In his Fast Forward Help File earlier this week in the Washington Post, Rob Pegoraro is asked about the security implications of ISPs not using encryption on their Webmail logins.
Rob reports that Cox is planning to offer SSL webmail the first quarter of this year.
Rob comments that “The biggest reason to look for the visual cues of a secure login is to help spot phishing scams — phony pages that, unlike the sites they impersonate, almost never use encryption.” I think it’s a dangerous oversimplification to trust every site protected by SSL without verifying the certificate: who signed it and, preferably, whether it has been revoked. In my experience most users don’t know to be worried about SSL errors. To be fair, the newer browsers do a better job of giving a dire warning.
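The checks just listed (a trusted signer, a matching name, revocation) are things a client has to opt into, and browsers are not the only SSL clients. As an added example that is not from the Post column, Cox or any product mentioned here, the following Python shows a TLS client context configured to require all three, next to the lax configuration that accepts any certificate at all; the `crl_path` argument is assumed to point at a PEM-encoded CRL.

```python
import ssl
from typing import List, Optional


def make_verifying_context(crl_path: Optional[str] = None) -> ssl.SSLContext:
    """Client context that refuses a server unless its certificate chains to a
    trusted CA, matches the requested hostname and (if a CRL is supplied) has
    not been revoked."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True            # name in the cert must match the host we dialled
    ctx.verify_mode = ssl.CERT_REQUIRED  # missing or untrusted cert aborts the handshake
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if crl_path:
        # Revocation is NOT checked by default. The CRL is loaded through
        # load_verify_locations (assumed PEM file) and the leaf is then
        # rejected if it appears on it.
        ctx.load_verify_locations(cafile=crl_path)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def make_weak_context() -> ssl.SSLContext:
    """The 'just encrypt it' configuration: traffic is encrypted, but any
    certificate is accepted, so a phishing or man-in-the-middle host with a
    self-signed cert passes unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the reasons a context would accept a certificate a careful user
    would not; an empty list means it verifies signer, name and revocation."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate not required")
    if not ctx.check_hostname:
        problems.append("hostname not checked")
    if not (ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF):
        problems.append("revocation (CRL) not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("obsolete protocol versions allowed")
    return problems
```

Without a CRL the verifying context still reports one gap, which is the point: encryption alone says nothing about whether the certificate is still trustworthy.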
People don’t understand SSL and what it offers. Over at Broadband Reports, a user commenting on the need for Cox to provide SSL login says,
“It is my perception that security vulnerabilities in Windows are being exploited at an even higher relentless, frenetic pace right now. Cox needs to be part of the solution and not contributing to the problem.”
Unfortunately SSL does nothing to keep you from being exploited if you haven’t patched. It does nothing to detect a keystroke logger on your computer that collects your passwords to financial websites.
SSL is designed to preserve message confidentiality. Without client-side certificates it only provides authentication of the server’s identity claim. The main risk this addresses is a rogue LAN administrator sniffing passwords. This is an important consideration if you use webmail anywhere outside of the Cox network, and also if you use an unencrypted wireless connection at home.
I wonder if Cox is going to offer POP3 over SSL. Webmail isn’t the only way passwords are passed in cleartext.