Security Basics mailing list archives

Re: Web Mail Vulnerabilities


From: Devdas Bhagat <dvb () users sourceforge net>
Date: Thu, 17 Oct 2002 01:06:29 +0530

On 15/10/02 16:01 -0400, Link, Jennifer wrote:
> We are looking at providing mail access via internet connection (home,
> internet cafe, library etc.) and I'm trying to research what vulnerabilities
> exist for such access.  Any websites, books or personal experience you could
> provide would be VERY VERY helpful.  I'm just getting started so all
> tid-bits are welcome!!

From the address, I will assume that this is related to military
systems.
To begin with:
Connecting to the internet introduces threats (or at least a new route
of access to your systems). Attackers can break into your http
server/mail server and use that as a stepping stone into the rest of the
network.

Data on the internet is essentially unprotected (no authentication, and
no encryption by default). This implies that any net access to security
related material is vulnerable to sniffing on intermediate
routers/networks, which you do not control.

You are introducing an additional service to the world, so there may be
holes in that service (your http daemon and the webmail client itself).
Webmail clients are vulnerable to a number of attacks, including but not
limited to session hijacking, password exposure, cross site
scripting, holes in the scripting language itself....

Again, access is from unsecured systems, which may be compromised. You
could have usernames and passwords compromised on those systems.

Googling for webmail security would be a good start.



My personal security procedures would probably include:

Use a physically separate network for web access. This should be
disconnected from the secure network.

Use secure and patched products only (defend against attacks on
publicly available services).

Since network security is a concern, use ipsec, or at least https.

Additionally, use SMTPS (or the STARTTLS ESMTP extension) to protect
(E)SMTP sessions.
Use gpg/pgp/S/MIME to encrypt email.

As far as the webmail client goes, I personally don't trust PHP based
clients right now because there have been too many vulnerabilities (not
the language, just the coders). You could probably develop an in-house
client in a week or two.

Email may contain spam, HTML, viruses... I would suggest something like
demime to strip everything except plain text from the email. This is the
safest way to deal with MIME (get rid of it).

Hope this helps a bit.

Devdas Bhagat
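
The MIME-stripping step suggested in the message above, as an added example that is not part of the original post and is not demime itself: a Python sketch using the standard `email` package that keeps only inline `text/plain` parts and discards HTML and attachments before a webmail client renders the mail. The function names, the header allow-list and the sample message (example.org addresses, fake attachment) are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

KEEP_HEADERS = ("From", "To", "Cc", "Date", "Subject", "Message-ID")  # assumed allow-list

def strip_to_plain_text(raw: bytes) -> EmailMessage:
    """Return a new single-part message holding only the inline text/plain content."""
    src = message_from_bytes(raw, policy=policy.default)
    texts, dropped = [], []
    for part in src.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        ctype = part.get_content_type()
        if ctype == "text/plain" and part.get_content_disposition() != "attachment":
            try:
                texts.append(part.get_content())
            except (LookupError, UnicodeError):
                # unknown or broken charset: decode leniently instead of failing
                texts.append(part.get_payload(decode=True).decode("ascii", "replace"))
        else:
            dropped.append(ctype)  # HTML, attachments, anything else
    out = EmailMessage()
    for name in KEEP_HEADERS:
        if src[name] is not None:
            out[name] = str(src[name])
    body = "\n".join(t.rstrip("\n") for t in texts)
    if dropped:
        body += "\n\n[removed parts: " + ", ".join(dropped) + "]"
    out.set_content(body + "\n")
    return out

def build_sample() -> bytes:
    """Constructed sample: plain text, an HTML alternative and a fake attachment."""
    m = EmailMessage()
    m["From"] = "alice@example.org"
    m["To"] = "bob@example.org"
    m["Subject"] = "Quarterly report"
    m.set_content("Report attached.\n")
    m.add_alternative("<html><body><script>x()</script><b>Report</b></body></html>",
                      subtype="html")
    m.add_attachment(b"MZ-not-a-real-binary", maintype="application",
                     subtype="octet-stream", filename="report.exe")
    return m.as_bytes()

if __name__ == "__main__":
    print(strip_to_plain_text(build_sample()).as_string())
```

The output is rebuilt from an allow-list of headers and parts rather than by deleting known-bad ones, so MIME types the filter has never seen are dropped by default.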

