by vbit 3523 days ago
> When you send an e-mail today it’s sent in plaintext. This means that when you connect to your local coffee shop’s WiFi they can intercept all e-mail that is sent through their router. This is probably not the relationship you have with your barista…

Um, how many users use native clients on unencrypted ports as opposed to https based web-clients or TLS?


I manage e-mail servers used by "smaller" government users (individual agencies/offices, municipalities, and counties), schools, businesses and individuals -- those who are typically using a "real" mail client (e.g. Outlook) over web-based mail (although we offer that as well).

I haven't run any type of extensive usage statistics, but from what I see daily, plain-text POP3 (i.e. 110/TCP) is overwhelmingly more popular than anything else. STARTTLS (with both POP3 and IMAP4) is a bit behind that, followed by {POP3,IMAP4}-over-TLS (i.e. 99{5,3}/TCP).

This is probably due to a mostly stable user base that doesn't reconfigure or set up new mail clients often. As new mail clients are installed / configured, they typically use "native TLS" (not STARTTLS) but I think this is likely because of the autoconfig/autodiscovery that most mail clients (especially mobile) support nowadays.

We will hopefully be completely doing away with plain-text mail "soon" but it will require a LOT of reconfiguring of mail clients.

A worrying number of small companies hire "an IT guy" who will promptly install an unpatched old version of Exchange Server and only turn on POP3. (Yes, paying for Exchange and not having ActiveSync.)

This is why the best thing for most small companies is to just use hosted Google or Microsoft mail.

I don't have any stats, but I imagine lots of users still connect over unencrypted ports directly to their ISP. We have to remember that most users are not like the Hacker News demographic. If you have stats that point to this conclusion being wrong, I'm happy to change my mind.
It looks like 80-85% of emails to/from Google are encrypted in transit, according to this page: https://www.google.com/transparencyreport/saferemail/

Encryption at rest is still a difficult UX/UI issue, but encryption during transit seems like something that most mail providers can get behind.

Note that this is MX-MX routing of emails between email providers, which sort of has to allow plaintext in practice.

The question of user-level IMAP/POP/SMTP access is different, but I'd expect somewhere in the region of 95+%. Note that the IMAP specification prohibits authentication that sends passwords in plaintext [1] (although I don't know if the various IMAP servers permit AUTHENTICATE PLAIN before STARTTLS -- checking, Outlook doesn't, and the other servers I had access to aren't open on 143 anyways), which means IMAP in practice requires SSL.

[1] The alternative is to use schemes like CRAM-MD5 or SCRAM-SHA-1 which don't send the password in plaintext, although these have become quite rare in practice.
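A defender-side check for the point made above (whether a server still allows LOGIN or a plaintext SASL mechanism before STARTTLS), added here as an example and not code from the thread: it parses a pre-TLS IMAP CAPABILITY response and reports whether a password could cross the wire in the clear. The two capability strings are constructed samples, and `probe_capabilities` is an optional live probe that is not exercised below.

```python
"""Audit an IMAP server's pre-TLS CAPABILITY list for plaintext-password exposure.

Added example. Follows RFC 3501 (LOGINDISABLED) and RFC 2595 (STARTTLS); the
sample capability lines at the bottom are constructed, not captured anywhere.
"""
import socket

# SASL mechanisms that transmit the password itself.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
# Challenge-response mechanisms named in the thread; the password is never sent.
CHALLENGE_RESPONSE_MECHS = {"CRAM-MD5", "SCRAM-SHA-1", "SCRAM-SHA-256"}


def parse_capabilities(line: str) -> set[str]:
    """Accept '* CAPABILITY ...' or an '* OK [CAPABILITY ...]' greeting; return the tokens."""
    line = line.strip()
    if "[CAPABILITY" in line:
        body = line.split("[CAPABILITY", 1)[1].split("]", 1)[0]
    elif line.upper().startswith("* CAPABILITY"):
        body = line[len("* CAPABILITY"):]
    else:
        raise ValueError(f"not a CAPABILITY response: {line!r}")
    return {tok.upper() for tok in body.split()}


def assess_pre_tls(caps: set[str]) -> dict:
    """Classify what a client that has not yet negotiated TLS is allowed to do."""
    mechs = {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}
    login_allowed = "LOGINDISABLED" not in caps  # RFC 3501: LOGIN must be refused pre-TLS
    plaintext_sasl = mechs & PLAINTEXT_MECHS
    return {
        "starttls": "STARTTLS" in caps,
        "login_disabled": not login_allowed,
        "plaintext_sasl": sorted(plaintext_sasl),
        "challenge_response": sorted(mechs & CHALLENGE_RESPONSE_MECHS),
        # Exposed if LOGIN or a plaintext SASL mechanism is accepted before STARTTLS.
        "password_exposed": login_allowed or bool(plaintext_sasl),
    }


def probe_capabilities(host: str, port: int = 143, timeout: float = 5.0) -> set[str]:
    """Fetch the pre-TLS capability list from a live server (network; optional)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rw", encoding="ascii", newline="")
        greeting = f.readline()
        if "[CAPABILITY" in greeting:
            return parse_capabilities(greeting)
        f.write("a1 CAPABILITY\r\n")
        f.flush()
        caps: set[str] = set()
        while True:
            line = f.readline()
            if line.upper().startswith("* CAPABILITY"):
                caps = parse_capabilities(line)
            elif line.startswith("a1 ") or not line:
                return caps


# Constructed samples: a compliant server and a permissive one.
GOOD = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=CRAM-MD5] ready"
BAD = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN"
```

Run `assess_pre_tls(parse_capabilities(GOOD))` and the same for `BAD` to compare the two; only the second reports `password_exposed`.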

Fortunately most ISPs and mail providers have disabled unencrypted logins. And many mail clients give really scary warnings if you try to use unencrypted imap or pop3.
...and how many people still use their ISP's mail as opposed to the "big" providers?
Probably many more than you expect.

I was certainly surprised by how many users there were when I took over responsibility for such mail systems five years or so ago.

In our case the answer is "thousands" -- and we're relatively small.