
In many services, email can be used to reset the password, or do something that is sensitive. Sensitive data is also quite often sent to you by email, e.g. long links that enable access to your account or similar.

However for most people, their email service provider can read all their emails, can see what is being sent, and can send email themselves as "you". So doesn't that give your email service provider basically full access to your accounts? This seems like the incorrect medium to send such information via.

I don't really know if this matters, however you never really see these email services sending you "encrypted" email with your pgp key.

Also, it is well known that email is inherently insecure, or not designed with privacy or security in mind.

However it keeps being used for these purposes.

deep64blue
Teipekpohkl
  • +1. In addition to the vulnerabilities that you describe, certificate authorities often use email verification to validate domain ownership when issuing SSL certificates. See https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-email.html. So, a rogue email provider could easily get a fake CA-signed certificate for your site. – mti2935 Jan 01 '21 at 13:43
  • 86
    "So doesn't that give your email service provider basically full access to your accounts" - you mean like your bank can steal all your money? At some point you have to trust someone else with your stuff if you want to live in modern society. – NotThatGuy Jan 01 '21 at 22:05
  • 8
    @NotThatGuy Or, a bit closer to home: your domain registrar could steal your domain, and with it your website/email/etc. – marcelm Jan 01 '21 at 22:15
  • @NotThatGuy +1, that's a good point. That's why Satoshi Nakamoto invented the blockchain. – mti2935 Jan 01 '21 at 23:28
  • This is why I avoid providing email or cell phone information to businesses. The only issue is, should I not set up any online account, then someone else may, using my name. I actually don't have any cellular phone plan of any sort today, which seems to freak people out. As for email, I just say that I'm uncomfortable providing that information and they stop asking. If they insist, I give them no-reply@{my-domain}, which many business email systems know to not use, or so it seems. If we have a business relationship, they know my name and address; that's sufficient. – JohnP Jan 02 '21 at 01:48
  • 24
    @mti2935 You still have to trust 51% of the blockchain miners. And you still have to trust other people to accept the cryptocurrency. You can not live in a society with other people without *trusting somebody, at some point*. Otherwise, your only chance is to become a hermit. – Polygnome Jan 02 '21 at 11:47
  • 1
    Most people do not understand blockchain enough to know why it is secure. With blockchain, you need to secure the infrastructure, and not just "one device". As @Polygnome mentioned 51% attacks, there is also 34% attack. Due to how blockchain works, they are more secure, but compromised systems are also harder to restore, and you may not be able to directly fix bad data written by malicious attacks. – Nelson Jan 04 '21 at 04:18
  • 5
    @Polygnome and only a few thousand people control 51% of BTC mining, most of them in China. It would be fairly trivial for the Chinese government to take over Bitcoin entirely if they wanted to or at least damage it significantly to erode public trust. – JonathanReez Jan 04 '21 at 06:36
  • 2
    The largest email provider in the world used to promise they wouldn't be evil, so I'm sure we have nothing to worry about. – corsiKa Jan 04 '21 at 09:51
  • @JohnP Even then you have to trust the Post Office – jrw32982 Jan 13 '21 at 16:08
  • People use SSN for account identifiers? I remember that coming up in a meeting once (for constructing/contracting software) and discovering that you *couldn't* use SSN as an identifier—because it's not unique! Many, many employees of a contractor might in fact have the same SSN. – user3810626 Jan 14 '21 at 22:08
  • https://www.computerworld.com/article/2552992/not-so-unique.html – oligofren Jan 15 '21 at 09:30
  • `However for most people, their email service provider can read all their emails, can see what is being sent, and can send email themselves as "you".` That is why the only way is to have your own email server rather than using an external email service. Then, to have your own IT infrastructure for electronic communications. It is not so difficult today owing to computing performance. Even then, you have to trust the hardware and software developers and rely on cross-verification of code and hardware. – Aleksey F. Jan 15 '21 at 23:39

8 Answers

76

This seems like a very wrong medium to send such information via.

Email is used for the same reasons Social Security Numbers get re-used as account identifiers in the US: Ubiquity.

Not everyone has a Facebook account. Not everyone has a Twitter account. But almost certainly, anyone with Internet access has an email account. It is a reasonable expectation that customers can provide an email contact for businesses to use.

And I don't really know if this matters, however you never really see these email services sending you "encrypted" email with your pgp key.

Because pitifully few people have a PGP key, and even fewer are set up with an email client that integrates encrypted email.

I once wished to purchase software, and the vendor would only sell to people who communicated with them via PGP email. I tried sending the PGP-encrypted blob as an attachment, I tried inlining it, and I tried add-on software that integrated PGP email into my mail client - none of them passed muster with the vendor. I never purchased the software. PGP email is neither ubiquitous nor, it seems, trivially interoperable.

Also, quite often it is mentioned that email is inherently insecure, or not designed with privacy or security in mind.

However it keeps being used for that.

And it will keep being used for that until something better comes along and something better is available to everyone to use, trivially.

gowenfawr
  • An additional point of interest here: the reason SMS two-factor authentication and mobile app two-factor authentication have caught on is that almost everyone has access to a phone that can receive those messages, and most people in the developed world have a phone that can run a 2FA app like Google Authenticator. There wasn't really any publicly accessible 2FA service in the early 2000s or before because not enough people owned cellphones. – Polynomial Jan 01 '21 at 23:55
  • S/MIME has been supported by all your favorite email programs for about 20 years. The design is an IETF standard and is built on the PKCS-7 standards developed at RSA (official inventors of public key cryptography that PGP also uses). – Ram Jan 02 '21 at 03:38
  • 3
    @Ram: What about Gmail, Outlook (the web version), and Hotmail? Many people would consider one of those their "favorite email program." – Kevin Jan 02 '21 at 08:46
  • 6
    @Polynomial but then, many supposedly 2FA really require only one factor : access to the phone. – Eric Duminil Jan 02 '21 at 08:57
  • SMS 2FA can be used with a landline number (at least in the UK): the system reads the message when the phone is answered. It's a bit more difficult to misplace a landline. – Andrew Leach Jan 02 '21 at 16:26
  • well, part of this is recursive: why is it more likely for people to have an email account than a Facebook account - because Facebook uses email as primary account identifier...^^ Otherwise the percentages may change^^ The other important factor though is that email is a company independent format, Facebook accounts are not. – Frank Hopkins Jan 02 '21 at 18:46
  • 6
    @EricDuminil The other factor is your password, or access to the email account. But that's really missing the point of what I said - ubiquity drives usage. – Polynomial Jan 02 '21 at 19:34
  • @AndrewLeach This is true, but that service wasn't available until after mobile phones became commonplace anyway. Some cursory searching indicates that BT Text (the service that first provided this feature) was implemented somewhere around 2003. It's also a moot point, since most people don't know that this feature exists, and even fewer use it in practice. The point of my comment was that the ubiquity of mobile phones led to 2FA being commonly accessible for home users. – Polynomial Jan 02 '21 at 19:36
  • 8
    @Ram Theoretical capability often does not translate to practical usability. I can attest that gowenfawr's anecdote about struggling to establish PGP communications with a third party is an unfortunately common pattern, regardless of how standardised S/MIME is. Another fun anecdote: some implementations of S/MIME PGP in mail clients (iirc Thunderbird with OpenPGP on macOS is one) encode encrypted attachments as base64 inline with the message, which can completely lock up receiving clients as they try to render 40MB of base64. – Polynomial Jan 02 '21 at 19:44
  • 7
    One piece is missing: ***email is federated, standard protocol***. If a service chooses Facebook or Twitter or Google for authentication you have no recourse should they decide to deactivate your account, hand it over to someone else, use your authentications to snoop on you, or you just don't want to do business with them. ***They are monopolies***. In contrast, you choose your email provider. You can change email providers and have them forward your email. Or if you control your domain name, you can change providers and retain your email address. ***Email is a marketplace***. – Schwern Jan 02 '21 at 23:52
27

While you correctly identified problems with e-mail, a mail based verification is still considered sufficiently secure for many cases. While there are alternatives like SMS based verification, automated phone call or even snail mail, these are not as easy and cheap to use as e-mail.

The optimal security measures are usually a balance between usability (i.e. ease of use), deployability and costs vs the security provided by the measure. If more security is required, it usually means that it gets more expensive to deploy and/or harder to use. E-Mail is a good trade-off for many cases.

Steffen Ullrich
  • "While there are alternatives like SMS based verification, automated phone call or even snail mail, these are not as easy and cheap to use as e-mail." – They also assume that the user has a mobile phone, phone, or address, respectively, which is not universally true. – Jörg W Mittag Jan 01 '21 at 15:23
  • With snail mail, how would you propose to avoid the security holes caused by the chain of people physically handling it? Any organization that is generating thousands of identical-looking snail mails per day is an obvious target for someone skimming off say 0.01% of them as "lost in the post". – alephzero Jan 02 '21 at 05:03
  • @alephzero: I'm not claiming that snail mail is perfectly secure - but neither is SMS or a phone call or an e-mail. I'm only saying that these are different options with different trade-offs regarding usability, costs and security. – Steffen Ullrich Jan 02 '21 at 06:44
  • @alephzero The recipient *knows* when they don't get the mail after some time. Or if somebody has opened the letter in transit. Especially the latter isn't true for digital communication. – Polygnome Jan 02 '21 at 11:49
  • 1
    @JörgWMittag By that logic, it is not universally true that everyone has an email address either, so your line of reasoning doesn't help to distinguish between any of the methods. I know several people (mostly older) who have a mobile phone, phone, and address, but no email address. – Jon Bentley Jan 02 '21 at 22:03
  • 1
    @JonBentley: But we are talking about accounts on web sites here. It is reasonable to assume that someone who has an account on a web site will also have access to some sort of means of receiving email, e.g. a gratis webmail provider. For example, homeless people who can briefly use a shared web terminal in a shelter. They will not be able to receive snail mail because they don't have an address. At least in some countries, they will not be able to have a SIM card for the same reason. They will, however, be able to access webmail at least during those times where they can access the web. – Jörg W Mittag Jan 02 '21 at 23:48
  • @JörgWMittag I don't think that "snail-mail verification will block access for all our homeless customers" is a thought that played a role in business decisions – Hagen von Eitzen Jan 03 '21 at 13:56
  • @ Jörg W Mittag In many countries, a poste restante service is available, where you don't have your mail delivered to an address. Instead, you register a post office, and are expected to go there regularly to pick up your mail. – AndrejaKo Jan 03 '21 at 15:16
  • I wonder if there would be any difficulty standardizing an email header that would request that an email server discard most of a message if the present account did not exist on a particular date [the server could deliver a notice indicating that a message was discarded and indicating the date in a message]. While this would be "on the honor system" for the email provider, a promise to treat messages that way in future could be seen as desirable for the present clients of an email service (knowing that if the email address gets reissued but the service honors the promise, the new owner of the address won't be able to use it to receive 2FA emails intended for the old one). – supercat Jan 04 '21 at 16:47
14

Email is the least worst option.

It's not just the ubiquity of email. Email is a federated, standard protocol. No one entity controls email. Email is a marketplace. You choose your email provider. Don't trust them? Take your business elsewhere. There are thousands and, from an authentication perspective, they are all equivalent. You can even run your own service, though server reputation has made this more difficult. Because of this mobility, an email provider has strong incentives to retain your trust and not read your email.

In contrast, private single sign-on services like Facebook or Twitter or Google are monopolies and have monopoly power. You have no recourse should they decide to deactivate your account, hand it over to someone else, use your authentications to snoop on you, or you just don't want to do business with them. This goes for both the users and the site which chooses to use them for sign-on. If a private single sign-on provider decides they don't like your service, country, or industry, or maybe they decide you're the competition, they can yank all your users. Unless you're rich enough to hire lawyers, or popular enough to mount a social media campaign, there isn't much you can do.

Email is the only service which is all three of globally ubiquitous, federated, and acceptably secure. Phone numbers take a close second, but because phone numbers cost money they are not as ubiquitous as email. Software OTP is federated and secure, but not ubiquitous.

Schwern
6

It is a simple method for low(/medium) security services with no obvious better alternative. IMHO it may be in many cases a reasonable compromise between usability and security without advertising identity of your "tracking device" (cellular phone number).

AnFi
  • I told my bank I regard it as less secure than not doing it. Hint: my phone was stolen; where do you think that email went? – Joshua Jan 04 '21 at 03:15
  • @Joshua I assume your bank account processes enough money to make it above "low(/medium) security" :-) – AnFi Jan 04 '21 at 06:51
  • @Joshua I sure hope no bank in the world lets people reset their account by email alone! I've never had a bank that would send anything by email except "there is a message in your account" (which is borderline already) or general information. – gerrit Jan 04 '21 at 09:11
  • @gerrit the problem isn't the bank, it's the phone. Banking by phone, banking by text message, banking by app, banking by browser. Whatever new channels you add, customers will figure out how to make them available on their phones, small portable devices that are easily stolen. Banks can't force customers to use desktop computers. And since typing strong passwords on a phone is a huge pain, people either use simple passwords or save them on the phone. – barbecue Jan 04 '21 at 14:22
  • @barbecue Sure, but access by password alone would be single factor authorisation so not appropriate for online banking. And people should use password managers on their smartphone (I use keepass2android). – gerrit Jan 04 '21 at 17:54
  • @gerrit I use keepass too, and I have email addresses that I never check from my phone. But realistically, we're a small minority of users. A password and a text message, or a password and an authenticator app, or an email and a password, etc., all come through one device, which most people want to be as convenient (thereby insecure) as possible. – barbecue Jan 04 '21 at 17:57
  • I guess my point is that if you have lots of security features, but they can all be unlocked with a 4 digit pin, then effectively you only have a 4 digit pin. – barbecue Jan 04 '21 at 17:59
2

Everyone has an E-mail address and is willing to use it to register on some website. And you can easily create disposable addresses. So it is convenient for users - and cheap. On the other hand not everyone is willing to share a phone number and even SMS is not considered secure these days.

Not long ago, I had to register for an auction and the credentials were sent by snail mail. That is an option but it's slow and not as cheap as E-mail.

I completely share your concerns therefore I host my own mail for security and privacy reasons. I also wish more service providers would provide PGP as an option, either for 2FA login or regular correspondence.

Kate
2

The notion is that you have an alternate channel. Most of the time a web account was created then verified by email.

You registered originally giving your email address. Now what does it take for a Black Hat to steal your account:

  • He has to know your login and your email address. (Often the same.) With these he can send a request to change your password.
  • Now he has to be able to intercept the password change request to your email. And this usually has to be done in a short period of time.
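The defensive counterpart to the two steps above, as an added example that is not from any answer on this page: a hypothetical reset-token service that makes the second step depend on a narrow window, stores only a hash of the token, consumes it on first use, and reports a second use of a genuine link as a distinct "reused" status so it can be alerted on. The 15-minute lifetime and the in-memory store are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime: a copied reset link stops working soon after it is sent


@dataclass
class ResetRecord:
    user_id: str
    token_hash: str      # only the SHA-256 of the secret is stored, so a database leak exposes no usable tokens
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Hypothetical reset-token store. `now` is injectable so expiry can be exercised without waiting."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._records: Dict[str, ResetRecord] = {}  # token_id -> record, in memory for the example

    @staticmethod
    def _digest(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create the opaque value that goes into the emailed reset link."""
        token_id = secrets.token_urlsafe(8)   # lookup key; carries no secret
        secret = secrets.token_urlsafe(32)    # 256-bit unguessable part
        self._records[token_id] = ResetRecord(
            user_id, self._digest(secret), self._now() + TOKEN_TTL_SECONDS
        )
        return f"{token_id}.{secret}"

    def redeem(self, presented: str) -> Tuple[str, Optional[str]]:
        """Return (status, user_id) where status is ok, invalid, expired or reused.

        'reused' means a genuine link arrived a second time: whoever could read the
        mailbox may have got there first, so it deserves an alert, not a silent failure.
        """
        token_id, _, secret = presented.partition(".")
        rec = self._records.get(token_id)
        if rec is None or not hmac.compare_digest(rec.token_hash, self._digest(secret)):
            return "invalid", None
        if rec.used:
            return "reused", None
        if self._now() > rec.expires_at:
            return "expired", None
        # Consume this token and every other outstanding token for the same account,
        # so a successful reset also voids older links still sitting in the mailbox.
        for other in self._records.values():
            if other.user_id == rec.user_id:
                other.used = True
        return "ok", rec.user_id
```

Call `issue()` when a reset is requested and embed the returned value in the link; call `redeem()` when the link is visited and log anything other than "ok", with "reused" treated as a possible account-compromise signal.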
0

As highlighted in many of these answers and comments, trust relations always depend in the end on some 'person' to 'person' relationship of trust. That is, you must trust facebook can manage your account securely, you must trust blockchain miners and algorithm designers, or you must trust that your email provider is secure. These issues are generic in federated trust communities. Examples are where a service accepts validation of your identity from a third party. If you think about it, this is almost always the case: your driver's license or birth certificate are third party validation of your identity - you are who you say you are.

This is why websites that say you can create an account or login using your Google or Facebook credentials are probably more secure than ones that accept any generic email provider because service providers have more confidence in facebook and google than less well known identity providers.

So to recap, your question does identify the requirement for a trust relationship between you, your chosen identity provider and the service provider. There is no way to avoid this: someone must vouch for you.

  • I cannot recall a website which requires google or facebook only (and I would have noticed since I do not have a facebook account and don't use google as my email provider). Do you have an example? – jrw32982 Jan 13 '21 at 16:31
  • You are correct, I didn't mean to imply 'only' Google or Facebook. But by using something like them or another identity provider, it is generally more secure. Consider when services get hacked and a lot of email addresses and passwords are stolen. That can't happen with an identity provider because the password is never supplied to the service. Now if you are really religious about never reusing passwords you are better off, but an IDP does that for you. – mostlyWright Jan 28 '21 at 02:03
0

Email is a ubiquitous common denominator that most people online have access to, and it allows a secondary method of verification to decrease the likelihood of spam, scams, and transient accounts. It's not foolproof by any means, and can certainly be circumvented, but it increases the barrier to entry.

In addition, for verification purposes it can serve as a very rudimentary multi-factor authentication routine that allows a platform to verify that you are who you say you are to a certain degree.

Jason