Simple email question, complex answer
SECURITY SHELF

Email has improved over the last two decades, but it still suffers from gaping security holes. Efforts are underway to develop more secure alternatives, although consensus has not been reached on the best approach and significant technical, business, and political barriers must be overcome to achieve widespread adoption.

Until more secure alternatives are available, the practical security approach is to do the best we can with what we have.

A fundamental email security challenge is that organizations only control half of the system as it pertains to each external communication. Simple Mail Transfer Protocol (SMTP) servers can be configured to use Transport Layer Security (TLS) for opportunistic session encryption. However, DNS security weaknesses, flawed certificate models, and the potential for sophisticated adversaries to prevent opportunistic encryption from occurring make this only effective against casual interception.

Highly secure closed email systems can be built using Virtual Private Network (VPN) technologies and by forcing SMTP servers to always use TLS and verify certificates. However, this is only practical when dealing with branch offices and pre-arranged business partners. For general Internet email, organizations can generally only control what happens once email is received via SMTP.
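The difference between opportunistic TLS and the enforced, certificate-verified TLS described above, written out as a Postfix main.cf fragment. This is an added example, not configuration from the original post; the partner and branch domain names, the CA bundle and the certificate paths are placeholders chosen for illustration.

```ini
# Choose ONE of the two outbound policies below.

# --- Outbound policy A (opportunistic, the common default) ---
# "may" encrypts when the peer advertises STARTTLS but silently falls
# back to plaintext and never checks the peer certificate, so a
# downgrade or a forged certificate goes unnoticed. Only casual
# interception is prevented.
smtp_tls_security_level = may
smtp_tls_loglevel = 1

# --- Outbound policy B (enforced for pre-arranged partners) ---
# General Internet mail still has to flow, so keep "may" globally and
# override it per destination with a policy map.
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# Assumed path of the system CA bundle used to validate peer chains.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1

# Contents of /etc/postfix/tls_policy (separate file; run
# "postmap /etc/postfix/tls_policy" after editing it):
# "secure" makes TLS mandatory, requires the chain to validate against
# the CA bundle and the name to match; delivery is deferred rather than
# downgraded. "encrypt" only forces encryption without verification.
#   partner.example          secure match=mail.partner.example
#   .partner.example         secure match=.partner.example
#   branch.example.internal  encrypt

# --- Inbound: never accept a mailbox password on a cleartext session ---
smtpd_tls_security_level = may
# Assumed certificate and key paths for this server.
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.pem
smtpd_tls_key_file = /etc/ssl/private/mail.example.key
smtpd_tls_auth_only = yes
```

Postfix main.cf does not allow trailing comments after a value, which is why every comment sits on its own line.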

Most large organizations operate their own SMTP servers. This places email in their physical possession as soon as it is received. But email servers require static IP addresses, reliable Internet connectivity, regular patching, and constant monitoring by an experienced administrator. As a result, individuals and small businesses often outsource their email servers. Depending on the organization’s security concerns, outsourcing might be a good decision. A reliable, well-maintained email server is much more likely to be available for use and less likely to be hacked. However, outsourcing places the email in the hands of a third party and may make it subject to different legal jurisdictions.

As a rule of thumb, most organizations without dedicated IT staff should outsource their email to a quality provider. It is unlikely that individuals and small companies will do a better job than Google provides for $5 per user per month. The physical location of the email provider and threats facing the organization should be carefully considered, especially with respect to exposing email to foreign governments and jurisdictions.

Cloud computing provides additional alternatives. Individuals and organizations without suitable physical locations may build and maintain their own SMTP servers in the cloud. While this may create jurisdictional exposures similar to outsourcing, it does provide the organization with more control, especially with cloud providers that offer storage encryption. By forwarding email to an on-premises server or configuring email clients to download email and delete it from the server, some risks can also be mitigated. However, this may not align with users’ expectations of reading email on multiple devices.

Up to this point, the primary security concerns are the protection of email while in transit across the Internet and at rest on the SMTP server. Once email is on the server it must be accessed by users. Different access methods have different security characteristics.

POP3 is the simplest access method. The email client connects — hopefully over TLS — and downloads email. Depending on the configuration chosen, the client may delete the email from the server after it is downloaded, or a copy may be left on the server. The client uses SMTP to send outgoing email.

IMAP provides a more robust synchronization mechanism and is intended to leave a copy of email on the server. This allows multiple client applications (for example, a desktop computer and an iPhone) to synchronize with the mailbox, including additional folders. The client also uses SMTP to send outgoing email.

Web email clients allow users the convenience of accessing their email using any web browser. Emails remain on the server until deleted and are only exposed to the endpoint while being viewed or if attachments are downloaded.

In addition, some products such as Microsoft Exchange and Blackberry Enterprise Server use proprietary communication protocols between the email server and their respective client software.

Assessing the relative security of each access method requires considering the connection between the client and the server, how authentication occurs, and endpoint security.

The vast majority of email providers require the use of TLS for all communication with clients. Assuming that their servers have not been compromised, and that a sophisticated threat agent is not committing a man-in-the-middle attack against users, email in transit between the client and server is reasonably protected.

Client authentication is a weak point in most email systems. POP3 and IMAP use static passwords. While the password is generally protected by TLS session encryption, if an adversary is able to guess, intercept, reset, or obtain the password by brute force, the email account is subject to total compromise.

Adversaries able to redirect traffic to a site with a fraudulently obtained web certificate are capable of obtaining the password and using it to subsequently monitor the email account. Phishing campaigns against the users of popular email services may also succeed in obtaining user credentials.

While web-based email systems that use a simple username and password are vulnerable to the same types of attack, those that implement Multi-Factor Authentication (MFA) offer significantly stronger protection against intrusion. Google and Outlook.com (formerly Hotmail) offer a two-step verification process that requires both a password and an additional code received via SMS or generated by a hardware or virtual token. In addition, Google has announced support for the second-factor authentication standard developed by the Fast IDentity Online (FIDO) Alliance, which also offers strong protection against phishing attacks.

It should be noted that regardless of which email access method is used, if the server retains copies of emails, they may be subject to legal or illegal compromise at any time. In addition, users who access email from multiple computers and mobile devices, and who use multiple access protocols, are likely at higher risk than those who use a single device.

Endpoint security is also a significant issue. If an intruder is able to introduce malware onto a user’s PC or mobile device, all bets are off.

So to answer the original question, it depends on a number of factors. If achieving physical control of email as soon as possible is desirable, operating an SMTP server from a physically secure location is the best option. This approach allows the email owner to defend it, limit the organizations and jurisdictions to which it is exposed, and be able to quickly delete email that is no longer required. Downloading mail to a PC using POP3 over TLS and deleting it from the server is a distant second best.

On the other hand, if the primary threats facing email are criminals, competitors, or people who simply don’t like you, outsourcing email to an established company that provides MFA and accessing it using a web browser may be the most suitable solution.

In any case, it is essential to exercise good endpoint protection to avoid the introduction of malware that can compromise the system, and to remember that email traversing the Internet remains subject to interception unless it is encrypted.