 2018 that they would phase out the unsecure TLS 1.0 and TLS 1.1 protocols within the first half of 2020. Beginning in August 2020, Microsoft started making TLS 1.3 enabled by default in the most recent Insider editions of Windows 10. Additionally, the NSA issued recommendations in January 2021 on how to identify and swap out antiquated TLS protocol versions and setups with more secure, contemporary options.

Through a number of methods, including passive decryption and traffic manipulation via man-in-the-middle attacks, adversaries can gain access to sensitive operational traffic through obsolete setups. With very little expertise, attackers can obtain sensitive data by taking advantage of out-of-date transport layer security (TLS) protocol setups.

Impact

• Information Exposure
• Credential Theft
• Unauthorized Access

Remediation

• Regularly change passwords for all accounts and use strong, unique passwords for sensitive accounts.
• Carefully check the URLs before entering credentials or downloading software.
• Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login processes.
• Consider the use of phishing-resistant authenticators to further enhance security. These types of authenticators are designed to resist phishing attempts and provide additional protection against social engineering attacks.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
• Never trust or open links and attachments received from unknown sources/senders.