Tuesday, February 19, 2013

Step 1: Securing My E-mail


The hacking of Mat Honan scared me. A lot. While there was no "advanced hacking" involved, the attackers found data across multiple services, which when combined enabled them to gain access to one service after another through password resets.

It really made me think about my own mail accounts (I've got quite a few of them) and how they are secured. I didn't really know, so I thought I should have a look. This is part 1, with more to come; here is my summary. Make a guess which one I prefer:


Here is some additional info on what I've done. It is not complex, difficult or impressive in any way - pretty much like the work of the 'hackers' who hijacked Mat Honan. Simple stuff, really.


Tools used for testing

Thunderbird mail client
Configured mail accounts and tested for SSL/TLS and STARTTLS support on POP/IMAP/SMTP. Please note that I let Thunderbird use its auto-discovered defaults; with other settings things could potentially be different.

Wireshark
Packet sniffing for finding default configurations of apps/clients on iPad & Android

Hak5 Pineapple
My MITM box for sniffing with Wireshark

www.checktls.com
For testing SMTP servers for RFC3207 STARTTLS support

Chrome & Internet Explorer for manual account registration and webmail access, and Telnet for talking to some SMTP servers directly. :-)


The basics

Webmail (Using insecure http or secured https)
Your web browser is your mail client. All mail is stored and sent to and from servers owned and operated by your service provider.

IMAP
Essentially the same thing as webmail (see above), except that you are using a dedicated mail application to handle mail. Server may support encryption for the connection.

POP
Your dedicated mail application will connect and download all mail from the remote server to your local computer, and then remove it from the server. The server may support encryption for the connection.


Services tested

Hotmail

Webmail security
SSLLABS reports server (login.live.com, Feb 19, 2013) has 7 cipher suites, with SSLv3+ suites preferred. Reported vulnerable to the BEAST attack. Updated: see info from "Mangix" in comments below.

SMTP server security
Sending mail to users at mail.com will be in the clear due to the lack of RFC3207 support.

Gmail (Google mail)

Webmail security
SSLLABS reports server (service.mail.com, Feb 5, 2013) has 17 cipher suites, with SSLv3+ suites preferred. No vulnerabilities reported.

SMTP server security
Sending mail to and from Gmail will be encrypted, as long as the sending/receiving mail server supports RFC3207 with opportunistic encryption. Their server certificate is not trusted by OpenSSL (meaning you get encryption, but not "trust").
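The STARTTLS checks described above (checktls.com, telnet to SMTP servers, and the "encryption, but not trust" distinction) can be reproduced with a small probe. This is an added example, not the post's own tooling; the sample EHLO reply and the client name probe.example.invalid are constructed.

```python
import socket
import ssl

def parse_ehlo_extensions(reply: str) -> set:
    """Keywords from a raw EHLO reply as seen in a capture; RFC 3207 servers list STARTTLS here."""
    lines = [l for l in reply.splitlines() if l[:3] == "250" and len(l) > 4]
    # The first 250 line is the server's greeting, not an extension keyword.
    return {l[4:].split()[0].upper() for l in lines[1:] if l[4:].split()}

def reply_complete(buf: bytes) -> bool:
    """An SMTP reply is complete once its last line has a space (not '-') after the code."""
    last = buf[:-2].rsplit(b"\r\n", 1)[-1] if buf.endswith(b"\r\n") else b""
    return bool(last) and (len(last) == 3 or last[3:4] == b" ")

def read_reply(sock: socket.socket) -> str:
    """Read one possibly multi-line SMTP reply from the socket."""
    buf = b""
    while not reply_complete(buf):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode("ascii", "replace")

def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Is STARTTLS offered, and does the cert chain to the local CA store (encryption vs trust)?"""
    result = {"host": host, "starttls": False, "protocol": None, "verified": False, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            read_reply(sock)                                  # 220 banner
            sock.sendall(b"EHLO probe.example.invalid\r\n")   # constructed client name
            result["starttls"] = "STARTTLS" in parse_ehlo_extensions(read_reply(sock))
            if not result["starttls"]:
                return result                                 # mail to this host goes in the clear
            sock.sendall(b"STARTTLS\r\n")
            if not read_reply(sock).startswith("220"):
                result["error"] = "STARTTLS refused"
                return result
            ctx = ssl.create_default_context()                # verifies chain and hostname
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["protocol"], result["verified"] = tls.version(), True
                tls.sendall(b"QUIT\r\n")
    except ssl.SSLCertVerificationError as e:                 # encrypted, but not trusted
        result["error"] = f"certificate not trusted: {e.verify_message}"
    except OSError as e:
        result["error"] = str(e)
    return result
# Constructed EHLO reply (not from a real server), in the form seen in a capture.
SAMPLE_EHLO_REPLY = ("250-mx.example.test Hello probe.example.invalid\r\n250-SIZE 35882577\r\n"
                     "250-8BITMIME\r\n250-STARTTLS\r\n250 ENHANCEDSTATUSCODES\r\n")
```

Run probe_starttls() against a provider's MX host (taken from the domain's MX records): starttls False means mail to that host travels in the clear, while a "certificate not trusted" error is the post's Gmail finding of encryption without trust.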

Mail.com

Webmail security
SSLLABS reports server (service.mail.com, Feb 5, 2013) has 6 cipher suites, server has no preference. Reported vulnerable to several attacks.

Registration link from front page leads to an insecure HTTP page. Registering for a new account requires HTTP to be used, otherwise final CAPTCHA won't show on screen and registration will fail. CAPTCHA is fetched using HTTP, and thus produces a mixed content page (which is not a good idea).

SMTP server security
Sending mail to users at mail.com will be in the clear due to the lack of RFC3207 support.

Yahoo

Webmail security
SSLLABS reports server (login.yahoo.com, Feb 5, 2013) has 8 cipher suites, server has no preference. Reported vulnerable to several attacks.

SMTP server security
Sending mail to users at yahoo.com will be in the clear due to the lack of RFC3207 support.

Mail client access security
POP access is available through Yahoo Mail Plus, a paid subscription (USD 19.99 for one year); IMAP access is free, and access is secured using SSL/TLS. According to their configuration guide, POP access doesn't seem to be secured, but simple testing shows that SSL/TLS is available for POP.

AOL

Webmail security
SSLLABS reports server (myscreenname.aol.com, Feb 5, 2013) has 5 cipher suites available, with SSLv3+ suites preferred. No vulnerabilities reported.

SMTP server security
Sending mail to users at aol.com will be in the clear due to the lack of RFC3207 support.

Apple iCloud

Webmail security
SSLLABS reports server (www.icloud.com, Feb 5, 2013) has 5 cipher suites available, with SSLv3+ suites preferred. No vulnerabilities reported.

SMTP server security
Sending mail to users at icloud.com or me.com will be in the clear due to the lack of RFC3207 support.

4 comments:

  1. A small note on the BEAST attack reported earlier on Hotmail.com

    It doesn't work. After it was published, all the major browser vendors decided to fix it and break support for a few outdated SSL sites.

    It's only a problem with outdated clients (Thunderbird I believe has the fix).

    http://youtu.be/LBbCec4Bp10?t=15m34s

  2. Thank you for that information, I'll update my post!

  3. Hi Per, good to see some focus on email security. My two cents is however that although one can control the transfer between the server and client, unless specific transport policies are published (and tested) between the various SMTP servers, it is very difficult to gauge the security of public email providers.

    That said, I'm not proposing having novices running their own servers, and in full disclosure I'm using Google Apps for my own email hosting. What I do propose, is however a stronger focus on end-to-end encryption, in particular using RFC4880 (OpenPGP). For Thunderbird the Enigmail plugin to add GnuPG support is working rather nicely.

    Maybe a post focusing on this can be a natural follow-up on email security?

  4. Possibly relevant:
    https://blog.duosecurity.com/2013/02/bypassing-googles-two-factor-authentication/


All comments will be moderated, primarily for spam. You are welcome to disagree with my posts of course.