Secure Web Based Mail Services
by Keith Pasley - CISSP - Tuesday, 27 January 2004.
After a web mail user is positively identified and authorized the next step is to initiate retrieval of that users' email. Using a set of stored procedures and scripts, the web server formats the user HTML requests so that the back end email server can serve up mail. The usual backend mail server includes Microsoft Exchange, Netware Mail or Lotus Notes. Each of these systems includes a web mail service that uses default ports of 80 for HTTP and 443 for HTTP/SSL. Most web mail policies require the use of HTTP over an encrypted channel such as Secure Sockets Layer (SSL) or Secure Shell protocol (SSH). In rare cases, the IP security (IPSec) is used as the secure communication channel for web mail systems. After the user has finished sending / receiving and viewing mail the user will either log out or simply close the web browser. What happens next is dependent on the specific session management design of the web mail solution.

The Cookie Problem

The issue with web mail session management is centered around how session cookies are managed. Session cookies are files containing information about the state of the session. The web mail server records this information in a text file and stores this file on the web mail user's hard drive (web browser). The session cookie sometimes contains authentication information along with the usual information about such things as the last URL (page) that the user viewed. By design this makes it easier for the user to move from one page of mail to the next without having to re-authenticate for page change.

The problem comes though when the user "logs off". If the web mail system does not erase the session cookie stored on the users computer and if the user does not close their browser, an attacker can easily re-log in to the web mail system while impersonating the authorized user. Why does this happen? Because the session cookie, which contains in some cases the authentication information, is still cached in the browser. This is a major security flaw in the design of several web mail systems. How does this happen? 1. The attacker presses the "back" browser button, 2. The attacker is presented with the web mail logon dialog screen (if using standard HTTP authentication) 3. Attacker simply presses the "OK" button - Voila! The attacker is now logged in as the authorized user.

This vulnerability alone is enough for many security conscious organization to not allow web mail access unless some countermeasure to the "log off" problem is deployed. Small wonder why web mail access requests are greeted with suspicion. Fortunately, there are countermeasures that are available to reduce risk of such attacks on web mail systems.

Web Mail Security Approaches

There are three ways that web mail security can be done:

1. Development In-house

2. Deploy a web mail Security technology/product

3. Outsource to 3rd party

Many businesses refuse to deploy web mail due to concerns over security issues inherent to web based access to mail. Figure 1 highlights some of the issues that are, in fact, valid concerns. However, there are countermeasures that can be applied to mitigate most of the security issues. One such countermeasure is application knowledge. Having security minded development staffs who are properly trained in secure software development principles could minimize poor programming habits that introduce vulnerabilities into the web mail application. A resource to organization who are establishing secure programming standards include: Foundstone, or online training available from the International Webmasters Association IWA-HWG. Also, a well-written guide in secure application development can be found here. These resources can be used to establish a baseline of secure programming ideas within an organization.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 4th