Nicolas314

All my geeky stuff ends up here. Mostly Unix-related

GMail considered a liability


Your digital life is online

Since free webmail providers have emerged, it has become common to enjoy universal e-mail access from every computer without restriction. This makes e-mail ubiquitous, giving us the power to delve into our oldest archives to retrieve pictures, messages, links or conversations whenever we want to access them.

Storing all of your digital life with a single webmail provider like GMail, Yahoo or Hotmail makes you more reactive and also provides this warm safe feeling that all your private information is always within reach. Yet it is also, unfortunately, a single point of privacy failure. If you can access all of your e-mail history, so can anybody with either your password or administrator access at your webmail provider, whether they are regular admins or successful hackers.

Convenience kills security

Webmail services suffer from security issues. In short:

Administrator access

Anybody with admin privileges at your webmail provider can read your e-mail. Why would a GMail administrator want to access your e-mail history? After all there are millions of users, why would your mailbox be more interesting to them than any other?

Thing is: the very fact that an unknown person (or software) potentially has complete access to your e-mail history should be enough to make you nervous. There are now laws in the US that enable government bodies to access anybody’s e-mail history without having to reveal their investigation, i.e. you will never be told that your messages have been used to gather evidence about you. This is an issue for everybody since GMail, Yahoo and Hotmail are storing a copy of all their users’ data on servers located in the US, where this law is applicable. Still not nervous?

Security breaches

A quick search on the web for webmail security breaches should be enough to convince you that no matter how hard they try, webmail providers will never be able to protect their users’ data with 100% security. See for example:

No matter how hard they try, a webmail system with millions of users will always have flaws, and there will be people to exploit them. Securing a network is a very hard task; perfect security does not exist.

Stealing your password

There are many ways to steal somebody’s password. Shoulder-surfing is the most obvious one: observe a user while they type their password; in general you get enough clues to make an educated guess pretty quickly.

If you do not know the person, targeted phishing can be very successful. Send an e-mail to your victim containing a link to a web site you own. This web site displays a fake webmail error page about an expired session and invites the user to enter their credentials again. Done.

This may seem far-fetched, but this kind of attack is actually very easy to put together and has been demonstrated to work exceedingly well with all kinds of populations, including unwary security experts. Believe me, I recently tried. Getting a GMail password is just a matter of setting up a tiny web site and sending an e-mail. And if you do not feel like doing it yourself you can hire somebody to do it for you. For a price between $50 and $200 you can get anybody’s webmail password in clear within a couple of days. True story.

Another phishing method was recently described. I believe this is virtually impossible to thwart except by pure chance. What this means is: sooner or later your webmail password will be known to other people than yourself. Prepare for that day or prepare to suffer.

Privacy breach

A privacy breach could destroy lives. Getting access to somebody’s e-mail history will give you more than just a view into their hearts.

To take a parallel, what if starting from now, everything you said was recorded forever and could be used against you at any time in the future with sentences taken out of their context? What if the database of everything you ever said was made public and searchable?

Keeping full control on your e-mail history should be considered an absolute priority. Possible outcomes from a privacy breach are broken lives.

What must be protected

Hardly any e-mail you send or receive is in itself a privacy liability. There are of course countless examples of disastrous reply-to-all messages that were intended for a single person and unfortunately sent to a whole mailing-list, but this tends to remain a negligible part of the e-mail flow. Additionally, the reply-to-all catastrophe can be avoided with better e-mail clients that warn you before sending messages to a list.

Take one embarrassing e-mail out of my mailbox, publish it on public forums and I will either ignore or deny it. You will not have enough information to embarrass me or if you do I will simply call you a liar.

Take my whole mailbox and the e-mail history it contains for several years and you have enough information to impersonate me with as much precision as you like. You will probably be able to gather a list of additional accounts I have on every web site I have been to, know my most intimate friends and thoughts, and probably be able to reconstruct my personal life day by day.

E-mails become a privacy treasure:

  1. When they gather in an archive
  2. Simply over time, by the very fact that they document past events

An e-mail is something instantaneous. It is written within a very focused and narrow context and may later acquire much more importance than the very message it carries. Think of the many books from famous authors that are made only of the letters they exchanged with their friends and families: the insight they give teaches you a great deal about the context in which they were written, both about the writers and the situation they were in. The whole is worth far more than the sum of its components.

E-mail encryption?

Encrypting individual e-mails would solve the issue but is obviously overkill. Individual messages taken separately are not really a danger.

PGP and S/MIME

If you want to take the encrypted e-mail path, PGP and S/MIME are two well-designed systems but quite impractical if not implemented seamlessly for the end-user. When you do activate PGP encryption on your mail client, you always ask yourself before sending any message “is this message sensitive enough that I need to encrypt it?”. The answer is almost always “no” and you quickly learn to forget how to use e-mail encryption.

Most importantly, e-mail encryption needs both sender and receiver to agree on an encryption mechanism, something that just cannot be asked of any user. Either it happens at the lowest level without users knowing, or it is not used. Neither PGP nor S/MIME is there yet.

Hushmail

Hushmail is a service offering a free public webmail with limited inbox size for non-paying users. Their whole business is designed around encryption built into their system and it turns out to work pretty well between Hushmail users. Unfortunately it quickly gets impractical or totally unusable when you need to communicate with anybody outside of Hushmail.

Despite heavy advertising of their encryption capabilities, Hushmail lost a lot of credibility when it was revealed that they had at some point handed over keys to US government agencies for “security reasons”.

So much for privacy…

While I have no doubt that authorities have good reasons to invade some users’ privacy, it shows that there are technical means to access user mailboxes. What does a determined attacker need to get the same access rights as lawful bodies? I do not have the answer to that question, but I’d rather take no risk.

Damage control

Perfect security systems do not exist, but disasters can be mitigated. Free webmail providers are convenient and there must be ways to keep using them without losing all the benefits. What can we do?

Use encrypted e-mail storage

Use asymmetric cryptography and let the users choose their own keys. This way, no administrator could access your e-mail history. This kind of service is actually sold by http://www.lavabit.com for a modest fee.
The level of webmail functionality between lavabit and GMail just cannot be compared though. GMail’s web interface is beautiful, lavabit has the bare e-mail functionality. Apples and oranges: Google is the most powerful corporation on the planet, lavabit is not.

Roll your own

Stop archiving e-mails with your webmail provider!

A very simple solution is to keep your mail archive out of your webmail provider’s reach. Make it a habit to download all of your inbox to a local folder at regular intervals and make sure all archives are deleted on the webmail site.

For GMail, this implies downloading your mailbox from the GMail/[All Mail] box through IMAP. Make sure your IMAP client really deletes mail instead of just sending it to the Trash folder, where it will still live for 30 days. I do not use Yahoo or Hotmail, but there must be equivalent procedures.
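The offload step described above, written out as an added example (this is not code from the original post): it walks a folder over IMAP by UID, appends every message to a local mbox, and only once that file is flushed to disk moves the messages to Trash and expunges them there too, so nothing lingers for the 30-day grace period. The folder names are Gmail's IMAP names; `FakeImap` is a constructed in-memory stand-in for `imaplib.IMAP4_SSL` so the script runs offline, and the two sample messages in `demo()` are constructed. Against a real server you would pass an authenticated `imaplib.IMAP4_SSL("imap.gmail.com")` object in its place.

```python
import email
import mailbox
import os
import tempfile

ALL_MAIL = "[Gmail]/All Mail"   # Gmail's IMAP name for the full archive
TRASH = "[Gmail]/Trash"         # where Gmail parks deleted mail for 30 days


def _q(name):                   # imaplib sends mailbox names unquoted: quote them
    return '"%s"' % name


def _search(imap, *criteria):
    """UID SEARCH; matching UIDs as strings, [] when nothing matches."""
    typ, data = imap.uid("SEARCH", *criteria)
    if typ != "OK":
        raise RuntimeError("SEARCH %r failed: %r" % (criteria, data))
    return data[0].decode().split() if data and data[0] else []


def _fetch_raw(imap, uid):
    """Raw RFC 822 bytes: the second element of the (descriptor, bytes) tuple."""
    typ, data = imap.uid("FETCH", uid, "(RFC822)")
    if typ != "OK":
        raise RuntimeError("FETCH %s failed" % uid)
    return next(part[1] for part in data if isinstance(part, tuple))


def _delete_here(imap, uids):
    """Flag UIDs \\Deleted in the selected folder, then expunge them."""
    for uid in uids:
        imap.uid("STORE", uid, "+FLAGS", "(\\Deleted)")
    imap.expunge()


def offload_folder(imap, mbox_path, folder=ALL_MAIL, trash=TRASH):
    """Append every message of `folder` to the mbox at `mbox_path`, then delete
    it server-side.  Nothing is deleted before the archive is flushed to disk,
    so an interrupted run loses no mail.  Returns the Message-IDs saved."""
    imap.select(_q(folder))
    uids = _search(imap, "ALL")
    box, saved = mailbox.mbox(mbox_path), []
    try:
        for uid in uids:
            raw = _fetch_raw(imap, uid)
            box.add(raw)
            saved.append(email.message_from_bytes(raw)["Message-ID"])
    finally:
        box.close()                      # flush: the archive is now on disk
    for uid in uids:                     # classic IMAP move: copy to Trash ...
        imap.uid("COPY", uid, _q(trash))
    _delete_here(imap, uids)             # ... then delete from the source folder
    imap.select(_q(trash))               # Trash keeps it 30 days: purge ours only
    doomed = []
    for msgid in saved:
        if msgid:                        # no Message-ID: left to the 30-day timer
            doomed += _search(imap, "HEADER", "Message-ID", '"%s"' % msgid)
    _delete_here(imap, doomed)
    return saved


class FakeImap:
    """Constructed in-memory stand-in for imaplib.IMAP4_SSL (only the calls used
    above); folders map name -> {uid: [flags, raw]}.  COPY hands out fresh UIDs
    in the target folder, as a real server does."""
    def __init__(self, folders):
        self.folders, self.cur, self.next_uid = folders, None, 1000

    def select(self, name):
        self.cur = self.folders.setdefault(name.strip('"'), {})
        return "OK", [str(len(self.cur)).encode()]

    def uid(self, cmd, *args):
        if cmd == "SEARCH":
            if args[0] == "ALL":
                hits = sorted(self.cur)
            else:                        # ("HEADER", "Message-ID", '"<id>"')
                want = args[2].strip('"')
                hits = [u for u, (_, raw) in self.cur.items()
                        if email.message_from_bytes(raw)["Message-ID"] == want]
            return "OK", [" ".join(map(str, hits)).encode()]
        uid = int(args[0])
        if cmd == "FETCH":
            raw = self.cur[uid][1]
            return "OK", [(b"1 (UID %d RFC822 {%d}" % (uid, len(raw)), raw), b")"]
        if cmd == "COPY":
            target = self.folders.setdefault(args[1].strip('"'), {})
            target[self.next_uid] = [set(), self.cur[uid][1]]
            self.next_uid += 1
            return "OK", [b"COPY completed"]
        self.cur[uid][0].add("\\Deleted")   # STORE +FLAGS (\Deleted)
        return "OK", [b""]

    def expunge(self):
        for u in [u for u, (f, _) in self.cur.items() if "\\Deleted" in f]:
            del self.cur[u]
        return "OK", [None]


def demo():
    """Offload a constructed two-message archive; returns (saved Message-IDs,
    messages in the local mbox, left in All Mail, left in Trash)."""
    tpl = b"From: %s@example.com\nMessage-ID: <%s@example.com>\nSubject: %s\n\nbody\n"
    folders = {ALL_MAIL: {7: [set(), tpl % (b"a", b"one", b"hi")],
                          9: [set(), tpl % (b"b", b"two", b"yo")]}, TRASH: {}}
    path = os.path.join(tempfile.mkdtemp(), "archive.mbox")
    saved = offload_folder(FakeImap(folders), path)
    return saved, len(mailbox.mbox(path)), len(folders[ALL_MAIL]), len(folders[TRASH])
```

Two details matter for a real run: `imaplib` does not quote mailbox names, so `[Gmail]/All Mail` must be passed in double quotes, and on Gmail a message copied to Trash disappears from All Mail by itself, which is why the Trash purge searches by Message-ID instead of reusing the original UIDs.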

OK, now that your e-mail archive is off the web you are a bit safer. There are two other topics you want to address though:

  1. Make sure that only you can access your e-mail archive
  2. Enable mail archive browsing from any of the computers you use, ideally from your e-mail client.

The first topic can be addressed using any disk encryption tool. The second can be addressed using services like Dropbox that take care of replicating the same data on all computers registered to your account.

One possible solution

I have spent a bit of time testing and tweaking and finally came to a workable solution.

Prerequisites:

  • A Dropbox account. If you do not know Dropbox check out this previous post: dropbox love
  • Get TrueCrypt from http://www.truecrypt.org/. TrueCrypt is free and open-source, it works on Windows, Mac and Linux.

Initial procedure:

  • Create a TrueCrypt container and populate it with your e-mail archive.
  • Copy the TrueCrypt container to your Dropbox folder and let it sync.

This is going to take a while, depending on the size of your TrueCrypt container and available upload bandwidth. But fortunately this only happens once. Dropbox and TrueCrypt work fine together: when you change just one bit of a file in the encrypted container, only the differences are synced, not the complete file.

Daily procedure:

  • Keep using your webmail as usual

Accessing archives to read or update them:

  • Start Dropbox, make sure your encrypted container is synced to the latest version, stop Dropbox.
  • Mount your encrypted container with TrueCrypt
  • Start your e-mail client and browse your e-mail archive. You can move mails from your webmail archive to your encrypted container at that point.
  • When you are finished: stop your e-mail client, unmount your encrypted container. To upload your modifications: start Dropbox, let it sync.
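The four steps above as one script, added here as an example and not part of the original post. The ordering is what keeps the container safe: Dropbox is stopped before the volume is mounted so the sync daemon can never upload a half-written image, and if the dismount fails the script leaves Dropbox stopped rather than syncing a mounted container. The paths and the mail client are hypothetical; the `dropbox start|stop|status` commands, the `truecrypt --text --mount|--dismount|--list` flags and the status strings matched ("Up to date", "isn't running") are assumptions taken from the two tools' command-line help and should be checked against `dropbox help` and `truecrypt --text --help`. `FakeHost` is a constructed stand-in for both daemons so the flow can be exercised offline.

```python
import subprocess
import time

CONTAINER = "/home/me/Dropbox/mail.tc"   # hypothetical container inside Dropbox
MOUNTPOINT = "/media/mailarchive"        # hypothetical mount point
MAIL_CLIENT = ["thunderbird"]            # any client; the call blocks until it exits


def sh(argv):
    """Default runner: execute argv, return (exit status, stdout).  stdin is
    inherited, so TrueCrypt can still prompt for the passphrase."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout


def dropbox_idle(run):          # assumed: `dropbox status` prints "Up to date" when synced
    return "Up to date" in run(["dropbox", "status"])[1]


def dropbox_running(run):       # assumed: it prints "Dropbox isn't running!" when stopped
    return "isn't running" not in run(["dropbox", "status"])[1]


def container_mounted(run):     # assumed: `truecrypt --text --list` names mounted volumes
    return CONTAINER in run(["truecrypt", "--text", "--list"])[1]


def session(run=sh, attempts=60, delay=5.0):
    """One archive session; returns a short status string.  Any step that could
    leave the container half-written aborts *without* restarting Dropbox, so a
    damaged image is never uploaded over the good copy."""
    run(["dropbox", "start"])
    for _ in range(attempts):                       # 1. pull the latest container
        if dropbox_idle(run):
            break
        time.sleep(delay)
    else:
        return "abort: Dropbox never reported 'Up to date'"
    run(["dropbox", "stop"])                        # 2. nobody else may touch the file
    if dropbox_running(run):
        return "abort: Dropbox still running, refusing to mount"
    if container_mounted(run):
        return "abort: container already mounted"
    rc, _ = run(["truecrypt", "--text", "--mount", CONTAINER, MOUNTPOINT])   # 3.
    if rc != 0:
        run(["dropbox", "start"])                   # nothing was written; resume sync
        return "abort: mount failed"
    run(MAIL_CLIENT)                                # 4. browse or move mail, then quit
    rc, _ = run(["truecrypt", "--text", "--dismount", MOUNTPOINT])           # 5.
    if rc != 0:
        return "abort: dismount failed, Dropbox left stopped"
    run(["dropbox", "start"])                       # 6. upload only the changed blocks
    return "ok"


class FakeHost:
    """Constructed stand-in for both daemons: records every command and keeps
    just enough state to answer the status queries above."""
    def __init__(self, dismount_ok=True):
        self.log, self.running, self.mounted = [], False, False
        self.dismount_ok = dismount_ok

    def __call__(self, argv):
        self.log.append(" ".join(argv))
        tool = argv[0]
        opts = [a for a in argv[1:] if a != "--text"]
        action = opts[0] if opts else ""
        if tool == "dropbox":
            if action in ("start", "stop"):
                self.running = action == "start"
            return 0, ("Up to date" if self.running else "Dropbox isn't running!")
        if tool == "truecrypt":
            if action == "--list":
                return 0, (CONTAINER if self.mounted else "")
            if action == "--mount":
                self.mounted = True
            elif action == "--dismount":
                if not self.dismount_ok:
                    return 1, ""                    # e.g. a file still open on the volume
                self.mounted = False
            return 0, ""
        return 0, ""                                # the mail client ran and exited
```

Run `session()` from a terminal to use the real tools, or `session(FakeHost(), delay=0)` to see the command sequence it would issue; `FakeHost(dismount_ok=False)` shows the failure path where Dropbox stays stopped.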

This solution is by no means ideal: it requires a number of interactions with three pieces of software, TrueCrypt for encryption, Dropbox for synchronization, and an e-mail client to move mail around. But in the end it is far safer than anything I have seen so far. Taking matters into your own hands guarantees that:

  1. Your e-mail archive is only available to you
  2. You have multiple copies of your e-mail archive on all computers you use, and one at Dropbox.
  3. Your e-mail archive is integrated with your e-mail client.

There are probably more convenient solutions but for now this is the best I found. Suggestions are welcome.

Have a safe e-mailing day!


Written by nicolas314

Monday 21 June 2010 at 5:15 pm

2 Responses


  1. Regarding email encryption I invite you to check out Echoworx at http://www.echoworx.com and specifically Encrypted Mail (http://www.echoworx.com/products/encrypted-mail.cfm). Standards based S/MIME encryption, extremely easy to use, send to anyone

    Michael

    Tuesday 22 June 2010 at 5:30 pm

    • Echoworx is one possible solution for e-mail encryption. That would not solve the issue described in the post, namely: encrypting individual e-mails still leaves out the names, subjects, message length, frequency, dates, thread length. Only encrypting your e-mail archive can solve this.

      nicolas314

      Thursday 24 June 2010 at 10:12 pm

