Email client SSL/TLS issues


Tuesday, June 12th, 2018 - General

Update – June 21, 2018

We have decided to revert these changes back to their original setting for the time being. We still believe that disabling TLSv1 and TLSv1.1 on the servers was the right move, but it has become obvious to us that there are still quite a few users still using very old and incompatible software. And there are major players on the Internet that still haven’t moved on to TLSv1.2.

It’s worth pointing out that the PCI security council recommended that everyone move to TLSv1.2 by June 30th, 2018:

https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls

But sadly, because the rest of the Internet is not ready to move forward on this, we will not meet this June 30th deadline. From a security standpoint, this is very unfortunate. We believe the move to TLSv1.2 needs to happen as soon as possible, and we actually agree with the PCI security council on this. But we are seeing no movement from major Internet companies, and no adoption of newer and more secure email clients, that would warrant such a change at this time. This means that after June 30th, our servers will no longer be PCI compliant.

The disconcerting part about all of this is that there are some major players – including Facebook, AOL, and even PayPal – that have not yet moved their mail servers over to TLSv1.2. This is shocking to us. These are companies that we – and every other Internet user – trust with our information and they seem to either be unaware or unconcerned about the security of their servers.

What now?
We are trying to come up with a plan now, where we will notify you if your account is found to be using a non-TLSv1.2 email client. If you get one of these messages, then that means you need to update your email client. Look for these messages to be sent out some time next week. We then plan to schedule the removal of early and insecure TLS versions late next month or sometime after that.
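The notification plan above amounts to a log review: find every account whose client negotiated something older than TLSv1.2. The following is an added example, not the hosting provider's own tooling. It assumes a simplified, constructed login log format (one line per login carrying the account and the negotiated protocol; this is not the native format of any particular mail server, so adjust the regular expression to your server's actual log lines). Plaintext logins are left alone, since the TLS change does not affect them, and an account is flagged if even one of its clients still uses an early TLS version.

```python
import re
from collections import defaultdict

# Versions the servers will keep accepting; anything else that is SSL/TLS is "early TLS".
MODERN_TLS = {"TLSv1.2", "TLSv1.3"}

# Constructed log format (assumption, not a specific mail server's native format):
# "<timestamp> <host> <service>-login: user=<account> rip=<ip> proto=<version> cipher=<name>"
LOG_RE = re.compile(
    r"(?P<service>imap|pop3|smtp)-login: user=<(?P<user>[^>]+)> .*?proto=(?P<proto>\S+)"
)

# Constructed sample log lines; addresses are documentation ranges only.
SAMPLE_LOG = """\
Jun 12 08:01:13 mail imap-login: user=<alice@example.com> rip=203.0.113.5 proto=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256
Jun 12 08:02:40 mail imap-login: user=<bob@example.com> rip=198.51.100.7 proto=TLSv1 cipher=AES128-SHA
Jun 12 08:03:02 mail smtp-login: user=<bob@example.com> rip=198.51.100.7 proto=TLSv1 cipher=AES128-SHA
Jun 12 08:05:55 mail pop3-login: user=<carol@example.com> rip=192.0.2.9 proto=TLSv1.1 cipher=AES256-SHA
Jun 12 08:06:10 mail imap-login: user=<carol@example.com> rip=192.0.2.9 proto=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384
Jun 12 08:07:31 mail imap-login: user=<dave@example.com> rip=203.0.113.77 proto=none
"""


def is_early_tls(proto):
    """True for any negotiated SSL/TLS version the servers are going to stop accepting.

    A plaintext login (proto=none) is not an early-TLS login: it is not affected by
    the change, which is a separate problem from the one this scan is looking for.
    """
    return proto.startswith(("SSLv", "TLSv")) and proto not in MODERN_TLS


def find_legacy_tls_accounts(log_text):
    """Map each account to the early-TLS versions it logged in with, with counts.

    Carol's case shows why counting per account matters: her IMAP client is fine,
    but her POP3 client still negotiates TLSv1.1, so she needs the notice too.
    """
    seen = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a login line in the expected format
        proto = m.group("proto")
        if is_early_tls(proto):
            seen[m.group("user")][proto] += 1
    return {user: dict(protos) for user, protos in seen.items()}


def notification_list(log_text):
    """Sorted (account, {version: count}) pairs for the accounts that must be notified."""
    return sorted(find_legacy_tls_accounts(log_text).items())


if __name__ == "__main__":
    for user, protos in notification_list(SAMPLE_LOG):
        detail = ", ".join(f"{p} x{n}" for p, n in sorted(protos.items()))
        print(f"notify {user}: logged in with {detail}")
```

Running the scan on the sample lines flags bob (two TLSv1 logins) and carol (one TLSv1.1 login); alice is already on TLSv1.2 and dave's plaintext login is ignored. Running it over a full day of logs before the cutover gives the notification list the post describes, and running it again afterwards shows whether the notices were acted on.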

The lack of TLSv1.2 adoption has really been a shock to us. We did not anticipate this level of issues with this move. But we hope that by educating our users we can resolve this and increase the overall security of our servers at the same time.

Update – June 14, 2018

So what’s the bottom line?

If you have been sent to this post or if you are otherwise affected by this then this statement rings true:

You are using an email client or operating system that does not support valid security protocols.

Perhaps this can be fixed, perhaps not. We’re really not going to know. There are just too many email clients out there for us to know which settings live where and which patches may or may not need to be applied. It’s best to contact the developer or vendor of the product you are using.

But chances are, if you are having problems with this, then the product you are using has reached its end-of-life, and that may have occurred several years ago. Up until this latest server update, secure connections using TLSv1 were still being allowed. But it’s important to note that TLSv1 connections were never secure to begin with. That is why they have been disabled: to raise awareness that the client and operating system you have been using are not secure.

The Internet is always on, always available – which means it has to be secure. This means things have to change in order for it to remain secure. When security vulnerabilities are discovered in Internet protocols, you can’t expect a secure Internet to continue to use those protocols. This is what has happened here. Vulnerabilities in TLSv1 have been known about for some time, but the Internet industries were giving people time to migrate to new clients, programs, and protocols before completely shutting down TLSv1. The shutdown of TLSv1 is beginning now.

Update – June 13, 2018

If you are having issues with this and you are using one of Microsoft’s Outlook products on Windows 7, then you might try applying this patch:

https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in

Some have made progress by using this patch to update their Outlook to allow modern versions of TLS. But if you are depending on an outdated or discontinued version of Outlook, this patch probably won’t help you.

Original Post

An upcoming change to our servers will affect some older email clients (potentially older browsers as well).

Changes to the security configuration on the servers will change the available ciphers and allow only TLS version 1.2. The aim here is to provide better security throughout the Internet. Known issues with TLS versions 1.0 and 1.1 essentially make them insecure.

Most users won’t notice this change. If you are using a modern email client, browser, and operating system then it’s probably already using TLS 1.2, and if not, it will switch to it when other insecure TLS versions are unavailable.
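Whether a given client "already uses TLS 1.2" is something you can check rather than guess, from the server side as well: a TLS 1.2-only policy is confirmed by attempting a handshake at each older version in turn and seeing it refused. The probe below is an added example, not the hosting provider's own tool. It uses only Python's standard library (`ssl`, `smtplib`, `imaplib`); host, port and mode are whatever you pass in, and certificate verification is switched off in the probe context because the only question being asked is which protocol versions complete a handshake (never reuse that context for real mail traffic).

```python
import imaplib
import smtplib
import socket
import ssl

# The versions the change is about, oldest first; TLSv1.2 is the one that must remain.
VERSIONS = [
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
]


def probe_context(version):
    """Client context pinned to exactly one protocol version.

    Verification is disabled for the probe only: a self-signed or mismatched
    certificate would otherwise be indistinguishable from a refused version.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def negotiate(host, port, mode, ctx):
    """Open one connection and return the protocol name the server agreed to.

    mode: "implicit" for IMAPS (993) / SMTPS (465), "smtp" for STARTTLS on 587 or 25,
          "imap" for STARTTLS on 143.
    """
    if mode == "implicit":
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    if mode == "smtp":
        with smtplib.SMTP(host, port, timeout=10) as s:
            s.starttls(context=ctx)
            return s.sock.version()
    if mode == "imap":
        m = imaplib.IMAP4(host, port, timeout=10)
        try:
            m.starttls(ssl_context=ctx)
            return m.sock.version()
        finally:
            m.shutdown()
    raise ValueError(f"unknown mode {mode!r}")


def probe(host, port, mode):
    """Try each version; returns {name: "accepted" | "refused" | "error: ..."}."""
    results = {}
    for name, version in VERSIONS:
        try:
            negotiate(host, port, mode, probe_context(version))
            results[name] = "accepted"
        except ssl.SSLError:
            # Handshake failed: either the server refused this version, or the local
            # OpenSSL policy (security level) would not even offer it. Both mean the
            # client in front of you cannot use that version against this server.
            results[name] = "refused"
        except (OSError, smtplib.SMTPException, imaplib.IMAP4.error) as e:
            results[name] = f"error: {e}"  # connection, STARTTLS or protocol problem
    return results


def early_tls_still_accepted(results):
    """True if any pre-1.2 version completed a handshake, i.e. the cutover is not done."""
    return any(results.get(name) == "accepted" for name, _ in VERSIONS if name != "TLSv1.2")


if __name__ == "__main__":
    import sys
    host, port, mode = sys.argv[1], int(sys.argv[2]), sys.argv[3]  # e.g. mail.example.com 993 implicit
    results = probe(host, port, mode)
    for name, outcome in results.items():
        print(f"{name}: {outcome}")
    print("early TLS still accepted" if early_tls_still_accepted(results) else "TLSv1.2-only policy confirmed")
```

A server that has completed the change described in this post reports `refused` for TLSv1 and TLSv1.1 and `accepted` for TLSv1.2. Note the caveat in `probe`: on a system whose OpenSSL build already refuses to speak TLS 1.0/1.1 at all, the first two rows read `refused` regardless of the server, which is still the right answer for any client running on that system.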

But if you are using an older email client, such as Outlook 2007 or Windows Live Mail (plus many others – too many to list), you will likely be affected by this. It is important to note that both Outlook 2007 and Windows Live Mail are end of life. That means they are no longer supported by their developer. And anything that is end of life, you really shouldn’t be using any more. You can’t expect end-of-life software to continue to be updated and work on modern systems. It just doesn’t work that way.

So if you encounter an issue checking or sending mail, consider the email client you are using and whether it is up to date and being kept up to date. If it’s end of life, then you really need to switch to a modern email client and/or operating system.

This will only affect you if you use one of these email clients AND use secure mail settings. You can continue to use your old email client, you just can’t use secure settings – but we don’t recommend doing that. The best solution is to update to a modern email client or operating system.

We recommend Thunderbird, although any modern email client should be sufficient:

https://www.thunderbird.net

Additionally, you can use webmail to log into your email accounts. Simply point your browser to:

http://yourdomain.com/webmail

Enter the email address you want to check as the username, and that email account’s password as the password. (Replace yourdomain.com with the actual domain name you have hosted with us.)

All of this is being done with the objective of making the Internet more secure. The Internet cannot be secure if insecure protocols and systems are allowed to continue to operate. All of those insecurities will eventually be phased out.