Email has changed significantly since it became an important communication tool for individuals.
Much like your choice of a web browser, your choice of an email program (or app) makes a difference.
The Internet only stays healthy if we trust it as a safe place — to explore, transact, connect, and create. Our privacy and security online is under constant threat. But there's something you can do about it: get informed, protect yourself, and make your voice heard. A healthy Internet depends on you.
— Mozilla
Check your email program's privacy settings and disable automatic downloading of images where your program supports it.
Email remains one of the most important forms of communication today. It is convenient and is now available “on the go” via your smartphone.
However, you don't want to jeopardize your mail or your security, or trade your privacy for ease of use. Don't use unsupported or obsolete software.
I recommend that you read Encryption: Protecting Your Data on this site to understand the importance of encryption in protecting your privacy and avoiding identity theft.
EFAIL allows someone to break email encryption under certain circumstances. At issue are the aging email and encryption protocols still in use.
In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs. To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.
— Mozilla Thunderbird Blog
The European EFAIL documentation includes details about the vulnerability and short-, medium- and long-term solutions.
Thunderbird, Outlook and Apple Mail are vulnerable to EFAIL if you're using S/MIME encryption or PGP encryption (through the Enigmail add-on in Thunderbird), giving the attacker access to the contents of your encrypted emails.
The solution is to turn off internal encryption and disable HTML rendering in your email program. If you require encryption, use external encryption.
If you're worried about someone using this attack on your emails, disabling HTML rendering in your email client is a good way to mitigate risk.
— Motherboard
Long-term solutions will involve examining weaknesses in email itself.
It is very convenient to be able to attach documents and photos to your email.
However, attached documents can contain malware or other threats to your computer, including ransomware.
Unless you're expecting such a document, DON'T open it, just delete it.
There are several forms that such messages can take:
Be especially wary of any email that warns you to respond immediately. The intention is to scare you into acting quickly, without thinking.
At the very least, these sorts of messages fraudulently ask you to provide personal information, such as account passwords, to an unauthorized recipient. Watch out for embedded forms directing you to log into a recognized account like your Google, Apple or Microsoft account.
Be wary of attachments in emails that you didn't expect, especially Microsoft Office documents.
Malicious Microsoft Office attachments are more common than malicious batch scripts and PowerShell scripts.
— Tech Republic
If you open the document, you will probably infect your computer/device with malware.
The Emotet botnet has returned with improvements designed to get past security protections and your common sense.
A malicious email…attached a Word document that had a massive amount of extraneous data added to the end. As a result, the file was more than 500MB in size, big enough to prevent some security products from being able to scan the contents. Another evasion trick spotted in the attached document: excerpts from the Herman Melville classic novel Moby Dick, which appear in a white font over a white page so the text isn't readable. Some security products automatically flag Microsoft Office files containing just a macro and an image. The invisible text is designed to evade such software while not arousing the suspicion of the target.
When opened, the Word documents present a graphic that says the content can't be accessed unless the user clicks the “enable content” button.
— Ars Technica
Of course, the minute you follow that instruction and disable the protection against malicious macros, your computer will be infected with malware.
If you're unsure, verify the legitimacy of the document by calling the company using the contact information found on a recent invoice or statement.
Just because there are no attachments doesn't mean the email is safe.
Links embedded within the email itself (or requests to open a Google Doc online) can also be sources of infection.
Sometimes you'll see short links (URLs) like bitly.com/16M0Io3.
While this technique is handy for avoiding long addresses that wrap in the email window (or use too many characters on Twitter), it can also hide the destination of a malicious link.
Learn more about the various shortened URLs and how to deal with them.
Email programs have a number of recognized vulnerabilities, which depend upon the program and the platform (operating system) you run it on. Those who wish to minimize spam (unsolicited junk email) should avoid software with these weaknesses.
Unsupported email programs like Windows Live Mail, Outlook Express or Eudora no longer receive security updates. Use only current email software.
Some legacy Windows email programs use Internet Explorer components for displaying images and HTML (styled) messages. These programs are subject to the same vulnerabilities that Internet Explorer has.
Internet Explorer isn't the default browser on many Windows systems, especially with the arrival of Edge in Windows 10. However, by embedding an Internet Explorer zero-day and delivering it through Word, an attacker can hit targets who don't have IE set by default. [M]any applications that were once exploited in the browser can also be accessed using a Word document.
— Dark Reading
More recent versions use Microsoft Word components instead, which have their own vulnerabilities.
If a remote image (one not attached to the email, but downloaded from the sender's server) is automatically displayed, you run the risk that the sender is tracking whether the image was downloaded to your computer.
Some spammers use an identifiable image to determine which users actually open the mail, in order to verify whether an email address is valid and read. Many are only 1 pixel in size — invisible to viewers.
Email programs such as The Bat! and Thunderbird disable the downloading of images by default to protect you from this risk.
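As an added example (not code from this page or from any of the email programs it names), the Python filter below does what “disable automatic downloading of images” means in practice: it removes every remote reference that an HTML message would fetch on its own, which blocks the tracking pixels described here and also the externally loaded images and styles that EFAIL uses as exfiltration channels. The sample message, the `track.example` host and the `cid:logo@local` identifier are constructed.

```python
import re
from html import escape
from html.parser import HTMLParser
# Attributes a mail client fetches automatically while rendering (no click needed).
AUTO_FETCH = {"img": {"src"}, "link": {"href"}, "iframe": {"src"}, "script": {"src"}, "body": {"background"}}
# Remote CSS references: @import rules and url(http://...), url(https://...), url(//...)
CSS_REMOTE = re.compile(r"@import\s+[^;]+;|url\(\s*['\"]?(?:https?:)?//[^)]*\)", re.I)

def is_remote(url):
    """cid: (inline attachment) and data: URLs never touch the network; http(s) does."""
    return url is not None and url.strip().lower().startswith(("http://", "https://", "//"))

class RemoteContentFilter(HTMLParser):
    """Rebuilds the HTML with every auto-fetched remote reference removed (kept in .blocked)."""
    def __init__(self):
        super().__init__(convert_charrefs=False)  # pass entities through untouched
        self.out, self.blocked, self.in_style = [], [], False
    def handle_starttag(self, tag, attrs, close=""):
        kept = []
        for name, value in attrs:
            if name in AUTO_FETCH.get(tag, ()) and is_remote(value):
                self.blocked.append(value)  # attribute dropped: no request is made
                continue
            if name == "style" and value:  # inline CSS can also pull remote resources
                self.blocked += CSS_REMOTE.findall(value)
                value = CSS_REMOTE.sub("none", value)
            kept.append(name if value is None else f'{name}="{escape(value)}"')
        self.in_style = tag == "style"
        self.out.append("<" + " ".join([tag, *kept]) + close + ">")
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs, close=" /")
    def handle_endtag(self, tag):
        self.in_style = False
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if self.in_style:  # <style> blocks: neutralize @import and remote url()
            self.blocked += CSS_REMOTE.findall(data)
            data = CSS_REMOTE.sub("none", data)
        self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def strip_remote_content(html):
    """Return (sanitized_html, blocked_references) for one HTML message body."""
    f = RemoteContentFilter()
    f.feed(html); f.close()
    return "".join(f.out), f.blocked

# Constructed sample: 1x1 tracking pixel, remote stylesheet and CSS backgrounds, plus an
# inline (cid:) logo and an ordinary link that must both survive untouched.
SAMPLE = ('<html><head><style>body{background:url("https://track.example/bg.png")}</style>'
          '<link rel="stylesheet" href="https://track.example/s.css"></head>'
          '<body style="background-image:url(//track.example/b.gif)"><p>Hi &amp; welcome</p>'
          '<img src="cid:logo@local" alt="logo"><img src="https://track.example/open?id=12345"'
          ' width="1" height="1"><a href="https://example.com/offer">Offer</a></body></html>')
```

The blocked list is what a client shows as “remote content blocked”; the link stays because following it requires a click, which is the user's decision rather than an automatic fetch.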
Some email companies like Mailchimp and Constant Contact market the ability to tell the sender if a person has opened an email and when that was.
A new product, Superhuman, has the ability to track not only the first time you open an email, but every time, plus where it was opened. But that's not all:
We've built Undo Send right into Superhuman. Just click Undo, and it will be as if the email never sent.
— Superhuman
The creepiness of these features has been challenged (read Mike Davidson's blog on the issue), but the clear lesson is that everyone should block external images in their email, as well as return receipts.
…[Y]ou can still see exactly when and how many times someone has opened your email, complete with multiple timestamps — you just can't see the location anymore. That, to me, is not sufficient. “A little less creepy” is still creepy.
— Mike Industries
So many people have moved to using “free” cloud-based webmail programs that the market has virtually collapsed for independent stand-alone email programs.
The biggest issue is privacy.
Services like Gmail, Yahoo! Mail and Outlook.com (formerly Hotmail) can sift through your emails to build a profile about you which can then be used to more effectively sell advertising.
Even if companies claim not to use your emails for profiling, privacy policies can change in a heartbeat.
Running Google's free Gmail while surfing the Web (especially while using the Chrome browser) provides even more information about you, helping to create a more accurate profile for serving ads. Google never forgets!
The Yahoo! data breach shows that your privacy was NOT a priority.
The company suggests the stolen information could include personal credentials such as names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and even security questions and answers.
— Mashable
Not only was that enough information to commit identity theft, but Yahoo! took several years before telling anyone.
Security breaches are increasingly common, each revealing more about you to hackers and scammers.
Google has become too powerful, purchasing existing companies with expertise in areas it traditionally didn't have access to, then combining that with the users' data from all of its companies to create powerful search and advertising profiles.
Chrome does this, in part, by keeping the user's data on Google's servers rather than on the user's computer, so you have access to your data from any number of computers, phones and tablets.
This is convenient but eliminates your ability to fully control your own information. Google uses this information to serve more appealing ads based upon what you've viewed with Chrome.
If you've had difficulty getting Gmail to work smoothly in your email program, you're not alone.
Google wants you to leave a browser window open with Gmail running. By knowing the sites you're visiting they can present “more relevant” ads (i.e., ads that you're more likely to click on based upon your surfing history). Of course, if you're running Chrome, Google already knows this.
StartMail (US$59.95 per year) provides an alternative to ‘free’ email services that aren't really free — you pay for them by sharing the most intimate details of your life with corporations and marketers.
StartMail's privacy policy.
Everyone uses email, but sending regular email is like sending a postcard — it makes snooping very easy! That's why we built StartMail from scratch: a total solution for protecting your email privacy that includes features like extra-secure data storage, disposable email addresses, and an ownership that will resist unwarranted intrusion.
Like the Internet upon which it depends, email started as an open system of scientists communicating with each other.
Security was unnecessary then, and those early roots mean that today's email is not as secure as it could be.
For a long time, email programs logged onto unsecured ports using only the user name and password for security.
Email later evolved to use other security measures to ensure safe access to email on the server, particularly when sending mail.
Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network.
— Wikipedia
TLS 1.3 (established in 2018) or newer is recommended.
TLS encrypts data such as your username and password for delivery over the Internet to maintain security and privacy.
If TLS isn't supported by your email server, seek another ISP.
SSL, while providing better protection than using unsecured connections, is obsolete and should not be used.
If your email program doesn't support current versions of TLS, you need to upgrade or move to another email program that does.
Email clients unable to use anything higher than SSL 1.0 were unable to retrieve new mail when servers upgraded their security.
Secure SSL/TLS settings are recommended using dedicated ports:
Use non-SSL settings on regular ports only if secure settings are unavailable to you:
Your ISP and/or email provider will have documentation on which of these protocols are available to you.
Use the most secure protocol supported by the server and your email program.
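The following is an added example, not from this page or any particular email program, showing how a mail client (or an administrator's check script) can apply these settings using only Python's standard library: implicit TLS on the dedicated IMAP port first, STARTTLS on the regular port as the only fallback, TLS 1.2 as the minimum protocol, and no login over a plaintext session. The host name is a placeholder supplied on the command line.

```python
import imaplib
import ssl
import sys

def secure_context(minimum=ssl.TLSVersion.TLSv1_2):
    """Client TLS context: the server certificate and host name are verified, and SSL 2.0/3.0
    plus TLS 1.0/1.1 are refused (pass ssl.TLSVersion.TLSv1_3 to insist on TLS 1.3)."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname, system CA store
    ctx.minimum_version = minimum
    return ctx

def connect_imap(host, ctx=None, tls_port=993, starttls_port=143):
    """Prefer implicit TLS on the dedicated port; otherwise upgrade a plain connection with
    STARTTLS on the regular port. Returns (connection, negotiated protocol name) and never
    proceeds to a login over an unencrypted session."""
    ctx = ctx or secure_context()
    try:
        conn = imaplib.IMAP4_SSL(host, tls_port, ssl_context=ctx)
    except ConnectionRefusedError:        # only "port closed" falls back; a certificate
        conn = imaplib.IMAP4(host, starttls_port)   # failure is never retried elsewhere
        if "STARTTLS" not in conn.capabilities:
            conn.logout()
            raise RuntimeError(f"{host}:{starttls_port} offers no STARTTLS; password not sent")
        conn.starttls(ssl_context=ctx)    # upgrades conn.sock in place, same verification
    return conn, conn.sock.version()

def acceptable(version):
    """True for the protocol versions recommended above (TLS 1.2 or 1.3); SSL and older TLS fail."""
    return version in ("TLSv1.2", "TLSv1.3")

if __name__ == "__main__":   # usage: python check_imap_tls.py imap.example.net  (placeholder host)
    host = sys.argv[1]
    conn, version = connect_imap(host)
    print(f"{host}: encrypted with {version}, acceptable={acceptable(version)}")
    conn.logout()
```

A server that only answers on the plaintext port without STARTTLS is exactly the “seek another ISP” case: the script refuses to send credentials rather than silently downgrading.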
Using HTTPS is strongly recommended for your webmail service.
This is particularly important if you're sharing public WiFi like in a coffee shop.
The Electronic Frontier Foundation has started STARTTLS Everywhere, a program that helps improve the security of email. Check to see if your email could be secured.
These sites have more detailed information about security protocols:
On this site:
RussHarvey.bc.ca/resources/safer-email.html
Updated: May 7, 2023