Friday, July 10, 2009

Securing Webmail Access

As more and more services go online, it is becoming increasingly important to prevent unauthorized access to one's data. Email is today the primary communication medium for the educated elite, and the vast majority amongst them use free webmail as their primary email service.

Since the storage capacity of webmail providers is increasing (Gmail is at 7GB and counting), there is a tendency to store almost everything (photos, documents, scans, software) in one's email account as attachments. Moreover, online merchants, financial institutions, utility companies, send a "lost password" message to your email account. If somebody has access to your email, he/she has access to a lot of stuff. Hence, it is no exaggeration to say that access to your email account must never be compromised.

Webmail generally functions as follow:
  1. Login to a portal using a username and password.
  2. If you have forgotten your password, recover it.
  3. Access email and related services.
  4. Logout completely (rare), or stay logged on and do other things.
  5. Some webmail providers also offer free POP3 or IMAP services. You can thereby use a desktop email client (such as Outlook or Thunderbird) to store your messages locally.
  6. If you have lost/deleted some particular email, ask the sender again, etc.
Each of the above can be considered a multi-vector vulnerability in its own right. Here's why:
  1. The login transaction must be via the HTTPS protocol (otherwise your username and password can be grabbed by others, especially if you are on a shared network such as WiFi), via a trusted certificate authority (otherwise HTTPS has no meaning), on a trojan-free and virus-free computer (otherwise you are already compromised at the very start), not having any keyloggers or other recorders (otherwise your login and other information is being recorded and sent somewhere), and the login page must not be a phishing site (otherwise, well, you're done for).

    Some web browsers also store the username/password that you use for login to a website in their "password database". This password database usually has no master password and therefore is completely insecure.

  2. Password recovery is usually insecure. There are many methods of recovering a lost password:

    1. "Security Question". This is insecure. It is very easy to have knowledge of somebody's date of birth and city of birth. A family member can easily guess one's "mother's maiden name" and "name of first pet". A schoolmate can easily guess one's "favorite teacher in school". If the service offers you to create your own security question, I recommend that you should create a question such as "What is your favorite string" and answer it with a grammatical but nonsensical long phrase (e.g. "mouse screeched to a red"). It should not be hard to remember this string. You should only recover your password on a secure computer, and in private (that is because the answer to the security question is not starred, as in a password field).

    2. "Secondary Email account". This method is only as secure as the secondary email account. Frequently, people have an easily-guessed password (or one with a weak security question) on one email system, and use that email account as a secondary email account on a trusted or valuable email system. While recovering a password, some systems (e.g. Gmail) also give a hint about the domain of the secondary email account so one doesn't have to guess too hard.

    3. Gmail has just come out with "Password recovery via SMS". I consider it one of the silliest and most insecure of methods to recover a password. Let's say you are in a meeting with your boss, and your boss leaves the room for a while and leaves his cellphone on the table. Need I say more? Never use this Gmail "feature".

    4. Interaction with the provider's service reps. In my opinion, this cannot be relied upon for free email accounts.

  3. Access to email is usually via HTTP, but since email can contain highly sensitive data (such as new account information, bank statements), I recommend that you exclusively use HTTPS for your webmail access. Gmail, Yahoo, Hotmail all provide an option (either on the login page or in the settings menu) to switch all traffic to use HTTPS. The emails you access (and the attachments that you download) are also stored in your web browser's and cache and "offline data" folders, so, remember to delete all offline data from the web browser when you are done.

    If you think your cached data and saved password database is secure on your computer, think again. Your computer can be easily compromised if infected by a trojan or a virus. It can be easily compromised if someone has physical access to it (no administrator passwords can save you). It can be easily compromised if you leave your office desk without enabling a screen-saver. And finally, there are various ways of accessing your hard disk over a shared network.

  4. If you do not logout, your web browser retains a cookie for your sessions. If someone accesses your computer while the cookie is active, or transfers the cookie via some means, he/she can access your email, but usually cannot change your password. If you use instant messengers, or other desktop applications (e.g. Picasa) (which applications share the password with the webmail provider), they also save passwords in some form. It is extremely easy to get a password if it has been saved but starred in, for example, a Yahoo messenger login window. (And let me not even start on the Yahoo messenger's message archive which is insecurely stored in C:\Program Files).

  5. Desktop email clients do not ask for a password when they start, they show all your email to whoever starts the program, they store your messages in clear-text on a folder on the hard disk, and they usually store the passwords for SMTP/POP3/IMAP access in their configuration files.

  6. Backup for one's primary email is something that I consider mandatory. If you don't do it, start doing it now. What is the cost of losing all your email, and of losing access to your email account? Is there a risk of losing access to your online merchant accounts? There are many ways to backup your email, and for Gmail one can simply run a POP3 client on a Windows/Unix system or on another webmail provider (e.g. GMX) to download all email every week or so.
What are my recommendations for securing access to your webmail account?
  1. Use strong passwords (also see (3)).
  2. Do not use a desktop application to access your email (unless you know about, and can use, encrypted filesystems). It is not safe to rely upon the pst folder encryption that MS Outlook provides, as you will often save attachments here and there.
  3. Use the desktop application Password Safe to store your online passwords, which, for important portals and merchants, should be unique. Make sure the master password is a long sentence and use the master password only on a secure computer. In password safe, generate passwords randomly and save the last 5 passwords.
  4. Create two webmail accounts on different providers (e.g. one on Yahoo and another on Gmail) with different passwords, and use them as secondary accounts for each other. Do not use a security question on either site, or enable any other way of recovering your password. Login to the lesser-used email account once in a while to keep it active.
  5. Do not login to your webmail account from a non-trusted computer. Cyber cafes are a strict no-no. There is just no way you can ensure that your transmission is secure on a non-trusted computer. If you have to access your webmail while not having access to a trusted computer, follow these instructions, and change your password as soon as you have access to a trusted system.
  6. Use a reputed anti-virus system along with an adjunct (MSRT and Avast's free antivirus do the job for me).
  7. If you can, use GNU/Linux or the Mac (as they suffer less from viruses and trojans).
  8. Create a master password for your web browser's password database, or disable saving of passwords across the board.
  9. Do not save your webmail passwords in desktop applications such as Yahoo Messenger, Picasa, etc.
  10. Schedule a weekly/fortnightly/monthly backup of your primary webmail account.
  11. Do not share your webmail password with anyone.
  12. Once you are done with using webmail, log out completely so that the cookie is no longer valid
  13. If you store some documents for yourself as attachments in your webmail account, encrypt them using 7zip in the 7z archive format with a password (or with trucrypt) before attaching.
These precautions are by no means exhaustive, and people with very sensitive information should not be using free webmail in the first place.

2 comments:

Anonymous said...

Thanks. A useful post and a public service. You are in your element when you talk about technology.

srid said...

If you want the encrypted passwords to be synchronized across computers: http://www.joelonsoftware.com/items/2008/09/11b.html