Atwood Drops the Ball on Email Security
I'm a huge fan of Jeff Atwood, guru of software development and all things Web, and his Coding Horror blog. However, in a recent post entitled "Make Your Email Hacker Proof," he makes some harrowingly false claims about email security.
Buried deep in this post, which is specific to GMail only, is this confession:
The upside is that once you enable [two-factor authentication for GMail], your email becomes extremely secure, to the point that you can (and I regularly do) email yourself highly sensitive data like passwords and logins to other sites you visit so you can easily retrieve them later.
Wrong, wrong, WRONG!
Two-factor authentication makes accessing your email account by normal authentication vastly more difficult[*]. That is, it takes more than knowing your email address and obtaining (or guessing) your password to gain access by logging into your account the same way you do. Using a secure connection (HTTPS), which Atwood fails to mention until backpedaling in the comments, removes an additional attack vector.
However, the email is transmitted in the clear, and stored unencrypted on the servers. DO NOT email yourself or anyone else passwords or other sensitive information, ever.
If you must store sensitive information in the cloud, use an encrypted file. Doing so is easy in LibreOffice and Microsoft Office. (To send us sensitive information, use our secure contact form.)
Notes:
[*] Using the word "proof" after "hacker" was mistake #1.

Comments:
By zu on Apr 30 2012
yep 'cause storing passwords and logins and highly sensitive data on Google's server is such an awesome, awesome tip lol.
By yossi on Apr 30 2012
actually, gmail has been https for everything for quite some time now. at no point is your email sent over the wire in the clear.
so the only people who can see your email are you and everyone at google.
By Anonymous on Apr 30 2012
Why do you believe that GMail stores emails unencrypted on the servers?
By john jones on Apr 30 2012
Hi there,
3 things
first off gmail has used SSL for a long time and yes this depends on the method i.e. TLS over HTTP/IMAP/SMTP they all have the option
secondly MOST email clients use SMTP and TLS on this stream and gmail uses HTTPS in its apps etc
thirdly trying to encrypt things in Microsoft office is a bit of joke compared to hacking SSL its trivial with many tools designed to do just that
so in summary YES the article was pretty much garbage and boils down to using good passwords and changing them regularly... it does not go over plaintext unless you really really try...
regards
John Jones
By James Manning on Apr 30 2012
WRT "email is transmitted in the clear", hasn't gmail defaulted to https for awhile now? I agree with your post, just curious. :)
By bocode on Apr 30 2012
Insightful comments!
By jurgle blug on Apr 30 2012
Not to mention that GMail doesn't actually implement two-factor authentication but two-channel authentication, with software that is much more easily cloned than a hardware token, which is what it's being compared to. Of course, Google Apps has long supported external authenticators, including true two-factor authentication.
By Fernando Correia on Apr 30 2012
For secure password storage I recommend products such as Password Safe, KeePass, Password Gorilla and many others.
By Dan on Apr 30 2012
How does your secure contact form keep information safe? Does it encrypt it with Sendinc or something?
By chris on Apr 30 2012
@Dan—the information submitted via the contact form on this site never leaves the server. Only notifications are sent by email.
@Anonymous—I suppose it's possible that GMail encrypts all the email messages sitting on its servers. Still, most email hosts don't, and it's not a good idea.
To those saying that logging into GMail with an SSL connection means that the email is not transmitted in the clear: If you send an email from your email client (say Thunderbird or Outlook or Hotmail) to a GMail account, under normal circumstances, it is transmitted in the clear at that point.
To those saying that sending an email from a GMail account to the same GMail account does not transmit the email in the clear: This may be true. (I wonder, due to the CDN-like setup Google apparently has...) But this is a good point. However, it's still a bad idea to email yourself passwords in plain text, which is something I try in vain to communicate to clients. (BTW, I thought of this while writing the post, then thought, "So what? Exactly no one is reading my blog.")
By Josh Peters on Apr 30 2012
For everyone asking about HTTPS, that only protects the GMail application. What the OP is talking about is encryption at the SMTP layer, which can use SSL, but you as a user have no way to verify independently that the whole of the message was communicated via SMTP + SSL.
By Chris on Apr 30 2012
I don't even think it transmits the email on the Internet. If you look at the gmail message headers when sending yourself a message, your message does not leave RFC1918 space. (10.0.0.0/8)
By Phil on Apr 30 2012
@yossi: It's not a direct transaction, there are several intermediary steps in which the email and its contents is likely transmitted or even stored in plain text.
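The header check that Josh Peters, Chris and Phil are arguing about above, as an added example that is not part of the original post or any comment: it walks the Received: hops of a constructed sample message, records whether each hop was logged with a TLS keyword (ESMTPS/ESMTPSA) and whether the sending address is in RFC 1918 space, and lists the hops where the message crossed the public Internet with no TLS recorded. Host names and addresses are constructed; a hop without a TLS mark is only evidence of plaintext, since the receiving relay decides what it writes into the header.

```python
import re
import ipaddress
from email import message_from_string

# RFC 1918 private blocks (the "10.0.0.0/8" space mentioned in the comments).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample, newest hop first: internal Google hop over TLS, then the
# ISP-to-Google hop over plain SMTP, then the client's TLS submission to the ISP.
SAMPLE = """\
Received: from mail-int.example-google.test (10.0.0.41)
        by store.example-google.test with ESMTPS id a3
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256);
        Mon, 30 Apr 2012 10:00:03 -0700
Received: from smtp.example-isp.test (198.51.100.7)
        by mx.example-google.test with ESMTP id a2;
        Mon, 30 Apr 2012 10:00:02 -0700
Received: from client.example-home.test (203.0.113.9)
        by smtp.example-isp.test with ESMTPSA id a1;
        Mon, 30 Apr 2012 10:00:01 -0700
From: alice@example-isp.test
To: alice@example-google.test
Subject: test

body
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
WITH = re.compile(r"\bwith\s+([A-Za-z0-9]+)")


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def analyze_received(raw):
    """Return one dict per Received: hop, newest first."""
    hops = []
    for hdr in message_from_string(raw).get_all("Received", []):
        text = " ".join(hdr.split())            # unfold continuation lines
        ip = IPV4.search(text).group(1)         # first address = sending host
        m = WITH.search(text)
        proto = m.group(1).upper() if m else "UNKNOWN"
        # ESMTPS/SMTPS/ESMTPSA record STARTTLS or SMTPS; some MTAs instead
        # note "version=TLS..." in a comment, so check the whole header too.
        tls = bool(re.fullmatch(r"(UTF8)?E?SMTPSA?", proto)) or "TLS" in text.upper()
        hops.append({"ip": ip, "proto": proto, "tls": tls, "private": is_rfc1918(ip)})
    return hops


def cleartext_public_hops(hops):
    """Hops that crossed a public network with no TLS recorded."""
    return [h for h in hops if not h["tls"] and not h["private"]]
```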
By Dmitriy Likhten on Apr 30 2012
If google stored my data unencrypted, I would be highly worried as basically any google employee with sufficient privileges has the ability to pretty much impersonate me and thwart any attempt I make to prevent it.
Secondly https on gmail.
Thirdly he was mentioning that since you need a password to access email, two factor auth + SSL is the only truly secure and viable solution today. And it's pretty good.
By Jeff Blaine on Apr 30 2012
Google most definitely does not encrypt your email "at rest" / on its disks. Anyone with sufficient access to Google's servers can read any of your messages.
Honest.
Really.
By email security on Dec 1 2012
I feel insecure about email security, as it contains a large number of confidential data. Thanks for sharing such golden security tips.