6

Which offers a higher level of safety: Webmail or using a POP3/IMAP client?

Assume the following for webmail:

  • Access via HTTPS
  • Rarely downloading any attachments, but in cases where it may be necessary, carefully verifying the integrity and authenticity of the attachment after it has been downloaded

Assume the following for POP3/IMAP client:

  • Always using the latest version of the client
  • Rarely opening attachments (the client will still download all of them), but in cases where it may be necessary, first carefully verifying the integrity and authenticity of the attachment

In both cases, assume the OS has the latest security patches applied.

RockPaperLz- Mask it or Casket
  • 3,114
  • 21
  • 50
  • The main difference here is the required open ports and protocols used. I suggest you also mention your thoughts on these. May significantly affect what you need to defend against. – Marcel Mar 31 '22 at 19:35

3 Answers3

3

I can't see difference if we are talking just about data transfer. If HTTPS, POP3S, IMAPS and SMTPS protocols are in use of course. Always use secured versions of protocols.

If we are talking about software - browser or the client, thats the same. Use patched software, all the time. The hole can be in both, web browser and mail client too.

Never opening attachments can't make the email more secure. It will make it useless. If you would state: never opening suspicious attachments it would sound better.

What I can see as a problem is user behavior. While POP3/IMAP client will be probably used only in user's device, it is highly probable that the web mail will be used from anywhere, even from a non-trusted PC. There is no possibility to guarantee "security" in this case. Traffic analyzers, key loggers, or whatever so can be installed there.

Edit: for somebody the added value of thick email client would be it is possible to install some kind of antivirus/antimalware plugin there. But in reality, this can't increase protection against malicious software so much.

Fis
  • 1,200
  • 7
  • 10
  • 1
    I agree with all @Fis has to say, but i'm still looking out for a more technical and detailed justification. – Adib N May 26 '17 at 16:30
  • Regarding attachments, differentiating between suspicious attachments and non-suspicious attachments is not trivial. Devices of business associates, colleagues, and friends can all be compromised, sending out malware disguised in what looks like legitimate emails. Quite a few of us only accept properly signed and encapsulated attachments so we can very the integrity and authenticity. I'll update the question to allow for this. – RockPaperLz- Mask it or Casket May 26 '17 at 16:42
  • I have a rule... don't execute anything from email.If it is document I have no problem to open it. If it requires scripting I am really suspicious about it and rather give a call to sender. But you are correct. I can imagine people who does not know what .exe is. But everybody should be somehow educated in basic computer security. – Fis May 26 '17 at 16:44
  • I don't recommend opening documents like that. It's often trivial to compromise a system using a malformed document. Also, don't forget that executables are not just .exe files! (I'm guessing you were just using that as an example.) – RockPaperLz- Mask it or Casket May 26 '17 at 16:47
  • Didn't happen to me for about 20 years ;) I am working with images, videos, words, excels, powerpoint... If the software used to open the document is fine, you are fine too. If you would open the .swf and give it all permissions to do whatever on your computer its much bigger problem. – Fis May 26 '17 at 16:49
  • In each and every case, the email client can't protect nobody against this. And it does not matter if it is web or thick one. It can only show the warning: Its executable, don't open it or it would burn you out. The thick one can have additionally some antivirus/antimalware plugin installed. But in case of new viruses this is useless anyway. – Fis May 26 '17 at 16:52
  • I say this only with good intentions: You don't think it's happened to you in about 20 years! :) But I receive emails containing malware from all sorts of people and companies who swear their systems are secure and without malware. They are simply unaware of what is actually running on their systems or being transmitted. – RockPaperLz- Mask it or Casket May 26 '17 at 16:55
  • Don't worry, me too :) I would say all of us :D – Fis May 26 '17 at 16:57
1

For protections against vulnerabilities, there are pros and cons to either platform. While both share the same core issue of the exploitation of an application vulnerability. Since either platform is effectively utilizing an application that permits access to read the parsed email text messages.

First and foremost which application, be it browser or email client, is the crux of determining exposure to vulnerabilities. Such as with ECMAScript in the case of the browser (Safari vs Internet Explorer vs FireFox) or parsing of mail headers in the case of an email client (Lotus Notes vs Outlook vs Firebird).

Email Client Applications

The biggest drawback of any email client, is that the entire email body and attachments are downloaded to the local machine prior to being parsed & viewed. This poses serious security concerns with the parsing methods, as this could lead to the email client executing a payload without user consent.
One example is the KAK virus that used Javascript which would execute without user interaction when the preview option was enabled (default) in Outlook Express, IE was used to render the preview, exploiting a safe-scripting policy between IE and Outlook Express.
Consistency within the application provides a unified display of the content, regardless of the email service provider, which can give a false sense of security as user account settings or emails/spam are not filtered identically across providers.

Email clients are also the most common avenue of spreading viruses from an infected system. Since the virus typically will have access to process and send emails to your contacts as if it were from your physical machine/network.

From a system admin perspective, the MBOX, PST (MS Disclaimer), or similar email archive file will be persisted and accessible as a local system file. Granting the ability for a malicious actor to obtain the archive of downloaded messages from the file, circumventing the requirement for email account owner credentials.

Webmail or Browser Based Email

Vulnerabilities within the browser, its addons/plugins/extensions and the webmail provider (Gmail, Outlook, Yahoo) are the main points of entry.
Unlike email client apps, most modern day browsers utilize sandboxing which isolates malicious activity to only be able to interact with the DOM, preventing any access to the local system files or the OS API. However, plugins installed in the browser can extend the scope of exploitation, leading to exposure to the local system files and OS API through the plugin. Major examples that were commonly exploited are IE with ActiveX/Silverlight and any browser using NPAPI (Netscape Plugin API) with Java or Flash - which has since been deprecated and should no longer be used.

On the webmail service provider's end, it would depend on whether images and scripts are allowed to be loaded/run when (pre)viewing the message/subject within the UI. The vast majority of email service providers remove these types elements from the UI asking for consent prior to allowing them. While others also use a proxy URL to the resources, reducing the exposure to advertisements and tracking techniques, allowing the provider to blacklist the original resource URL.

Attachments and External Links/Access

The common issues between webmail and email clients are the UI parsing and user-interaction of the email messages.
Opening an attachment or clicking on an external-link in a message would typically yield the same results in either the browser or email client app.

It is also important to note that NO ATTACHMENT (even images, word documents, videos, PDF, etc) should be considered "safe". All of them are susceptible to exploitation of vulnerabilities, even from trusted sources. Prime examples are the Melissa virus (contained in a Word Document) and the RCE buffer-overflow vulnerability (affected by JPEGs). Just because it hasn't happened yet doesn't mean it is not possible, that is not out in the wild, or that it happened and was unnoticed. Zero-day vulnerabilities, like the printer-spool exploit, are constantly being announced.

Account Hijacking/Unauthorized Access

Another shared cause for concern is user account hijacking. Since both require a username and password of an account holder to gain access, it exposes the potential for unauthorized access of a user's account, such as by compromised credentials, brute-force, or unattended system access.

Depending on the service provider, account access can be protected by implementing region-based security policies, forced logout periods, password expirations, strict password complexity requirements, and most notably Multi-Factor Authentication.

Take Away

Which is safest ultimately depends on necessity.

If it is imperative to limit browser access or have a set standardization for a global hub of signatures, contacts, calendars, and emails with shared inboxes that can be proceduralized. Then a standardized email client is easily deployable within an organization with group policies and automation. Features which are lacking from most webmail providers - though is slowly being improved upon.

If work is predominantly performed within a browser, there is no real benefit to force the usage of an email client over webmail. Since the end-user will be exposed to the same threats regardless.

Will B.
  • 111
  • 5
  • 1
    Thank you for finding my old question and providing such an excellent answer. I think one of your most important points is that today's web browsers use sandboxing techniques whereas email clients may not. – RockPaperLz- Mask it or Casket Feb 02 '22 at 00:42
  • I will add that IMAP allows to only download the headers (first). And that there are clients that are not graphical at all (like mutt) making any image based attack much harder. – LvB Feb 02 '22 at 09:40
0

I assume here that you only use TLS whatever the client and protocol. IMHO, the main difference is that when you use a IMAP/POP/SMTP client, the interface is controlled from your machine, so the provider cannot inject links.

When you use a HTTP Webmail, the interface is controled by the server, so he can add links to advertise his own add ons. This is not related to security but to user experience.

The other (more important difference) is that when you use IMAP/POP, you normally have all the mails in a local folder. It should not be a problem if you manage the security of your machine, but you should be aware of it.

My advice is:

  • use IMAP/POP if you want to keep archived mails localy and do eventually complex searches in the mailboxes. I have always used a full mail client for my professional mail for example
  • use a Webmail when you borrow a machine: when you visit a friend or a family member and you need to download/print something or you have no smartphone - but be cautious about the security of the borrowed machine: it depends on how you trust the person you borrow it from.

As I have already said, this is a matter of user experience, not of security - except of the security related to using a machine you do not own in case of webmail, but it is not this question...

Serge Ballesta
  • 25,636
  • 4
  • 42
  • 84