There used to be a time when secure email management was simple. "Managing"
meant sorting through your email messages, putting them into appropriate folders.
Secure email back them meant using a simple password for email access. However,
today, with email being a business critical application, more threats against
email than ever before, government regulatory concerns, secure email management
takes on a whole different meaning. Viruses, spam, worms, and other malicious
attacks and non-malicious events can bring email infrastructures to their knees.
With recent government legislation in countries such as the U.S., email confidentiality
has become a growing concern. One of the more common access to email today is
via web browser and web based email access. What security issues should be kept
in mind when developing or designing web mail systems?
The Basics of Web Mail
Most web mail systems are designed using a multi-tiered architecture. Usually,
a web server serves as a reverse proxy to a backend email server that actually
services the users mail requests. Most web mail systems use a separate database
to store the mail versus the user authentication information.
User Authentication can be done using authentication protocols native to the
mail server O/S or 3rd party authentication methods such RADIUS or SecureID.
Using a set of stored procedures and scripts, the web server formats the user
HTML requests so that the back end email server can serve up mail. The usual
backend mail server includes Microsoft Exchange, Netware Mail or Lotus Notes.
Each of these systems includes a web mail service that uses default ports of
80 for HTTP and 443 for HTTP/SSL. Most web mail policies require the use of
HTTP over an encrypted channel such as Secure Sockets Layer (SSL) or Secure
Shell protocol (SSH). In rare cases, the IP security (IPSec) is used as the
secure communication channel for web mail systems.
Web Mail Security Approaches
There are three ways that web mail security can be done:
- Development In-house
- Deploy a web mail Security technology/product
- Outsource to 3rd party
Many businesses refuse to deploy web mail due to concerns over security issues
inherent to web based access to mail. However, there are countermeasures that
can be applied to mitigate most of the security issues. One such countermeasure
is application knowledge. Having security minded development staffs who are
properly trained in secure software development principles could minimize poor
programming habits that introduce vulnerabilities into the web mail application.
A resource to organization who are establishing secure programming standards
, or online training available from the International Webmasters Association
Also, a well-written guide in secure application development can be found at
web site. These resources can be used to establish a baseline of secure programming
ideas within an organization.
The second approach is the use of security technology. Technology is available
now that be immediately deployed as a protective layer around a web mail infrastructure.
Most of these products are based on the idea of a reverse proxy. The difference
in products is the technology being used to implement the reverse proxy functionality.
For example, IronMail
email security appliance from CipherTrust
uses hardened version of Apache as the reverse proxy. The IronMail appliance
features a protocol anomaly- based intrusion detection system built in to the
secure web mail application on the appliance. The IDS can detect several hundred
known exploits unique to web mail. In addition, classes of exploits such as
buffer overflow, directory traversal, path obfuscation, and malformed HTTP requests.
As an all-in-one approach to web mail security there are few such products that
do the job as well.
Outsourced Web Mail service
A third approach to web mail security is via out-sourced or hosted web mail
service. Yahoo and MSN provide a webmail access. However, very few people using
their services would rate such services as 'secure'. Thus the need for business
class level of secure web mail access provided by managed security service providers
The Co-Mail secure mail service, offered by Ireland based NR Lab LTD, provides
a web based secure email service with a user interface that can be used by anyone.
Co-Mail security architecture allows this service to be a good choice for any
size organization. Co-Mail allows a company to use its own or a Co-Mail registered
domain for mail routing. This mail service provides mail confidentiality and
is cryptography based on OpenPGP and SSL. Other security features of this on
line email service include, rudimentary anti spam, file encryption, strong user
authentication via (optional) Rainbow iKey support.
Through an administrative web interface an admin can register for the service,
set up new users among other housekeeping tasks. From the admin interface can
be viewed organizational email statistics such as near-immediate or historical
user account activity. The administrator can customize the look and feel for
end user by uploading company logo's, modifying the background header, and selecting
header text color. In addition, a company can use its own domain name or become
a sub domain to the Co-Mail service.
End user account creation can be done the admin or the actual end user. In
either case, there is the same 3 step process of 1) register the user name,
2)random mouse movement to generate the asymmetric keys, and 3) create a passphrase,
Done. The security minded may find this process very simple, yet behind the
scene is a server-based implementation of OpenPGP. In the case of end user registration,
the admin interface provides for sending a customizable message to the end user
with URL pointing to registration site.
Co-Mail can integrate into the end user's current email environment via a downloadable
proxy software called Co-Mail Express. Co-Mail Express is a light weight-software
application that resides on the end users desktop tray. Its job is to intercept
mail directed to port 25 in order to encrypt/decrypt a mail message. Although
this feature is not mandatory, some may find helpful if web based mail interfaces
are not your cup of tea.
Once an end user logs into the service, the user can perform the usual email
tasks such sending and receiving mail. In addition, the user can encrypt/decrypt
files for secure storage (S-Disk) on the users computer, manage the address
book export the address book, turn on/off antispam, set up auto reply texts
and so on.
Although, very easy to use for small to medium user communities, traditional
large enterprises may be hesitant to outsource their entire email service to
a third party. ISPs in particular may want to think seriously about this service
value to their customers. This service is worth a look due to potential cost
savings in up front setup, and ongoing maintenance. Lower cost and implementation
speed are two reasons a large may want to outsource its email system Co-Mail.
However, the strength of the security employed by the service provider is also
a central concern. Technical details for Co-Mail are available on line at: http://www.co-mail.com/data.html
Email management use to be simpler, but the threats against email have grown
more complex. With products like Co-Mail, that provides a relatively good level
of service availability and security, email users around the world can take
advantage of strong security with simple administration.