Experts warn that millions of email servers could be vulnerable to attacks
- New research shows that millions of host sites lack TLS encryption
- TLS encryption enables end-to-end encryption for more secure communications and browsing
- ShadowServer has recommended decommissioning these hosts
New research from ShadowServer has found that 3.3 million POP3 (Post Office Protocol) and IMAP (Internet Message Access Protocol) mail servers are currently exposed to network sniffing attacks because they lack TLS encryption.
TLS, or Transport Layer Security, is a security protocol that provides end-to-end security between applications over the Internet. It is used for secure Internet browsing and encrypts email communications, file transfers, and messaging.
ShadowServer scanned the Internet for hosts running a POP3 service on port 110/TCP or 995/TCP without TLS support. 3.3 million hosts were found without the security layer.
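The check behind this kind of finding can be reproduced by an administrator against their own server's capability replies. The following is an added example, not ShadowServer's scanner code: it parses a POP3 CAPA reply or an IMAP capability list and reports whether a TLS upgrade is advertised and whether cleartext logins are still offered before it. The labels "no-tls", "tls-optional" and "tls-required" and the sample replies are constructed for illustration, and the TLS-optional case goes one step beyond what the article describes.

```python
import re

# SASL mechanisms that transmit the password itself (base64 is not encryption).
CLEARTEXT_SASL = {"PLAIN", "LOGIN"}

def pop3_caps(reply: str) -> dict:
    """Parse a POP3 CAPA reply (RFC 2449) into {capability: [arguments]}."""
    lines = reply.replace("\r\n", "\n").split("\n")
    if not lines[0].startswith("+OK"):
        return {}  # -ERR: CAPA unsupported, so STLS is not advertised
    caps = {}
    for line in lines[1:]:
        if line == ".":  # terminator of the multi-line response
            break
        if line.strip():
            name, *args = line.upper().split()
            caps[name] = args
    return caps

def imap_caps(reply: str) -> set:
    """Collect capability atoms from an IMAP greeting or CAPABILITY reply."""
    caps = set()
    for match in re.finditer(r"CAPABILITY ([^\]\r\n]*)", reply, re.IGNORECASE):
        caps.update(match.group(1).upper().split())
    return caps

def classify_pop3(reply: str) -> str:
    caps = pop3_caps(reply)
    if "STLS" not in caps:
        return "no-tls"
    cleartext = "USER" in caps or bool(CLEARTEXT_SASL & set(caps.get("SASL", [])))
    return "tls-optional" if cleartext else "tls-required"

def classify_imap(reply: str) -> str:
    caps = imap_caps(reply)
    if "STARTTLS" not in caps:
        return "no-tls"
    cleartext = "LOGINDISABLED" not in caps or bool(caps & {"AUTH=PLAIN", "AUTH=LOGIN"})
    return "tls-optional" if cleartext else "tls-required"

# Constructed replies, as a client would see them on the cleartext ports.
SAMPLES = [
    ("pop3", "+OK\r\nUSER\r\nTOP\r\nUIDL\r\n.\r\n"),
    ("pop3", "+OK\r\nTOP\r\nSTLS\r\nSASL\r\n.\r\n"),
    ("imap", "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] ready\r\n"),
]

if __name__ == "__main__":
    for proto, reply in SAMPLES:
        print(proto, (classify_pop3 if proto == "pop3" else classify_imap)(reply))
```

The result reflects only what the server advertises on the cleartext port; it does not test an implicit-TLS listener such as 995/TCP.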
Time to retire
Without TLS, email access passwords could be intercepted, and exposed services could allow server-side password guessing attacks. Without the encryption, the credentials and message contents are sent in plain text, leaving hosts exposed to network eavesdropping attacks.
Nearly 900,000 of these sites were in the US, with more than 500,000 and 380,000 in Germany and Poland respectively, but the researchers note that “regardless of whether or not TLS is enabled, exposure of services may allow password guessing on the server.”
“We have started reporting hosts running POP3/IMAP services without TLS enabled, meaning usernames/passwords are not encrypted when sent,” the ShadowServer Foundation said in a tweet.
“We see about 3.3 million such cases with POP3 and a similar number with IMAP (most overlap). It’s time to retire it!”
In August 2018, TLS 1.2 was succeeded by TLS 1.3, which offers significant improvements in both performance and security. While TLS is very common, ImmuniWeb reports that from the first quarter of 2024 to date, 1,421,781 SSL/TLS events have occurred, so even with the encryption there are dangers for users.
Via Safety matters