Time Warner suggests turning off SSL after its mail certificate expires.
Over the weekend, the SSL certificate securing Time Warner Cable’s email server expired. This caused widespread outages for users, who couldn’t access their email.
Shortly after the problem started, users began posting on Time Warner’s forum complaining that they could not access their email – popular apps’ like Mail for iOS were refusing connections entirely.
Time Warner support suggested a fix: “going into your email settings and disabling SSL will stop the pop-up message and re-enable the webmail fetch.” The company was giving the same advice on its Twitter account.
[su_pullquote]It is shocking to see a major ISP condoning such a solution, which would leave users with an unsecured connection to their email.[/su_pullquote]
It is shocking to see a major ISP condoning such a solution, which would leave users with an unsecured connection to their email. That would make it incredibly easy for those emails to be read and intercepted by malicious third-parties. This is downright dangerous due to the sensitive information sent in emails and the well-known threats of un-encrypted communication.
Users who take this advice will be happy their email works again, unlikely to remember they need to check back in and see if it’s okay to turn SSL back on. This could leave users without a secure connection to their email for years.
In its post, Time Warner did not explain what SSL was or the security risks of turning it off. Time Warner support also suggested users use the webmail site, which had working SSL, as a secondary solution.
The certificate expired right before 7 p.m. EST Dec. 30. It took nearly 24 hours for the issue to be resolved. In that time, more than 4,000 people viewed threads about the problem and could have heeded the bad advice of disabling SSL
In 2017, making sure your SSL certificate is renewed ahead of time should be on any company or organization’s checklist of basic security procedures, next to “remove default admin login.”
What makes this situation even more egregious is that it comes from an ISP. Given the amount of resources and IT expertise an ISP has at its disposal, there is simply no excuse to allow a certificate to expire, or to give such poor advice. This is like your car manufacturer telling you to just ignore the check engine light.
Friday night during a holiday weekend is probably the worst time to have to fix an outage. Is it disruptive? Sure. Did it mean someone had to drive back to the office? Maybe. But that’s what an organization that actually takes security seriously would do.
Note: Thanks to my father, a long-time Time Warner customer, who pointed me to the issue.