Virtually no one uses SSL anymore - the setting is often still called SSL for historical reasons, but most clients recognise it as SSL/TLS which often defaults to using TLS

From OpenSSL connecting to imap.virginmedia.com

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 1A02DE70699EB538441043FB6EB9E7E1FE7141BBE316D6EFA844E057A049FB19
    Session-ID-ctx:
    Master-Key: 00B286BB6B4C4B412C29F4C9BD885C57590E3D020C9771C54A7906D22C97B0C42115C8E1D4105E3B53DA293723ECEF85
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1539265708
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
* OK Virgin Media IMAP4 server ready [ e4c558782VM ].

My gripe here is that they're using TLS1.1 there's no reason IMHO not to use TLS1.2 especially with TLS1.3 having just been finalised.

Tim

Hi Tim

That (your original post) provides some great advice and information.

The key thing for me is that when you find an email account has been hacked it is usually a symptom of a much larger problem. Deleting the email account does not solve that larger problem and may indeed make it more difficult to identify and resolve.

I am guessing that many people go straight to 150 in these circumstances and do not get the benefit of advice from the Community.

It may be a forlorn hope but in my view when Virgin Media customers ask for an email account to be deleted because it has been hacked, VM staff should give them that advice before deleting the account. At the very least they should strongly advise the customer to check their online accounts with Amazon, Ebay, Paypal etc to ensure they have not been taken over by the hackers.

Coenoby

@Anonymous

Thanks for the compliment.

I use the questions to give me the impetus to research my answers properly.  I'm not always perfect mind you, but I don't just regurgitate someone elses answer I do try an understand it.

SSL is a fun subject in itself as we didn't really get encryption on the net til 1995 with SSL2.0 (Secure Sockets Layer)

https://en.wikipedia.org/wiki/Transport_Layer_Security

This was originally patented by Netscape and by extension by AOL who bought them out.  SSL3.0 followed and then after that the code was moved to open source and the next iteration was TLS1.0 - The name change was to avoid any rights issues similar to those that happened with things like the GIF format.  Add to that it was sufficiently different from SSL 3.0 but did of course provide a fallback option.

What really confused things for me was things like Microsoft Office.

Their dialogs originally gave encryption choices as SSL or TLS.  However whenever they mentioned SSL they were referring to SSL or TLS where the communication is encrypted from the outset and when mentioning  TLS they were referring to StartTLS whereby the communication uses the same unencrypted channels as before, but the client sends a StartTLS command to set up encryption.

In fact although few servers use them - it is possible to set up StartTLS encryption for POP3 and IMAP as well.  In theory that would free up ports 993 and 995 for other uses, but is probably unlikely to change any time soon.

But this lack of encryption standard also explains why email was broken as designed.  Until encryption techniques entered the public domain, standards like email http, telnet etc could not be encrypted.  After that companies were notoriously slow to adopt it.  TalkTalk only did so last year and PlusNet still doesn't.

Tim