EmailDiscussions.com  
Old 16 Mar 2024, 10:46 PM   #1
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,734
What security level for your email?

I'm curious what security level you use on your email accounts? I do not use desktop apps, though I do use an email app on my Android phone. For my main account I use the typical username and password (long and unique), plus I have 2-factor authentication via a physical security key. For Gmail I could be using Passkeys instead, but not 100% sure I want to go there yet. I'm wary of using IMAP and POP on accounts since they seem to be possible security problems. Still, despite any security I use at my end, it all comes down to how well the company is implementing security at their end. For example, what type of password recovery or account recovery security do they use? Do they store your passwords securely? Or, maybe the better philosophy is just to delete your emails fairly often so there is little there worth finding, though once they have control of an email address they might be able to access other accounts like banks and investments.

Old 17 Mar 2024, 02:18 AM   #2
JeremyNicoll
Essential Contributor
 
Join Date: Dec 2017
Location: Scotland
Posts: 487
What do you mean by

"I'm wary of using IMAP and POP on accounts since they seem to be possible security problems."


How else can you access mail on a server? (Maybe you mean you login to some webmail system ... but surely it then has to access the server by POP (unlikely) or IMAP (or its successor)?)
Old 17 Mar 2024, 05:37 AM   #3
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,734
Quote:
How else can you access mail on a server? (Maybe you mean you login to some webmail system ... but surely it then has to access the server by POP (unlikely) or IMAP (or its successor)?)
I don't use a separate email app to access my email. In other words, to access my Gmail I login to the Gmail website, and I use the Gmail app on my phone. If you instead access Gmail via Thunderbird or Outlook on your desktop or via the FairEmail app on your phone you need to use another login via POP or IMAP to do so.
Old 17 Mar 2024, 07:18 AM   #4
JeremyNicoll
Essential Contributor
 
Join Date: Dec 2017
Location: Scotland
Posts: 487
So ... IIUC you're saying that an https: connection to a webmail session (which internally uses IMAP to talk to the backend servers) is "secure" but an external client talking directly to the server over a secured (TLS or whatever) connection isn't?

Why do you think that?

What /specifically/ are the "possible security problems"?
Old 17 Mar 2024, 04:17 PM   #5
hadaso
The "e" in e-mail
 
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 4,848
Quote:
Originally Posted by JeremyNicoll
So ... IIUC you're saying that an https: connection to a webmail session (which internally uses IMAP to talk to the backend servers) is "secure" but an external client talking directly to the server over a secured (TLS or whatever) connection isn't?

Why do you think that?

What /specifically/ are the "possible security problems"?
A webmail client implemented correctly as an IMAP client would communicate with the IMAP server either over an internal network, or else over a secure connection. Of course you have to trust whoever runs the service.
Old 17 Mar 2024, 08:07 PM   #6
Folio
Member
 
Join Date: Jul 2014
Posts: 77
Thunderbird supports OAuth2. Both Gmail and Fastmail use that when you connect to your account using Thunderbird. Presumably that authentication is just as secure as logging into the web site.

Still, it looks like you may be making a somewhat different point. I take it that you disable POP and IMAP access in your Gmail settings to reduce the number of attack surfaces exposed by your account. So, if I understand correctly, the question is, just how secure can one make one's account? That's a question I think about myself. With respect to a Gmail account, I can't think of anything you are not already doing (apart from making the move to Passkeys, as you noted).

To your last point, Troy Hunt (Have I Been Pwned) once characterized email addresses as the skeleton key to one's life. If somebody gets access to your email account, they get everything: your bank account, your health records, etc. So, you obviously want to be very careful about where your email account is hosted. Setting aside the privacy concerns associated with Google, Gmail may be about as secure as you can get.
Old 17 Mar 2024, 08:53 PM   #7
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,734
Quote:
So ... IIUC you're saying that an https: connection to a webmail session (which internally uses IMAP to talk to the backend servers) is "secure" but an external client talking directly to the server over a secured (TLS or whatever) connection isn't?

Why do you think that?

What /specifically/ are the "possible security problems"?
Actually, I'm not sure and that's why I asked the question! First, I'm not certain that Gmail's web interface uses IMAP--I've read that it doesn't, but uncertain. Second, as pointed out by Folio, OAuth should be a secure way to sign in from third-party IMAP applications, but still you add another party, another interface. The more links in the chain between you and your email the more potential points of security failure. You have to put a level of trust into any app you are using.

Even OAuth has its vulnerabilities.
Quote:
One of the other key issues with OAuth is the general lack of built-in security features. The security relies almost entirely on developers using the right combination of configuration options and implementing their own additional security measures on top, such as robust input validation. As you've probably gathered, there's a lot to take in and this is quite easy to get wrong if you're inexperienced with OAuth.

Depending on the grant type, highly sensitive data is also sent via the browser, which presents various opportunities for an attacker to intercept it.
https://portswigger.net/web-security/oauth

Quote:
I take it that you disable POP and IMAP access in your Gmail settings to reduce the number of attack surfaces exposed by your account.
And with Gmail you can disable them, which I imagine eliminates those possible failure points. Not sure if they still exist, but until fairly recently I encountered apps that didn't use OAuth, but instead required app passwords that seem inherently less safe.
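An added example, not code from any poster in this thread: the OAuth 2.0 authorization-code flow with PKCE as a mail client (the "third-party IMAP application" above) should run it, with the two checks the quoted PortSwigger passage is about: the client binds the browser redirect to its own request with a random state value, and proves on the token request that it started the flow with a PKCE code verifier, so a code that leaks through the browser is useless on its own. The authorization endpoint, client id and redirect URI are placeholders; a real provider publishes its own values.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder values (constructed for this example; a real provider documents its own).
AUTHORIZE_URL = "https://auth.example.test/authorize"
CLIENT_ID = "example-mail-client"
REDIRECT_URI = "http://127.0.0.1:8765/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def start_authorization(rng=secrets.token_bytes) -> dict:
    """Build the browser authorization request for the code flow with PKCE (S256).

    Returns the URL to open plus the per-request secrets the client must keep
    (state and code_verifier) until the redirect comes back.
    """
    state = b64url(rng(32))                      # binds the redirect to this request
    verifier = b64url(rng(32))                   # 43 chars, inside RFC 7636's 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "mail.read",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return {
        "url": f"{AUTHORIZE_URL}?{urlencode(params)}",
        "state": state,
        "verifier": verifier,
        "challenge": challenge,
    }


def handle_callback(pending: dict, callback_url: str) -> dict:
    """Validate the redirect back from the authorization server and build the token request.

    Raises ValueError on anything that should stop the flow. The returned dict is the
    body for a server-to-server POST to the token endpoint; it never travels via the browser.
    """
    parsed = urlparse(callback_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != REDIRECT_URI:
        raise ValueError("callback arrived at an unexpected redirect URI")
    qs = parse_qs(parsed.query)
    if "error" in qs:
        raise ValueError(f"authorization server returned error: {qs['error'][0]}")
    state = qs.get("state", [None])[0]
    # Constant-time compare; a missing or foreign state means the response is not ours
    # (classic CSRF / login-fixation vector when this check is skipped).
    if state is None or not secrets.compare_digest(state, pending["state"]):
        raise ValueError("state mismatch: response does not belong to our request")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": pending["verifier"],
    }


def verify_pkce(challenge: str, verifier: str) -> bool:
    """The check the authorization server performs on the token request (S256 method)."""
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(challenge, expected)


if __name__ == "__main__":
    pending = start_authorization()
    print("open in browser:", pending["url"])
    # Constructed callback, as the browser would deliver it to the loopback redirect URI.
    callback = f"{REDIRECT_URI}?code=constructed-code&state={pending['state']}"
    token_request = handle_callback(pending, callback)
    print("token request body:", token_request)
    print("server-side PKCE check:", verify_pkce(pending["challenge"], token_request["code_verifier"]))
```

The state and verifier live only in the client process; the browser carries the state and the challenge, never the verifier, which is why a code observed in transit cannot be redeemed without it. Disabling the flow entirely (as Gmail lets you do for POP/IMAP) removes even this surface, which is the trade-off the post above describes.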
Old 19 Mar 2024, 02:22 AM   #8
JeremyNicoll
Essential Contributor
 
Join Date: Dec 2017
Location: Scotland
Posts: 487
OK, I understand better now.

When you say "an email app" on your phone ... that strikes me (depending on where it came from) as maybe a potential security hole. I think I'd trust a generic webmail system running on a mail provider's servers & a stable browser more.

There's also a risk if you lose the phone especially if it was unlocked at the time.
Old 19 Mar 2024, 02:56 AM   #9
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,944
Quote:
Originally Posted by JeremyNicoll
There's also a risk if you lose the phone especially if it was unlocked at the time.
This can be mitigated (but not completely removed) by setting a short "relock" time. Yes, I know this is a nuisance for the legitimate user.
Old 19 Mar 2024, 03:25 AM   #10
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,734
Quote:
When you say "an email app" on your phone ... that strikes me (depending on where it came from) as maybe a potential security hole. I think I'd trust a generic webmail system running on a mail provider's servers & a stable browser more.

There's also a risk if you lose the phone especially if it was unlocked at the time.
In my case, the email app on my phone is also the Gmail one. Me losing or someone stealing the phone is always a possibility, so I do use various locks and timeouts. OTOH, you can remotely lock your phone and account, at least with Google. From what I read the #1 security problem is phishing via email and text messages. Someone gets you to click on a malicious link and steals your login information, but I believe it is blocked by using a security key and/or passkeys.
All times are GMT +9. The time now is 07:38 AM.
Copyright EmailDiscussions.com 1998-2022. All Rights Reserved.