Email access in clear text, least effort by a Swedish ISP
Introduction
Yesterday I got a call from a friend living near Södertälje, in the south of Stockholm. He got a new internet modem from his local ISP which he needed help with installing. So I went over to his place for being the helping hand.
About the local ISP
The internet service provider he is using is called C-SAM AB, which is a local company mainly delivering internet, telephony and TV to customers in and around Södertälje area.
According to their homepage the company has been delivering broadband internet since 1999 and has now about 11.000 customers.
Finishing the installation
Once we finished connecting everything as it should be, we needed to activate his internet connection.
The web browser was sending us directly to the ISP’s activation page. But something felt a bit strange here.
Yes, the site did not have any encryption! HTTP in clear text with the request to enter his user credentials, HTTPS is not available!
Ok, since we had no other choice and thought this site is anyway only accessible for him as a customer, we activated his internet connection by entering his credentials.
The ISP with missing HTTPS
Back home again I was checking more on the ISP’s homepage. First I saw that the site used for activating the internet connection, was actually accessible even for non-customers.
Going further and checking the ISP’s links for customers web mail service, I saw that HTTP(S) was missing even there. Basically all customer login page for webmail, mail account administration to set up additional e-mail addresses for your family members. Actually the whole ISP’s internet page does not offer any encrypted communication.
I talked more with my friend and we cerated an additions e-mail addess so I could test C-SAM’s email service myself. The setup was done while connected to their admin portal in clear text of course.
The e-mail setup instructions is saying ”Don’t use SSL”.
While creating the e-mail adress, I was reading the few existing instruction’s on their homepage about how to configure your e-mail client. There I was reading some shocking instructions:
Server requests authentication WITHOUT SSL (secure transfer)
Once the e-mail address was created, I was starting configuring the e-mail account in Thunderbird. With manuell settings and test-configuration Thunderbird suggested to use ”STARTSSL” as a connection.
Using this configuration on finishing the setup I got the message that the certificate on the e-mail server is invalid because it’s stolen or to old.
Checking the certificate more in detail i see it’s a couple of year since this certificate end date has passed. The cert is just over five (5) years old!
Not trusting this certificate, and following the stupid instruction on the ISP’s homepage to not use SSL, i change the configuration in Thunderbird to not use any encryption.
My hope was that this information provided on the ISP’s homepage was outdated, and that the connection would have been refused by the e-mail server. Unfortunately, this was not the case!
While connecting I got a BIG red warning from Thunderbird because I’m using a non encrypted connection. I accepted this risk and continued.
This following was a successful connecting to the e-mail server, using my account information and sending it in clear text over the internet!
After a while I saw this e-mail in my the inbox of this ISP’s e-mail account.
Welcome!
If you can read this e-mail, then you have configured your e-mail correctly!
Best regards Administrator C-sam
Conclusion
- This local ISP is ignoring security standards used today to connect to your e-mail account by instructing the his customers to not use SSL. Those customers who choose an encrypted alternative need to accept the usage of an over 5 years outdated certificate.
- All customers of C-SAM reading their e-mails on an open Wifi networks while travelling are risking to get their account credentials stolen and their account compromised.
- That the C-SAM’s homepage has information about GDPR on it’s homepage feels somehow ironic.
- The ISP has been informed by e-mail today, awaiting a reply from them.