[WXC/VFX] What is wrong with Xnet Webmail ?

Forums › One New Zealand (including Vodafone, WxC, Farmside) › [WXC/VFX] What is wrong with Xnet Webmail ?

xlinknz

1126 posts

Uber Geek

Trusted

#28590 5-Dec-2008 10:00

My wife & I moan at the poor performance of Xnet webmail which has been going on for quite some time, what is the issue with it & why is it taking so long to resolve permantly ?

And when will Xnet take their customers security seriously and get a SSL cert for the site - WxC must be the only ISP who does not have secure webmail !

Quite frustrating

1 | 2

3267 posts

Uber Geek

Trusted

#182262 5-Dec-2008 12:31

I use "webmail2" a lot and find it slightly slow, but not enough to raise any complaint. It certainly is a lot faster than downloading Hotmail e-mails via POP. Perhaps it uses a large plug-in and your virus scanner takes a long time to check it, or the IE ant-phishing scanner is slow?

The only complaint I have with it is that it will not show the correct number of unread messages until you change to a different folder and then back to the inbox.

You can never have enough Volvos!

Tradepub

Free professional, reference and technical white papers (affiliate link).

xlinknz

1126 posts

Uber Geek

Trusted

#182278 5-Dec-2008 13:09

Niel: I use "webmail2" a lot and find it slightly slow, but not enough to raise any complaint. It certainly is a lot faster than downloading Hotmail e-mails via POP. Perhaps it uses a large plug-in and your virus scanner takes a long time to check it, or the IE ant-phishing scanner is slow?

The only complaint I have with it is that it will not show the correct number of unread messages until you change to a different folder and then back to the inbox.

My wife and I don't like to use webmail2 as it does not have anywhere near the number of features as the old webmail [old-webmail.xnet.co.nz] old-webmail has full calendar, tasks, comprehensive address books and does not bold unread spam and allow me to send from all my email alias which the new one does not

and the lack of https...

ps: they are currently having webmail problems [again] as it does not work at present refer to the network status ticker on there homepage. Webmail has had issues since this morning and it has been a number of hours now...

RedJungle

Phil Gale
1108 posts

Uber Geek

Trusted

Red Jungle

Subscriber

#182319 5-Dec-2008 15:31

Once again: Google Apps for your domain is free, ISP independant, secured by SSL and supports webmail or POP/IMAP.

nate

6473 posts

Uber Geek

Retired Mod

Trusted

Lifetime subscriber

#182338 5-Dec-2008 16:23

xlinknz:And when will Xnet take their customers security seriously and get a SSL cert for the site - WxC must be the only ISP who does not have secure webmail !

What exactly is in your emails that it must be encrypted in transit between WxC and your browser? SSL adds an overhead to every request as data must be encrypted before being sent to you.

SSL is really only needed for online banking.

shadenz

29 posts

Geek

#182371 5-Dec-2008 19:47

One other alternative if you need web-based access would be to set Gmail up to retrieve your Xnet mailbox via POP - this solution seems to work well for me. Gmail has nice spam filters too :)

cokemaster

Exited
4921 posts

Uber Geek

Retired Mod

Trusted

Lifetime subscriber

#182372 5-Dec-2008 19:58

nate:
SSL is really only needed for online banking.

You are serious? Right?

webhosting

Loose lips may sink ships - Be smart - Don't post internal/commercially sensitive or confidential information!

Niel

3267 posts

Uber Geek

Trusted

#182375 5-Dec-2008 20:22

shadenz: One other alternative if you need web-based access would be to set Gmail up to retrieve your Xnet mailbox via POP - this solution seems to work well for me. Gmail has nice spam filters too :)

Have you read their T&C? They can use any data going through their servers for whatever purpose they want... But I agree, Google has very good applications/services.

You can never have enough Volvos!

nate

6473 posts

Uber Geek

Retired Mod

Trusted

Lifetime subscriber

#182409 6-Dec-2008 00:46

cokemaster: You are serious? Right?

I am serious.

SSL on webmail is like retrieving money from a bank under heavy guard, when it's been trucked there on the back of open utes. There are much better technologies for encrypting an email from point A to point B (using keys) which would provide more security. Having said that, if you need to encrypted your emails, you are probably sending data which you shouldn't be sending via email in the first place.

I'm happy to change my original post to "SSL is really only needed for online banking AND when other sensitive account details are being transferred"

Happy now?

RedJungle

Phil Gale
1108 posts

Uber Geek

Trusted

Red Jungle

Subscriber

#182436 6-Dec-2008 08:31

I tend to agree - and I actually think SSL gives a lot of people a real false sense of security. There is a real lack of understanding from average users around what SSL actually is and does, and in my experience people assume when they see the 'padlock' in their browser that means the site is completely legit and their data is completely safe - which just isn't the case.

Top this off with the absolutely rediculous pricing model most SSL providers have in order to be issued a certificate.

/End SSL rant.

freitasm

BDFL - Memuneh
79016 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#182438 6-Dec-2008 08:40

Yes, the SSL security is false... In this specific case at least.

It only prevents people to see your username and password between the browser and the server. The emails have already travelled around the world in the open - they are not encrypted between servers so if anyone wanted they already read those messages.

A lot of people ask me "It's ok to give my credit card then, there's a padlock here"... Which is sad. The padlock just means the site owner bought a SSL certificate. It doesn't mean their security is any good - after you submit your credit card details for example, who can say that this data is not stored on a database that's accessible from outside? Who can guarantee this database has proper storage encyption? Who can guarantee an employee is not copying that data to a USB memory key and walking away with it?

SSL does not guarantee anything but security between your browser and the server. After this (or before this if your PC is infected with keyloggers) there's nothing safe on the Internet.

My technology disclosure

richms

27972 posts

Uber Geek

Trusted

Lifetime subscriber

#182570 7-Dec-2008 11:24

I read some survey before that had users putting more faith in a padlock icon on the page beside the fields then the one the browser supplies. Was a few years back so the changes that have happened with the addressbar may change the results, but the end result is that users are stupid when it comes to believing what the computer tells them.

The only time I dont like to use non ssl website auth is at public wlans since it is so easy for people to snatch them from the air. That is why there should be at least a secure signon for things that may contain personal information like email.

Richard rich.ms

Niel

3267 posts

Uber Geek

Trusted

#182974 9-Dec-2008 13:16

There is now a secure option. Since it is an option, I'm guessing that they have a good reason for not having it secure in the first place.

You can never have enough Volvos!

xlinknz

1126 posts

Uber Geek

Trusted

#183008 9-Dec-2008 15:02

freitasm: Yes, the SSL security is false... In this specific case at least.

It only prevents people to see your username and password between the browser and the server. The emails have already travelled around the world in the open - they are not encrypted between servers so if anyone wanted they already read those messages.

Mauricio, in a website that uses https for all pages all packets are encrypted between the client and the server. Therefore for a webmail site that remains https all the email & content [except the intial request packets before the ssl cert is exchanged] are encrypted regardless of how many networks and routes are transversed

Note some websites only use https for a login page in which case only the authetication [username & password] is encrypted.

Niel: There is now a secure option. Since it is an option, I'm guessing that they have a good reason for not having it secure in the first place.

Yes I noticed over the weekend WxC finally and to their credit

have offered https webmail interface which will ensure all packets [& emails] are encrypted. I suspect in time they will drop the non secure option as yahoo did sometime back.

I suspect the reason that WxC did not have a secure option previously is that it was not a high priority to them but they now recognise the need to meet best practise for any ISP.

nate

6473 posts

Uber Geek

Retired Mod

Trusted

Lifetime subscriber

#183025 9-Dec-2008 15:37

xlinknz:
freitasm: Yes, the SSL security is false... In this specific case at least.

It only prevents people to see your username and password between the browser and the server. The emails have already travelled around the world in the open - they are not encrypted between servers so if anyone wanted they already read those messages.

Mauricio, in a website that uses https for all pages all packets are encrypted between the client and the server. Therefore for a webmail site that remains https all the email & content [except the intial request packets before the ssl cert is exchanged] are encrypted regardless of how many networks and routes are transversed

Yes that is true, but the data is only encrypted from your browser to the webmail server. What Mauricio is talking about is the delivery of the email from the sender's computer to your email server.

For example, imagine I am sending an email to you from Xtra. Assuming I'm using standard SMTP, the email would be transmitted unencrypted from my computer to Xtra's email servers. From there, it would be transferred (again unencrypted) to WxC's email server. It would be stored on their email server (unencrypted) until you connected and downloaded it.

As you can see, it's fine on the final path from their webmail to your browser, but you still have a lot of encrypted hops along the way (and this is a direct server to server path, there would be more vulnerabilities if the email passed through a couple of relays on the way).

My concern is what are you sending/receiving that is sensitive? I've seen it too often, clients transferring sensitive info such as credit cards via email. While the possibility of interception is low, it is still a very silly mistake to be making.

Niel

3267 posts

Uber Geek

Trusted

#183029 9-Dec-2008 15:46

nate: Yes that is true, but the data is only encrypted from your browser to the webmail server. What Mauricio is talking about is the delivery of the email from the sender's computer to your email server.

And the default for Outlook Express is not to use encryption. Most people use OE, so most e-mail downloads are unsecure anyway.

You can never have enough Volvos!

1 | 2