  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 746
  • Last Modified:

Intercept Email Subjects in a Secure Connection via a Web Browser

Is it possible for a company or a hacker to be able to intercept email subjects (at the least) when sending/receiving emails (like gmail) via a web browser using an https connection?  

Thank you.
0
jsvkav
Asked:
jsvkav
2 Solutions
 
Dave HoweCommented:
No, that isn't possible. Webmail, along with the encrypted forms of POP3, SMTP and IMAP that Google supports, is protected by encryption impractical to break by simple interception - all known ways to break out of TLS involve active interception or (in the case of Internet Explorer, but not Firefox) access to the Secret Key installed on the server that matches the public key in the certificate.

Of course, there *are* active attacks against TLS, but those go far beyond simple sniffing of traffic; you have to actively proxy the connection, faking a certificate and hoping/arranging that the client doesn't notice.
0
 
ParanormasticCryptographic EngineerCommented:
No - if it is an SSL connection everything is encrypted.

With gmail, you may get a warning box about mixed content (SSL & non-SSL) due to some of their ads or something.  I always select 'no' (only do SSL, not mixed).

Some other providers only encrypt their logon page (if you bother to select the secure logon option...); after that everything may revert to clear text again.  I know Hotmail used to do this; I think they may have finally cleaned up their act in the last year or two though, but I'm not positive offhand.

That being said...
Companies especially, and in some cases very nosy hackers, may have other methods around the SSL session, such as a remote viewing tool.  This is relatively common in the workplace - there are many programs to do this, for example Microsoft SMS has a remote view/control tool, and there are many others.  Some companies will have it set to interactive where they can control your mouse, etc., others may just view - some will require that the user be prompted/notified, most do not.

Not common in the workplace, but hackers and malware programs might have popped a keylogger onto your system, so they may have caught what you typed for a subject, or gotten your username/password and just logged in to see it.

So... if you sent something or received something inappropriate to your gmail that you checked at work - they still might know by the subject line if you never opened it.  Usually if you receive something and DON'T OPEN IT most companies won't have an issue unless it appears to be illegal - you don't have control over who sends you what (especially if a piece of spam gets through).
0
 
ParanormasticCryptographic EngineerCommented:
Lol, almost forgot one of the more common ones - if you forgot to lock your workstation then it's no-holds-barred at many places!  So if there was an email you were reading/writing/whatever when you got up to take a break or something then whoever happened to walk by could access whatever they like.

Working in IT, it is common when a co-worker does this that we mess with each other a little bit in a good natured way by sending out a prank email to a small group of people in the dept. or change their browser homepage to something annoying but clean, reconfigure their mouse, etc.
0
 
RyanFXCommented:
Yes, it is quite possible.  There is some professional equipment such as:

 http://www.bluecoat.com/products/sg

that are essentially "legal" man-in-the-middle attacks on your browser.  Your company sets up their SSL proxy as a trusted authority on your company's computer and no matter what site you go to they can read the information being sent just as if it was in plain text.

Hackers can also perform these same attacks but you will receive browser warnings letting you know that certificates do not match up.

If you can verify that the certificate is actually from the site you are trying to get to and not from your company (such as the one service previously mentioned), it is impossible to read over the network (unless your company uses a keylogger / screen cap program).
0
 
PowerITCommented:
Off the top of my head, there are two possible attacks against https. These are generic for all information sent via SSL, not only email.

The first one is through malware at the client side. If an attacker has access to the PC and is able to install screen capture tools, keyloggers, etc... he has access to that information. SSL or not.

The second one is a man in the middle attack: sslstrip. See: http://www.thoughtcrime.org/software/sslstrip/
It actually counts on the fact that most people don't verify if the lock icon is present.

kr, J.
0
 
Dave HoweCommented:
sslstrip isn't actually an SSL attack - instead, it's an indirection attack, which relies on being able to update links in the login page to redirect the login.

Bluecoat (and Ironport proxy) are true man in the middle attacks, and for that reason run foul of the security features of SSL that are designed to prevent that - the fact that you need to have a site certificate signed by an authority, and that authority recognised by the browser. For Internet Explorer, in a company, that is not really that hard - you can push out new authority certificates by registry key or group policy - but for Firefox it's harder, and if you chose to use Firefox Portable (or something else not under corporate control) then it's near impossible. However, that only shows you that they *have* intercepted the traffic, it doesn't prevent the interception.
0
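The check RyanFX and Dave Howe describe above (was the certificate issued by the site's usual authority, or by one the company installed as trusted?) can be scripted. This is an added example, not code from any poster; the issuer names, the sample certificate data and the `assess` helper are constructed for illustration, and `fetch_cert` is only used for a live check.

```python
import hashlib
import socket
import ssl


def fetch_cert(host, port=443, timeout=5.0):
    """Return (parsed_cert, der_bytes) for the leaf certificate the client is shown."""
    ctx = ssl.create_default_context()  # validates against the machine's trust store
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


def issuer_fields(cert):
    """Flatten the nested issuer tuples from getpeercert() into a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def assess(cert, der, expected_issuer_orgs, pinned_sha256=None):
    """Classify a presented certificate: 'direct', 'unexpected-issuer' or 'pin-mismatch'."""
    fingerprint = hashlib.sha256(der).hexdigest()
    if pinned_sha256 is not None and fingerprint != pinned_sha256.lower():
        return "pin-mismatch", fingerprint
    org = issuer_fields(cert).get("organizationName", "")
    if org not in expected_issuer_orgs:
        return "unexpected-issuer", fingerprint
    return "direct", fingerprint


# Constructed sample data (not real certificates): the same site as seen
# directly and as re-signed by a hypothetical corporate inspection proxy.
DIRECT_DER = b"constructed-leaf-der-from-public-ca"
PROXY_DER = b"constructed-leaf-der-minted-by-proxy"
DIRECT_CERT = {"issuer": ((("countryName", "US"),),
                          (("organizationName", "Example Public CA"),),
                          (("commonName", "Example Public CA G1"),))}
PROXY_CERT = {"issuer": ((("organizationName", "Example Corp IT"),),
                         (("commonName", "Example Corp Web Proxy CA"),))}
EXPECTED = {"Example Public CA"}
PIN = hashlib.sha256(DIRECT_DER).hexdigest()

if __name__ == "__main__":
    for label, cert, der in (("direct", DIRECT_CERT, DIRECT_DER),
                             ("via proxy", PROXY_CERT, PROXY_DER)):
        print(label, assess(cert, der, EXPECTED, PIN)[0])
    # Live check (needs network): cert, der = fetch_cert("mail.google.com")
```

Because `create_default_context()` trusts whatever the machine trusts, a proxy CA pushed into the system store validates cleanly and only the issuer or fingerprint comparison reveals it. Leaf certificates are reissued regularly, so a fingerprint recorded from a network you trust has to be refreshed when the site rotates its certificate.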
 
PowerITCommented:
Dave,

I assume that the asker wants to know if the information or data can be intercepted when accessing such a system. So from an attacker standpoint my two points are correct. I may have missed the point you are making though.
BTW, the only defence against sslstrip is user education.

kr, J.
 
 
0
 
jsvkavAuthor Commented:
Thank you all for the great comments.  A friend says that his company captures and logs the subject line in emails so I wanted to know if they could capture and read the subject line when connected via https - I guess the answer is that it cannot be read.   But of course there are the other 'things' to consider as mentioned by all the experts above (ie, keyloggers, screen capture programs, etc).
0
 
Dave HoweCommented:
PowerIT: the only defense against ANY social engineering attack is training.

Experience has shown that users don't care what the message says, just which button makes it go away (and optionally, which checkbox means it won't bug them again)
0
 
ahoffmannCommented:
Yes, it is possible, if the web site is vulnerable to XSS (or some other vulnerabilities). This makes the use of SSL completely useless to protect against attacks.
0
 
ParanormasticCryptographic EngineerCommented:
Dave, I need to buy you a beer some day...

jsvkav - This is just in reference to browser based emails where the message is being received over SSL (or anything else sent over SSL).  Keeping in mind that your corporate email will have a whole bunch of monitoring tools - encrypted emails will still have the header information (subject, sender, date, etc.) in the clear, just the message is protected.  POP3/SMTP can be configured to have a secured transfer, but this is rarely done from what I've seen.
0
 
jsvkavAuthor Commented:
Paranormastic,

It isn't a corporate email system.  It's just gmail access via a web browser and it is set to https (under settings).  So just to reiterate the body and any attachments in an email is encrypted but the header info, like sender/date including the subject line, is in clear text.... and that answers my question.

Thank you to all!!!



0
 
Dave HoweCommented:
Ah, I think I understand the confusion now.

No, while that is true of *encrypted* email using the S/MIME or OpenPGP encryption methods, it is *not* true of mail accessed using https, pop3s or imaps.

Mail accessed via a -s protocol is fully encrypted, including header info.
0
 
ParanormasticCryptographic EngineerCommented:
I know, I was just tossing that in as an 'extra'... :)

So just to reiterate the body and any attachments in an email is encrypted but the header info, like sender/date including the subject line, is in clear text....

-- were you just restating the original question?  When done through corporate (i.e. downloaded to outlook) this is true, but when done through web page https (careful that after logging in that the page doesn't go back to http!, but google maintains https....) then everything from the subject, attachments, etc. are all encrypted within the SSL session.  It includes everything on the page - the email, the menu, the advertisements, whatever.  If it is https then you are set.
0
