EmailDiscussions.com  

Go Back   EmailDiscussions.com > Discussions about Email Services > The Technical Zone...
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read
Stay in touch wirelessly

The Technical Zone... The Geeky forum... Use this forum to discuss technical aspects of email, from authentication protocols to encryption.

Reply
 
Thread Tools
Old 16 Mar 2024, 10:46 PM   #1
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,769
What security level for your email?

I'm curious what security level you use on your email accounts? I do not use desktop apps, though I do use an email app on my Android phone. For my main account I use the typical username and password (long and unique), plus I have 2-factor authentication via a physical security key. For Gmail I could be using Passkeys instead, but not 100% sure I want to go there yet. I'm wary of using IMAP and POP on accounts since they seem to be possible security problems. Still, despite any security I use at my end, it all comes down to how well the company is implementing security at their end. For example, what type of password recovery or account recovery security do they use? Do they store your passwords securely? Or, maybe the better philosophy is just to delete your emails fairly often so there is little there worth finding, though once they have control of an email address they might be able to access other accounts like banks and investments.
TenFour is offline   Reply With Quote

Old 17 Mar 2024, 02:18 AM   #2
JeremyNicoll
Essential Contributor
 
Join Date: Dec 2017
Location: Scotland
Posts: 494
What do you mean by

"I'm wary of using IMAP and POP on accounts since they seem to be possible security problems."


How else can you access mail on a server? (Maybe you meam you login to some webmail system ... but surely it then has to access the server by POP (unlikely) or IMAP (or its successor)?)
JeremyNicoll is offline   Reply With Quote
Old 17 Mar 2024, 05:37 AM   #3
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,769
Quote:
How else can you access mail on a server? (Maybe you meam you login to some webmail system ... but surely it then has to access the server by POP (unlikely) or IMAP (or its successor)?)
I don't use a separate email app to access my email. In other words, to access my Gmail I login to the Gmail website, and I use the Gmail app on my phone. If you instead access Gmail via Thunderbird or Outlook on your desktop or via the FairEmail app on your phone you need to use another login via POP or IMAP to do so.
TenFour is offline   Reply With Quote
Old 17 Mar 2024, 07:18 AM   #4
JeremyNicoll
Essential Contributor
 
Join Date: Dec 2017
Location: Scotland
Posts: 494
So ... IIUC you're saying that an https: connection to a webmail session (which internally uses IMAP to talk to the backend servers) is "secure" but an external client talking directly to the server over a secured (TLS or whatever) connection isn't?

Why do you think that?

What /specifically/ are the "possible security problems"?
JeremyNicoll is offline   Reply With Quote
Old 17 Mar 2024, 04:17 PM   #5
hadaso
The "e" in e-mail
 
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 4,895
Quote:
Originally Posted by JeremyNicoll View Post
So ... IIUC you're saying that an https: connection to a webmail session (which internally uses IMAP to talk to the backend servers) is "secure" but an external client talking directly to the server over a secured (TLS or whatever) connection isn't?

Why do you think that?

What /specifically/ are the "possible security problems"?
A webmail client implemented correctly as an IMAP client would communicate with the IMAP server either over an internal network, or else over a secure connection. Of course you have to trust whoever runs the service.
hadaso is offline   Reply With Quote
Old 17 Mar 2024, 08:07 PM   #6
Folio
Member
 
Join Date: Jul 2014
Posts: 77
Thunderbird supports OAuth2. Both Gmail and Fastmail use that when you connect to your account using Thunderbird. Presumably that authentication is just as secure as logging into the web site.

Still, it looks like you may be making a somewhat different point. I take it that you disable POP and IMAP access in your Gmail settings to reduce the number of attack surfaces exposed by your account. So, if I understand correctly, the question is, just how secure can one make one's account? That's a question I think about myself. With respect to a Gmail account, I can't think of anything you are not already doing (apart from making the move to Passkeys, as you noted).

To your last point, Troy Hunt (Have I Been Pwned) once characterized email addresses as the skeleton key to one's life. If somebody gets access to your email account, they get everything: your bank account, your health records, etc. So, you obviously want to be very careful about where your email account is hosted. Setting aside the privacy concerns associated with Google, Gmail may be about as secure as you can get.
Folio is offline   Reply With Quote
Old 17 Mar 2024, 08:53 PM   #7
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,769
Quote:
So ... IIUC you're saying that an https: connection to a webmail session (which internally uses IMAP to talk to the backend servers) is "secure" but an external client talking directly to the server over a secured (TLS or whatever) connection isn't?

Why do you think that?

What /specifically/ are the "possible security problems"?
Actually, I'm not sure and that's why I asked the question! First, I'm not certain that Gmail's web interface uses IMAP--I've read that it doesn't, but uncertain. Second, as pointed out by Folio, OAuth should be a secure way to sign in from third-party IMAP applications, but still you add another party, another interface. The more links in the chain between you and your email the more potential points of security failure. You have to put a level of trust into any app you are using.

Even OAuth has its vulnerabilities.
Quote:
One of the other key issues with OAuth is the general lack of built-in security features. The security relies almost entirely on developers using the right combination of configuration options and implementing their own additional security measures on top, such as robust input validation. As you've probably gathered, there's a lot to take in and this is quite easy to get wrong if you're inexperienced with OAuth.

Depending on the grant type, highly sensitive data is also sent via the browser, which presents various opportunities for an attacker to intercept it.
https://portswigger.net/web-security/oauth

Quote:
I take it that you disable POP and IMAP access in your Gmail settings to reduce the number of attack surfaces exposed by your account.
And with Gmail you can disable them, which I imagine eliminates those possible failure points. Not sure if they still exist, but until fairly recently I encountered apps that didn't use OAuth, but instead required app passwords that seem inherently less safe.
TenFour is offline   Reply With Quote
Old 19 Mar 2024, 02:22 AM   #8
JeremyNicoll
Essential Contributor
 
Join Date: Dec 2017
Location: Scotland
Posts: 494
OK, I understand better now.

When you say "an email app" on your phone ... that strikes me (depending on where it came from) as maybe a potential security hole. I think I'd trust a generic webmail system running on a mail provider's servers & a stable browser more.

There's also a risk if you lose the phone especially if it was unlocked at the time.
JeremyNicoll is offline   Reply With Quote
Old 19 Mar 2024, 02:56 AM   #9
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,950
Quote:
Originally Posted by JeremyNicoll View Post
There's also a risk if you lose the phone especially if it was unlocked at the time.
This can be mitigated (but not completely removed) by setting a short "relock" time. Yes, I know this is a nuisance for the legitimate user
janusz is offline   Reply With Quote
Old 19 Mar 2024, 03:25 AM   #10
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,769
Quote:
When you say "an email app" on your phone ... that strikes me (depending on where it came from) as maybe a potential security hole. I think I'd trust a generic webmail system running on a mail provider's servers & a stable browser more.

There's also a risk if you lose the phone especially if it was unlocked at the time.
In my case, the email app on my phone is also the Gmail one. Me losing or someone stealing the phone is always a possibility, so I do use various locks and timeouts. OTOH, you can remotely lock your phone and account, at least with Google. From what I read the #1 security problem is phishing via email and text messages. Someone gets you to click on a malicious link and steals your login information, but I believe it is blocked by using a security key and/or passkeys.
TenFour is offline   Reply With Quote
Reply


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Forum Jump


All times are GMT +9. The time now is 11:49 PM.

 

Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy