1

Email Security

08/14/2021
 Overview
• How email really works
• What are the real security issues?
• What solutions exist?
• How you can avoid security risks.

08/14/2021 2
 What is an email

• Electronic mail (email or e-mail) – is a method of

exchanging digital messages from an author to one or
more recipients across the internet or other computer
networks.
• Email can be web-based e.g. Gmail, yahoo or machine-
based e.g. MS Outlook
• Made up of 3 components; the envelope, the header(s),
and the body of the message.
08/14/2021 3
 What is an email contd…
• Made up of 3 components; the envelope, the header(s), and the body
of the message.
• The envelope is something that an email user will never see since it is
part of the internal process by which an email is routed.
• The header identifies particular routing information of the message,
including the sender, recipient, date and subject.
• Some headers are mandatory, such as the FROM, TO and DATE
headers
• The body is the part that we always see as it is the actual content of
the message contained in the email.

08/14/2021 4
 Sending an Email Message - Process

•Sending an email message is like sending a postal

letter whereby it is transferred from one post office to
another until it reaches its destination
•Computers are like “post offices”, and the SMTP
protocol (Simple Mail Transport Protocol) is the
“procedure” which an “email post office” uses to figure
out where to send the letter next (e.g. the “next hop”).
•Any program that sends an email message uses SMTP
to deliver that message to the next “post office” for
“relaying” it to its final destination.

08/14/2021 5
 Email Security characteristics

•Authentication
•Confidentiality
•Non-repudiation

08/14/2021 6
 Email Fundamentals
• Typical path of an email message:

Mail Server
Client
Mail Server

Mail Server Client

 Main issues in sending email

•Most email servers communicate with each other

using SMTP
•You never know how long it will take an email
message to get from sender to recipient because
you don’t know how busy the servers are, how much
traffic there is on the Internet, what machines are
down for maintenance, etc.
•Your messages may sit in queues on any number of
servers for any amount of time.
08/14/2021 8
 The Lack of Security in Email

Email is inherently insecure. Below is the insecurity in

the email delivery pathway :
a) Webmail:
• If the connection to your WebMail server is
“insecure” (i.e. the address is http:// and NOT
https://), then all information including your
username and password is not encrypted as it
passes between the Webmail server and your
computer.
• HTTPS means -All communication between your
browser and the website are encrypted.
08/14/2021 9
08/14/2021 10
 The Lack of Security in Email contd…

b) SMTP
• SMTP does not encrypt messages (unless the servers in
question support opportunistic TLS encryption). 
• Communications between SMTP servers may send your
messages in plain text for any eavesdropper to see.
• Additionally, if your email server requests that you send your
username and password to “login” to the SMTP server in
order to relay messages to other servers, then these are also
sent in plain text, subject to eavesdropping.
• Finally, messages sent via SMTP include information about
which computer they were sent from and what email program
was used. This information, if available to all recipients, may
be a privacy concern.

08/14/2021 11
 The Lack of Security in Email contd:..
:

• Email program such a MS Outlook is a client

application.
• It needs to interact with an email server which
uses the protocols below:
– Post Office Protocol (POP)
– Internet Message Access Protocol (IMAP)
– Microsoft’s Mail API (MAPI)
- Simple Mail Transfer Protocol (SMTP)
For relaying messages between servers. Easy, but
can be spoofed easily.
 The Lack of Security in Email contd…

c) POP and IMAP

• The POP and IMAP protocols require that you
send your username and password to login;
these credentials are not encrypted.
• So, your messages and credentials can be read
by any eavesdropper listening to the flow of
information between your personal computer
and your email service provider’s computer.

08/14/2021 13
 The Lack of Security in Email contd…

d) BACKUPS
• Email messages are generally stored on SMTP
servers in plain, unencrypted text.
• Backups of the data on these servers may be
made at any time and administrators can read
any of the data on these machines.
• The email messages you send may be saved
unexpectedly and indefinitely and may be read
by unknown persons as a result.

08/14/2021 14
 Security threats for email communication

a) Eavesdropping

b) Identity Theft:
• If someone can obtain the username and password
that you use to access your email servers, they can
read your email and send false email messages as
you.
• Very often, these credentials can be obtained by
eavesdropping on SMTP, POP, IMAP, or Webmail
connections, by reading email messages in which
you include this information.
08/14/2021 15
Security threats for email communication cont.

c) Message Modification
• Anyone who has system administrator
permission on any of the SMTP Servers that
your message visits, can read, delete or alter
the message before it continues on to its
destination.
• Your recipient has no way to tell if the email
message that you sent has been altered!
• If the message was merely deleted they
wouldn’t even know it had been sent.
08/14/2021 16
 Security threats for email communication cont..

d) False Messages
• It is very easy to construct messages that
appear to be sent by someone else.
• Many viruses take advantage of this situation to
propagate themselves.
• In general, there is no way to be sure that the
apparent sender of a message is the true
sender – the sender’s name could have been
easily fabricated

08/14/2021 17
Security threats for email communication cont..

e) Message Replay
• Just as a message can be modified, messages can
be saved, modified, and re-sent later!
•You could receive a valid original message, but
then receive subsequent faked messages that
appear to be valid.

08/14/2021 18
Security threats for email communication cont..

f) Unprotected Backups
• Messages are usually stored in plain text on
SMTP Servers.
• Thus, backups of these servers’ disks usually
contains plain text copies of your messages.
• As backups may be kept for years and can be
read by anyone with access to them, your
messages could still be exposed in insecure
places even after you think that all copies have
been “deleted”.
08/14/2021 19
Security threats for email communication contd.

g) Repudiation
• Because normal email messages can be forged,
there is no way for you to prove that someone
sent you a particular message.
• This means that even if someone DID send you
a message, they can successfully deny it.
• This has implications with regards to using
email for contracts, business communications,
electronic commerce
08/14/2021 20
 Solution - Encryption
Asymmetric encryption lets you do the following:
i. Send an Encrypted Message
•To send a secure message to someone, all you have
to do is encrypt it with their public key!
•Only the intended recipient who has the matching
private key will be able to decrypt and read the
message.
•This solves the problem of eavesdropping and the
problem of sending secret keys that is inherent in
symmetric key encryption.
08/14/2021 21
 Solution – Encryption contd …
ii. Prove You Sent A Message
• To prove to someone that you sent a message,
you can encrypt the message (or just a piece of
it) with your private key.
• Then, anyone can decrypt it with your public
key and read the contents.
• The fact that your public key decrypts the
message proves that only you could have sent it
(or someone who has your private key).

08/14/2021 22
 Solution – Encryption contd ...
iii. Sign a Message
•A message signature proves that you sent the
message AND allows the recipient to determine if
the message was altered in transit.
•This is done by using your private key to encrypt a
digest of a message at the time of sending.
•The recipient can decrypt this digest and compare
it to a digest of the received message.
• If they match, then the message is unaltered and
was sent by you.
08/14/2021 23
 Solution – Encryption contd ...
iv. Encrypted, Signed Messages:
• The most secure form of communication is to
first add a signature to the message and then to
encrypt the message plus signature with the
recipient’s public key.
• This combines all of the benefits of all of the
techniques: security against eavesdropping and
unexpected storage, proof of sender, and proof
on message integrity.

08/14/2021 24
 Securing Your Email With SSL or TLS

•The easiest way of securing your email it to use an

email provider that supports SSL for their Webmail,
POP, IMAP, and SMTP servers.
•SSL is a combination of asymmetric and symmetric
key encryption mechanisms.
• If you connect to a server using SSL, the following
things happen (roughly)

08/14/2021 25
 Securing Your Email With SSL or TLS contd…

•The server uses its private key to prove to you that it is in

fact the server that you are trying to connect to.
• This lets you know that you are not connecting to a
“middleman” that is trying to intercept your
communications.
•You send the server your public key.
•The server generates a “secret key” and sends it to you
encrypted using your public key.
•You and the server then communicate using symmetric
key encryption using this shared secret key. (Symmetric
key encryption is faster than asymmetric key encryption).

08/14/2021 26
 Benefits of SSL
The benefits of SSL are twofold:
1. You can determine if you are connecting to the
right server
2. You and the server can communicate securely.

08/14/2021 27
 Security offered by SSL
•If you get any warning messages when connecting to a server using
SSL, you should think twice about ignoring them.
•The warnings can be due to a small technical problem or an
indication that your communications are being intercepted.
•These warnings usually indicate one of the following:
i. The server’s SSL “certificate” (i.e. public/private key pair) has
expired.
ii. Some of the information in the certificate doesn’t match the
information you expect — i.e. the certificate was issued for a
different server name than the one you are trying to connect to.
(You could be inadvertently connecting to the wrong server.)
iii. The certificate was issued by an un-trusted agency.

08/14/2021 28
 Security offered by SSL
•If you get any warning messages when connecting to a server using
SSL, you should think twice about ignoring them.
•The warnings can be due to a small technical problem or an
indication that your communications are being intercepted.
•These warnings usually indicate one of the following:
i. The server’s SSL “certificate” (i.e. public/private key pair) has
expired.
ii. Some of the information in the certificate doesn’t match the
information you expect — i.e. the certificate was issued for a
different server name than the one you are trying to connect to.
(You could be inadvertently connecting to the wrong server.)
iii. The certificate was issued by an un-trusted agency.

08/14/2021 29
 SSL + Asymmetric key encryption
•Asymmetric key encryption should be used in combination with SSL
•SSL only protects the message path between you and your SMTP
Server and stops there.
•Asymmetric key encryption provides message signatures and/or
encryption. This completely solves the issues of:
i. Eavesdropping (everything is always encrypted)
ii. Message modification (message digests are used)
iii. Message replay (you can include a timestamp in the
signature)
iv. Repudiation (signatures allow proof of who sent the
message)
v. Unprotected backups (everything is always encrypted)

08/14/2021 30
 Email threats and countermeasures

Threats Countermeasures
Viruses Antivirus software,
Hoaxes User education
Email Educating users,
Spoofing
Phishing Firewalls,
Spams Spam filters, user education

08/14/2021 31
 Questions
1) How does the speed of virus/worm transmission
impact things?
2) Do you think spam is a fixable problem?
3) When can we send attachments securely?
4) Suggest solutions to the problem of identity
spoofing
5) Can we detect spam and delete it before it
gets to the user?

08/14/2021 32
 Spam
Write notes

08/14/2021 33