Webmail Offensive and defensive combat (8)

Web browser vulnerabilities and malicious scripting programs cause the disclosure of cookie information, unlike cookie information leaks, URL session information is leaked, and is completely out of the HTTP protocol, unless the HTTP protocol is modified. Although RFC2616 points out that the Referer domain is sensitive (sensitive information), it is recommended that browsers provide a friendly interface for users to allow or disable the transmission of sensitive information domains, although no browser has yet provided such a functional interface.

Visible, whether it is cookie session tracking or URL session tracking, there are a lot of security issues, so webmail system need to take measures to enhance session security:

(1) Flexible use of session tracking technology: When the client supports cookies, use relatively secure temporary cookie session tracking mechanism, otherwise, using URL session tracking, JSP and other development programs can easily do this.

(2) combined with a variety of session tracking technology: At the same time with cookies, URL session tracking technology for session tracking, greatly increasing the difficulty of attackers.

(3) With the client IP address combination: 21cn.com, qmail sqwebmail and other webmail system, is the current session and the client IP address combined to enhance security.

(4) Reasonable set session timeout: The client does not have a connection request for a certain period of time, and the session timeout (timeout) is considered. Too short to bring inconvenience to the user; it's too long to bring convenience to the attackers.

Vii. Webmail Other security

If the user set up an automatic reply in the webmail, the attacker can use this and set up an automatic reply in another mailbox, and a message to the user, the mail will soon fill the user's mailbox, forcing the user to cancel the automatic reply, so A good automatic response strategy should be that a second message from the same email address should not be automatically replied to within a certain period of time.

Attackers will also be in the mail attachment virus, trojans and other malicious programs to attack the user's computer, and even to steal webmail password, so, for the unknown mail, users do not expect that is the rose and love letter, in the attachment to the virus killing, do not easily open its attachment.

To prevent spam, webmail system should be good anti-spam functions, one is the system-level spam filtering, some are complained about and included in the Anti-Spam organization blacklist e-mail address filtering, and second, user-level spam filtering, so that webmail users can customize their own mail filtering rules, Reject unwanted emails that are not bothered by spam.

With some olfactory visitation procedures, attackers can easily sniff the user's webmail password, email content, and so on without even having a very sophisticated knowledge. There is a hacker program called "Password Listener", which can almost monitor the password of all the free mailboxes in China. Therefore, it is necessary for the webmail system to support SSI to encrypt the data transmitted between the browser and the server to prevent the sniffer from being heard.

Some webmail systems support digital signatures and digital encryption, in the webmail can be imported based on public key encryption mechanism (such as CA Certification Center issued digital certificate) generated by public and private key pair, can effectively guarantee the confidentiality, integrity and non-repudiation of the message, however, In view of other security issues in webmail, once an attacker invades a user's webmail, the user gains more than it can and even causes the private key to leak.

Webmail System program Vulnerabilities are also noteworthy, such as IMHO webmail remote account hijacking vulnerabilities, Basilix Webmail remote arbitrary file disclosure vulnerabilities, W3mail webmail execute arbitrary command vulnerabilities, Even 21cn.com have had important path leaks.

From the above we can see that the security of webmail is not optimistic, if you want to better solve it, on the one hand to enhance the security of webmail system, on the other hand, rely on the user of the correct use of webmail, these are discussed above, this is not to repeat. If users still have security problems after using webmail correctly, then the rest is to choose a good mail service provider, or mail client software to send and receive mail, but the use of mail client software such as Outlook can cause other security problems, such as love worms, A virus such as a cover letter is the use of Outlook vulnerabilities to spread and harm users.