Background
Today, e-mail has become the most widely used means of daily communication on the net. It is quick, inexpensive and convenient. Web-based e-mail services such as Hotmail and Yahoo! even allow you to send or receive e-mails at any place where there is a web browser.

However, despite its convenience, you may not be fully aware that there are a number of security issues in e-mail communication, including:

- Secrecy issue
- Content integrity issue and identity integrity issue

Since e-mail has become an integral part of our daily life, it is important for you to understand the problems and potential risks in these security issues so that you can take corresponding actions to protect your interests.

This article focuses on the potential security problems of Internet e-mail communication (i.e. SMTP, POP and IMAP) and the corresponding possible remedial solutions.
An overview of Internet E-mail
Before the security issues in Internet e-mail are discussed, let us take a glance at how e-mail communication works in the Internet. Below is a simplified diagram (Figure 1) showing a typical e-mail transmission over the Internet.

Figure 1. How e-mails are transmitted over the Internet
In this figure, Aaron (a CU student) sent an e-mail from his PC to Flora (an MIT student) through the Internet.

- Path 1 - The e-mail is first transmitted to the e-mail server of CUHK.
- Path 2 - The e-mail server of CUHK forwards the e-mail to other Internet mail servers (called Mail Relays).
- Path 3 - The e-mail is finally forwarded to the e-mail server of MIT. Flora uses her e-mail program to check the e-mail from the e-mail server of MIT.

From the diagram, one can easily understand that a complete e-mail communication involves sending/transferring and receiving. In Internet e-mail communication, some standard methods (protocols) are used for sending/transferring and receiving e-mail so that the software involved can understand each other.

In Internet e-mail communication, the standard/protocol used for sending/transferring e-mail is SMTP (Simple Mail Transfer Protocol), while the standards/protocols used for receiving e-mail are POP (Post Office Protocol) and IMAP (Internet Message Access Protocol).

In Figure 1, Aaron sent the e-mail from his PC; the e-mail server of CUHK, the mail relays and the e-mail server of MIT use the SMTP protocol to send/transfer Aaron's e-mail. Flora, being the recipient, can use either POP or IMAP to receive/retrieve Aaron's e-mail from MIT's e-mail server.
Security Issues in Internet E-mail
Just like any information system, Internet e-mail communication is no exception: there are always security issues.

The security issues in Internet e-mail include secrecy, content integrity and identity integrity.
Secrecy
As demonstrated in Figure 2, the contents of e-mails transmitted over the Internet are in plain text format. They are also stored in plain text in your mailboxes.

Hence, e-mail can easily be revealed if:

- one can get access to your mailbox
- one knows how to tap a network connection and assemble the information flowing through the network.

Figure 2. Plain text by default during e-mail transfer
Integrity
The e-mail is stored and transmitted in plain text. As there is no mechanism to maintain the integrity of the content of the e-mail, if one can tap the connection during e-mail transfer, one may be able to change the contents of the e-mail without being noticed by the sender or the recipient.

Integrity issues arise in the contents of an e-mail as well as in the identity of the sender. Since the identity of an e-mail sender is not required to be authenticated before he/she sends an e-mail, anyone can forge an e-mail claiming that it was written by someone else. In other words, if you receive an e-mail from someone, you cannot be sure the e-mail was really written by that person.
Solutions for Security Problems in Internet E-mail Provided by ITSC
Secrecy
Many popular e-mail programs today (like Netscape Mail and Outlook Express) support the use of more secure Internet protocols, called secure IMAP and secure POP, for checking e-mails.

These protocols enhance content secrecy by encrypting the content of an e-mail before it is transmitted from a mail server to a user over the Internet. The data encryption process is transparent to the sender and receiver. (Figure 3)

Figure 3. Encryption of mail content using secure IMAP or secure POP
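
The same protection used from a script rather than a mail program, as an added example that is not part of the original ITSC page: it opens secure IMAP or secure POP with the server certificate and host name verified against the system trust store before any password is sent. The function names are hypothetical, and `host`, `user` and `password` are placeholders supplied by the caller.

```python
import imaplib
import poplib
import ssl

IMAPS_PORT = 993  # IANA-registered port for IMAP over TLS ("secure IMAP")
POP3S_PORT = 995  # IANA-registered port for POP3 over TLS ("secure POP")


def verified_tls_context() -> ssl.SSLContext:
    """TLS settings that authenticate the mail server before any password is sent."""
    ctx = ssl.create_default_context()  # trusts the operating system's CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # The default context already enables both checks; fail loudly if a later
    # edit switches either off, since the session could then be intercepted.
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise ssl.SSLError("server certificate verification is disabled")
    return ctx


def count_inbox_imap(host: str, user: str, password: str) -> int:
    """Log in over secure IMAP and return the number of messages in INBOX."""
    with imaplib.IMAP4_SSL(host, IMAPS_PORT, ssl_context=verified_tls_context()) as conn:
        conn.login(user, password)  # credentials travel inside the TLS session
        status, data = conn.select("INBOX", readonly=True)
        if status != "OK":
            raise imaplib.IMAP4.error(f"cannot open INBOX: {data!r}")
        return int(data[0])


def count_inbox_pop(host: str, user: str, password: str) -> int:
    """Log in over secure POP and return the number of messages waiting."""
    conn = poplib.POP3_SSL(host, POP3S_PORT, context=verified_tls_context())
    try:
        conn.user(user)
        conn.pass_(password)
        message_count, _mailbox_bytes = conn.stat()
        return message_count
    finally:
        conn.quit()
```

A certificate that fails verification raises `ssl.SSLCertVerificationError` while the connection is being opened, so the login is never sent; this is the scripted counterpart of the certificate prompt Netscape shows in the setup steps.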
The Campus-wide E-mail (Mailserv) system provides secure IMAP and secure POP. The following table summarizes the support of secure IMAP/POP for some popular e-mail programs:
| E-mail program | Supports secure IMAP? | Supports secure POP? |
| --- | --- | --- |
| Netscape 6 or above | Yes | No |
| Outlook Express 5.0 or above | Yes | Yes |
| Netscape 4.7 | No | No |
| Eudora 5.1 | No | No |
Setting up Netscape 6 to use secure IMAP
- Start Netscape, and then select the item Mail under the Tasks menu or click the "Mail" icon as below.
- Then select Edit -> Mail/News Account Settings in Netscape Mail as shown below.
- In the "Accounts Settings" window, click Server under the Mail section; then check the item Use secure connection (SSL) as shown below.
- Click the OK button to save the change.
- When you check e-mail for the first time using secure IMAP, Netscape will prompt you to accept the digital certificate issued from the mail server. Click the Next button to confirm step 1 as below.
- Then you may select to accept this certificate each time, or to accept it until it expires. In this example, we choose to accept this certificate until it expires.
- Then you can start using Netscape Mail with the secure IMAP protocol to receive your e-mails. The data transmission between your PC and the Campus-wide E-mail (Mailserv) system will be encrypted automatically.
Setting up Outlook Express 5.x to use secure POP/IMAP
- Start your Outlook Express and select Tools -> Accounts as below.
- Under the Mail tab, highlight an e-mail account (e.g. a107700) and click the Properties button.
- If you are using IMAP to check e-mails, click the Advanced tab and check the option "This server requires secure connection - SSL" under the item Incoming Mail Server - IMAP.
- If you are using POP3 to check e-mails, click the Advanced tab and check the option "This server requires secure connection - SSL" under the item Incoming Mail Server - POP3.
- Click the OK button to save the change.
- Then you can use either the secure IMAP protocol or the secure POP protocol to enhance security in your e-mail activities. All data transmission between your PC and mailserv will then be encrypted automatically. Unlike Netscape, Outlook will not ask you to accept the digital certificate the first time you check e-mails.
Integrity
The problems in content integrity and user identity integrity in e-mail communication can be solved by using a digital certificate, which can provide encryption of the content of an e-mail and signing of an e-mail. The use of a digital certificate for encrypting an e-mail and signing an e-mail has been documented at http://www.cuhk.edu.hk/ca/.

While many e-mail programs support digital signatures and digital certificates, ITSC recommends two of them:

- Netscape Messenger 4.5 (comes with Netscape Communicator 4.5) or above, and
- Microsoft Outlook Express 4.0 (comes with Microsoft Internet Explorer 4.0) or above.