53

The title says it all, really. I'm Alice, and I want to login to Gmail's web interface through my browser. Ike, the internet service provider, and Adam, the local network administrator, would like to know what my Gmail email address (username) is. Is there any conceivable way for things to happen so that either one of them could possibly learn it?

David
  • 15,814
  • 3
  • 48
  • 73
Anon
  • 541
  • 4
  • 4
  • 4
    Does your administrator Adam have control over your machine? Does Adam have local admin rights on your computer, the ability to install software on your computer, the ability to install new root certs on your computer, etc.? The answer to these questions will determine whether Adam can learn your gmail email address. – D.W. Jun 16 '14 at 22:26

5 Answers5

53

For your average home user, services like GMail (that are run over TLS) would not leak information like the username to the ISP or network administrator.

If you're using a machine that is also administered by the LAN administrator (e.g., a work computer attached to a domain run by the company), then you have to assume they can read anything you do on it. They could have software to log your activity (browsing and/or keystrokes), they could have installed extra SSL certificates that allow them to MITM your connection to GMail (or any other site).

If you believe your computer has not been tampered with and is not under the control of someone you don't trust (i.e., the LAN admin doesn't control your machine), then you can connect to GMail over https. (At this point, the LAN admin is equivalent to an attacker on the internet.) Ensure that you connect to https://mail.google.com with a valid certificate, and then all your traffic between your computer and the GMail servers are encrypted. This would include all information about your account, including the username with which you are logged in.

David
  • 15,814
  • 3
  • 48
  • 73
  • 4
    I can see this for someone with local admin rights, not someone who is only administering the *network* (although maybe in practice there's rarely someone who fits that description). Such an attacker is not (AFAIK) so different from any intermediary on the Internet, and SSL (AFAIK) protects against attackers there. – Tim S. Jun 15 '14 at 19:24
  • Yes, but many people use the term "local network administrator" to refer to someone who has various privileges, e.g., domain admin access. A domain admin on a joined PC also has local admin, of course, and thus can see what the user is doing. I wanted to cover all the bases. – David Jun 15 '14 at 20:26
  • But the question doesn't state that Adam (the network administrator) has control over the user's (Alice's) machine. So this answer is assuming a premise that is not in evidence. – D.W. Jun 16 '14 at 22:26
  • I stated the premise because the term "LAN administrator" can mean many things. – David Jun 16 '14 at 23:14
  • Perhaps "domain controller" would be a better term? – Dan Henderson Aug 18 '15 at 18:48
32

To complement @David's and @Steve's answers:

  • If the attacker ("Adam", in your case) has administrative access to your machine, then he can learn all your secrets. Installing an extra root CA, under his control, to run routine MitM interception on your SSL connections is a popular tools for honest (but nosy) sysadmins: it is a one-time installation which won't be jeopardized by software updates, and won't incur compatibility issues with other software such as antivirus. However, a nosier sysadmin who wants his spying to remain discreet has a lot of other options, such as installing keyloggers, screen capture tools, and generally plundering the data right from the RAM of the machine.

  • If the attacker does not have access to your machine's innards, then he should be kept out of your SSL exchanges. He will still be able to notice when you connect to Gmail, and can observe the exact size of the data elements exchanged with Gmail. He can probably work out the length (in characters) of your Gmail address.

    As @Steve observes, a Gmail address is not designed to be a secret, and will leak in many places. In any case, as an email address, it is necessarily shared with other people (those who send emails to you), and therefore cannot be considered truly secret.

    If you use Google+ (indexed by your email address), the evil sysadmin will notice your activity, and may correlate it with visible activity on some candidate Google+ accounts. After all, if he is after you, then he is interested in you, and may as well show some dedication and track you competently.

Tom Leek
  • 168,808
  • 28
  • 337
  • 475
  • If they have administrative access to the machine they can also keylog. – Cruncher Jun 16 '14 at 13:52
  • This doesn't really answer the interesting question, though, of what happens if (a) the admin Adam doesn't have local administrative access to Alice's machine, and (b) Alice doesn't use her Gmail address to send email to anyone else at her company. You say it "will leak in many places", but can you give examples of how it would leak, to Adam (i.e., to someone with the ability to eavesdrop on network traffic)? It might be prudent to assume it *might* leak (just to be on the safe side), but that's different from saying it *will* leak or that there definitely is a mechanism by which it'll leak. – D.W. Jun 16 '14 at 22:29
  • 1
    @Tom, Couldn't you just remove the extra root CA and problem settled? – Pacerier Jan 16 '15 at 11:14
19

As David says, the provider of your network usually can't see data passed over https connections.

However, your Gmail address is not necessarily passed only over https connections. For example, if you log into StackExchange using your secret Gmail account and visit the http (not https) version of your user profile page, then your Gmail address is sent to you unsecured in the contents of that page. The provider of your network connection could then see it. The same may be true of other sites that use https for OAuth login but not for all traffic.

Also, as user49372 points out, if Adam is willing to mount an active man-in-the-middle attack, and if you log into StackExchange using your secret Gmail address, he could inject stuff into your normal http traffic that would redirect your browser to the http version of your StackExchange profile page.

So yes, there are conceivable ways Adam or Ike could learn it even assuming that they can't interfere with your machine or otherwise overcome the security provided by https.

Community
  • 1
Steve Jessop
  • 2,008
  • 10
  • 14
  • 1
    This is the best answer, as it shows a way that the addressed could be leaked **without even using Gmail**. That is a security concern (regarding Oauth) that I had not considered before. I wonder if the OP actually does use that weird Stack-something site, though. What is it for? – dotancohen Jun 17 '14 at 10:07
  • @dotancohen: not clear, seems to be intended as background information for an online politics game called "meta". With OAuth, when you click the button saying "yes, I want StackExchange to be able to see my email address", that's your first and only notification that StackExchange is now able to leak it to anyone, any way it likes ;-) – Steve Jessop Jun 17 '14 at 16:57
  • Right on both counts! – dotancohen Jun 17 '14 at 18:52
6

Using Steve Jessops idea, your provider could inject iframes or redirects in your normal http traffic, which will load your profile on stackexchange unsecured with http or any other page that does the same.

user49372
  • 61
  • 1
  • I switched off the "HTTPS Everywhere" rule for StackExchange in my browser some time ago, because it broke login for some SE sites. I wonder if it works now. It would block at least some such attacks, since the browser would cunningly refuse to retrieve the page over http. – Steve Jessop Jun 17 '14 at 17:01
5

The one answer I haven't seen given here is one that relates to corporate environments, like mine, where the corporate machines access the 'net through a filter/proxy, which allows the "administrators" to inspect SSL traffic, by forcing client machines to trust the webfilter/webproxy's SSL certificate. The webfilter/webproxy then impersonates the client machine to Google (or any other online service), downloads the content, and then passes it back to the client machine by impersonating Google (or any other online service) to the client.

This is, in effect, a MITM attack, but it's common enough that I think it bears mentioning, specifically.

If you access the 'net through a proxy or filter that's setup to inspect SSL traffic, then to your administrators, anything done over https is viewable as if it was sent in plaintext.

HopelessN00b
  • 3,385
  • 19
  • 27