New JQM Smartphone & Tablet Portal - Available Now

Information and support for EnvisaLink modules.

Moderators: EyezOnRich, GrandWizard

smyers119
Posts: 135
Joined: Fri Mar 08, 2013 10:36 am

Re: New JQM Smartphone & Tablet Portal - Available Now

Post by smyers119 »

TLS is an end-to-end solution; what are you not understanding about that? There is no "ROUTE" when it comes to TLS, hence the term ->transport<- layer security.

As far as not that many servers using it, maybe that would be true if it was 1999....

Theoretical person A sends their secure message to email server with TLS going to theoretical person B, email server hunts down recipient and asks to send it via TLS, if TLS is not supported on your email server then TLS is not used from the secure email server to you, hence it would be your fault it did not stay encrypted, no one else's.

There is still the valid question though of, does eyez-on use TLS?

http://www.checktls.com/ you can use this to see if your email server uses TLS.
-Steve
MyersIT
bwalter
Posts: 10
Joined: Wed Mar 20, 2013 3:26 pm

Re: New JQM Smartphone & Tablet Portal - Available Now

Post by bwalter »

TLS is not end-to-end, it's mail server to mail server.

http://en.wikipedia.org/wiki/Email_encryption
The STARTTLS SMTP extension is a TLS (SSL) layer on top of the SMTP connection. While it protects traffic from being sniffed during transmission, it is technically not encryption of emails because the content of messages is revealed to, and can be tampered with, by involved email relays. In other words, the encryption takes place between individual SMTP relays, not between the sender and the recipient. When both relays support STARTTLS, it may be used regardless of whether the email's contents are encrypted using another protocol.
When it comes to security, even though I know my provider uses TLS, I'd rather not simply assume that eyez on is using TLS and that there either are no additional relays involved, or all additional relays are also using TLS. I'd also rather not need to trust the people that have legitimate access to the mail on the servers.

In any case, my main point is that email should not be considered secure and as a result I don't believe emailing the mobile link which does not require authentication is a good idea.
smyers119
Posts: 135
Joined: Fri Mar 08, 2013 10:36 am

Re: New JQM Smartphone & Tablet Portal - Available Now

Post by smyers119 »

Though I find Wikipedia to be nothing but reliable....*sarcasm*

Maybe this FAQ about TLS put out by a bank that utilizes it will help you understand.

http://www.bnymellon.com/security/tlsencryption.pdf
-Steve
MyersIT
smyers119
Posts: 135
Joined: Fri Mar 08, 2013 10:36 am

Re: New JQM Smartphone & Tablet Portal - Available Now

Post by smyers119 »

In case anyone is interested, I just ran a test and eyez-on does not receive email using TLS, so the probability it sends it via TLS is a little lower than what I originally thought.
-Steve
MyersIT
bwalter
Posts: 10
Joined: Wed Mar 20, 2013 3:26 pm

Re: New JQM Smartphone & Tablet Portal - Available Now

Post by bwalter »

I also did some testing as well.

I used the TLS check site, and Gmail uses TLS, as expected, but has certificate issues (host name doesn't match). Eyez On doesn't seem to support TLS.

This is the email header from a message sending me the mobile URL
Received: by 10.58.90.39 with SMTP id bt7csp27852veb;
Wed, 20 Mar 2013 12:32:28 -0700 (PDT)
X-Received: by 10.50.36.169 with SMTP id r9mr111122igj.96.1363807947689;
Wed, 20 Mar 2013 12:32:27 -0700 (PDT)
Return-Path: <noreply@eyez-on.com>
Received: from alerts.eyez-on.com (alerts.eyez-on.com. [184.106.215.218])
by mx.google.com with SMTP id k4si473909iga.64.2013.03.20.12.32.27;
Wed, 20 Mar 2013 12:32:27 -0700 (PDT)
Received-SPF: pass (google.com: domain of noreply@eyez-on.com designates 184.106.215.218 as permitted sender) client-ip=184.106.215.218;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of noreply@eyez-on.com designates 184.106.215.218 as permitted sender) smtp.mail=noreply@eyez-on.com
The mail relays prior to alerts.eyez-on.com are internal since they are part of the 10. private address block, so I ran the test against a bogus address for alerts.eyez-on.com and it came back saying it did not support TLS. Even if it did support it, we still wouldn't know for sure if it was used, though one would hope if both relays involved supported it, they'd .

I then used telnet to connect to the alerts.eyez-on.com mail server
220 alerts.eyez-on.com ESMTP
ehlo
250-alerts.eyez-on.com
250-PIPELINING
250 8BITMIME
starttls
502 unimplemented (#5.5.1)
From the ehlo command, we can see it doesn't seem to support TLS, and by issuing the starttls command we confirm it's not implemented.

If they had used TLS, the email would be protected from being sniffed from the wire and intercepted. Basically, you'd only need to worry about any of the mail relays being compromised. Without TLS, the email can be sniffed at any point between the time it leaves the eyez-on mail server and reaches Google's mail servers.
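The two checks described in the post above (reading the EHLO reply for STARTTLS, and reading Received headers to see how a hop was carried), as an added example that is not part of the original post. The function names are hypothetical, the last Received header and the second EHLO reply are constructed for contrast, and the TLS markers are the "with" protocol values registered in RFC 3848.

```python
import re

# EHLO reply as shown in the telnet session in the post above.
EHLO_POSTED = "250-alerts.eyez-on.com\r\n250-PIPELINING\r\n250 8BITMIME\r\n"
# Constructed reply from a hypothetical server that does advertise STARTTLS.
EHLO_CONSTRUCTED = "250-mx.example.test\r\n250-STARTTLS\r\n250 8BITMIME\r\n"

# First two Received headers are from the post (continuation lines re-indented,
# Received-SPF shortened); the last one is a constructed TLS hop for contrast.
HEADERS = (
    "Received: by 10.58.90.39 with SMTP id bt7csp27852veb;\r\n"
    "        Wed, 20 Mar 2013 12:32:28 -0700 (PDT)\r\n"
    "Received: from alerts.eyez-on.com (alerts.eyez-on.com. [184.106.215.218])\r\n"
    "        by mx.google.com with SMTP id k4si473909iga.64.2013.03.20.12.32.27;\r\n"
    "        Wed, 20 Mar 2013 12:32:27 -0700 (PDT)\r\n"
    "Received-SPF: pass client-ip=184.106.215.218;\r\n"
    "Received: from mail.example.test (mail.example.test. [192.0.2.10])\r\n"
    "        by mx.example.net with ESMTPS id abc123;\r\n"
    "        Wed, 20 Mar 2013 12:30:00 -0700 (PDT)\r\n"
)

TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}  # RFC 3848 "with" values

def ehlo_extensions(reply):
    """Extension keywords from a multi-line 250 reply (first line is the greeting)."""
    lines = [l for l in reply.splitlines() if l.strip()]
    return {m.group(1).upper() for l in lines[1:]
            if (m := re.match(r"250[- ](\S+)", l))}

def offers_starttls(reply):
    """True only if the server lists STARTTLS among its EHLO extensions."""
    return "STARTTLS" in ehlo_extensions(reply)

def received_hops(headers):
    """Return (from_host, by_host, protocol, used_tls) for each Received header."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)  # join folded header lines
    hops = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue  # skips X-Received and Received-SPF
        body = line.split(":", 1)[1]
        def clause(word):
            m = re.search(rf"\b{word}\s+(\S+)", body)
            return m.group(1) if m else None
        proto = (clause("with") or "").upper()
        hops.append((clause("from"), clause("by"), proto, proto in TLS_PROTOCOLS))
    return hops

if __name__ == "__main__":
    print(offers_starttls(EHLO_POSTED), received_hops(HEADERS))
```

Received headers are written by each receiving server, so only the ones added by your own provider can be trusted; earlier ones can be forged by the sender.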
smyers119
Posts: 135
Joined: Fri Mar 08, 2013 10:36 am

Re: New JQM Smartphone & Tablet Portal - Available Now

Post by smyers119 »

Appears you just found quite a security hole...now the question is will they fix it?
-Steve
MyersIT
smyers119
Posts: 135
Joined: Fri Mar 08, 2013 10:36 am

Re: New JQM Smartphone & Tablet Portal - Available Now

Post by smyers119 »

You should start a new topic, the moderators usually ignore the older ones...new ones also....but they ignore the new ones less
-Steve
MyersIT
bwalter
Posts: 10
Joined: Wed Mar 20, 2013 3:26 pm

Re: New JQM Smartphone & Tablet Portal - Available Now

Post by bwalter »

Done
telecomgeek
Posts: 5
Joined: Tue Mar 19, 2013 11:17 am

Re: New JQM Smartphone & Tablet Portal - Available Now

Post by telecomgeek »

It seems several "industry best practices" are not being followed. Even if they sent my mobile URL in an encrypted e-mail, that is just "security through obscurity" which is NOT security. I can probably write a Perl script in the next ten minutes to randomly guess at the mobile URL "hash" number called "mid" in the URL.

https://www.eyez-on.com/EZMOBILE/index. ... y&action=s

If I left the script running long enough I'm sure I would find a valid URL, and the owner of that mobile link would be none the wiser. That is why security through obscurity is not security at all. :(
smyers119
Posts: 135
Joined: Fri Mar 08, 2013 10:36 am

Re: New JQM Smartphone & Tablet Portal - Available Now

Post by smyers119 »

I do agree with you telecomgeek....but at the same time their service is free, there are other options / routes that the more advanced user can use such as the TPI...(I wish they would do one that includes Honeywell systems as I would like to go that route).
-Steve
MyersIT