Secure Web Based Mail Services
by Keith Pasley - CISSP - Tuesday, 27 January 2004.
Data integrity has to do with protection from unauthorized modification of email. Data integrity can be preserved by cryptographic techniques such as hashing and signing of messages. PGP and S/MIME provide the facility of digitally signing messages in such a way that tampering with the data will result in mismatched message hash results.

Availability involves ensuring that the web mail system is as accessible as possible. The use of redundant servers, load balancing and failover, and server clustering are all common ways to increase the probability that the web mail system will be available at the right time. An added plus to redundancy is continuous availability even during maintenance windows.

After a web mail user is positively identified and authorized, the next step is to initiate retrieval of that user's email. Using a set of stored procedures and scripts, the web server formats the user's HTML requests so that the back end email server can serve up mail. The usual back end mail server is Microsoft Exchange, Netware Mail or Lotus Notes. Each of these systems includes a web mail service that uses default ports of 80 for HTTP and 443 for HTTP/SSL. Most web mail policies require the use of HTTP over an encrypted channel such as Secure Sockets Layer (SSL) or Secure Shell protocol (SSH). In rare cases, IP Security (IPsec) is used as the secure communication channel for web mail systems. After the user has finished sending, receiving and viewing mail, the user will either log out or simply close the web browser. What happens next is dependent on the specific session management design of the web mail solution.


The Cookie Problem

The issue with web mail session management is centered around how session cookies are managed. Session cookies are files containing information about the state of the session. The web mail server records this information in a text file and stores this file on the web mail user's hard drive (web browser). The session cookie sometimes contains authentication information along with the usual information about such things as the last URL (page) that the user viewed. By design this makes it easier for the user to move from one page of mail to the next without having to re-authenticate for each page change.

The problem comes, though, when the user "logs off". If the web mail system does not erase the session cookie stored on the user's computer and if the user does not close their browser, an attacker can easily log back in to the web mail system while impersonating the authorized user. Why does this happen? Because the session cookie, which in some cases contains the authentication information, is still cached in the browser. This is a major security flaw in the design of several web mail systems. How does this happen?

1. The attacker presses the "back" browser button.
2. The attacker is presented with the web mail logon dialog screen (if using standard HTTP authentication).
3. The attacker simply presses the "OK" button - Voila! The attacker is now logged in as the authorized user.
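
The logoff flaw described above can be reproduced and closed in a few lines. The following is an added example, not code from the article or from any web mail product: it assumes a cookie named "sid" holding a random token, an in-memory session table, and a constructed user "alice", and it contrasts a logoff that erases nothing with one that invalidates the session on the server and expires the cookie in the browser.

```python
import secrets
from http.cookies import SimpleCookie

class SessionStore:
    """In-memory server-side session table: token -> username."""

    def __init__(self):
        self._sessions = {}

    def login(self, username):
        # The cookie carries only a random token, never credentials.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def authenticate(self, cookie_header):
        """Return the username for a request's Cookie header, or None."""
        morsel = SimpleCookie(cookie_header).get("sid")
        return self._sessions.get(morsel.value) if morsel else None

    def logout_weak(self, cookie_header):
        # Flawed design from the article: the user sees a logoff page, but
        # nothing is erased, so the cached cookie still authenticates.
        return []

    def logout_hardened(self, cookie_header):
        # 1. Invalidate the session on the server, so a replayed cookie is dead.
        morsel = SimpleCookie(cookie_header).get("sid")
        if morsel:
            self._sessions.pop(morsel.value, None)
        # 2. Tell the browser to erase its copy and not to cache mail pages.
        expired = SimpleCookie()
        expired["sid"] = ""
        expired["sid"]["max-age"] = 0
        expired["sid"]["path"] = "/"
        expired["sid"]["secure"] = True
        expired["sid"]["httponly"] = True
        return [("Set-Cookie", expired["sid"].OutputString()),
                ("Cache-Control", "no-store")]

def replay_after_logout(logout_name):
    """Log in, log out with the named method, then replay the cached cookie."""
    store = SessionStore()
    cookie_header = "sid=" + store.login("alice")  # constructed sample user
    headers = getattr(store, logout_name)(cookie_header)
    return store.authenticate(cookie_header), dict(headers)
```

The server-side invalidation is the part that matters: even if the browser ignores the expiry header, the replayed token no longer maps to a user.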

Copyright 1998-2013 by Help Net Security.