How secure is your Webmail?

Over the past few years, more and more people have chosen web-based email services over conventional email software such as Microsoft Outlook. Web-based email is truly cross-platform: it can be accessed from any internet-enabled device, be it a Windows or Mac computer or a mobile phone. We are continually prompted to enter a username and password on every website that holds personal information about us or provides us with a service. But what actually happens when we log on to one of these email services, or to any online service that asks us to authenticate?
When we log on to a website such as Facebook, for example, we enter our username and password into two text boxes, click the “Login” button, and we are authenticated. Most login facilities on websites are simply an HTML form with two text boxes and a “Login” button. When we click “Login”, the browser generates an HTTP POST request, and our credentials travel in its body to the website’s server to be checked. Security-aware web developers make sure this request is protected by SSL, but as countless penetration tests have shown, many sites do not. Users’ details are often sent in plain text, which lets anyone who can see the network traffic (a hacker or criminal on the same network) capture your username and password as you log in.
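The following is an added example, not code from the original article. It shows exactly what a passive sniffer recovers from a login form submitted over plain HTTP, by parsing a constructed capture of the browser’s POST request; the hostname `webmail.example` and the field names are assumptions, not any real provider’s. A constructed TLS record is included for contrast: once the login travels over SSL/TLS the same parser finds nothing to read.

```python
# Added example, not code from the original article: what a passive sniffer on
# the same network recovers from a login form submitted over plain HTTP.
# The request bytes below are constructed for this demonstration; the host
# name and field names are assumptions, not any real provider's.
from urllib.parse import parse_qs

# Constructed capture: a browser's POST for an HTML login form, no TLS.
CAPTURED_HTTP_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: webmail.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 47\r\n"
    b"\r\n"
    b"username=alice%40example.net&password=s3cret%21"
)

# Constructed contrast: the first bytes of a TLS handshake record (content type
# 0x16, version 3.1). After the handshake the same POST travels inside encrypted
# records, so there is no request line, no headers and no body to read.
CAPTURED_TLS_BYTES = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"


def recover_login(raw: bytes) -> dict:
    """Parse one raw HTTP request and pull out the submitted form fields.

    Returns {} for anything that is not a readable form POST, which is all
    a sniffer gets when the login travels over SSL/TLS.
    """
    head, separator, body = raw.partition(b"\r\n\r\n")
    if not separator:
        return {}                      # no HTTP header block: not plain HTTP
    try:
        start_line, *header_lines = head.decode("ascii").split("\r\n")
        method, path, _version = start_line.split(" ", 2)
    except (UnicodeDecodeError, ValueError):
        return {}                      # binary or malformed: not an HTTP request
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if method != "POST" or not headers.get("content-type", "").startswith(
        "application/x-www-form-urlencoded"
    ):
        return {}
    length = int(headers.get("content-length", len(body)))
    # parse_qs URL-decodes the values (%40 -> @, %21 -> !) and returns lists;
    # a login form sends each field once, so keep the first value.
    fields = {k: v[0] for k, v in parse_qs(body[:length].decode("latin-1")).items()}
    return {"target": f"http://{headers.get('host', '')}{path}", "fields": fields}


if __name__ == "__main__":
    print(recover_login(CAPTURED_HTTP_POST))
    # {'target': 'http://webmail.example/login',
    #  'fields': {'username': 'alice@example.net', 'password': 's3cret!'}}
    print(recover_login(CAPTURED_TLS_BYTES))   # {}
```

Note that the attacker gets not only the password but also the host and path it was sent to, so the stolen credentials come ready to replay.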
SSL to the rescue!
SSL (Secure Sockets Layer, since superseded by its successor TLS, although the name SSL has stuck) is the technology that prevents anybody listening to (or sniffing) the traffic between your browser and the web server you are connected to. When the website you are on is connected securely via SSL, you will notice several things about your browser that reassure you that your connection is secure:
- The website address you are visiting will have HTTPS:// at the beginning of it.
- There will often be a small padlock icon displayed, either next to the URL bar, or in one of the corners of the browser window.
- In some cases, the URL bar itself will turn green when you are connected securely.
So what does that mean to me?
When you are connected securely to a website, everything you send to it is protected in transit. The data is not merely protected on your computer, as many people wrongly believe: it is encrypted inside the browser, before it reaches the network, and stays encrypted all the way to the web server. That matters because anyone sitting between the two ends, on your local network, at the WiFi hotspot or at your ISP, sees only ciphertext rather than your username and password.
Like comedy - timing is everything!
Even when the login itself takes place over a secure connection, it matters when that secure connection is established. It is quite common for websites to display the login form over an insecure (HTTP) connection, and only obtain a secure connection when the user clicks the “Login” button. The problem is that the form arrived unprotected: anyone in the path could have altered it, for instance by rewriting the form’s action so that the credentials are posted to an HTTP address or to a server of their choosing, and the user has no padlock to check before typing. The login page itself, not only the submission, needs to be served over HTTPS.
On occasion, I have seen websites that do the opposite: the login page is displayed over a secure connection, but the user’s details are sent in plain text. This sometimes happens when a third-party web application is used for part of the page, or when the login script was set up to use an insecure connection during development and was not updated when the site went live. The padlock on the login page offers no protection here, because the POST carrying the credentials leaves the browser unencrypted.
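Both mistakes described above can be caught by looking at two URLs: the one the login page was served from and the one its form submits to. The script below is an added example, not the article’s own code; it parses a login page with Python’s standard `html.parser`, resolves the form’s `action` against the page URL (a missing `action` means “submit to the current page”), and classifies the four combinations. The sample pages and the hostname `webmail.example` are constructed for the demonstration.

```python
# Added example, not code from the original article: audit where a login form
# is served from and where it submits to. Sample pages are constructed; the
# hostname webmail.example is an assumption.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect every <form> with its resolved action URL and its input fields."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.forms = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # No action attribute means the form posts back to the page's own URL.
            action = urljoin(self.page_url, attrs.get("action") or "")
            self.forms.append({"action": action, "inputs": []})
        elif tag == "input" and self.forms:
            field_type = (attrs.get("type") or "text").lower()
            self.forms[-1]["inputs"].append((field_type, attrs.get("name") or ""))


def audit_login_form(page_url: str, html: str) -> dict:
    """Return a verdict on the first form on the page that has a password field.

    page_https   - was the form itself delivered over HTTPS?
    action_https - will the credentials be POSTed over HTTPS?
    """
    parser = FormCollector(page_url)
    parser.feed(html)
    for form in parser.forms:
        if not any(field_type == "password" for field_type, _ in form["inputs"]):
            continue
        page_https = urlsplit(page_url).scheme == "https"
        action_https = urlsplit(form["action"]).scheme == "https"
        if page_https and action_https:
            verdict = "ok"
        elif not page_https and action_https:
            verdict = "form over HTTP: page can be tampered with before submit"
        elif page_https and not action_https:
            verdict = "credentials POSTed in plain text despite HTTPS page"
        else:
            verdict = "no TLS at all"
        return {"action": form["action"], "page_https": page_https,
                "action_https": action_https, "verdict": verdict}
    return {"verdict": "no password form found"}


# Constructed sample pages.
HTTP_PAGE_HTTPS_POST = """
<form method="post" action="https://webmail.example/auth">
  <input name="user"><input type="password" name="pass">
  <input type="submit" value="Login">
</form>"""

HTTPS_PAGE_HTTP_POST = """
<form method="post" action="http://webmail.example/auth">
  <input name="user"><input type="PASSWORD" name="pass">
</form>"""

RELATIVE_ACTION = """<form method="post" action="/auth">
  <input name="u"><input type="password" name="p"></form>"""

if __name__ == "__main__":
    print(audit_login_form("http://webmail.example/login", HTTP_PAGE_HTTPS_POST))
    print(audit_login_form("https://webmail.example/login", HTTPS_PAGE_HTTP_POST))
    print(audit_login_form("https://webmail.example/login", RELATIVE_ACTION))
```

A tester would run this against the page as actually fetched, since the second problem is often introduced by a third-party script rather than by the HTML the developer wrote.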
You're just trying to scare me!
You may think that the risk of somebody listening to (or sniffing) the traffic leaving your computer is not that great. However, there are many malicious hackers who will quietly sit in public WiFi hotspots in airports and coffee shops and monitor network traffic for anything of interest. There may also be somebody in your workplace or organisation with an unhealthy interest in reading your email.
Many computer users also handle their passwords insecurely: they choose easily guessable passwords and reuse the same one for their email, banking, social networking and so on. Capturing the login details for your webmail service can therefore give an attacker access to a multitude of other sites, and with access to your mailbox they can also reset the password of any account that sends its reset link there.
While insecure logins can affect any website not designed with security in mind, the research in this article concentrates on web-based email providers. When we log on to our email websites, we assume that it is done securely and that nobody else can access our account without our knowing. Sadly, many providers either have no provision for a secure SSL login at all, or offer it only as an option. It is beyond belief WHY they would make security optional on their service, as logging in insecurely is hardly a positive in my opinion.
So what can I do?
When providing your username and password to any website, be cautious. Make sure not only that it is done securely, but also that the website requesting the information IS the website you intended to visit. Phishing scams are sadly on the rise: criminals dupe their victims into visiting a website that looks identical to the genuine site in order to siphon off credentials as they log in.
Below is a simple list of five things you can do when logging into your webmail or any other online site that requires authentication.
- Check that the website address is the one you intended to visit.
- Check that the website address is prefixed with HTTPS://
- Check that the secure padlock icon is displayed, or the URL bar is green (browser dependent).
- Check that when you click the “Login” button, you are taken to a secure web address (HTTPS).
- Avoid visiting web links directly from emails. Instead, type the organisation's address into your browser manually. It is common for phishing emails to show the name of a genuine website as a hyperlink that, when clicked, takes you to the phony page. Typing the address in manually ensures that you are visiting the genuine website.
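The last item in the list rests on a pattern that can be checked mechanically: a link whose visible text names one site while its `href` points to another. The script below is an added example, not the article’s own code. It extracts every `<a>` from an HTML email with Python’s standard `html.parser` and flags links where the site shown to the reader differs from the site the browser would actually open. The sample email and the hostnames `webmail.example` and `webmail-example.attacker.test` are constructed; the “last two labels” comparison is an assumption that is adequate for a demonstration but not a substitute for a proper public suffix list.

```python
# Added example, not code from the original article: flag links in an HTML
# email whose visible text names a different site than the href points to.
# The sample email and hostnames are constructed for this demonstration.
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_part(host: str) -> str:
    """Crude comparison key: the last two DNS labels. An assumption for the
    demonstration only; real tooling would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html: str) -> list:
    """Return links whose visible text names a site other than the real target."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        actual_host = urlsplit(href).hostname or ""
        # The visible text may be a full URL or a bare hostname and path.
        shown = text if "://" in text else "http://" + text
        shown_host = urlsplit(shown).hostname or ""
        if "." not in shown_host or " " in shown_host:
            continue          # plain words such as "click here": nothing to compare
        if registrable_part(shown_host) != registrable_part(actual_host):
            flagged.append({"shown": text, "actual": actual_host})
    return flagged


# Constructed phishing-style email: the first link shows the genuine address
# but points elsewhere, the second is honest, the third is just a label.
SAMPLE_EMAIL = """<p>Your mailbox is almost full. Please sign in at
<a href="http://webmail-example.attacker.test/login">https://webmail.example/login</a>
or <a href="https://webmail.example/help">webmail.example/help</a>
or <a href="http://webmail-example.attacker.test/x">click here</a>.</p>"""

if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_EMAIL):
        print(f"shown as {hit['shown']!r} but goes to {hit['actual']}")
```

The third link is not flagged, which is the point of the advice above: a bare “click here” gives the reader nothing to compare, so the only safe course is to type the address yourself.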
Ian Reynolds
Tags: HTTPS, SSL, Secure Login, Web Applications, Webmail (filed under Web Security)


