Re: Time Warner Road Runner web mail not secure



In article <1174571312.643050.273610@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
SecretSquirrel <SecretSquirrel123@xxxxxxxxx> wrote:
Hi,

I use this site:

http://webmail.tx.rr.com/webedge/do/mail/folder/view

for accessing web mail. It is from Time Warner.

I called their help desk to indicate it is not using https:// and
therefore is not encrypted and not secure. Their response was that it
is a secure site and that it is using encryption.

I have contacted their security department to indicate this and never
got a response back.

I can see that other Time Warner sites use https (e.g. https://webmail.nyc.rr.com/),
but this texas site is not.

I am getting frustrated because they keep insisting it's secure and
encrypted even when it's clearly not so.

Am I wrong about this? How do I get them to fix it?

As others have pointed out, it is likely that the authentication is
using HTTPS. When you log into the webmail interface, watch your
browser to see if it briefly submits something to an "https://...."; URL.
Some browsers, such as Firefox, will also show a subtle change in the
appearance of the browser window to indicate that it has switched to
"secure" mode (the appearance of a padlock icon in one corner, or the
changing of the address bar to an alternate color).

The rest of your session, however, will be unencrypted. The support
representative you spoke with on the phone probably did understand
what you were asking, since your question doesn't fit into their
troubleshooting scripts, and they personally probably don't appreciate
the difference.

If you are looking for secure webmail, you're looking in the wrong
place. Road Runner, like most transport ISPs, offers e-mail simply as
an add-on service that they can tout in their marketing materials ("We
offer free e-mail!"). They support it, however, only as much to keep
customers from switching to another service (such as DSL or a competing
cable provider). The poor reputation of most of these companies among
anti-spam advocates should also tip you off that they have very little
interest in security, so long as it doesn't cut into their bottom line
*this* month, or expose them to expensive lawsuits.

I find it is best to pretend that Road Runner doesn't offer e-mail at
all, and simply pay $10/month for a service that (1) provides encryption
on my sessions all the time, and not just during authentication, and (2)
is actually responsive to reasonable customer requests. Talking to
someone who actually cares, and who has a clue, is worth every penny.

--
Gregory Pratt gp@xxxxxxxxx
East Rutherford, NJ, USA http://www.panix.com/~gp/
"You're only given one little spark of madness. You mustn't lose it."
PGP Key Fingerprint: DC60 FCDE 91E2 3D41 91A3 45DB B474 3D3A 3621 AAFE
.



Relevant Pages

  • Re: Tracking Confidential Files - solution?
    ... I appreciate the response. ... Some users have admin rights on their box, so the profiles ... aren't really secure. ... I believe that media encryption of the database ...
    (microsoft.public.security)
  • Time Warner Road Runner web mail not secure
    ... I called their help desk to indicate it is not using https:// and ... Their response was that it ... is a secure site and that it is using encryption. ...
    (comp.security.misc)
  • Re: Unbreakable Encryption ? Scenarios - What encryption method would be best?
    ... DES is a well-known algorithm so there are good reasons to have a good ... > risk it by storing one of the best possible passwords (or encryption ... > Ok lets say there will be a secure channel but it will happen only ... > because the decrypting method yielded a plain text message and vice ...
    (sci.crypt)
  • Re: [fw-wiz] Re: Firewalls breaking stuff: [Was re: fwtk]
    ... > access to the mail server's private keys and thus the monitor can follow the ... > in a way that's more secure rather than less secure. ... for service level encryption versus VPN access. ... >> reducing bugs reduces the number of sever bugs. ...
    (Firewall-Wizards)
  • Re: Best secure surfing solution
    ... I have set up a service with companies providing secure web ... the product would have to install a keylogger. ... If we caught anyone in> IS or elsewhere in our company sniffing our communications, even if they> were encrypted, they'd get laid off or, at least, suspended. ... If e-mails are sensitive then> the sender should be using encryption. ...
    (sci.crypt)