There has been a lot of news in the last few months of politicians using non-secure/non-governmental email servers. Some of these politicians’ accounts have been hacked, leading to the concern that secret information may have been leaked to those hackers. In some cases – the ability to change e-mail settings to become non-secure is trivial, and can be accomplished in just a few seconds.
Just this week, Mike Pence has been accused of using his AOL account for government business as governor of Indiana. In addition to this being not secure, and a breach of governmental security practices, AOL allows e-mail to be sent without HTTPS.
AT&T’s Video Optimizer examines the packets sent between your mobile phone and the network. One of the cool new features is the ability to look for text strings that are sent in clear text. I the following example, I turned off SSL to my AOL e-mail account:
I then tested my phone with Video Optimizer, and collected a trace of e-mail arriving on my phone. To look for private data being sent during the transactions, under Tools-> Private Data Tracking, I added 2 fields:
The trace is re-analyzed, and these strings are looked for, and found!
As you can see, my e-mail address, and password are being sent in cleartext. Here is the actual data being sent:
I can replicate this on old Android devices like the Samsung S3, but also on the Samsung S7 running Android 7.0 Nougat (although when I changed the setting, the device did warn me that this was not safe):
So, be careful with your e-mail by making sure you have SSL turned on. And never give your phone to others – because turning SSL off can be done in just a few moments by someone who knows what they are doing.
Or, better yet, if you are a politician – use secure government e-mail accounts for all secure communications.
Doug Sillars: Performance Expert and Developer Advocate 