Popular free mail services still use vulnerable versions of SSL
New research from information security company High-Tech Bridge reveals that the security of some of the most popular mail services, including Gmail, Outlook and Yahoo, is lacking.
The company used its SSL checker service to test the popular email services against 31 different criteria, including the most recent SSL/TLS vulnerabilities and weaknesses, compliance with PCI DSS requirements, and compliance with NIST guidelines.
Almost all the tested email providers still support the old SSLv3 standard. Earlier this year, the Internet Engineering Task Force declared that SSLv3 shouldn't be used, as it is insecure and threatens the confidentiality of encrypted communication. The Task Force recommended moving to the more secure TLS 1.2 instead.
Fastmail gained the highest score of A+ in the tests and is the only email service provider that meets PCI DSS compliance requirements for SSL/TLS. Hushmail, which describes itself as 'a privacy-oriented email service' with 'built-in encryption', has the weakest configuration of SSL/TLS, and scored an F in the SSL test.
Despite gaining a B+ grade, Gmail has one of the most flexible SSL/TLS configurations to ensure its compatibility with old and outdated email clients. Based on results from High-Tech Bridge's test, Outlook.com -- which gained a B- score -- does not visibly have a centralized SSL/TLS configuration of its email servers, potentially delaying and over-complicating update processes, and slowing down patch management.
"With the new functionality of our SSL testing service we aim to enable anyone to verify how well his or her data is being encrypted in transit," says Ilia Kolochenko, High-Tech Bridge's CEO. "With the increasing growth of wireless networks, strong encryption becomes very important. However, many people tend to think that SSL can be applicable to HTTPS only, as they use HTTPS websites every day. Now they can test their SSL connection to their email and any other SSL-services as well."
You can read more about the test results for each of the services on the High-Tech Bridge blog.