The problem of sending login data by mail
From time to time I get asked to send sensitive data like login names and passwords by email in a »secure« way. A common way of doing this is to send the data split into two mails, for security reasons.
Everybody who already knows that this is a bad idea may stop reading at this point. Everybody else, please read carefully.
How sending/receiving of email works
First a short introduction to how email works, without going into too much detail.
After writing the mail and pressing the send button in the mail client or the webmail user interface, the mail is transferred to a mail server. This is usually done with the Simple Mail Transfer Protocol, SMTP. The mail server takes the mail and tries to deliver it to the recipient's mail server, again using SMTP. The recipient's mail server accepts the mail and makes it available to the end user, again by transferring data over the internet.
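To make the hop described above concrete, here is an added illustration that is not part of the original post: a minimal in-memory model of one SMTP hop, with the client's commands and the server's replies spelled out. The hypothetical `TinyRelay` class stands in for a mail server; it shows that whatever arrives after DATA is stored exactly as sent, in plain text, which is the point the next sections build on.

```python
# Added illustration (not from the original post): one SMTP hop modelled in memory.
# `TinyRelay` is a hypothetical stand-in for a mail server; a real MTA writes what
# it queues here to disk, in the same plain-text form.
from dataclasses import dataclass, field


@dataclass
class TinyRelay:
    """Hypothetical mail server: answers SMTP commands and queues the message."""
    queue: list = field(default_factory=list)      # (sender, recipients, body) tuples
    _sender: str = ""
    _rcpts: list = field(default_factory=list)
    _in_data: bool = False
    _lines: list = field(default_factory=list)

    def handle(self, line: str) -> str:
        """Process one client line and return the server's reply ('' while in DATA)."""
        if self._in_data:
            if line == ".":                         # end-of-data marker
                self._in_data = False
                self.queue.append((self._sender, list(self._rcpts), "\n".join(self._lines)))
                self._lines, self._rcpts = [], []
                return "250 OK: queued"
            self._lines.append(line)                # body is stored verbatim
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250-relay.example\n250 SIZE 10240000"   # note: no STARTTLS offered
        if verb == "MAIL":
            self._sender = arg.removeprefix("FROM:")
            return "250 OK"
        if verb == "RCPT":
            self._rcpts.append(arg.removeprefix("TO:"))
            return "250 OK"
        if verb == "DATA":
            self._in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Unknown command"


def send_mail(relay: TinyRelay, sender: str, rcpt: str, body: str) -> list:
    """Client side of the hop: drive the relay and return the (side, text) transcript."""
    script = ["EHLO client.example", f"MAIL FROM:<{sender}>", f"RCPT TO:<{rcpt}>", "DATA",
              *body.splitlines(), "."]
    transcript = []
    for line in script:
        reply = relay.handle(line)
        transcript.append(("C", line))
        if reply:
            transcript.append(("S", reply))
    transcript.append(("C", "QUIT"))
    transcript.append(("S", relay.handle("QUIT")))
    return transcript


if __name__ == "__main__":
    relay = TinyRelay()
    # Constructed sample message, the kind the post warns about
    for side, text in send_mail(relay, "alice@example.org", "bob@example.net",
                                "Subject: access\n\nlogin: bob\npassword: hunter2"):
        print(side, text)
    print("stored on relay:", repr(relay.queue[0][2]))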
Possible points of attack
To understand the problem we have to know how an attack can be performed:
1. At sender's or recipient's PC
This is the most dangerous scenario. Once a third person has access to the sender's or recipient's PC, there is no real possibility to prevent the data from becoming public. Splitting the mail doesn't make any difference. Even encrypted data might be in danger.
2. At mailserver
Mail servers that handle your mail usually store it in queues or inboxes in plain text. Because of that you have to trust your own and the recipient's system administrator not to read or even manipulate your mails.
In most cases everyone who has access to one of the involved mail servers and also has a teacup full of knowledge is able to read your mails or set up forwarding rules for mails that contain special words like »Sex« or »password«.
This means that theoretically every mail is read by the nerds who maintain the mail server. Splitting a message into more than one mail increases the difficulty and security by a low rate of 0.5, since the reader needs to figure out which mails belong together. Fortunately for that reader, not much time passes between the first and the second mail.
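The two claims above, that plain-text queues are trivially searchable and that split mails are trivially re-associated, can be checked with a few lines. The following is an added example, not from the original post: the kind of content check a mail administrator might run over an outbound queue to catch credentials leaving in plain text, plus a pairing step that groups flagged mails between the same two parties inside a short time window. The queue entries are constructed sample data and the record layout (sender, recipient, timestamp, body) is an assumption.

```python
# Added example (not from the original post): outbound content check over a relay
# queue. QUEUE is constructed sample data; the record layout is assumed.
import re
from datetime import datetime, timedelta

# Lines that start with a login/password style field name
CREDENTIAL_PATTERNS = [
    re.compile(r"^\s*(password|passwd|pwd)\s*[:=]", re.I | re.M),
    re.compile(r"^\s*(login|user(name)?)\s*[:=]", re.I | re.M),
]

# Constructed queue: two halves of a "split" credential mail plus an unrelated mail
QUEUE = [
    {"from": "alice@example.org", "to": "bob@example.net",
     "time": datetime(2009, 5, 4, 9, 0, 12), "body": "Login: bob\n(password follows)"},
    {"from": "alice@example.org", "to": "carol@example.net",
     "time": datetime(2009, 5, 4, 9, 0, 40), "body": "Meeting moved to 14:00"},
    {"from": "alice@example.org", "to": "bob@example.net",
     "time": datetime(2009, 5, 4, 9, 1, 5), "body": "password: hunter2"},
]


def looks_like_credentials(body: str) -> bool:
    """True if any body line starts with a login/password style field."""
    return any(p.search(body) for p in CREDENTIAL_PATTERNS)


def flag_credential_mails(queue) -> list:
    """Indices of queued mails that carry credential-looking content."""
    return [i for i, m in enumerate(queue) if looks_like_credentials(m["body"])]


def pair_split_mails(queue, window=timedelta(minutes=10)) -> list:
    """Group flagged mails by (sender, recipient) when they fall within `window`.
    Returns a list of index groups; a group larger than one is a reassembled split mail."""
    groups = []
    for i in flag_credential_mails(queue):
        m = queue[i]
        for g in groups:
            first = queue[g[0]]
            same_parties = (first["from"], first["to"]) == (m["from"], m["to"])
            if same_parties and abs(m["time"] - first["time"]) <= window:
                g.append(i)
                break
        else:                                   # no matching group: start a new one
            groups.append([i])
    return groups


def reassemble(queue, group) -> str:
    """Join the bodies of one group in time order."""
    return "\n".join(queue[i]["body"] for i in sorted(group, key=lambda i: queue[i]["time"]))


if __name__ == "__main__":
    for g in pair_split_mails(QUEUE):
        print(g, "->", repr(reassemble(QUEUE, g)))
```

Both halves land in the same group on the first pass; the only thing the split adds is a timestamp comparison. A filter like this is useful on the defending side, as a check that credentials are not leaving by mail at all.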
3. During transferring of email
Mails are sent over the internet between
- Sender's PC and mail server
- Mail server and recipient's PC
When unencrypted connections are used, everyone who can access a router or switch on the path the packets travel has the chance to dump all packets and reassemble the original message.
If a mail server uses the same path for both of the split mails, it becomes clear that the information is not safe just because it is split. Even though the internet is based on dynamic routing, if a mail server is connected to just one subnet, at least a small part of the packet path is identical.
...lesson we should learn
To make it short: as shown above, splitting mail into x mails (with x > 1) for security reasons doesn't make sense at all. It only makes communication more complicated and increases the number of mails that might get lost.
Things that can be done to make sending mails more secure:
- Use SSL/TLS while transferring mail to and from mail servers, by using the secure version of the protocol like HTTPS, IMAPS, POPS ...
- Encrypt mails using the OpenPGP standard (e.g. GnuPG or PGP), X.509 etc.
- Enable SSL/TLS support on the mail server so that an encrypted connection is used when transferring mail from mail server to mail server over the internet
- Use /dev/brain and think before you send sensitive data by email.
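For the first and third points in the list, the client side matters as much as the server side: a client that silently falls back to plain text when the server does not offer TLS protects nothing. The following is an added example, not from the original post, using Python's standard `smtplib` and `ssl` modules. `starttls_offered` parses an EHLO reply (the two sample replies are constructed) and `submit_with_tls` refuses to hand over the mail unless the connection is upgraded; host, port and addresses are placeholders.

```python
# Added example (not from the original post): client-side enforcement of STARTTLS
# when submitting mail. Host/port/addresses are placeholders; EHLO replies are
# constructed samples.
import smtplib
import ssl


def starttls_offered(ehlo_reply: str) -> bool:
    """Return True if a multi-line EHLO reply advertises the STARTTLS extension."""
    for line in ehlo_reply.splitlines():
        # Extension lines look like "250-KEYWORD ..." or, for the last one, "250 KEYWORD ..."
        if len(line) > 4 and line[:3] == "250" and line[3] in "- ":
            if line[4:].split()[0].upper() == "STARTTLS":
                return True
    return False


def submit_with_tls(host: str, sender: str, rcpt: str, message: str, port: int = 587) -> None:
    """Submit `message` only over a TLS-protected connection; raise otherwise."""
    context = ssl.create_default_context()          # verifies the server certificate
    with smtplib.SMTP(host, port) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):           # never fall back to plain text
            raise RuntimeError(f"{host} does not offer STARTTLS; refusing to send")
        smtp.starttls(context=context)
        smtp.ehlo()                                 # extensions must be re-read after the handshake
        smtp.sendmail(sender, [rcpt], message)


# Constructed EHLO replies: one server that offers TLS, one that does not
EHLO_WITH_TLS = "250-mail.example\n250-SIZE 52428800\n250-STARTTLS\n250 8BITMIME"
EHLO_PLAIN = "250-mail.example\n250-SIZE 52428800\n250 8BITMIME"


if __name__ == "__main__":
    print("TLS server:", starttls_offered(EHLO_WITH_TLS))
    print("plain server:", starttls_offered(EHLO_PLAIN))
    # submit_with_tls("smtp.example", "alice@example.org", "bob@example.net", "Subject: hi\n\nhello")
```

`smtplib.SMTP_SSL` is the equivalent for servers that expect TLS from the first byte (usually port 465). Either way the protection only covers the hop between the client and its own server; the server-to-server hop depends on the administrators having enabled TLS there, as the third list item says.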
BTW: This makes some sense in general
- If you need to send login data, try to send a one-time login token instead
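A one-time token changes what a copied mail is worth: the token is random, expires, and stops working after the first use, so an intercepted copy is useless once the legitimate user has logged in. The following is an added example, not from the original post, of how the server side of such a scheme can look in Python. The in-memory `TokenStore`, its lifetime and its sizes are assumptions for illustration; only a hash of the token is kept, so a copy of the store itself reveals no usable tokens.

```python
# Added example (not from the original post): issuing and redeeming a single-use,
# time-limited login token. `TokenStore` and its parameters are assumptions.
import hashlib
import secrets
import time
from typing import Optional


class TokenStore:
    """Server-side record of outstanding tokens, keyed by the SHA-256 of the token."""

    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds
        self._records = {}          # digest -> (username, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str, now: Optional[float] = None) -> str:
        """Create a token for `username`; the returned string is what goes into the mail."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)             # 256 bits of randomness
        self._records[self._digest(token)] = (username, now + self.ttl)
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the username if the token is valid, consuming it; otherwise None."""
        now = time.time() if now is None else now
        # pop() removes the record whether or not it turns out to be valid,
        # so a token can never be presented twice
        record = self._records.pop(self._digest(token), None)
        if record is None:
            return None
        username, expires_at = record
        if now > expires_at:
            return None                               # expired: discarded, not accepted
        return username


if __name__ == "__main__":
    store = TokenStore(ttl_seconds=600)
    t = store.issue("bob")
    print("mail this link: https://login.example/redeem?t=" + t)   # placeholder URL
    print("first use:", store.redeem(t))
    print("second use:", store.redeem(t))
```

The mail still travels in plain text, but it now carries a short-lived, single-use secret instead of the password itself, and the user is prompted to set or keep a password only after the token has been redeemed over HTTPS.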