F2S asks for e-mail password

[shamus]

If anyone remembers, I have been having trouble with e-mail authentication for some months. Just takes forever to establish an IMAP session.

I wrote to F2S and in their reply today they say "...please supply the password for the affected mailbox for further investigation...".

I don't think I am clinically paranoid but is this not a step too far? All my private correspondence will be for anyone at F2S,and who knows, to read. They do not state how long before I can instate a new password.

The best I could offer, in reply, was to set up a dummy account as all my mailboxes are affected by this problem.


Dillon

[kmount]

I agree, you shouldn't ever need to hand over your credentials.

[Justin]

You really shouldn't need to hand it over. I worked as a Supervisor and Team Lead for an Irish ISP for a couple of years, and I'd never allow my team to ask for something like this by email. If all else fails and they cannot access it any other way they should reset it and allow you to change it afterwards

[shamus]

Of course, an ISP can read all one's mail anyway. It's there on some storage in plaintext. And we "trust" an ISP not to rummage around.

The more I think of it, the more apparent it becomes this is simply not good enough in the modern world given the sort of sensitive data that regularly moves to and fro via e-mail.

Dillon

[Justin]

I would never read the users mail - I know it's possible, and I'm sure I could do it if I wanted to have done - but doesn't interest me at all.

[shamus]

Justin please don't think, at all, I was refering to you. My apologies. I should have expressed myself better.

What I'm thinking of is an 'encrypted mailbox'. That is to say, anything that lands in one's mailbox(s) is encrytped by default (i.e. not readable by any ISP).

This is not the same as the Alice and Bob scenario sending encrypted messages to one another; although that might be another layer of encryption.


Dillon

[kmount]

The problem with storing anything encrypted is the extra cpu cycles it takes to encrypt/decrypt it, and if you're "admin" even on locked down filesys encrypted boxes it's tricky.

The reality is that in this day and age, I'd suggest everyone to communicate using GPG/PGP and never to use Email for anything you wouldn't send in the post.

[Justin]

Quote:

Originally Posted by shamus

Justin please don't think, at all, I was refering to you. My apologies. I should have expressed myself better.

Hi Shamus - no worries, I didn't think you were refering to me, was just commenting in general on my experiences in the industry!

[shamus]

Quote:

Originally Posted by Chaz

The reality is that in this day and age, I'd suggest everyone to communicate using GPG/PGP and never to use Email for anything you wouldn't send in the post.

Granted CPU cycles will be required to encrypt. Decryption, however, should only take place on a user's machine. Encryption need not take place on any ISP machine; it could but that is not mandatory.

Yes, it's an excellent suggestion that people communicate using PGP, inter alios, but the problem with that is no one does -- even if one has a public key that is available to all.

I really hope in the next few years it's something that will be fixed and hard to "crack" unlike the CS wizzard in Spooks who seems to be able to decrypt everything in less than an hour :-)

I know it's nearly XMAS and one should be generous in spirit but can you imagine F2S handling this? I shudder at the thought.

Actually, to their credit and after several quite nasty moans from me, they do seem to have cleared up my problem.

Further problems excepted Happy Christmas to everyone and see you in the New Year...

Dillon