Kindle, GOP etc: What to do with insecure email servers

Created at 28.July 2016, 17:00 | Category: Blog

Dear Posteo users,



In the last few days we have received a lot of positive feedback on our new TLS-sending guarantee, for which we would like to say thank you. We’re very pleased about how well the new security feature is being adopted. Within just a few days more than 20% of our users have activated the new feature. With the TLS-sending guarantee activated, your emails are only sent if they can be transferred to the recipient over an encrypted transport route. Because we are currently receiving a lot of queries, we will here look at some insecure email servers and show what options are available when sending is stopped.



First, here is an example, which we are receiving many enquiries about: Amazon “@kindle.com”.



The email servers for the commonly-used domain “@kindle.com” are in fact not secure. Even three years after the NSA scandal, the domain still does not support TLS encryption when receiving emails. Our tests confirm this. We have received numerous queries about the security of “@kindle.com” from users with the TLS-sending guarantee activated. In our view, the lacking TLS support presents a large problem, because customers use “@kindle.com” addresses to send their own documents to their Kindles. Amazon describes this feature as follows: “Kindle customers can send documents to their registered Kindle devices, free Kindle reading applications, and their Kindle Library in the Amazon Cloud by e-mailing them to their Send-to-Kindle e-mail address name@kindle.com.”



It appears that Amazon domains are not generally affected.



The current configuration of “@kindle.com” is insecure and presents a security risk. Whether you wish to continue sending sensitive data to “@kindle.com” addresses is your own personal decision. If desired, you could temporarily disable the TLS-sending guarantee in order to send. Please note, however, that due to the lacking security of @kindle.com, these communications can be read by unauthorised third parties such as criminals and intelligence services. For privacy reasons, you should not send other people’s data to kindle.com addresses – the others should be able to decide this for themselves.

We have no influence over Amazon’s IT. You could contact Amazon directly. It is generally not especially difficult for administrators of email services to activate TLS encryption on their servers. We assume that the domain will soon be secured if complaints arrive, as the lacking security constitutes a grave security risk. You would then once again be able to send emails to kindle.com addresses with the TLS-sending guarantee activated.



No encryption for GOP (Republican National Committee), the University of Oxford or Ryanair either



We are asking all users who have contacted us regarding email servers that are not capable of TLS encryption such as @gop.com, @kodakpulse.com, @communication.microsoft.com, @ox.ac.uk, @ryanair.com, @unog.ch, @melia.com and other domains (listed below) to decide in each individual case whether they wish to send an email to the insecure email system. For all servers that are not capable of TLS, communicating with these outdated email systems is insecure.





When sending is stopped, you have the following options:

- You can inform the recipient (if desired, using an alternative contact method) that securely sending an email to their address is not possible and ask them to provide an alternative email address.

- You can temporarily deactivate the Posteo TLS-sending guarantee and send the email securely, by furnishing it with end-to-end encryption.

- You can temporarily deactivate the TLS-sending guarantee and send the email unencrypted/insecurely, as an exception.



Ask the domain holders for better security



If you would like to, you could contact the holder of a domain to ask them to activate TLS encryption on their servers. By doing this, you contribute to achieving an improved overall security of email traffic.

Overall, it can be said that these days, mainly only outdated and poorly-maintained email servers do not support TLS. If you activate the TLS-sending guarantee, it will generally only rarely occur that one of your emails is not sent for security reasons.



Last of all, we have collated a list of examples of commonly-used email domains that astonishingly do not yet support TLS, about which we have received queries during the last few days:



- Amazon Kindle: @kindle.com

- Microsoft: @communication.microsoft.com

- United Nations Office at Geneva: @unog.ch

- University of Oxford: @ox.ac.uk

- Yahoo! Japan: @yahoo.co.jp

- Melia Hotels: @melia.com

- Kodak Pulse “Email pictures to the display”: @kodakpulse.com

- Germanwings: @germanwings.com

- eBay: @members.ebay.com

- German American Chamber of Commerce: @gaccny.com

- Pacific National Bank: @pnb.com

- Ryanair: @ryanair.com

- Voyages SNCF: @voyages-sncf.com

- Republican National Committee: @gop.com





Best regards,

The Posteo team