
Can you trust SSL encryption of your email provider?

Tuesday, December 1, 2015 By Read Time: 4 min.

Have you ever thought about how secure and reliable your SSL/TLS connection to your email servers is? A brief study of the encryption implementations of the most popular free email providers.


One month ago, High-Tech Bridge launched a free online PCI DSS and NIST compliant SSL test. Two weeks ago we updated the service and added support for non-HTTP protocols, so that the SSL/TLS security and reliability of any service, such as email, can be tested.


Free SSL/TLS security test of non-HTTP services by High-Tech Bridge

Previously, there were no similar free services to test SSL on protocols other than HTTP, and many companies have very insecure SSL configurations on their corporate email servers, putting their users' privacy at risk.

We decided to conduct a brief assessment of the most popular free email services to verify how good their SSL encryption is. During the assessment we tested the SSL/TLS implementation of services such as SMTP, SMTPS, POP3S and IMAPS, which mail clients (Microsoft Outlook, Mozilla Thunderbird, etc.) use to send and receive email. The main goal of the assessment was to test the security of the communication channel between the mail server and the client's mobile device or computer.


Brief Facts and Findings

Here are the most interesting facts the research brought to our attention:

  • Almost all email providers still support the deprecated SSLv3
  • Hushmail, previously considered one of the most secure email providers, has the weakest SSL/TLS encryption configuration
  • Fastmail has the highest score and is the only email service provider that meets the PCI DSS compliance requirements for SSL/TLS
  • Despite a B+ grade, Gmail has one of the most flexible SSL/TLS configurations, compatible with old and outdated email clients
  • Outlook.com apparently does not have a centralized SSL/TLS configuration for its email servers, which potentially delays and over-complicates the update process

One can easily reproduce the tests, or test his or her own email server, using the free SSL/TLS service by providing the hostname and the port on which the email service is running.
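The check the article describes (connect to a mail port, reach TLS either directly or through STARTTLS, and see which protocol versions the server still accepts) can be reproduced in a few dozen lines. The script below is an added example written for this page; it is not code from High-Tech Bridge or from its SSL test service. It assumes the standard IANA port assignments (465/993/995 implicit TLS; 25/587/143/110 upgraded via STARTTLS or STLS), uses the constructed client name tls-probe.invalid in the EHLO, and grades results on the same lines the article uses: SSLv3 is deprecated (RFC 7568) and PCI DSS 3.1 (2015) no longer counts SSL or "early TLS" as strong cryptography. One caveat a practitioner should know: current OpenSSL builds no longer speak SSLv3 at all, so that particular probe reports "refused" whatever the server does, and a dedicated scanner is needed to confirm the article's SSLv3 finding.

```python
import socket
import ssl

# Standard mail ports (IANA) and how TLS starts on each: the implicit-TLS ports wrap
# the socket at once; the others upgrade a plaintext session via STARTTLS / STLS.
IMPLICIT_TLS = {465: "smtps", 993: "imaps", 995: "pop3s"}
STARTTLS = {25: "smtp", 587: "smtp", 143: "imap", 110: "pop3"}

# Versions probed, oldest first. SSLv3 is deprecated by RFC 7568; PCI DSS 3.1 treats
# SSL and "early TLS" (1.0) as not strong cryptography; TLS 1.1 is likewise obsolete.
VERSIONS = ["SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1_1"}


class StartTlsUnavailable(Exception):
    """Raised when a STARTTLS port does not offer the upgrade at all."""


def parse_ehlo(reply):
    """Split an SMTP EHLO reply into (code, set of advertised extension keywords)."""
    lines = [ln for ln in reply.replace("\r", "").split("\n") if ln.strip()]
    if not lines:
        return "", set()
    caps = set()
    for ln in lines[1:]:            # line 0 carries the server name, not a keyword
        body = ln[4:].strip()       # drop the "250-" / "250 " prefix
        if body:
            caps.add(body.split()[0].upper())
    return lines[0][:3], caps


def assess(accepted, starttls_offered=True):
    """Turn a {version: accepted?} map into findings in the spirit of the article."""
    findings = []
    if not starttls_offered:
        findings.append("STARTTLS not offered: mail would travel in cleartext")
    for ver in VERSIONS:
        if accepted.get(ver) and ver in DEPRECATED:
            findings.append(f"{ver} accepted (deprecated; not PCI DSS strong cryptography)")
    if not any(accepted.get(v) for v in ("TLSv1_2", "TLSv1_3")):
        findings.append("no TLS 1.2 or newer: modern clients cannot connect securely")
    return findings


def _read_reply(sock, done):
    """Read until done(bytes) is true or the peer closes; return decoded text."""
    buf = b""
    while not done(buf):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode("latin-1")


def _smtp_done(buf):
    # An SMTP reply ends with a line whose 4th character is a space ("250 ...").
    lines = buf.split(b"\r\n")
    return len(lines) >= 2 and lines[-2][3:4] == b" "


def negotiate_starttls(sock, service):
    """Speak just enough plaintext protocol to reach the TLS upgrade."""
    one_line = lambda b: b.endswith(b"\r\n")
    if service == "smtp":
        _read_reply(sock, _smtp_done)                         # 220 greeting
        sock.sendall(b"EHLO tls-probe.invalid\r\n")           # constructed client name
        code, caps = parse_ehlo(_read_reply(sock, _smtp_done))
        if code != "250" or "STARTTLS" not in caps:
            return False
        sock.sendall(b"STARTTLS\r\n")
        return _read_reply(sock, _smtp_done).startswith("220")
    if service == "imap":
        _read_reply(sock, one_line)                           # "* OK" greeting
        sock.sendall(b"a1 STARTTLS\r\n")
        return _read_reply(sock, one_line).startswith("a1 OK")
    _read_reply(sock, one_line)                               # POP3 "+OK" greeting
    sock.sendall(b"STLS\r\n")
    return _read_reply(sock, one_line).startswith("+OK")


def try_version(host, port, version):
    """One handshake pinned to a single version; returns the negotiated cipher
    name, or None if the server (or the local OpenSSL) refused that version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE     # probing version support, not the certificate chain
    try:
        ctx.minimum_version = getattr(ssl.TLSVersion, version)   # minimum first, so
        ctx.maximum_version = getattr(ssl.TLSVersion, version)   # min never exceeds max
    except (ValueError, ssl.SSLError):
        return None                     # local library cannot even offer this version
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")   # let OpenSSL 3 offer legacy suites
    except ssl.SSLError:
        pass
    with socket.create_connection((host, port), timeout=10) as sock:
        if port in STARTTLS and not negotiate_starttls(sock, STARTTLS[port]):
            raise StartTlsUnavailable(f"{host}:{port}")
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
        except (ssl.SSLError, OSError):
            return None


def probe_mail_tls(host, port):
    """Probe one mail endpoint; returns ({version: cipher or None}, findings)."""
    accepted = {}
    try:
        for ver in VERSIONS:
            accepted[ver] = try_version(host, port, ver)
    except StartTlsUnavailable:
        return accepted, assess({}, starttls_offered=False)
    return accepted, assess({v: c is not None for v, c in accepted.items()})


if __name__ == "__main__":
    import sys
    versions, findings = probe_mail_tls(sys.argv[1], int(sys.argv[2]))
    for v, cipher in versions.items():
        print(f"{v:8} {'accepted with ' + cipher if cipher else 'refused'}")
    for f in findings or ["no issues found by this probe"]:
        print("-", f)
```

Run it as `python3 probe.py imap.example.test 993` against a server you operate; for a submission port (`587`) the script performs the EHLO/STARTTLS exchange before the handshake, which is where the article's "no centralized configuration" finding would show up as different results for different hosts behind one provider name.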

Below are the detailed results of our test and assessment of each email service (ordered by grade):


Fastmail
Overall Grade: A+

Gmail.com
Overall Grade: B+

Outlook.com (hotmail.com)
Overall Grade: B-

Mail.com
Overall Grade: B-

Yahoo!
Overall Grade: B-

Inbox.com
Overall Grade: B-

Hushmail
UPDATE: On the 1st of December, Hushmail contacted us to confirm that they had quickly updated the SSL configuration of all their servers and that their grade is now B+.
Overall Grade (01/12/2015): F
Overall Grade (02/12/2015): B-

Ilia Kolochenko, High-Tech Bridge's CEO, comments:

"With the new functionality of our SSL testing service we aim to enable anyone to verify how well his or her data is being encrypted in transit.

With the increasing growth of wireless networks, strong encryption becomes very important. However, many people tend to think that SSL is applicable to HTTPS only, as they use HTTPS websites every day. Now they can test their SSL connection to their email and any other SSL services as well."

Craig Spiezle, Executive Director & President, Online Trust Alliance says:

"With the onslaught of cybercrime and third party surveillance, encryption has become critical to consumers and business users. Not unlike the need to encrypt web sessions, TLS for email is essential to the security, integrity and privacy of email messages. OTA encourages all users to support these best practices which are core to protecting and enhancing online trust."


High-Tech Bridge Security Research Team regularly writes about web and mobile application security, privacy, Machine Learning and AI.

User Comments
1 response to "Can you trust SSL encryption of your email provider?"
Anonymous 2015-12-04 18:30:25 UTC
A small complement to this very interesting overview:
The secure and private email service www.mailfence.com also gained the highest score of A+ in the tests and meets the PCI DSS compliance requirements for SSL/TLS. In addition, the servers are located in Europe and comply with very tough privacy legislation.