Solved

Intercept Email Subjects in a Secure Connection via a Web Browser

Posted on 2009-04-13
14
699 Views
Last Modified: 2012-05-06
Is it possible for a company or a hacker to be able to intercept email subjects (at the least) when sending/receiving emails (like gmail) via a web browser using an https connection?  

Thank you.
0
Comment
Question by:jsvkav
  • 4
  • 4
  • 2
  • +3
14 Comments
 
LVL 33

Expert Comment

by:Dave Howe
ID: 24141566
no, that isn't possible. webmail, along with the encrypted forms of pop3, smtp and imap that google supports, is protected by encryption impractical to break by simple interception - all known ways to break out of TLS involve active interception or (in the case of internet explorer, but not firefox) access to the Secret Key installed on the server that matches the public key in the certificate.

of course, there *are* active attacks against tls, but those go far beyond simple sniffing of traffic, you have to actively proxy the connection, faking a certificate and hoping/arranging that the client doesn't notice.
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24141570
No - if it is an SSL connection everything is encrypted.

With gmail, you may get a warning box about mixed content (SSL & non-SSL) due to some of their ads or something.  I always select 'no' (only do SSL, not mixed).

Some other providers, only encrypt their logon page (if you bother to select the secure logon option...) after that everything may revert to clear text again.  I know hotmail used to do this, I think they may have finally cleaned up their act in the last year or two tho, but I'm not positive offhand.

That being said...
For companies especially, and in some cases very nosey hackers, may have other methods around the SSL session, such as a remote viewing tool.  This is relatively common in the workplace - there are many programs to do this, for example Microsoft SMS has a remote view/control tool, and there are many others.  Some companies will have it set to interactive where they can control your mouse, etc., others may just just view - some will require that the user be prompted/notified, most do not.

Not common in the workplace, but hackers and malware programs might have popped a keylogger onto your system, so they may have caught what you typed for a subject, or gotten your username/password and just logged in to see it.

So... if you sent something or received something inappropriate to your gmail that you checked at work - they still might know by the subject line if you never opened it.  Usually if you receive something and DON'T OPEN IT most companies won't have an issue unless it appears to be illegal - you don't have control over who sends you what (especially if a piece of spam gets through).
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24141610
lol almost forgot one of the more common ones - if you forgot to lock your workstation then its no-holds-barred at many places!  So if there was an email you were reading/writing/whatever when you got up to take a break or something then whomever happened to walk by could access whatever they like.  

Working in IT, it is common when a co-worker does this that we mess with each other a little bit in a good natured way by sending out a prank email to a small group of people in the dept. or change their browser homepage to something annoying but clean, reconfigure their mouse, etc.
0
 
LVL 1

Expert Comment

by:RyanFX
ID: 24141646
Yes, it is quite possible.  There are some professional equipment such as:

 http://www.bluecoat.com/products/sg

that are essentially "legal" man-in-the-middle attacks on your browser.  Your company sets up their SSL proxy as a trusted authority on your companies computer and no matter what site you go to they can read the information being sent just as if it was in plain text.

Hackers can also perform these same attacks but you will receive browser warnings letting you know that certificates do not match up.

If you can verify that the certificate is actually from the site you are trying to get to and not from your company (such as the one service previously mentioned)  It is impossible to read over the network.  (unless your company uses a keylogger / screen cap program)
0
 
LVL 18

Expert Comment

by:PowerIT
ID: 24141655
Of the top of my head, there are a two possible attacks against https. These are generic for all information sent via SSL, not only email.

The first one is through malware at the client side. If  an attacker has access to the PC and is able to install screen capture tools, keyloggers, etc... he has access to that information. SSL or not.

The second one is a man in the middle attack: sslstrip. See: http://www.thoughtcrime.org/software/sslstrip/
It actually counts on the fact that most people don't verify if the lock icon is present.

kr, J.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 24141779
sslstrip isn't actually a ssl attack - instead, its an indirection attack, which relies on being able to update links in the login page to redirect the login.

bluecoat (and ironport proxy) are true man in the middle attacks, and for that reason run foul of the security features of ssl that are designed to prevent that - the fact that you need to have a site certificate signed by an authority, and that authority recognised by the browser. For Internet Explorer, in a company, that is not really that hard - you can push out new authority certificates by registry key or group policy - but for firefox its harder, and if you chose to use firefox portable (or something else not under corporate control) then its near impossible. However, that only shows you that they *have* intercepted the traffic, it doesn't prevent the interception.
0
 
LVL 18

Expert Comment

by:PowerIT
ID: 24142049
Dave,

I assume that the asker wants to know if the information or data can be intercepted when accessing such a system. So from an attacker standpoint my two points are correct. I may have missed the point you are making though.
BTW, the only defence against sslstrip is user education.

kr, J.
 
 
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 1

Author Comment

by:jsvkav
ID: 24144031
Thank you all for the great comments.  A friend says that his company captures and logs the subject line in emails so I wanted to know if they could capture and read the subject line when connected via https - I guess the answer is that it cannot be read.   But of course there are the other 'things' to consider as mentioned by all the experts above (ie, keyloggers, screen capture programs, etc).
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 24145712
PowerIT: the only defense against ANY social engineering attack is training.

Experience has shown that users don't care what the message says, just which button makes it go away (and optionally, which checkbox means it won't bug them again)
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 24145840
yes, it is possible.
If the web site is vulnerable to XSS (or some other vulnerabilities). This make the use of SSL completely useless to protect against attacks.
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24148926
Dave, I need to buy you a beer some day...

jsvkav - This is just in reference to browser based emails where the message is being received over SSL (or anything else sent over SSL).  Keeping in mind that your corporate email will have a whole bunch of monitoring tools - encrypted emails will still have the header information (subject, sender, date, etc.) in the clear, just the message is protected.  POP3/SMTP can be configured to have a secured transfer, but this is rarely done from what I've seen.
0
 
LVL 1

Author Comment

by:jsvkav
ID: 24165301
Paranormastic,

It isn't corporate email system.  It's just gmail access via a web browser and it is set to https (under settings).  So just to reiterate the body and any attachments in an email is encrypted but the header info, like sender/date including the subject line, is in clear text.... and that answers my question.

Thank you to all!!!



0
 
LVL 33

Accepted Solution

by:
Dave Howe earned 200 total points
ID: 24165451
Ah, I think I understand the confusion now.

No, while that is true of *encrypted* email using the s/mime or OpenPGP encryption methods, it is *not* true of mail accessed using https, pop3s or imaps

Mail accessed via a -s protocol is fully encrypted, including header info.
0
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 50 total points
ID: 24169300
I know, I was just tossing that in as an 'extra'... :)

So just to reiterate the body and any attachments in an email is encrypted but the header info, like sender/date including the subject line, is in clear text....

-- were you just restating the original question?  When done through corporate (i.e. downloaded to outlook) this is true, but when done through web page https (careful that after logging in that the page doesn't go back to http!, but google maintains https....) then everything from the subject, attachments, etc. are all encrypted within the SSL session.  It includes everything on the page - the email, the menu, the advertisements, whatever.  If it is https then you are set.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now