0

I got an email that "supposedly" was secure. It had a link which said that to get secure message follow this link. They could have verified it was me by asking my bank or my smart card to authentication me but they did not.

Now since the link encoded a password in the URL as website (over https), how is this supposed to be more secure? Or is it a security feature of the sending agency (which is sort of a insurance company), as they can now revoke the message and I'm left out with nothing. example:

this is a secure mail please read it at:

https://agency.org/login.cgi?ywt786u2y18926uye8924uiyew89y6ry3y47832teyutew78832..

click link

And then the browser opens what amounts to the body text of the mail. The link itself is multi use and expires in 7 days.

What kind of security does his actually provide? As far as I understand they sent the link over unsecured channels so its just as prone to hijacking as plain email. Is this giving recipients false sense of security?

I am not asking if its secure as such just trying to understand what the mechanism might be.

Edity:

This is a sort of insurance agency although it is not a insurer in the common sense. Well I was half expecting the mail (in that i knew they would mail me at some point). Although to be honest the mail would have been nearly as informative if it had just said "Done"! Besides they sent me a copy over snail mail anyway (it arrived 3 hours later). But that does not mean they dont send sensitive information.

Edity 2:

Since this is apparently unclear the link is nothing spectacular just a link with a really long hash in the end. The only other thing i can think of is: That it validates the sender is who they say they are. (now I can validate the certificate of the website)

joojaa
  • 475
  • 4
  • 11
  • We may need a bit more information. Who was this secure email from? What was it for? Was it something you were expecting? – user1751825 Feb 17 '16 at 14:14

2 Answers2

1

Your question is very unclear but as far as I understood it, this agency sent you a link via email, and the link URL included your credentials, e.g.

https://agency.org/login.php?user=joojaa&password=abcd4321

Of course this is very insecure as URLs can be sniffed (HTTPS protects the content, not the identity of the URL being accessed) and in this case an eavesdropper would have access to your credentials.

Edit: as per OP's comment:

Yes this is basically how it worked. exept there was no user just a really long password

it appears that the URL contained just a GUID, probably a one-time token. It is difficult to say whether this is secure or not; if this was for the activation of the OP's account, there's probably not to worry. On the other hand, if that token alone allows to login to the OP's account, that's very bad.

Related discussion here: Are GUIDs safe for one-time tokens?

Community
  • 1
dr_
  • 5,060
  • 4
  • 19
  • 30
  • Yes this is basically how it worked. exept there was no user just a really long password – joojaa Feb 17 '16 at 14:26
  • Well this si what i speculated, but maybe they aren't trying to secure the communication with me but themselves? – joojaa Feb 17 '16 at 14:40
1

A link can be encrypted so that it cannot be decoded or altered, and it can (and should) be made to work only once.

As long as you're accessing your email over HTTPS, and your email account itself hasn't been compromised, then this should be relatively safe.

Making the link expire after a single use means you'll immediately know if someone has previously accessed it.

Depending on the nature of the content that's being sent, it could be made much more secure by adding 2 factor authentication, using SMS codes.

user1751825
  • 905
  • 4
  • 10
  • No the link wasn't really single use ive now been reading the link x times with 2 different devices and they say it expires in 7 days. – joojaa Feb 17 '16 at 14:28
  • @joojaa OK, then the secure email is pretty much just a gimmick. It's really not providing any additional security – user1751825 Feb 17 '16 at 14:33
  • What i was wondering rather is that maybe I'm not the one they are securing. Maybe they are securing themselves somehow. – joojaa Feb 17 '16 at 14:38
  • 1
    @joojaa One thing they would be able to do is track access to this secure content. This may provide some level of additional security to the content provider. They could, for example, implement geo-blocking, to prevent the content being access from outside some specific geographic area. – user1751825 Feb 18 '16 at 04:31