
July 25th, 2007

As long as the Internet has been around....and still no secure e-mail?

Posted by David Berlind @ 6:45 am

Categories: General, IT Management, Security, Software Infrastructure, Web technology

Tags: Password, LAN, Internet, Network, Server, E-mail, David Berlind

I finally had a chance today to go back and check the comments on my post about how vulnerable the password recovery schemes of many supposedly secure Web sites are. See Are you sure you’re the only one with access to that password you recovered? Think again. I asked readers (and you’re free to still answer the request) to let me know if they know of Web sites that, via e-mail, will send you your actual password after you click the “I forgot my password” link (or something like it).
One reader commented that Amazon.com does this. But when I tested Amazon’s password recovery process, I found that the e-commerce giant actually does the right thing by sending you a link to a Web page where you can reset your password. The link is an HTTPS link (instead of the standard HTTP) which means that transmissions between you and the Web page are encrypted. In other words, your password isn’t crossing a network in clear text where it’s available to prying eyes.
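The reset-link approach described above, as an added example that is not ZDNet's or Amazon's code: the site never mails the password; it mails an HTTPS link carrying a random, single-use, short-lived token, stores only the token's hash, and compares in constant time when the link is used. The host name accounts.example.com, the 15-minute lifetime and the in-memory store are constructed for the demo.

```go
package main

// Added example (not ZDNet's or Amazon's code): a password-reset flow that
// mails an HTTPS link carrying a random, single-use, short-lived token, so the
// password itself never crosses the network. Host name, TTL and the in-memory
// store are constructed for the demo.

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"time"
)

var ErrInvalidToken = errors.New("reset token invalid, expired or already used")

type resetRecord struct {
	tokenHash [32]byte // only the hash is stored; a leaked table yields no usable tokens
	expires   time.Time
}

// ResetService is a constructed in-memory stand-in for the account store.
type ResetService struct {
	pending map[string]resetRecord // keyed by account e-mail address
	ttl     time.Duration
	now     func() time.Time // injectable clock so expiry can be tested
}

func NewResetService(ttl time.Duration) *ResetService {
	return &ResetService{pending: map[string]resetRecord{}, ttl: ttl, now: time.Now}
}

// IssueResetLink creates a 256-bit random token, stores its SHA-256 hash with an
// expiry, and returns the HTTPS link to e-mail to the user. The hypothetical host
// accounts.example.com stands in for the site's real reset endpoint.
func (s *ResetService) IssueResetLink(email string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	s.pending[email] = resetRecord{tokenHash: sha256.Sum256([]byte(token)), expires: s.now().Add(s.ttl)}
	q := url.Values{"email": {email}, "token": {token}}
	return "https://accounts.example.com/reset?" + q.Encode(), nil
}

// ParseResetLink pulls the e-mail and token back out of a link, as the reset
// page handler would from its query string; anything but https is refused.
func ParseResetLink(link string) (email, token string, err error) {
	u, err := url.Parse(link)
	if err != nil {
		return "", "", err
	}
	if u.Scheme != "https" {
		return "", "", errors.New("reset links must be https")
	}
	return u.Query().Get("email"), u.Query().Get("token"), nil
}

// Redeem validates a presented token in constant time, rejects expired ones and
// consumes it so the link cannot be replayed. On success the caller may set the
// account's new password (password hashing is outside this example).
func (s *ResetService) Redeem(email, token string) error {
	rec, ok := s.pending[email]
	if !ok {
		return ErrInvalidToken
	}
	if s.now().After(rec.expires) {
		delete(s.pending, email)
		return ErrInvalidToken
	}
	got := sha256.Sum256([]byte(token))
	if subtle.ConstantTimeCompare(got[:], rec.tokenHash[:]) != 1 {
		return ErrInvalidToken
	}
	delete(s.pending, email) // single use
	return nil
}

func main() {
	svc := NewResetService(15 * time.Minute)
	link, _ := svc.IssueResetLink("alice@example.com")
	fmt.Println("mail this link:", link)
	email, token, _ := ParseResetLink(link)
	fmt.Println("first redeem:", svc.Redeem(email, token))  // <nil>
	fmt.Println("second redeem:", svc.Redeem(email, token)) // reset token invalid, expired or already used
}
```

The link is useless to anyone who sees it after it has been redeemed or after the TTL, and because only the hash is stored, an attacker who reads the pending table still cannot construct a valid link.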

Another reader made a good point about how, compared to the old days of single-bus networks, it isn’t that easy to sniff password traffic off a local area network (LAN). That’s because most LANs use network switches instead of the old network hubs as a means of connecting servers and workstations to the LAN, and eventually the Internet. With the old 10Base-T twisted pair Ethernet hubs and the coaxial cabling that preceded them, it didn’t matter what port or part of the coax a workstation or server was connected to. Every port acted as a passthru for pretty much all LAN traffic.

With the Ethernet switching hardware found in most wiring closets today, each port is like a private LAN that only passes traffic going to and from the server or workstation that’s connected to it. In other words, it can’t see password traffic that is addressed to some other destination. The reader points out that it’s not a perfect solution because network administrators (some of whom may harbor malicious intent) may still have access to unswitched ports or areas of the LAN where all traffic is consolidated. But at least the pool of people that have that kind of access is limited in size.

Perhaps the most interesting response, however, came from “pradecki” who titled his/her comment with Hence, secure email is way overdue. Wrote pradecki:

It still boggles me why servers don’t do a public key cryptographic handshake/connection encryption when they transmit email. It doesn’t take any new technology than what already exists. When user a logs into server A to send a message to user b using email server B, if they are concerned about security they will use a secure connection between themselves and their email server. However, the security hole exists in the communication between the two email servers. If the two servers used a secure connection to transfer the email messages, then the entire problem of forgot-password scripts emailing out plain text passwords would be mitigated.

Bingo.

The part about the technology already existing is what really drives pradecki’s point home.
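A check a mail administrator can run to see whether the server-to-server hop pradecki describes was actually protected, written here as an added example (not pradecki's or ZDNet's code). Each MTA that handles a message records the session type in the "with" clause of the Received: line it adds: ESMTP means a clear-text transfer, ESMTPS means STARTTLS was negotiated, and ESMTPSA means STARTTLS plus authentication (RFC 3848). Reading those lines back shows exactly which hop, if any, carried the message in the clear. The sample header block and its host names are constructed.

```go
package main

// Added example (not ZDNet's or pradecki's code): audit the Received: trail
// of a delivered message and flag hops whose SMTP session type does not
// indicate TLS. Sample headers and host names are constructed.

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Hop is one Received: line reduced to the fields the audit needs.
type Hop struct {
	From string // sending host as claimed in the "from" clause
	By   string // receiving host that wrote the line
	With string // SMTP session type from the "with" clause (ESMTP, ESMTPS, ESMTPSA, ...)
	TLS  bool   // true when the session type indicates a TLS-protected transfer
}

var (
	fromRe = regexp.MustCompile(`(?i)\bfrom\s+(\S+)`)
	byRe   = regexp.MustCompile(`(?i)\bby\s+(\S+)`)
	withRe = regexp.MustCompile(`(?i)\bwith\s+(\S+)`)
)

func firstGroup(re *regexp.Regexp, s string) string {
	if m := re.FindStringSubmatch(s); m != nil {
		return m[1]
	}
	return ""
}

// receivedValues unfolds the header block (continuation lines start with
// whitespace) and returns each Received: value, newest hop first.
func receivedValues(headers string) []string {
	var values []string
	var cur strings.Builder
	inReceived := false
	flush := func() {
		if inReceived {
			values = append(values, cur.String())
			cur.Reset()
			inReceived = false
		}
	}
	sc := bufio.NewScanner(strings.NewReader(headers))
	for sc.Scan() {
		line := sc.Text()
		if line == "" {
			break // blank line ends the header block
		}
		if line[0] == ' ' || line[0] == '\t' {
			if inReceived {
				cur.WriteString(" " + strings.TrimSpace(line))
			}
			continue
		}
		flush()
		if strings.HasPrefix(strings.ToLower(line), "received:") {
			inReceived = true
			cur.WriteString(strings.TrimSpace(line[len("received:"):]))
		}
	}
	flush()
	return values
}

// AuditHops parses every Received: line into a Hop. RFC 3848 session types
// that end in SMTPS or SMTPSA (ESMTPS, ESMTPSA, UTF8SMTPS, ...) count as TLS.
func AuditHops(headers string) []Hop {
	var hops []Hop
	for _, v := range receivedValues(headers) {
		h := Hop{From: firstGroup(fromRe, v), By: firstGroup(byRe, v), With: strings.ToUpper(firstGroup(withRe, v))}
		h.TLS = strings.HasSuffix(h.With, "SMTPS") || strings.HasSuffix(h.With, "SMTPSA")
		hops = append(hops, h)
	}
	return hops
}

// ClearTextHops returns only the hops that carried the message without TLS.
func ClearTextHops(headers string) []Hop {
	var plain []Hop
	for _, h := range AuditHops(headers) {
		if !h.TLS {
			plain = append(plain, h)
		}
	}
	return plain
}

// sampleHeaders is a constructed trail: submission over TLS, a clear-text
// server-to-server hop, then a TLS hop into the recipient's mailbox server.
const sampleHeaders = `Received: from mx.recipient.example (mx.recipient.example [192.0.2.20])
	by inbox.recipient.example with ESMTPS id abc123
	(version=TLS1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256);
	Wed, 25 Jul 2007 06:45:00 -0400
Received: from smtp.sender.example (smtp.sender.example [198.51.100.5])
	by mx.recipient.example with ESMTP id def456;
	Wed, 25 Jul 2007 06:44:58 -0400
Received: from laptop.sender.example ([203.0.113.7])
	by smtp.sender.example with ESMTPSA id ghi789;
	Wed, 25 Jul 2007 06:44:55 -0400
From: alice@sender.example
To: bob@recipient.example
Subject: constructed sample

body`

func main() {
	for _, h := range AuditHops(sampleHeaders) {
		fmt.Printf("%-24s -> %-24s with %-8s tls=%v\n", h.From, h.By, h.With, h.TLS)
	}
}
```

On the constructed sample the audit reports the middle hop, smtp.sender.example to mx.recipient.example, as clear text: exactly the server-to-server gap the comment describes. Received: lines are written by the receiving server, so only hops at or before your own servers can be trusted; lines added by outside servers are claims, not proof.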

What’s mind boggling to me is that the world of engineers is off solving some new problems with new technologies instead of addressing the nagging problems that still hound us: problems that are easily addressable with existing technology that needs no invention.

Regarding secure e-mail, here are the two biggest problems that need solving now. First, with any e-mail client, the option to send e-mail securely should exist. When you or I pick that option, the recipient’s e-mail client should be able to automagically decrypt it. The technologies for doing this exist and, in fact, there are some e-mail systems that behave in this way. But they’re not interoperable with all other e-mail systems. For this to work right, it has to work for everybody much the same way non-secure e-mail works for everybody today. It needs to be as simple as the sender pressing a “send-secure” button and the recipient(s) being able to open it on their end just as though they were opening any e-mail. No hoops to go through.

The second problem that needs solving — a variant on the first — is a standard fully interoperable way of applying digital signatures to e-mails. One that not only works technically, but is accepted in a business context as well. If it weren’t for this one glaring hole in the e-mail system, I wonder if fax machines would even exist. The only time I need a fax machine these days is to fax a document with my signature on it to someone. In dealing with technology vendors, before they’ll pre-disclose me on some news, I have to sign a non-disclosure agreement. But here’s the rub. They get to do the easy thing: they get to send me the NDA as an attachment to an e-mail. On my end however, I have to detach the attachment, open it up, print it out, sign and date it, and finally, find a fax machine so that I can send it back. Talk about productivity killers! This has to be one of the biggest ones. When agreements come in the e-mail like that, I should be able to digitally sign them and send them back without ever leaving my desk.

Again, the technology for doing this exists. It’s just not found in every e-mail client nor are businesses prepared to alter their processes to handle this approach.
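The two capabilities the last paragraphs ask for, a "send-secure" button and a digital signature the recipient can check, come down to the same handful of public-key operations. The block below is an added example, not ZDNet's code and not a real S/MIME or PGP implementation: the body is encrypted under a fresh AES-256-GCM key, that key is wrapped to the recipient's RSA public key with OAEP, and the sender signs the whole envelope with RSA-PSS. Keys are generated in-process for the demo; in a deployment they would come from certificates or a key server, and the Envelope type is a constructed stand-in for the CMS/PGP container.

```go
package main

// Added example (not ZDNet's code, not S/MIME or PGP proper): the primitives
// behind a "send-secure" button plus a digital signature. Keys are generated
// in-process for the demo; Envelope is a constructed container.

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Envelope holds one secure message as it would travel in the mail body.
type Envelope struct {
	WrappedKey []byte // AES key encrypted to the recipient with RSA-OAEP
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM output, authentication tag included
	Signature  []byte // sender's RSA-PSS signature over the three fields above
}

// digest hashes the envelope fields with length prefixes so the signature
// binds all of them together without boundary ambiguity.
func (e *Envelope) digest() []byte {
	h := sha256.New()
	for _, part := range [][]byte{e.WrappedKey, e.Nonce, e.Ciphertext} {
		binary.Write(h, binary.BigEndian, uint32(len(part)))
		h.Write(part)
	}
	return h.Sum(nil)
}

// NewParty makes a key pair for one correspondent (demo only; real users
// would have a certificate or published key instead).
func NewParty() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// SealMessage encrypts plaintext to the recipient and signs it as the sender.
func SealMessage(plaintext []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (*Envelope, error) {
	bodyKey := make([]byte, 32)
	if _, err := rand.Read(bodyKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(bodyKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: make([]byte, gcm.NonceSize())}
	if _, err := rand.Read(env.Nonce); err != nil {
		return nil, err
	}
	env.Ciphertext = gcm.Seal(nil, env.Nonce, plaintext, nil)
	if env.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, bodyKey, nil); err != nil {
		return nil, err
	}
	if env.Signature, err = rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, env.digest(), nil); err != nil {
		return nil, err
	}
	return env, nil
}

// OpenMessage checks the sender's signature first, then unwraps the body key
// and decrypts. Each failure is reported distinctly so the client can say why.
func OpenMessage(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, env.digest(), env.Signature, nil); err != nil {
		return nil, errors.New("signature check failed: not from the claimed sender or envelope altered")
	}
	bodyKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap body key: not addressed to this recipient")
	}
	block, err := aes.NewCipher(bodyKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("body authentication failed")
	}
	return plaintext, nil
}

func main() {
	alice, _ := NewParty() // sender
	bob, _ := NewParty()   // recipient
	env, _ := SealMessage([]byte("Signed NDA attached."), alice, &bob.PublicKey)
	body, err := OpenMessage(env, bob, &alice.PublicKey)
	fmt.Printf("%s (err=%v)\n", body, err)
}
```

The example signs the ciphertext so a tampered or misattributed envelope is rejected before any decryption happens; S/MIME and PGP clients usually sign the plaintext and then encrypt the signed object, which lets the signature be kept and re-verified after decryption. What both forms share, and what the interoperability problem in the text is really about, is the step this demo skips: agreeing on where the recipient's public key and the sender's certificate come from.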

Pradecki is 100 percent right. Secure e-mail is long overdue. Looooooong overdue.

David Berlind has been Executive Editor at ZDNet since 1998 and has been a technology journalist since 1991. Although he can't respond to all e-mails, he reads them all. You can reach David at david.berlind AT cnet.com. If you don't want the content of your e-mail to turn up in a blog entry, make sure you say so. To the extent that most e-mail he receives looks to sway his opinion about something, he usually looks to pass those points of view onto ZDNet's audience members for their consideration. For disclosures on David's industry affiliations, click here.
Talkback (25 comments; most recent shown first)

Eudora 7 has an S/MIME plugin available
http://www.eudora.com/download/eudora/windows/7.0/... (Read the rest)
Posted by: Boomslang, 08/12/07

  • And, securing email would also make it harder for Spammers to operate. (DonnieBoy, 07/25/07)
  • PGP (Stuka, 07/25/07)
  • That does not help if it is not universally available so you can send it to (DonnieBoy, 07/25/07)
  • Much easier than PGP is S/MIME (georgeou, 07/25/07)
  • X-ASVP as key distribution (gklaas@..., 07/26/07)
  • It's not difficult (bill_harris@..., 07/25/07)
  • Still, it is not a universal standard. We need a simple "send secure" (DonnieBoy, 07/25/07)
  • Just your message says "difficult" (dberlind, 07/25/07)
  • Easy as pie (loa_online, 07/27/07)
  • About signing and faxing documents... (jjarman, 07/25/07)
  • Regarding your productivity killers... (BFD, 07/25/07)
  • It's not possible (Snikch, 07/25/07)
  • It is possible, but need e-mail to URL conversion (gklaas@..., 07/26/07)
  • Not only does the technology exist... (JDThompson, 07/25/07)
  • You missed the point (Snikch, 07/25/07)
  • No, you're completely wrong. (georgeou, 07/25/07)
  • Sorry, SSL encrypted POP3 and SMTP have been around for a LONG time (georgeou, 07/25/07)
  • AT&T Mail Client Ports (hrhaley@..., 07/26/07)
  • Sending links via emails is NOT secure (alokgovil, 07/26/07)
  • error? (Al S Cook, 07/26/07)
  • Thawte solution helpful to anyone? (scottmace2002, 07/26/07)
  • Thawte doesn't support Eudora or Eudora doesn't support S/MIME? (georgeou, 07/28/07)
  • Eudora 7 has an S/MIME plugin available (Boomslang, 08/12/07)
  • TONS of proprietary solutions (Narg, 07/29/07)
  • Solution Exists at VSN.VOLTAGE.COM (pdunne, 08/02/07)
