S 5.96 The secure use of webmail
Initiation responsibility: Administrator, IT Security Officer
Implementation responsibility: User, Administrator
Not all organisations operate their own mail server, preferring to use mail hosting services offered by external providers. Webmail is a simple, user-friendly way of accessing mail services through providers' web servers. The term webmail covers all Internet-based e-mail services which can be accessed with only a web browser and an Internet connection. This includes for example services offered by German providers Web.de, Freenet.de or gmx.de. Web-based e-mail services allow users to access their e-mails regardless of geographic location and provider.
When setting up a webmail account, it is generally necessary to give the name and address of the user, the required e-mail address and an access password. Some providers require written confirmation of the registration. The chosen password is used for the purposes of authentication when the user subsequently logs on. The user then receives one or more e-mail addresses and a user account for receiving, processing, and sending e-mail.
There are numerous webmail service providers, many of whom even offer their services free of charge. It should be borne in mind that there is a significant variation in the range of functions offered by different providers (e.g. mailbox size, fax, SMS, spam filters, etc.) and - more importantly - in the level of security offered. In some cases there are serious security gaps.
A service provider should therefore be chosen with great care, with particular attention being paid to the following points:
- First, the terms and conditions should actually be available online and, second, they should be comprehensible and should not contain any unacceptable clauses. Unacceptable clauses may, for example, include an agreement allowing the provider to forward the customer's personal data to third parties, which may compromise data privacy and often results in a flood of advertising mail. The provider should also agree to notify customers in due time of any major changes in services and prices, so that customers can respond (e.g. by diverting incoming mail or backing up mailboxes).
- Frequent travellers attach importance to having worldwide access to their mailboxes. In general, it is also worth checking how long it takes to send or receive e-mails.
- Users should check how user-friendly the services are and should also enquire as to whether online help, FAQs or other documentation are available. Other aspects requiring investigation include the availability and expertise of the support team (by e-mail, telephone or fax).
- The evaluation of the security offered by the services should include the following technical and organisational security precautions:
  - It should be possible to access the user account via an encrypted connection, e.g. using SSL.
  - Message encryption and digital signatures should be supported.
  - It is worth checking whether the identity of new customers is verified or whether users could, for example, open an account under a false name or a false address or choose misleading e-mail addresses, such as support@... The provider should verify the customer's identity by post.
  - Anyone can forget a password some time or other. If, however, new passwords are given out by the hotline without thorough verification of the caller's identity, this should not be misinterpreted as user-friendly customer service. Effective security checks must be in place.
  - The user's system should not be required to accept active content (Java, JavaScript, ActiveX) in order to gain access to the webmail services.
  - Incoming and outgoing e-mail should be checked for viruses as a matter of course.
  - Spam filtering should be possible.
There are also a number of points to bear in mind when using webmail services:
- The password for access to the webmail services should be long enough (at least eight characters) and complicated enough (containing numbers, letters and special characters). The password should be changed regularly and should never be stored or kept on the PC in any form. Further information on choosing passwords can be found in S 2.11 Provisions governing the use of passwords.
- SSL should be used for accessing the user account.
- E-mail should ideally be encrypted and digitally signed. This generally requires coordinating with the recipient as to which cryptographic procedures and programs are available at both ends.
- Even if a provider gives assurance of virus protection, it is still advisable to make independent virus checks on file attachments.
- Incoming e-mails should be read on a regular basis. Important e-mails should be saved locally. Mailboxes should also be cleared regularly, i.e. by deleting irrelevant e-mails and messages which have already been saved locally. The content of mailboxes should also be saved regularly on local data media and systematic backups made of e-mails which have been saved locally.
- Users should always quit the webmail service via the log-off button or a similar function so that other users cannot access the account from the local PC.
HTML-formatted e-mails can cause security problems (see T 5.103 Misuse of webmail). Users should avoid sending e-mails with HTML formatting or active content. Providers should offer the option of filtering out any active content which may be contained in incoming e-mail. It is also advisable to choose e-mail clients which alert the user to the existence of HTML-formatted e-mails before he/she opens them unintentionally.
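As an added example (not part of the BSI safeguard text), the kind of filter described above: a Python routine that detects whether a message carries an HTML body and strips active content from it (script and plug-in elements, on* event handlers, javascript: URLs), reporting how many items were removed so the user can be alerted. The SAMPLE message is constructed for this illustration.

```python
# Added example, not from the BSI text; SAMPLE below is a constructed message.
import email, html
from email import policy
from html.parser import HTMLParser
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe", "frame"}  # code/plug-in carriers

class ActiveContentStripper(HTMLParser):
    # Re-emits HTML without active elements, on* event handlers and script URLs.
    def __init__(self):
        super().__init__()
        self.out, self._skip, self.removed = [], 0, 0  # fragments, skip depth, items dropped
    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self._skip += 1          # drop the element and everything inside it
            self.removed += 1
            return
        if self._skip:
            return
        kept = []
        for name, value in attrs:
            low = (value or "").strip().lower()
            if name.lower().startswith("on") or low.startswith(("javascript:", "vbscript:")):
                self.removed += 1    # drop the handler or script URL but keep the element
                continue
            kept.append('%s="%s"' % (name, html.escape(value or "")))
        self.out.append("<%s%s>" % (tag, "".join(" " + a for a in kept)))
    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self._skip = max(self._skip - 1, 0)
        elif not self._skip:
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))

def sanitize_html_mail(raw_message):
    """Return (has_html, cleaned_html, removed_count) for a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    if part is None:                 # plain-text mail: nothing to filter
        return False, None, 0
    stripper = ActiveContentStripper()
    stripper.feed(part.get_content())
    stripper.close()
    return True, "".join(stripper.out), stripper.removed
SAMPLE = """Content-Type: text/html; charset="utf-8"

<p>Hello <b onmouseover="alert(1)">user</b>, <a href="javascript:void(0)">click</a></p>
<script>alert(1)</script><object data="x.dll"></object>
"""
```

A plain-text message yields `(False, None, 0)`, so the same call doubles as the check that tells the user whether an HTML-formatted e-mail is about to be opened.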
Review questions:
- Are the terms and conditions of the webmail provider consistent with the organisation's requirements?
- Do the technical and organisational security safeguards offered by the webmail provider correspond with the organisation's requirements?
- Are the passwords used for the webmail services complex enough and are they changed regularly?
- Are there rules regulating the local storage of e-mails when using webmail services and the handling of the mailbox?
- Are there rules regarding the secure use of webmail services?