Apple updates require email servers to use boosted encryption or none at all

Some businesses running their own email servers are faced with a choice to either upgrade their level of encryption to meet Apple Inc.’s new standards, or use none whatsoever.

After upgrading in-house Apple hardware to OS X 10.4.4 and iOS 8.4.4 last month, many businesses relying on their own email servers using the SMTP protocol suddenly found themselves without the capability to send a message from their iPhones and Macs. In threads detailed on Apple’s support forum, users describe receiving error messages effectively telling them that communications with their server were cut off. The problem is unique to the new version of iOS and OS X and is related to Apple’s efforts to a recently discovered security vulnerability known as “Logjam.”

Logjam is a vulnerability discovered by a group of security researchers in May. It “allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export -grade cryptography,” the group explains on weakdh.org. “This allows the attacker to read and modify any data passed over the connection.”

In other words, hackers could trick your server into using weaker encryption standards that they know how to crack and steal information. To fix the problem, Apple is requiring that servers use higher-grade encryption standards to receive connections from their products. Specifically, Apple wants administrators to use a group size of 2048 bits or more when using the Diff-Hellman key exchange encryption protocol. The company issued a support statement with the advice on July 1.

But those who hadn’t met Apple’s standards for encryption found that just turning it off altogether was the only workaround to get email to work. According to one forum user, email provider Easyspace suggested its clients disable SSL for their outgoing messages, leaving them unencrypted altogether.

Ian Morrison, operator of Toronto-based web services firm Nuclear Media passed on advice from a thread in Apple’s support forums to his clients, but recommended against upgrading Apple devices rather than resort to turning off SSL.

“Encryption is paramount, as users place an increasing amount of trust in the technology they use,” he says. “They trust the systems that are designed to keep their messages private, just as they trust a mail carrier not to open their packages.”

SSL is an encryption solution applied to many web-based communications, including email sent via SMTP protocol. Since SMTP was designed decades ago before communications were sent over public WiFi, it doesn’t have encryption built into it.

Sending email without it would be a “step back,” says Claudiu Popa, founder of Informatica Security. But administrators should ensure encryption is put in place at every step of the communications flow.

“In the absence of full cycle encryption, such a confidentiality control as SSL offers little more than a false sense of security,” he says.

Administrators of email servers can also prevent their servers from accepting unencrytped connections, which would prevent the workaround suggested in the forum.

 

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Brian Jackson
Brian Jacksonhttp://www.itbusiness.ca
Editorial director of IT World Canada. Covering technology as it applies to business users. Multiple COPA award winner and now judge. Paddles a canoe as much as possible.

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.