How secure is web-based email?
HOME
PAGE
MEMBER RESOURCES
ABOUT US
FORUMS
PARTNERS
PRODUCTS & SERVICES
FREE RESOURCES
LOGIN
HERE
JOIN
NOW!
You are not logged in. Access is limited. Login or see membership information. • Streetwise Security Zone Community

The Streetwise Security Zone Discussion Forums are a great way to see what other managers are doing about security and what problems they have faced. You can find a lot of helpful hints and tips that could save you time and money.

You must join The Streetwise Security Zone (click HERE) in order to reply or post new items in the forums.
Author Message

ScottWright
Group Administrator

Subject: How secure is web-based email?
Explanations
posted by ScottWright on Sunday, August 31st 2008 @ 11:44 PM

Web-based email, or "webmail" is offered by many free and paid services, and can even be operated privately within your own business. The most secure webmail systems are usually those that use a "secure web session" technology, called "Secure Sockets Layer" or "Transport Layer Security". I say usually, because some have different features for protecting content that work better than others.

Here's a bit of a technical explanation.

Most businesses use email systems that run on their own servers, and which provide the highest performance within the office's private network. Because the networks are usually protected by firewalls from the outside, there has not been much need to secure the traffic inside. This is changing, however, with the mobility of the workforce to home offices and wireless hotspots that can expose email traffic to hackers who can use tools for "sniffing" the content of messages, including user names and passwords.

Webmail systems that use SSL are much better suited to these environments, as they use encryption to encode the traffic in a way that others on the outside network can't easily observe.

So, why not use webmail for all email? In many cases, the performance of webmail systems can be much slower than the native email programs, depending on the quality of the hardware and software being used. Higher performance systems will be more expensive.

Large providers of free email systems have invested a lot of money in high performance systems, but not all are very secure. In fact, most do not use SSL at all. Some, such as Yahoo Mail or Google's Gmail will use SSL to protect logins where user names and passwords are sent across the network. However, the rest of the traffic is not secured. (Note: in some cases, such as with Gmail, you can explicitly turn on SSL for the entire email session, but this is not usually done automatically.)

So, webmail can be secure, and is sometimes even preferable, if a reputable system with "secure web session" such as SSL is used. Many businesses now have normal email access within the office, but have an SSL protected webmail server that can be reached from the Internet. This can provide a good balance, but it is important to make sure that the system is configured securely, and that staff are trained on good email security practices.

________________________________
Scott Wright
The Streetwise Security Coach

Would your organization be interested in obtaining the right to use my lessons or articles in your enterprise security awareness program? Please email me at the address below...

Email: scott@streetwise-security-zone.com
Twitter: http://www.twitter.com/streetsec
Phone: 613-693-0997
Podcast: http://www.streetwise-security-zone.com/podcast.html


Copyright 2012. Security Perspectives Inc. All Rights Reserved.