
Sometimes I receive email messages from organisations I'm involved with saying something like:

Alice at AnyCo has sent you a secure message

Along with a link to access said message. Sometimes I'm then asked to create an account. The last one even decided to use "2FA" and send me a code to the same email address before I could log in. The companies which provide this service (for example Kiteworks) seem to act like it's the responsible way to send documents.

My impression is that this amounts to "security theatre" and does nothing to prevent unauthorised access to the file by third parties, or tampering with the contents of the file, compared with simply sending an attachment. That is usually what is implied by these services.

James Bradbury
    If the sender of such a message controls the server that provides the actual message after login it is easy to track what IP addresses have access the message. So it may not provide much security but it allows to track who is accessing the message (which is not possible in a reliable way on a regular e-mail). – Robert Jun 10 '22 at 08:05
    "does nothing to prevent unauthorised access" -- *all* unauthorised access? You sure? How is "tampering" an issue or a risk? I think that if you broke down the risks and the controls this process provides, you can see that there are obvious benefits. But not if you lump all risks together and consider this process a silver bullet. – schroeder Jun 10 '22 at 08:43
    Engineers working in those service providers surely benefit from job security :) – dungarian Jun 10 '22 at 19:35
  • "from organisations I'm involved with....Sometimes I'm then asked to create an account" If you are already 'involved' with them, wouldn't you already have an account? – jjanes Jun 11 '22 at 15:31
    ""does nothing to prevent unauthorised access" -- all unauthorised access? You sure?" - Surely anyone who has that link from the unencrypted email can access the document. Or do you mean that only the FIRST person to click the link can access it, so that's better? – James Bradbury Jun 11 '22 at 20:38
    @jjanes "wouldn't you already have an account?". Often this is the first electronic communication from the organisation. I'm not even 100% sure it is from the organisation in question. – James Bradbury Jun 11 '22 at 20:41

5 Answers


It provides some benefits in that the sensitive contents are stored on the server, rather than in the body of the email. This means that the link can be revoked to block access (for example, if the email was sent to the incorrect address) - whereas once an email has been sent, there's no reliable way to recall it.

It also allows the file sharing platform to implement some additional security controls (such as IP restrictions, or only allowing federated authentication) - so the link by itself might not have any value if an attacker can't reach or authenticate on the site.

But in a lot of cases, it is just security theatre (especially if the "secure" platform doesn't enforce conditional access, MFA, risky login detection, and all the other security features that the email system does). It also trains users to click links in emails and then enter their credentials, which is obviously a very bad habit to get into. A lot of the time, these "secure" platforms are used for compliance reasons, rather than because they're addressing a realistic threat.

Gh0stFish
    Compliance is indeed a huge driver of this, especially in cases where you have personal/medical/financial information that by law can only be shared with certain people. Also, cases where you need a paper trail showing that someone definitely received a copy of something (not merely that you sent it). – bta Jun 10 '22 at 17:18
    In particular, if you make the links expire then the window of opportunity for an attacker is much narrower than if the file sits in a user's mailbox forever. – Peter Green Jun 12 '22 at 03:04

The SMTP protocol is intended to exchange data in clear text over possibly a number of relays. In addition to the common data interception attacks, each and every relay could examine the message (and if found important keep a copy of it). Furthermore, many end users do not own their own mail server, so the message is kept (still in clear text) on their mail provider server.

And all those attacks cannot be detected, either by the sender or by the receiver.

In contrast when only a link is sent, the message is only kept on the sender server, and is (normally) downloaded through HTTPS and because of that cannot be easily intercepted.

That being said, as the link is sent in a simple mail, the link itself can be intercepted and an attacker could use it to steal the sensitive data. But at least if the real user also uses the link, the sender could detect 2 different connections and be aware of the attack.

The correct way would be to securely identify the recipient before a message is sent there. This is commonly used by banks: they send a rather innocent message with that simple information: a message is available. Then the user has to use their account (along with a secure connection) to download the message.


BTW, the really secure way would be to use X509 certificates. That way S/MIME allows sending a signed and encrypted message that only the real recipients will be able to decrypt. But unfortunately, X509 certificates are seldom used outside closed organizations...

Serge Ballesta
    SMTP has been running over TLS for years (decades?) now and no mail server would use random relays unless you configure it to do so (presumably with relays you trust), so saying SMTP is "cleartext" is a big stretch. – Dmitry Grigoryev Jun 10 '22 at 18:58
  • Note that the interceptor would have to find the corresponding email, the one with the code. Yes, it's also openly readable, but buried within a gazillion other emails, so it takes some conscious effort to identify. – Aganju Jun 10 '22 at 23:42
    If I use my a@gmail.com address to send mail to my friend b@web.de, then both gmail and web.de can read my mail, period. The fact that my connection to gmail, gmail's connection to web.de, and web.de's connection to my friend are secured by TLS doesn't change that. Only S/MIME prevents the mail providers from reading, or even tampering with, the emails. – Guntram Blohm Jun 11 '22 at 05:48
    @GuntramBlohm: And when you use a "secure document" platform, that platform provider can read the contents of your document. That's even worse, being that they're more sketchy and have less of an obligation not to. – R.. GitHub STOP HELPING ICE Jun 11 '22 at 15:17
    As @DmitryGrigoryev noted, SMTP has been using (albeit opportunistic) TLS for a long time, and can be made non-opportunistic from the receiver side by proper use of DANE. Moreover, [RFC 8689](https://datatracker.ietf.org/doc/html/rfc8689) defines a mechanism by which a sender can arrange to fail further attempts at forwarding/delivery if any stage of the delivery cannot be continued securely. This is the mechanism any sender aiming for secure document delivery should be using. – R.. GitHub STOP HELPING ICE Jun 11 '22 at 15:20
    Further, in practice, pretty much all recipients are using one of a tiny number of big providers like Gmail or Outlook, and the delivery will happen as a single encrypted hop from the outgoing mail system the sender is using to the recipient's mail provider. The idea of a bunch of sketchy forwarding hops is a historical curiosity not how the modern internet mail system works. All the party sending documents needs to do is run their own outgoing or outsource to a trusted party for secure document handling (rather than a "trusted" sketchy web service). – R.. GitHub STOP HELPING ICE Jun 11 '22 at 15:23
  • Plenty of companies don't use the big providers, and even when a company does use a big provider they may well not route the mail directly to it. – Peter Green Jun 12 '22 at 02:57
  • @PeterGreen: at least medium to large companies have an internal mail server. That means that for the last hop the clear text message is on an internal server and not on their provider one. – Serge Ballesta Jun 12 '22 at 07:40
    @PeterGreen: Even if you don't use one of the big providers, the concept of having sketchy intermediaries you forward mail through because you don't have a direct network link to the final recipient is a historical curiosity. The only SMTP hops nowadays are either ones the sender wants to use (which you as the sender control, or have a direct business relationship with someone who controls) or ones the recipient domain wants to use (for load balancing, service uptime, malware scanning, or whatever) and trusts to handle their mail privacy, which is not sender's business. – R.. GitHub STOP HELPING ICE Jun 12 '22 at 21:38
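The properties argued over in the two answers above (Gh0stFish: the document stays on the server, so the link can be revoked, expired or IP-restricted; Serge Ballesta: the sender can notice two different connections using the same link) can be made concrete with a small model of the server side of such a portal. This is an added example, not code from the question, from any answer, or from any real product such as Kiteworks; the portal URL `https://portal.example/d/`, the class and method names, and the sample IP addresses and document bytes are all constructed for the illustration. The injectable clock exists only so that expiry can be exercised deterministically.

```python
"""Toy server side of a 'secure link' document portal (added example).

What it shows: the link is a bearer credential, so a second party who reads
it out of the email gets the document exactly as the recipient does; but
because the bytes never left the server, the sender can revoke the link,
let it expire, restrict it to a network, and see every access in a log.
"""
import secrets
import time
from dataclasses import dataclass, field
from hashlib import sha256
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

PORTAL_BASE = "https://portal.example/d/"   # hypothetical portal URL (assumption)


@dataclass
class SharedDocument:
    content: bytes
    expires_at: float
    allowed_nets: list            # ip_network objects; empty list means any source IP
    revoked: bool = False
    access_log: list = field(default_factory=list)   # (time, client_ip, outcome)


class LinkPortal:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._docs = {}           # sha256(token) -> SharedDocument
        self._clock = clock

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash of the token, so a leaked database does not
        # hand out live links; the dict lookup itself stays a plain hash hit.
        return sha256(token.encode()).hexdigest()

    def share(self, content: bytes, ttl_seconds: float,
              allowed_nets: tuple = ()) -> str:
        token = secrets.token_urlsafe(32)     # 256 bits of entropy: not guessable
        self._docs[self._key(token)] = SharedDocument(
            content=content,
            expires_at=self._clock() + ttl_seconds,
            allowed_nets=[ip_network(n) for n in allowed_nets],
        )
        return PORTAL_BASE + token            # this URL is the bearer credential

    def _lookup(self, link: str) -> Optional[SharedDocument]:
        if not link.startswith(PORTAL_BASE):
            return None
        return self._docs.get(self._key(link[len(PORTAL_BASE):]))

    def revoke(self, link: str) -> bool:
        doc = self._lookup(link)
        if doc is None:
            return False
        doc.revoked = True        # the "recall" an already-sent attachment cannot have
        return True

    def fetch(self, link: str, client_ip: str) -> Optional[bytes]:
        """Serve the document if the link is still valid; log the attempt either way."""
        doc = self._lookup(link)
        if doc is None:
            return None           # unknown token: nothing to log against
        now = self._clock()
        ip = ip_address(client_ip)
        if doc.revoked:
            outcome = "revoked"
        elif now > doc.expires_at:
            outcome = "expired"
        elif doc.allowed_nets and not any(ip in net for net in doc.allowed_nets):
            outcome = "ip_denied"
        else:
            outcome = "ok"
        doc.access_log.append((now, client_ip, outcome))
        return doc.content if outcome == "ok" else None

    def successful_clients(self, link: str) -> set:
        """Distinct source IPs that actually retrieved the document.

        More than one is the signal the second answer describes: the real
        recipient plus whoever else read the link out of the email.
        """
        doc = self._lookup(link)
        if doc is None:
            return set()
        return {ip for _, ip, outcome in doc.access_log if outcome == "ok"}


if __name__ == "__main__":
    fake_now = [1_700_000_000.0]                       # controllable clock
    portal = LinkPortal(clock=lambda: fake_now[0])
    link = portal.share(b"constructed sample document", ttl_seconds=3600)
    portal.fetch(link, "203.0.113.5")                  # the intended recipient
    portal.fetch(link, "198.51.100.7")                 # anyone else holding the email
    print("clients that got the document:", portal.successful_clients(link))
    portal.revoke(link)
    print("after revocation:", portal.fetch(link, "203.0.113.5"))
```

The `successful_clients` set is the only thing here that a plain attachment cannot offer; note that it detects a second reader only after the fact, and only if the attacker does not come from the same network as the recipient, which is the limitation the question itself points out.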

Not only do these things lack any significant security benefit. One thing that's underappreciated is the strong security disadvantage and imbalance of power it creates against the recipient. They have no means of ensuring the document behind the "secure link" is the same as it was at the moment the email arrived and that it has not been altered by the sender or some third party with access to the "secure document" platform between the time the email was sent and when they read (or later re-read) it. If the document were included as an attachment, the recipient would possess a permanent copy from the moment of receipt, and depending on how DKIM was used, possibly even a cryptographic signature establishing authenticity/non-repudiation of the document.

As noted by bta in the comments, another way these things harm the recipient's security is by bypassing any scanning for malware, etc. that would be done for direct attachments but not for off-site links. And as ThoriumBR seems to have suggested, these kinds of "secure links" may train recipients to get phished - by normalizing following links to documents and possibly entering private information or performing authentication processes with the site.

    This is a good point. With the amount of phishing attacks, emailing a secure link to users will make it easier for attackers to send the same kind of email and end up succeeding. – ThoriumBR Jun 10 '22 at 17:05
    Not only tampering, but you're bypassing much of the security on the recipient's side. Emails and their attachments get scanned for malware on the server, but hiding the message on an external server means it's up to the (generally weaker) software on the recipient's local machine to detect any security issues. – bta Jun 10 '22 at 17:13
    Updated with additional things from the comments. Thanks! – R.. GitHub STOP HELPING ICE Jun 10 '22 at 17:37
  • Of course, the points in this answer could mostly be fixed easily by also mailing an ordinary mail containing the sha256sum of the file, and the recipient double-checking that on the linked file before doing anything else with the file. – leftaroundabout Jun 13 '22 at 13:54
  • @leftaroundabout: That only provides integrity, not possession. If you need to review the file a year later for legal/financial/tax/whatever purposes and the document platform no longer has it or no longer exists, you're out of luck - because it was never delivered to you, only an invitation to view it was (possibly without even a download method made accessible to non-technical users, but even if download was an option, it necessitates storage separate from mail and somehow managing the link between them which is above most users' level of expertise). The phishing/safety points apply too. – R.. GitHub STOP HELPING ICE Jun 13 '22 at 14:18
  • @R..GitHubSTOPHELPINGICE for documents that may be important for whatever purposes one should **always** keep independent backups, regardless of whether you wrote them in the first place or they lie on the e-mail provider or have come via some file-sharing system. Users who don't understand this also have no business worrying about security, and shouldn't be trusted with important files (at least not outside of a company intranet or other kind of safety net). – leftaroundabout Jun 13 '22 at 15:44
  • @leftaroundabout: In a business setting, email *already has* the needed backup and retention policies and needs to for legal reasons. But these kinds of "secure document link" shenanigans have the most negative impact on normal individuals interacting with businesses that insist on using them, not on businesses receiving them. – R.. GitHub STOP HELPING ICE Jun 13 '22 at 16:24
  • And normal people, even not very technically informed ones, **do understand the difference**. There's an easy to internalize knowledge that something in your mail is there until you delete it, that you can open it in your mail any time you like and see that it's there without leaving your mail software. And conversely there's an easy to internalize (from bad experience) knowledge that links are always breaking and that it feels "out of control" whether you'll be able to get back to something or not. – R.. GitHub STOP HELPING ICE Jun 13 '22 at 16:27
  • @R..GitHubSTOPHELPINGICE but something in your mail is _not_ “there until you delete it”. It's there until it gets moved or deleted by any of a number of interactions that the user may carry out either deliberately or accidentally (e.g space cleanup), or the provider may apply in a misguided attempt at improving performance or security (à la junk filters), or by some company policy, or simply buried under so many other mail that the user isn't able to find it anymore. – leftaroundabout Jun 13 '22 at 16:39
  • ...Sure, business mail is generally set up in such a way that some ninja can be asked to regex through the backups, but precisely _normal individuals_ don't have that option, and therefore should always keep backups of the important files somewhere else (also simply as a good habit). I've heard numerous times people say something like “you sent it by email? Oh, I don't think I'll be able to find that... why didn't you use WhatsApp...” ...facepalm – leftaroundabout Jun 13 '22 at 16:40

As weak as it is, you need to consider that the intended recipients are in the majority laymen with little security or computer knowledge. You cannot expect them to install and use PGP or similar more secure interactions; they are already stretched by a link with a code in a second email.
Under the circumstances, those companies try to do the best possible within these limitations. Is it secure? No. But better than a single email.

Aganju
    Is it actually better, though? I'm sorry, but it seems you failed to address the actual question. – Frax Jun 13 '22 at 10:04

Another factor here--this approach greatly reduces the risk of casual discovery of the information.

If my doctor sends a message saying "you have a message on the portal" someone who picks up my phone can't read the actual medical info. There are times I wish they would permit us to turn down the security a bit--please include the merchant in credit card transaction e-mails!--but the idea is sound.

Also, in the real world the technically literate sometimes end up seeing mailboxes of their illiterate friends. Yeah, in a perfect world they would always do their own logins, a tech would never mess with their equipment. We don't live in a perfect world.

Loren Pechtel
    Huh? Surely the person who already has your phone and sees the notification can also click on the link to view the document? – csstudent1418 Jun 13 '22 at 11:54
  • @csstudent1418 I get the notification but there's a password to actually get to the document. – Loren Pechtel Jun 13 '22 at 15:09
    @LorenPechtel I specifically mention in the question that this email sometimes asks me to create an account. I don't already have a password. An attacker could create that account pretending to be me. – James Bradbury Jun 16 '22 at 17:40