7

Recently I came across a gmail extension for Chrome browsers which claims to send self destructive emails. I tested by sending self destructive emails to my email account and it works fine

Now my questions are few:

  • Is there any way to determine if the email I receive is an self destructive email?
  • Is there any way to prevent it from self destruction?
WhiteWinterWolf
  • 19,082
  • 4
  • 58
  • 104
BlueBerry - Vignesh4303
  • 5,107
  • 13
  • 34
  • 63
  • 5
    The fact that the extension is not free makes it look like a scam. This should at first sight not really be possible. The only way to delete mails like that would be 1°) the extension needs to be installed to delete any mail, pretty uselesss 2°) you need to activate javascript or such on the mail & they managed to abuse something on gmail 3°) gmail has a very stupid hidden function. I'd vote for a scam just deleting mails if you actually have the extension installed. – Dillinur May 29 '15 at 12:58
  • @Dillinur: Sorry, but this do not seem scam at all. Just type "email self destruction" and you will find tons of company already offering such service. It just happen that this one provides a Chrome plugin dedicated to Gmail accounts to simplify the usage, while the other usually require the recipient email address to be modified in order to act as a relay (for instance `recipient@example.com` would become `recipient@example.com.relay-company.com`) which may be less practical. This is neither something new nor suspicious. – WhiteWinterWolf May 29 '15 at 13:23
  • 7
    @WhiteWinterWolf there is absolutely nothing in any mail protocol that allow you to do that, so unless you explicitly use a mail client that can delete your mails without your consent, it's just not possible. I'll be happy to read any technical details about how it's supposed to work, but otherwise I'd just say that it's not possible. (or feel free to send me a mail that is supposed to self-destruct..) – Dillinur May 29 '15 at 13:34
  • @Dillinur: ***Self destructing emails are not self deleting email!*** Here the email does never delete himself (we agree this is impossible on general basis), but its content is destructed (which is possible). – WhiteWinterWolf May 29 '15 at 18:01
  • 4
    The only way to do what you say is if the email message loads its content from a remote server which then destroys it after a certain amount of time. This provides the illusion of self-deleting emails but can be easily thwarted by anyone with minimal technical knowledge. But again, if you are able to send us an email that's supposed to self-destruct we'd be very interested in having a look at it. – dr_ May 29 '15 at 19:39
  • 1
    @dr01: I you want to test how such service looks like, just do ahead and test it, I do not see why you need me. Grab a throwable email address, select one of the dozen companies proposing a free demo offer of this service, and check how it works. It just takes 5 minutes and will provide you a better understanding of the advantages and limitations of such service. – WhiteWinterWolf May 30 '15 at 07:02

5 Answers5

18

It is not possible to create a digital communication that will self-destruct after a certain amount of time (or upon sender's command). This because of the nature of the message, which once reaches the recipient' machine can be copied at will. This applies to email as well as instant messages.

Therefore any service promising you messages that self-destruct after some time (e.g. Snapchat) simply do not work.

The golden rule to remember in digital communications is that once you send a message, you have no control over it.

> any way to prevent it from self destruction?

Simply copy the message text, with full headers, and paste it into another window. (Or forward the message to another email address you control. Or start a reply quoting the original message, and save the draft. I don't know how this Gmail extension works, but if it allows this, it's dumber than I thought.)

dr_
  • 5,060
  • 4
  • 19
  • 30
  • 1
    That's why self destructing email do not contain the actual message, but only a reference (an image or a link for instance) toward it and this message always stays stored in the service provider server. So copying the email content, forwarding it, replying to it, etc.: none of these measures will ever work since they will only copy the reference and not the actual message. Usually they also contain protection against copy-pasting, saving to local disk, printing, etc. – WhiteWinterWolf May 29 '15 at 17:59
  • 3
    Then it's the third party content what is being "destructed" (by that third party), not the email. What you need is to keep a copy on first download. For example, if it provides an embedded image, instead of loading email images you could copy the image location, open in browser and save the image locally. – Ángel May 29 '15 at 18:21
  • 3
    "Usually they also contain protection against copy-pasting, saving to local disk, printing, etc." Seriously? This is impossible to accomplish without having full administrator access on the client's computer. I would really like to see a proof-of-concept for that. – dr_ May 29 '15 at 19:22
  • 2
    @dr01 It only works if the client reading the "protected" mail goes along with it. Needless to say, most of them don't. – Shadur Jun 01 '15 at 09:03
10

Self-destructing emails, like email read receipts and mail services which tell you they can tell you which recipients have read your message and which have not, are at best misleading and at worse a con perpetrated on ignorant managers, executives and users who don't understand how email works.

In general, all of these schemes rely on the recipient buying into the whole process and not doing anything to subvert it. Self-destructing email either uses client extensions, where both the sender and recipient use the extension, or they rely on a 3rd party server which acts as a type of relay.

In the extension scenario, the message has additional meta-data which tells the recipient's extension to delete the message after a certain period or after it has been opened once. It will normally be necessary for the recipient to agree to allow the extension to do this. The recipient can always remove the extension or turn off this functionality, in which case the message will not be deleted unless the user explicitly tells their client to do so.

With the server scenario, the 3rd party relay will normally send a new message to the recipient which requires some sort of interaction with the 3rd party server for the recipient's client to render the contents. It could be as simple as downloading an image from the server, or requiring a request to the server to get a key to decrypt and display the message, or something more complicated. The objective is to force the recipient to use the server in order to access the message. The server can then remove either the message or access to the message based on some criteria specified by the sender.

However, the underlying problem with all of this is that if you can read the message, you can copy the message. If you can copy the message, you don't need the original and what happens to the original is irrelevant.

The issue here is that calling something like this self-destructing or self-destroying is misleading. When people hear it, they immediately picture scenes from Mission Impossible and are given the false impression that their email will no longer exist. Unfortunately, SnapChat users found out how false this assumption is the hard way when "sensitive" photos they had sent and thought would be destroyed began to show up on other web sites.

We are in the digital age and in the digital age, copies are as good as the originals. Once upon a time, copies meant reduced quality — the more something was copied, the less the quality. This is not true with digital data — the copy is as good as the original (and contrary to all those TV shows, you cannot improve the quality either — you might be able to enhance it, but you cannot improve it).

The basic protocol underlying email is very simple. It does not yet include advanced features like read receipts, self destruction, etc. Extensions for things like read receipts have been proposed and some "unofficial" support exists in some clients such as Outlook and Apple Mail. However, these are unofficial and generally, can be turned off by the recipient. If someone is not using a mail client which supports the extension, nothing will happen.

Same goes for many of those schemes that claim they can tell you when your email has been read by a recipient. Most of those solutions rely on things like clear glyph images being embedded inside the message — the glyph is actually an image with a remote URL. The remote URL is coded to identify the message it was embedded in. If the server receives a request for that URL, it is a safe bet that someone has tried to read the message. However, this completely fails if the user does not use an HTML based mail client or has disabled the automatic loading of images — many people do so for security reasons. It may also fail if the message is read off-line. It can also give false positives depending on the client. Some clients might try to improve performance by pre-fetching data, in which case the client will think the message has been read when it hasn't.

david
  • 711
  • 3
  • 11
Tim X
  • 3,242
  • 13
  • 13
  • Regarding "we are in the digital age and in the digital age, copies are as good as the originals"... consider https://xkcd.com/1683/ "Digital Data". If so-called "e-mail" is kept on a closed system that doesn't allow copy-and-paste, print, or "save as", the recipient's options for copying are taking a screenshot or a photograph of the screen... or a series of such pictures, if the e-mail won't fit on a single screen. – david Oct 04 '19 at 10:37
3

I think the goal of self-destructing email is not to erase the email, but to erase the information about who generates/sends the email. Under this idea:

  • Self-destructing email works if content of the email can be easily generated. If the email contains only text (e.g. "I love you!"), then the receiver can easily write it down or copy it. But with a self-destructing email, the recipient cannot tell other people that the sender has sent this message before, since the email server will have no trace of the email (unlike a normal email server). Of course the receiver can show the copied message, but other people can reply that it is too easy to fabricate by the receiver.

  • Self-destructing email might not work if the content of the email is hard to generate. For example, it might be hard to fabricate a photo. So when the receiver shows a photo of the sender, other people might be more likely to believe that the sender indeed has sent the photo before.

  • Self-destructing email will not work if the information content in the email is important by itself. For example, if you send your debit card PIN in the email, then self-destructing it makes no big difference...

ZillGate
  • 354
  • 4
  • 11
1

"Self-destructing" email does not and cannot work: the act of sending email involves copying the message repeatedly. I don't know the details of how this particular attempt works, but the basic techniques for defeating it are to either make a copy before performing any action that might trigger the "self-destruct mechanism", or make a copy while reading it (eg. through copy-and-paste).

Mark
  • 34,390
  • 9
  • 85
  • 134
1

Even if it may sound counter-intuitive, self-destructing email actually works.

The trick is that the email itself will actually not convey any useful data, but only something referencing the actual data to be shown which is safely stored in the service provider server.

For instance the most trivial transparent implementation would be to transform the email as an image, then include the appropriate IMG tag in the email to show this image while still hosted on the service provider system.

Some other providers of such service do not bother at all with transparency and the recipient simply receive a message telling to visit some URL hosted by this provider with his browser in order to access the email. Then, the service provider has got all Javascript / Flash / Java resources to control the way the actual email content is display.

Thanks to such system, the service provider keeps a full control when the actual email content is shown. It can delete it when needed, it knows when the email has been opened, by which IP, using which client software, etc. The service provider allows his customers to access this information depending on the offer they subscribed.

An easy way to detect such email is to ensure that no content from other source (in particular external images) are downloaded by your email client. You cannot retrieve an email content after it has been destructed, however while you can still view the email nothing prevents you from saving it on your disk (saving it in your email client or forward it to another email address will not work) but ensure to save also all attachments and images.

WhiteWinterWolf
  • 19,082
  • 4
  • 58
  • 104
  • 2
    Or simply take a screenshot... – zedman9991 May 29 '15 at 12:42
  • 3
    You're just adding a new layer onto the problem, if the user can access the information once, be it on the mail or on your server, you have lost all control about this information. By definition, if you transmitted the information, the receiver can store and copy it. – Dillinur May 29 '15 at 12:51
  • 1
    @Dillinur: I never needed such service personally, but I suppose that the one using it are more worried about issues like their email staying for an undetermined period stored on the potentially unsecure recipient mailbox (whether in the inbox or the trashcan). With such system, you can for instance determine that the email will become blank after a month. The recipient can save it, he is the recipient anyway so no trouble, but anyone else accessing the mailbox will not be able to read the mail anymore. – WhiteWinterWolf May 29 '15 at 13:01
  • Again, you've just added a layer (data saved by the receiver elsewhere instead of in the mailbox). But indeed, if your threat model is only "later compromising of the mailbox", removing the data from the mailbox solves the problem. I don't think that was what OP was asking though. – Dillinur May 29 '15 at 13:28
  • @Dillinur I just looked at the service provider for this plugin, they take as example one needing to send credit card information by email and explain that this plugin will allow the email to be automatically "destroyed" 5 minutes after the reader accessed it. The inner mechanisms of this plugin should therefore match my explanations. – WhiteWinterWolf May 29 '15 at 13:34
  • 1
    It's pretty misleading then, you'll get a mail with a link that'll be broken 5min after you read it, but 1°) nothing prevents your from saving this data 2°) the email in itself will still exists in the mailbox. It's basically a self-destructing website more than anything else. One can also wonders if it's a smart move to send such confidential data to a third party. – Dillinur May 29 '15 at 13:39
  • 1
    @Dillinur: I would hardly trust such service to send any banking information by mail too, I think we both agree on this ;). While I know that the mail tracking features are used for marketing purposes as legitimate use (and detect live email addresses as a less legitimate use), I actually wonder if there are really legitimate uses of self-destructing email (aside from the illegitimate ones like automatic evidence deletion...). – WhiteWinterWolf May 29 '15 at 13:51
  • After the original email self-destructs, you can't prove you ever received the email, because you can't prove you didn't fake the screenshot. – user253751 Aug 18 '15 at 10:40