This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

How important is IMAP SSL for personal email?

I am switching over from Eudora and POP3 accounts to POP3 or IMAP account in Thunderbird, and am wrestling with how much revamping to do. My email server, web.com (which hosts my personal website), offers IMAP but does not offer SSL encryption for incoming or outgoing email in either POP3 or IMAP. I have read the advice at https://support.mozilla.org/en-US/kb/server-doesnt-use-encryption. However, I would like to hear from a few well informed folks as to how important they really believe this type of security is for personal email, and how strongly would they recommended I change email vendors (and thus website hosting) in order to have SSL email processing. Since they don't offer SSL, I can't count on objective advice from web.com.

Thank you,

MCM

I am switching over from Eudora and POP3 accounts to POP3 or IMAP account in Thunderbird, and am wrestling with how much revamping to do. My email server, web.com (which hosts my personal website), offers IMAP but does not offer SSL encryption for incoming or outgoing email in either POP3 or IMAP. I have read the advice at https://support.mozilla.org/en-US/kb/server-doesnt-use-encryption. However, I would like to hear from a few well informed folks as to how important they really believe this type of security is for personal email, and how strongly would they recommended I change email vendors (and thus website hosting) in order to have SSL email processing. Since they don't offer SSL, I can't count on objective advice from web.com. Thank you, MCM

தீர்வு தேர்ந்தெடுக்கப்பட்டது

In my view any email provider not offering SSL/TLS will be out of business soon. Already today there are email providers who refuse to deliver a message to another provider's mail server, if that server doesn't support SSL/TLS. There's a tendency towards SSL/TLS for the WWW too, and we'll probably see nearly 100% encryption at some point. Without SSL/TLS every time you login to your email the password will be transmitted in clear text, as well as the messages sent and received. Keeping the Snowden revelations in mind, you can decide for yourself if this is something you want or not.

Read this answer in context 👍 1

All Replies (7)

தீர்வு தேர்ந்தெடுக்கப்பட்டது

In my view any email provider not offering SSL/TLS will be out of business soon. Already today there are email providers who refuse to deliver a message to another provider's mail server, if that server doesn't support SSL/TLS. There's a tendency towards SSL/TLS for the WWW too, and we'll probably see nearly 100% encryption at some point. Without SSL/TLS every time you login to your email the password will be transmitted in clear text, as well as the messages sent and received. Keeping the Snowden revelations in mind, you can decide for yourself if this is something you want or not.

This is very helpful. I'll mark it as the solution, but wonder if there are any dissenting opinions.

Thank you Christ1.

You cannot afford to leak the login for any email account for these reasons:

(1) Anyone with that login can take over your email account and change the password and deny you use of it. Possibly there is personal information in past and future emails.

(2) Anyone with that login can use it to send out email on your behalf to anyone on your contacts list or anyone who has emailed you, which is a convenient way to steal money and personal information from those people based on their thinking it is you.

(3) Anyone with that login can reset your account passwords for other services, taking over those accounts, locking you out of them, and taking any actions those websites would allow you to take. That's not possible on all sites, because some require other identification before allowing a password reset, but it could apply to some social media and ecommerce sites, as well as more casual sites.

So... in my opinion, it's pretty important.

Much appreciated also, looks there is an unwavering consensus. I'm convinced.

Thank you.

Can you then mark the thread as 'Solved' please? Thank you.

No offense jscher2000, I had already marked the first response from Christ1.as the solution, your comments are equally valued as a solution, doesn't seem possible to mark more than one as a solution.

Thank you