Why is webmail not secure?
Everyone knows that email is not a secure medium. There are no guarantees of confidentiality or privacy, nor any authentication mechanisms. It’s just somebody typing away at their keyboard. Nevertheless, unless you have delusions about your level of online secrecy, webmail is actually much safer than you might expect…
The first thing to consider is whether the security risks of webmail are inherent in the technology, or simply due to a failure on our part:
Security problems with webmail stem from implementation. [False] The dangers that we face when using webmail originate in the fact that websites and servers hosting email accounts do not work together to solve common problems such as sender authentication and message confidentiality. [False]
The truth is that webmail and email servers and software generally do not work well together. Therefore, the security problems with webmail stem from flaws in the technology:
Most registration and authentication mechanisms on websites are broken or poorly implemented. This makes it possible for an attacker to register a new account on your website of choice, then use that account to start sending messages. This is known as phishing, or sometimes spear phishing when it’s directed against a specific user.
A password manager was used to log in securely to the website, but an attacker obtained access to the database where all users’ passwords are stored. The attacker now has your username and password for every website you use. Having this information makes it possible to intercept your keystrokes as you type them, or alternatively to capture data that your device sends when it contacts the server (e.g., passwords, session cookies).