Webmail Insecurity

Forget Diamonds, Data is Forever.

Webmail is wonderfully convenient and most of us use it. But as far as security goes, it’s a nightmare. If you’ve ever thought that it might not be that bad, please don’t do it again. Webmail is bad. Really bad.

There is a popular saying, “There is no such thing as a free lunch,” yet we have been dining on Gmail and other webmail systems for years. Many people use free webmail provided by their ISP or by a third party like Google, Yahoo, or Hotmail. These corporate giants are not providing free email as a gesture of kindness; in fact, quite the opposite. They use your mail as a massive data-collection and marketing tool for their profit, by selling your information and by giving their advertisers targeted access to you. In both cases, they gather information on you based on the contents of your mail and address book, and provide it to paying advertisers and data-mining operations in one form or another.

Consider that Google knows more about what is going on in your life than a close family member. It knows not only where you live, who your friends are, who you are talking to, but where you’ve been online, the subjects of your email, and what kinds of projects you’re working on. Yahoo and Microsoft aren’t far behind, and the others are struggling to catch up.

Understand, these services have massive server-farms for hoarding all of your details, mining them, cross-referencing them, and providing a lot of it to anyone who is willing to pay. They remove things like names, but it remains your data and they tie your true identity to it when they can or when they are forced to.

The information they save forever includes everything you type, even when you’ve had too much to drink or are in a bad mood. It used to be only when you hit the enter button on your keyboard, but now they are using technology that lets them capture as you type, even if you changed your mind and deleted it before sending or searching. It is rather alarming how little control we have over our data, or how it is used. You can delete such things from your own computer, and your friends can delete them from theirs, but once a big corporation has it, it isn’t likely to give it up.

The concern is not that corporations are using your data for profit, but that they’ve got so much of it. Anyone who can convince their database to give them access to that information, whether ethically, legitimately, or otherwise, is dangerous to your privacy.

The Two Pressure Points

There are two places where other people can capture your webmail. The first is by eavesdropping on the connection between you and your webmail site, and the other is by getting the data from your webmail provider directly.

All sorts of data is captured in transit, not just webmail. We’ll pass over an explanation of who steals this data, but everything you do on the Internet is regularly available to someone other than the website you are visiting. This is neither cynicism nor paranoia; it is much worse: a happily forgotten and unpleasant fact.

When you visit a website, including webmail websites, your web traffic is typically vulnerable, even if your login is secured by encryption. This fact recently embarrassed Google’s Gmail when it was revealed that anyone could steal your cookie in transit and use it to log on as you and read your private mail. How could this happen? Google only encrypted during your login, then switched back to insecure mode and sent both your authorization data and your messages in the clear. By sending your messages in the clear, anyone in between you and the webmail server can read them. By sending your authorization data in the clear, anyone could impersonate you and access all your Google information, not just Gmail.
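The failure described above comes down to cookie attributes: a session cookie set during an HTTPS login is attached by the browser to every later request for that domain, including plain-HTTP ones, unless it carries the `Secure` attribute (RFC 6265). The following audit script is an added example, not code from this post or from any webmail provider; the Set-Cookie headers and cookie names (`SID`, `PREF`, `SSID`) are constructed for illustration, and the name pattern used to guess which cookies are session cookies is a heuristic of this example only. It parses the headers, reports session cookies that lack `Secure` or `HttpOnly`, and models which cookies a browser would send over `http://` versus `https://`.

```python
"""Audit Set-Cookie headers for session cookies that would leak over plain HTTP."""
import re
from typing import Dict, List

# Constructed sample: headers a login page might return over HTTPS.
# SID is a session cookie without Secure, so it rides along on http:// requests.
# SSID is the corrected form: Secure + HttpOnly.
SAMPLE_LOGIN_HEADERS = [
    "Set-Cookie: SID=abc123; Path=/; Domain=.example.com; HttpOnly",
    "Set-Cookie: PREF=lang=en; Path=/; Domain=.example.com",
    "Set-Cookie: SSID=def456; Path=/; Domain=.example.com; Secure; HttpOnly",
]

# Heuristic (this example's own): names that usually denote an authenticated session.
SESSION_NAME_PATTERN = re.compile(r"(sid|sess|auth|token|login)", re.IGNORECASE)


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Parse one Set-Cookie line into {'name', 'value', <lower-cased attribute>: value|'true'}."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.strip().split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # Flag attributes (Secure, HttpOnly) have no value; record them as "true".
        cookie[key.strip().lower()] = val.strip() if val else "true"
    return cookie


def cookies_sent_over(jar: List[Dict[str, str]], scheme: str) -> List[str]:
    """Names of cookies a browser attaches to a request on the given scheme.

    Per RFC 6265 a cookie with the Secure attribute is only sent over a
    secure channel; everything else goes out on http:// as well.
    """
    return [c["name"] for c in jar if scheme == "https" or "secure" not in c]


def audit_cookies(headers: List[str]) -> List[str]:
    """Return human-readable findings for session cookies missing Secure or HttpOnly."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if not SESSION_NAME_PATTERN.search(cookie["name"]):
            continue  # not a session cookie by this example's heuristic
        if "secure" not in cookie:
            findings.append(
                f"{cookie['name']}: session cookie without Secure; "
                "the browser will send it over plain HTTP"
            )
        if "httponly" not in cookie:
            findings.append(
                f"{cookie['name']}: session cookie without HttpOnly; "
                "readable by scripts on the page"
            )
    return findings


if __name__ == "__main__":
    jar = [parse_set_cookie(h) for h in SAMPLE_LOGIN_HEADERS]
    print("sent over http: ", cookies_sent_over(jar, "http"))
    print("sent over https:", cookies_sent_over(jar, "https"))
    for finding in audit_cookies(SAMPLE_LOGIN_HEADERS):
        print("FINDING:", finding)
```

Run against real Set-Cookie headers captured from your own provider's login response, the `cookies_sent_over(jar, "http")` list is exactly what an eavesdropper on an unencrypted hop would see; an empty list for the session cookies, together with the site never downgrading to http:// after login, is the condition the post says Gmail failed to meet.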

The second risk is the webmail systems themselves. Webmail, unfortunately, uses lots of different technologies to make it work. Because webmail depends on so many components, every time a vulnerability is found in one of those components, it is possible to exploit that hole to get access to your messages. The result is that webmail security is reduced to the equivalency of a secret handshake or knowing wink: any motivated hacker has a good chance of either reading your mail over your shoulder, or going straight to the webmail system and tricking it. How often are such bugs found? Daily. Rest assured that bugs are reported less often than they are found. The fact is that the hackers finding these bugs don’t report them, they use them or sell them.

Webmail systems have an exceptionally long and detailed history of being hacked. Unfortunately, the weak security inherent to webmail isn’t limited to services with for-profit intentions; school and university webmail systems are just as ripe for the picking to a passing hacker. In fact, they are usually the low-hanging fruit, because an educational institution cannot afford the upkeep required to maintain data security.

The Bottom Line

Think of webmail as writing a sticky note on the world’s refrigerator. Anyone can come by and read it, so only use it for things you don’t mind being publicly exposed. That means webmail is safe for contacting Aunt Phyllis, for use when you’re on the road, or for things you don’t mind bad guys reading. Webmail is never safe for personal mail, and should never be used for business. Don’t send it as webmail if you don’t want a hacker, an ex-lover, a boss, or a competitor to know. Webmail is only for public information, because that’s what it becomes.

Written by my partner: http://xerobank.com/
