Russ Harvey Consulting - Computer and Internet Services

Safer Email


Choosing Your Email Program

Email has changed significantly since it became an important communication tool for individuals.

Much like your choice of a web browser, your choice of an email program (or app) makes a difference.

The Internet only stays healthy if we trust it as a safe place — to explore, transact, connect, and create. Our privacy and security online is under constant threat. But there's something you can do about it: get informed, protect yourself, and make your voice heard. A healthy Internet depends on you. — Mozilla

Check your email program's privacy settings and disable automatic downloading of images where your program supports it.

Email Security Issues

Email remains one of the most important forms of communication today. It is convenient and is now available “on the go” via your smartphone.

However, you don't want to jeopardize your mail or your security, or trade your privacy for ease of use. Don't use unsupported or obsolete software.

Understanding Encryption

I recommend that you read Encryption: Protecting Your Data on this site to understand the importance of encryption in protecting your privacy and avoiding identity theft.

EFAIL Encryption Issue

EFAIL allows someone to break email encryption under certain circumstances. At issue are the aging email and encryption protocols still in use.

In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs. To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago. — Mozilla Thunderbird Blog

See the European EFAIL documentation, which includes details about the vulnerability and short-, medium- and long-term solutions.

Thunderbird, Outlook & AppleMail Vulnerable

Thunderbird, Outlook and AppleMail are vulnerable to the EFAIL encryption vulnerability if you're using S/MIME encryption or PGP encryption (through the Enigmail add-on in Thunderbird), which can give an attacker access to the contents of your encrypted emails.

The Solution: Use External Encryption

The solution is to turn off internal encryption and disable HTML rendering in your email program. If you require encryption, use external encryption.

If you're worried about someone using this attack on your emails, disabling HTML rendering in your email client is a good way to mitigate risk. — Motherboard

The Cause and Potential Long-Term Solutions

Long-term solutions will involve examining the weaknesses in email itself.


Attachments

It is very convenient to be able to attach documents, photos and much more to your email. However, this can be risky.

Be careful with incoming messages containing attachments you don't expect.

Watch Out for Malicious Attachments

One of the most common methods of obtaining information necessary for identity theft is to use a phishing email.

These messages typically contain an infected document which appears to be an invoice or a notification about a prize, delivery, gift or legacy.

Malicious Microsoft Office attachments are more common than malicious batch scripts and PowerShell scripts. — Tech Republic

If you open the document, you will infect your computer or device.

Unless you're expecting such a document, DON'T open it, just delete it.

How to Verify Legitimacy

If you're unsure, verify the legitimacy of the document by calling the company using the contact information found on a recent invoice or statement.

  • NEVER use the contact information provided in the email.
  • NEVER click on links within the email (links can be faked).

Suspicious Links

Just because there are no attachments, doesn't mean the email is safe.

Links embedded within the email itself (or requests to open a Google Doc online) can also be sources of infection.

Sometimes you'll see short links (URLs) like bitly.com/16M0Io3.

While this technique is handy for avoiding long addresses that wrap in the email window (or on Twitter), it can also hide the destination of a malicious link.

Learn more about the various shortened URLs and how to deal with them.


Email Vulnerabilities

Email programs have a number of recognized vulnerabilities, which depend upon the program and the platform (operating system) you are running it on. Those who wish to minimize spam (unsolicited junk email) should avoid software with these weaknesses.

Obsolete Programs Dangerous

Unsupported email programs like Windows Live Mail, Outlook Express or Eudora no longer receive security updates. Use only current software.

Internet Explorer Message Viewers

Some Windows email programs use Internet Explorer components for displaying images and HTML (styled) messages. These programs are subject to the same vulnerabilities that Internet Explorer has.

Internet Explorer isn't the default browser on many Windows systems, especially with the arrival of Edge in Windows 10. However, by embedding an Internet Explorer zero-day and delivering it through Word, an attacker can hit targets who don't have IE set by default. [M]any applications that were once exploited in the browser can also be accessed using a Word document. — Dark Reading

Remote Images

If a remote image (one not attached to the email, but downloaded from the sender's server) is displayed automatically, you risk the sender tracking whether the image was downloaded to your computer.

Some spammers use an identifiable image to determine which users actually open the mail in order to verify whether an email address is valid and read.

Email programs such as The Bat! and Thunderbird disable the downloading of images by default to protect you from this risk.


Email Tracking

Some email companies like Mailchimp and Constant Contact market the ability to tell the sender when a person has opened an email (or that a recipient hasn't opened an email).

Superhuman has Creepy Features

A new product, Superhuman, has the ability to track not only the first time you open an email, but every time, plus where it was opened. But that's not all:

We've built Undo Send right into Superhuman. Just click Undo, and it will be as if the email never sent.
Superhuman

The creepiness of these features has been challenged (read Mike Davidson's blog on the issue), but the clear lesson is that everyone should block external images and return receipts in their email.

[Y]ou can still see exactly when and how many times someone has opened your email, complete with multiple timestamps — you just can't see the location anymore. That, to me, is not sufficient. “A little less creepy” is still creepy. — Mike Industries
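What an email client has to catch when it blocks remote content, covering both the externally loaded images and styles that EFAIL abuses (above) and the tracking pixels described in the Remote Images and Email Tracking sections. This is an added example, not code from the page: it parses a constructed sample message with the Python standard library and lists every http(s) resource the HTML part would fetch if rendered, while leaving inline (cid:) and data: images alone.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample message (not from the page): a CSS background image, a remote
# stylesheet and a 1x1 tracking pixel, plus a cid: image and a data: URI that need no network.
SAMPLE_EML = b"""From: news@sender.example
Subject: Your statement
MIME-Version: 1.0
Content-Type: text/html

<html><head><style>body { background: url(https://tracker.example/bg.png) }</style>
<link rel="stylesheet" href="https://tracker.example/style.css"></head>
<body><img src="https://tracker.example/open?id=ab12" width="1" height="1">
<img src="cid:logo@sender.example"><img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
</body></html>
"""
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I)

def is_remote(url): return url.lower().startswith(("http://", "https://"))

class RemoteFinder(HTMLParser):
    """Collects (tag, url) for src/href/background attributes, inline style= attributes and <style> blocks."""
    def __init__(self):
        super().__init__()
        self.found, self.in_style = [], False
    def handle_starttag(self, tag, attrs):
        self.in_style = self.in_style or tag == "style"
        for name, value in attrs:
            if name in ("src", "href", "background") and value and is_remote(value):
                self.found.append((tag, value))
            elif name == "style" and value:          # e.g. style="background:url(...)"
                self.found += [(tag, u) for u in CSS_URL.findall(value) if is_remote(u)]
    def handle_endtag(self, tag):
        self.in_style = self.in_style and tag != "style"
    def handle_data(self, data):
        if self.in_style:                            # text inside a <style> block
            self.found += [("style", u) for u in CSS_URL.findall(data) if is_remote(u)]

def find_remote_resources(raw):
    """Parse a raw message and return the remote resources referenced by each text/html part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = RemoteFinder()
            finder.feed(part.get_content())
            found.extend(finder.found)
    return found
```

Anything this returns is a request the sender's server would see the moment the message is rendered, which is exactly why the page recommends disabling automatic image downloads.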


Privacy

So many people have moved to using “free” cloud-based webmail programs that the market has virtually collapsed for independent stand-alone email programs.

Free Email Threatens Your Privacy

The biggest issue is privacy.

Services like Gmail, Yahoo! Mail and Outlook.com (formerly Hotmail) can sift through your emails to build a profile on you to sell advertising.

Even if companies claim not to use your emails for profiling, privacy policies can change in a heartbeat.

Running Google's free Gmail while surfing the Web (especially while using the Chrome browser) will provide even more information about you, helping to create a more accurate profile to serve ads to. Google never forgets!

Privacy Not a Priority

The Yahoo! data breach shows that your privacy was NOT a priority.

The company suggests the stolen information could include personal credentials such as names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and even security questions and answers. — Mashable

Not only was that enough information to commit identity theft but Yahoo! took several years before telling anyone.

Security breaches are increasingly common, each revealing more about you to hackers and scammers.

Combining User Data

Google has become more powerful by purchasing existing companies with expertise in areas it traditionally didn't have access to, then combining that with the users' data from all of its companies to create powerful search and advertising profiles.

Don't Sign-in To Google

Chrome contributes to this, in part, by keeping your data on Google's servers rather than on your computer, so that you have access to it from any number of computers, phones and tablets.

More Effective Targeted Ads

This is convenient but eliminates your ability to fully control your own information. Google uses this information to serve more appealing ads based upon what you've viewed with Chrome.

Gmail

If you've had difficulty getting Gmail to work smoothly in your email program, you're not alone.

Google wants you to leave a browser window open with Gmail running. By knowing the sites you're visiting they can present “more relevant” ads (i.e. ads that you're more likely to click on based upon your surfing history). Of course, if you're running Chrome, they already know this.

StartMail Recommended

StartMail (US$59.95 per year) provides an alternative to ‘free’ email services that aren't free — you pay for them by sharing the most intimate details of your life with corporations and marketers. StartMail's privacy policy.

Everyone uses email, but sending regular email is like sending a postcard — it makes snooping very easy! That's why we built StartMail from scratch: a total solution for protecting your email privacy that includes features like extra-secure data storage, disposable email addresses, and an ownership that will resist unwarranted intrusion.


Security Protocols

Like the Internet upon which it depends, email started as an open system of scientists communicating with each other.

Security was unnecessary and those early roots mean that today's email is not as secure as it could be.

Simple Security

For a long time email programs logged onto unsecured ports using only the user name and password for security.

Email later evolved to use other security measures to ensure safe access to email on the server, particularly when sending mail.

SSL/TLS Protocols

Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. — Wikipedia

Secure TLS Recommended

TLS 1.3 (established in 2018) or newer is recommended.

TLS encrypts data such as your username and password for delivery over the Internet to maintain security and privacy.

If TLS isn't supported by your email server, seek another ISP.

Secure SSL Obsolete

SSL, while providing better protection than using unsecured connections, is obsolete and should not be used.

Upgrade Unsupported Email Apps

If your email program doesn't support current versions of TLS, you need to upgrade or move to another email program that does.

Email clients unable to use anything higher than SSL 1.0 were unable to retrieve new mail when servers upgraded their security.

Configuring Email Clients

Secure SSL/TLS settings using dedicated ports are recommended:

  • IMAP on Port 993
  • POP3 on Port 995

Use Non-SSL settings on regular ports only if secure settings are unavailable to you:

  • IMAP on Port 143
  • POP3 on Port 110
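The port settings above, turned into a check you can run against your own provider before trusting its "secure" settings. This is an added example, not the page's own code; it uses only the Python 3 standard library and assumes you supply the server host name. It connects with implicit TLS on 993/995 by default, or with a STARTTLS upgrade on 143/110, verifies the server certificate, refuses SSL 3 and TLS 1.0/1.1, and reports the TLS version that was actually negotiated without ever sending a username or password.

```python
import imaplib
import poplib
import ssl

# Dedicated secure ports and regular ports as listed on the page.
SECURE_PORTS = {"imap": 993, "pop3": 995}
PLAIN_PORTS = {"imap": 143, "pop3": 110}

def make_client_context(min_version=ssl.TLSVersion.TLSv1_2):
    """Client context that verifies the certificate and refuses SSL 3 and TLS 1.0/1.1.
    Pass ssl.TLSVersion.TLSv1_3 to insist on the version the page recommends."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED plus host name checking
    ctx.minimum_version = min_version    # older protocols are not even offered
    return ctx

def context_summary(ctx):
    """Plain-data view of the settings an email client should be using."""
    return {"minimum_version": ctx.minimum_version.name,
            "verifies_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
            "checks_hostname": ctx.check_hostname}

def probe_mailbox(host, protocol="imap", starttls=False, timeout=10):
    """Negotiate TLS with a mail server and return (port, tls_version, cipher).
    Implicit TLS on the dedicated port by default; with starttls=True the regular
    port is used and the session is upgraded before any credentials would be sent."""
    ctx = make_client_context()
    port = PLAIN_PORTS[protocol] if starttls else SECURE_PORTS[protocol]
    if protocol == "imap":
        if starttls:
            conn = imaplib.IMAP4(host, port, timeout=timeout)
            conn.starttls(ssl_context=ctx)
        else:
            conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=timeout)
        close = conn.logout
    elif protocol == "pop3":
        if starttls:
            conn = poplib.POP3(host, port, timeout=timeout)
            conn.stls(context=ctx)
        else:
            conn = poplib.POP3_SSL(host, port, timeout=timeout, context=ctx)
        close = conn.quit
    else:
        raise ValueError("protocol must be 'imap' or 'pop3'")
    version, cipher = conn.sock.version(), conn.sock.cipher()[0]
    close()                              # only the transport was checked; no login attempted
    return port, version, cipher

if __name__ == "__main__":
    import sys                           # usage: python probe.py mail.example.net [imap|pop3]
    print(probe_mailbox(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "imap"))
```

A server that only speaks SSL 3 or TLS 1.0 will fail the handshake here, which is the same failure the page describes when servers upgraded their security and old clients could no longer retrieve mail.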

ISP Settings Differ

Your ISP and/or email provider will have documentation on which of these protocols are available to you.

Use the most secure protocol supported by the server and your email program.

Use HTTPS for Webmail

Using HTTPS is strongly recommended for your webmail service.

This is particularly important if you're sharing public WiFi like in a coffee shop.

STARTTLS Everywhere

The Electronic Frontier Foundation has started STARTTLS Everywhere, a program that helps improve the security of email. Check to see if your email could be secured.

Learning More

These sites have more detailed information about security protocols:


Related Resources

Related resources on this site:

or check the resources index.

RussHarvey.bc.ca/resources/safer-email.html
Updated: March 20, 2021