Anyone else realize that the emails that come out of Service Desk are not being sent with any type of TLS encryption support? We just realized that all data in emails are not encrypted when they come out of the GTA mail server. This is a dead simple thing to fix and we cannot believe that such a corporate service would not have any type of mail encryption. Anyone have any thoughts on this?

Hi Chase, We're currently looking into this, you're right we should be sending emails using TLS. I'll keep this thread updated as we make progress :) Luke

Luke, Any update about this? Really should be an easy mail server switch change. Thanks

Hi Chase, Our Ops guys are currently assessing the impact this may have on other products. Once they've made this change, I'll update this thread. Thanks, Luke

I cannot believe I am now just looking for this topic. Today I was just thinking "wait these emails coming from the service desk are sent in plain text, and the emails sent back to it from Customers are as well". User Object passwords etc are sometimes in the Incident. This is a major security risk. Have you guys addressed this? Why not allow us to use our own Exchange mailbox for this using IMAPS/TLS and SMTP/TLS beween your mail servers. I'm not the expert but other service desk services have this functionality. Can you please provide Chase and I an update on this. The workaround I have is Users must check the "hide from customer" option when including any passwords in an incident.

This was a response I received about this back on April 2nd: "I hope you are doing well. Our Engineering team advised me that the feature you requested has been approved, is currently on the product roadmap, and will be included in the upcoming releases within the month. Thanks for your continued patience." I then received this response at the end of August: "Next week, our Q4 starts. I will contact Operations/Service Desk Engineering to see where we are on this as they had proposed it would be likely available during this time period." We'll see if this ever happens. It is a major security flaw and I'm actually surprised their auditors let this continue.

TLS encryption for emails | GoTo Community

35 Replies

Bcshay
Active Contributor
11 years ago
As we can see with all the data breaches occurring weekly security is a very serious topic. Sending sensitive information via SMTP in clear text is a huge vulnerability. A secure IT Service Desk is of high importance. Customers should not need to worry about insecure communications. Further security mechanisms to harden or lock down electronic communications would be nice too.

BTW: desk.gotoassist.com scored a C via an SSL report and is vulnerable to POODLE attacks. Citrix should be using TLS and not SSLv3 to secure communications to desk.

https://www.ssllabs.com/ssltest/analyze.html?d=desk.gotoassist.com
Chase Beydler
New Member
11 years ago
Please keep us a bit better updated on this. We were told that it was going to be completed in a matter of months when I first pointed it out to support, and it was only half implemented over a year later.
GlennD
GoTo Manager
11 years ago
Hi, this is planned for Q2 of this year.
Bcshay
Active Contributor
11 years ago
This reply was created from a merged topic originally titled TLS connections for SMTP.

Please keep security in mind with this release. We are still waiting for the service desk to accept inbound TLS connections for SMTP.

Note: This conversation was created from a reply on: Fresh New Look Coming March 23, 2015.
Bcshay
Active Contributor
11 years ago
Any update on this Luke? All you need to do is turn on opportunistic TLS for inbound mail.

This is still a huge security concern as un encrypted mail often contains sensitive information such as usernames and passwords.
Bcshay
Active Contributor
12 years ago
Luke - this is fantastic news to kick off the weekend.

For those of us like Chase and I who are internal and support an organization would love it. Since we don't support external clients it would be easy for us to implement but just cost us the cost of a certificate.
Luke Grimstrup
Retired GoTo Contributor
12 years ago
I'm following up with the ability to turn on similar secure mail delivery to our incoming mail servers. I'll keep you guys posted here.
Chase Beydler
New Member
12 years ago
Thought the same thing when we first got the product. Couldn't find a way to make it work.
Bcshay
Active Contributor
12 years ago
Same here. I was thinking about using DNS and creating a CNAME entry for *.assist.com but the IIS site won't allow URLs to be passed through it post authentication.

Can't wait till they support SAML 2.0 for Customers.
Chase Beydler
New Member
12 years ago
I would be fine with that if the links on notification emails actually took them to the portal. We use the active directory passthrough that GoToAssist "offers" and I've asked them multiple times when we'll be able to modify the notification emails because of it. If someone clicks on the link to view their ticket in the email, they just get a login screen asking for a username and password that they haven't actually been set up with.

Forum Discussion

TLS encryption for emails

35 Replies

Recent Discussions

Access original customer email messages

ASSIST SERVICE DESK API

Removing/cleaning up tags in service desk

DELETE MY ACCOUNT

Email Notifications - Bounced Address