Email Security Privacy and anonymity


E-mail is a widely used communication medium, and it raises many security concerns, along with mitigations, that everyone should be aware of.
Before going further, we will first look at the basics of how an email is sent and how it travels across the network.

Mail Server

A mail server is a computer system that sends and receives email. In many cases web servers and mail servers are combined on a single machine. However, large ISPs and public email services such as Gmail and Hotmail may use dedicated hardware for sending and receiving mail.
For a computer system to work as a mail server, it must run mail server software. This allows the system administrator to create and manage email accounts for any domains hosted on the server. For example, if the server hosts the domain name "abc.com", it provides email accounts ending in "@abc.com". Mail servers send and receive email using standard email protocols. For example, the SMTP protocol sends messages and handles outgoing mail requests.
The IMAP and POP3 protocols receive messages and are used to process incoming mail. When we log on to a mail server using a webmail interface or an email client, these protocols handle all the connections behind the scenes.
Mail server software is available for multiple platforms. The most popular mail server for Windows is Microsoft Exchange Server.

How an Email Server Works

Whenever we send a message, it passes through several points while in transit:
- Sender Workstation
- SMTP Server
- E-mail Message Storage
- Receiver Workstation
The sender workstation is our own computer, where the email client runs. The SMTP server, or email server, is where the mail is sent from; there may be one or two SMTP servers in the path. E-mail message storage is where all messages are delivered; it acts like a database of all messages.
"Emails are never sent directly from your computer to the recipient's computer; mail servers are involved in the path. The recipient periodically checks his or her mail store to see if there is any message waiting."

Whenever a user sends an email from a workstation or email client, the email first goes to the SMTP server (a server on which mail server software is installed). An SMTP server is a server that sends and receives mail. The SMTP server then examines the mail submitted by the user. An SMTP server is a fairly complex program: it looks at the email header, examines the destination, and tries to find the location of the recipient's SMTP server. To do so, it queries DNS for the MX records of the destination domain; the MX records give the IP of the recipient's SMTP server, and the mail is then forwarded.

Clients Protocol and Authentication

Email is one of the most important online services we use, and there are many security vulnerabilities related to it. If someone's email account is compromised, then all other accounts related to it can be compromised. Email also holds private information, confidential data, contacts, etc. Email is fundamentally broken as far as security is concerned, but we continue to use it because it is a very convenient way to communicate and everyone now has an email address.

There are two ways of accessing e-mail:
1) Web Mail – accessed through a web browser with functionality such as HTML and JavaScript; most people see it as the most convenient way, for example Gmail or Yahoo.
2) Email Clients – programs such as Thunderbird or the mail apps on mobile phones are also used for accessing mail.

With webmail, mail is accessed over HTTPS on port 443, which runs SSL/TLS encryption. Server authentication is done via a certificate, and client authentication is done via a password or two-factor authentication. If webmail is used, emails are stored only on the web server.
With email clients there are a number of protocol and port options for sending and receiving email.
Ports and protocols for receiving email via email clients:
- IMAP port 143 (Unencrypted)
- POP port 110 (Unencrypted)
- IMAP port 993 (SSL/TLS encrypted)
- POP3 port 995 (SSL/TLS encrypted)
Server authentication is usually done via a certificate, and client authentication is done with passwords, two-factor authentication, NTLM or OAuth2.
When it comes to choosing between IMAP and POP, IMAP is the popular option when one needs to check email from different devices such as laptops, desktop computers and mobiles. With IMAP, emails are synced between clients and server: all devices retain a copy of the emails, with the server holding the master copy. POP3, alternatively, downloads emails from the server to a single email client and then deletes them from the server. Because the mail is deleted from the server after download, it seems to be missing from the inbox if you check from a different email client or webmail. This can be useful for security if you do not want mail stored on the email server: if you are worried about people accessing the mail server, use POP3.
Ports and protocols for sending email:
- SMTP port 25 (Unencrypted)
- STARTTLS port 587 (SSL/TLS encrypted)
- SMTP port 465 (SSL/TLS encrypted)
Here SMTP port 25 (SSL/TLS encryption) is the most suitable option in terms of security, while STARTTLS on port 587 (SSL/TLS encrypted) is the most vulnerable to man-in-the-middle attacks. Server authentication is usually done via a certificate, and client authentication is done with passwords, two-factor authentication, NTLM or OAuth2.
For both webmail and email clients, SSL/TLS uses cipher suites, and the cipher suite must be strong: if it is weak, it can be cracked and the session key can be compromised.
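The STARTTLS exposure mentioned above comes from clients that carry on in clear text when the upgrade is missing or fails. As an added example (not part of the original post), this Python check walks a client-side SMTP session log and flags AUTH commands sent before TLS was negotiated; the log format, host names and both sample sessions are constructed.

```python
# Constructed client-side session logs: (direction, line); C = client, S = server.
STRIPPED = [
    ("S", "220 mail.example.com ESMTP"),
    ("C", "EHLO client.example.com"),
    ("S", "250-mail.example.com"),
    ("S", "250-SIZE 35882577"),
    ("S", "250 AUTH PLAIN LOGIN"),        # STARTTLS is absent from the EHLO reply
    ("C", "AUTH PLAIN <redacted>"),
]
PROTECTED = [
    ("S", "220 mail.example.com ESMTP"),
    ("C", "EHLO client.example.com"),
    ("S", "250-mail.example.com"),
    ("S", "250-STARTTLS"),
    ("S", "250 AUTH PLAIN LOGIN"),
    ("C", "STARTTLS"),
    ("S", "220 2.0.0 Ready to start TLS"),
    ("C", "EHLO client.example.com"),
    ("S", "250 AUTH PLAIN LOGIN"),
    ("C", "AUTH PLAIN <redacted>"),
]

def audit_smtp_session(log):
    """Return one finding per AUTH command sent without transport encryption."""
    findings, tls_active, offered, awaiting = [], False, False, False
    for direction, line in log:
        text = line.strip().upper()
        if direction == "S":
            # EHLO reply lines look like "250-KEYWORD ..." or "250 KEYWORD ..."
            if text[:3] == "250" and text[4:].split()[:1] == ["STARTTLS"]:
                offered = True
            if awaiting:                  # this line answers the client's STARTTLS
                tls_active, awaiting = text.startswith("220"), False
        elif text == "STARTTLS":
            awaiting = True
        elif text.startswith("AUTH") and not tls_active:
            why = "STARTTLS offered but not used" if offered else "STARTTLS not offered"
            findings.append(f"cleartext AUTH ({why})")
    return findings
```

A client that treats any finding here as a hard failure, instead of falling back to clear text, closes the downgrade path.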




E-mail Weaknesses


Let's take a scenario where john@gmail.com is trying to send an e-mail to zack@yahoo.in, and discuss the security weaknesses related to it. If an email client is used without encryption, anyone can perform a man-in-the-middle attack between the mail server and the email client and see all the passwords, data and authentication methods. IMAP on port 143, POP on port 110 and SMTP on port 25 are all unencrypted, so one can easily see all the traffic and passwords. If SSL/TLS is used, everything depends on the cipher suite and its configuration, because many weak cipher suites can easily be bypassed.
Another factor to focus on is the storage of emails, because e-mails are stored on both mail servers and email clients in clear text. If IMAP is used, e-mails are stored on both the mail server and the email client; if POP is used, emails are erased from the mail server after all the mail has been received in the email client's inbox. POP is inconvenient to use, and people widely use IMAP. Because e-mails are stored in clear text on both mail servers and email clients, whoever has access to your mail server can access all your emails. If you have a very confidential email that could cause severe consequences if read, you should encrypt it with a key that only you have; PGP/GPG is often used for that. For sensitive e-mails it is best to store them remotely, with encryption, with an email provider who is out of the influence of the adversaries.
When John sends the email via his email client, it first goes to Gmail's mail server, and then Gmail's mail server forwards it to Yahoo's mail server; the connection between the two mail servers can also be unencrypted. Facebook research found that 76% of unique MX hostnames that receive our emails support STARTTLS. As a result, 58% of notification emails are encrypted. Additionally, certificate validation passes for about half of the encrypted email, and the other half is opportunistically encrypted. 74% of hosts that support STARTTLS also provide perfect forward secrecy.
Any security-focused email provider will do transport encryption across all platforms. Moreover, emails can easily be spoofed if SPF records are not correctly set. SPF stands for Sender Policy Framework; it specifies which mail servers are authorized to send email on behalf of a particular domain.




 

PGP GPG Privacy

If we implement additional encryption at the application layer, we can provide some guarantee of privacy and authentication between sender and receiver, which is not present natively in standard email.
PGP stands for Pretty Good Privacy. It is a hybrid cryptosystem that prevents email from being read by anyone other than the intended recipients, so the email can flow safely over the network, and it uses digital signatures so that the receiver can check whether the mail was sent by the legitimate sender. Since the encryption is application to application, it is true end-to-end encryption if implemented correctly. If you want to communicate with someone privately, you both need PGP, which requires installing software.
Pretty Good Privacy, or PGP, is a popular program that uses cryptographic techniques to provide email security. PGP is used to encrypt and decrypt email over the Internet, as well as to authenticate messages with digital signatures and to encrypt stored files.

Working of PGP 

Pretty Good Privacy uses a variation of the public key system. In this system, each user has an encryption key that is publicly known and a private key that is known only to that user. You encrypt a message you send to someone else using their public key. When they receive it, they decrypt it using their private key. Since encrypting an entire message can be time-consuming, PGP uses a faster encryption algorithm to encrypt the message and then uses the public key to encrypt the shorter key that was used to encrypt the entire message. Both the encrypted message and the short key are sent to the receiver who first uses the receiver's private key to decrypt the short key and then uses that key to decrypt the message.
PGP comes in two public key versions -- Rivest-Shamir-Adleman (RSA) and Diffie-Hellman. The RSA version, for which PGP must pay a license fee to RSA, uses the IDEA algorithm to generate a short key for the entire message and RSA to encrypt the short key. The Diffie-Hellman version uses the CAST algorithm for the short key to encrypt the message and the Diffie-Hellman algorithm to encrypt the short key.
When sending digital signatures, PGP uses an efficient algorithm that generates a hash (a mathematical summary) from the user's name and other signature information. This hash code is then encrypted with the sender's private key. The receiver uses the sender's public key to decrypt the hash code. If it matches the hash code sent as the digital signature for the message, the receiver is sure that the message has arrived securely from the stated sender. PGP's RSA version uses the MD5 algorithm to generate the hash code. PGP's Diffie-Hellman version uses the SHA-1 algorithm to generate the hash code.


