Solved

Is it safe to pass sensitive data in "mailto:"?

Posted on 2014-03-31
368 Views
Last Modified: 2014-04-08
Hi,

I have a website running on HTTPS. There is a page on the site containing user details and I want to transfer the user details into the local email client such as Outlook on my PC when I click a link. How safe is it to send these details in a body parameter in "mailto:"?
Example: <a href="mailto:?body=name:ABC%0D%0AAddress:%0D%0A">Click here</a>

I've never done this before so I don't know if it's secure or not. Is it possible for a middle man to steal this data when it is transferred to my Outlook?

Thanks.
0
Question by:Herci
10 Comments
 
LVL 53

Expert Comment

by:Scott Fell, EE MVE
ID: 39968057
Only transfer data via email that you would otherwise feel comfortable posting here. Email is not safe for transmitting sensitive data. If you feel an address is not sensitive, then by all means. But customers would be angry and you may open yourself to legal problems if you release personal data like this.
0
 

Author Comment

by:Herci
ID: 39968076
Actual emails are transferred via TLS. What I want to know is if someone can nick the data when I click the link and load it onto the mail software. I believe the "mailto:" action happens only within the local PC?
0
 
LVL 53

Assisted Solution

by:Scott Fell, EE MVE
Scott Fell, EE MVE earned 75 total points
ID: 39968181
I am not a super security expert by any means, but when you have TLS enabled and I click your mailto link, can you guarantee how mail transfers from my computer, via the ISP, to your server?

mailto typically opens up the user's mail client. The Chrome browser allows you to set mailto to open up Gmail.
0
 
LVL 83

Accepted Solution

by:Dave Baldwin
Dave Baldwin earned 200 total points
ID: 39968182
Yes, the "mailto:" action is a local operation. The only way someone could get it is if they had a virus or key-logger already running on that machine.

However, you are putting a lot of trust in the idea that the user is using the 'correct' email client and server and that the email isn't being forwarded to someone outside.
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 39968261
To our colleagues answering this question, you might want to ask the author to explain the earlier grades. There are community standards at Experts-Exchange and we all want to understand and share in them.
http://www.experts-exchange.com/memberQuestionHistory.jsp?mid=3844192
0
 

Author Comment

by:Herci
ID: 39968711
Ray,
Thank you for your effort in helping me to find a solution. There is a reason I gave a B, and that's because I've not found a 100% solution from the answers. Please look at the way I've rewarded points in the past. As far as I can see I've not been unreasonable in the way I've given points.
To answer the question of why it took me a while to respond: well, that's because I've been involved in other matters. Get some fresh air, man. Hope you have a good day.
0
 
LVL 110

Assisted Solution

by:Ray Paseur
Ray Paseur earned 75 total points
ID: 39969198
Really, it's worth understanding the community standards.
http://support.experts-exchange.com/customer/portal/articles/481419

There are some questions that do not have 100% "solutions" because the very nature of the question is ambiguous or depends on some foundational understanding that is out of balance. For example, in this question we're looking at the idea of sending an email message and we're considering ways of securing the message in transit. This is almost as strange as sending cash to a vendor by armored truck, and leaving the cash on the front porch. We just don't do that. In the question about character encoding you were asking how to write invalid UTF-8 characters. The correct answer, to both questions, is "don't do that."
0
 
LVL 35

Assisted Solution

by:gr8gonzo
gr8gonzo earned 150 total points
ID: 39969299
1. The mailto link itself is just like any other part of the web page. That said, would you feel comfortable putting that content in some visible place on the page?

2. When clicked, the mailto link just launches the default email client. If malware were intercepting the clicks (unlikely, but possible), it would have access to that information.

3. The biggest problem is simply that TLS is up to the mail servers to use, and there's no guarantee that someone's mail server uses it, which would mean that the data would transmit through the standard, non-encrypted protocol.

Overall, it's NEVER a good idea to put ANY sensitive information into an email if it can be avoided. If it cannot be avoided, don't rely on TLS security for anything. Put sensitive information into an encrypted ZIP file with a strong password that is transmitted separately (e.g. displayed on the web page), and then attach the ZIP file to an email.

If you're trying to GATHER secure information, use secured web forms instead.
0
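The point in item 1 above, as an added example that is not part of the thread: the body of a mailto: link is just percent-encoded text in the page's HTML, so the same few lines that build it (following RFC 6068, with %0D%0A between lines as in the question's href) also recover it from any href in the DOM or page source. Field names and values below are constructed.

```javascript
// Build a mailto: URI whose body lists the given fields, one per line.
// `fields` is a constructed object such as { name: "ABC", Address: "" }.
function buildMailto(fields, recipient = "") {
  const lines = Object.entries(fields).map(([k, v]) => `${k}:${v}`);
  // Each line ends with CRLF, which encodes to %0D%0A as in the question.
  const body = lines.map((line) => line + "\r\n").join("");
  return `mailto:${encodeURIComponent(recipient)}?body=${encodeURIComponent(body)}`;
}

// Recover the plaintext body from a mailto: href. This runs entirely on the
// client side; the web server is never involved, which is why HTTPS on the
// site says nothing about what happens to the data after the click.
function extractMailtoBody(href) {
  if (!href.startsWith("mailto:")) throw new Error("not a mailto: URI");
  const q = href.indexOf("?");
  if (q === -1) return "";
  for (const pair of href.slice(q + 1).split("&")) {
    const eq = pair.indexOf("=");
    const key = eq === -1 ? pair : pair.slice(0, eq);
    if (key.toLowerCase() === "body") {
      // RFC 6068 treats "+" as a literal character in mailto: URIs, so use
      // plain percent-decoding rather than URLSearchParams (which maps + to space).
      return decodeURIComponent(eq === -1 ? "" : pair.slice(eq + 1));
    }
  }
  return "";
}

// Split a "key:value" body back into an object; blank lines are skipped.
function bodyToFields(body) {
  const fields = {};
  for (const line of body.split("\r\n")) {
    const c = line.indexOf(":");
    if (c === -1) continue;
    fields[line.slice(0, c)] = line.slice(c + 1);
  }
  return fields;
}

// Decoding the question's own example href, e.g. from a scraped page:
// extractMailtoBody("mailto:?body=name:ABC%0D%0AAddress:%0D%0A")
//   -> "name:ABC\r\nAddress:\r\n"
```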
 
LVL 35

Expert Comment

by:gr8gonzo
ID: 39969300
1. The mailto link itself is just like any other part of the web page. That said, would you feel comfortable putting that content in some visible place on the page?

2. When clicked, the mailto link just launches the default email client. If malware were intercepting the clicks (unlikely, but possible), it would have access to that information.

Actual emails are transferred via TLS.
3. The biggest problem is simply that TLS is up to -BOTH- mail servers to use. Just having TLS on your mail server will not guarantee anything. There's no guarantee that someone else's mail server uses it, which would mean that the data would transmit through the standard, non-encrypted protocol.

Overall, it's NEVER a good idea to put ANY sensitive information into an email if it can be avoided. If it cannot be avoided, don't rely on TLS security for anything. Put sensitive information into an encrypted ZIP file with a strong password that is transmitted separately (e.g. displayed on the web page), and then attach the ZIP file to an email.

If you're trying to GATHER secure information, use secured web forms instead.
0
 

Author Closing Comment

by:Herci
ID: 39979998
Thank you for all the answers.
0
