
Jeff Atwood's security blunder regarding email - lkrubner
http://fuscata.com/blog/atwood-drops-the-ball-on-email-security
======
oconnore
The assumption he implicitly makes is that Google is not going to do anything
malicious with his password, and has a secure enough network. If you take this
assumption to be true, then his practice of emailing himself private
information (over SSL; you can't access gmail without it) is reasonable.

Now if you want to take issue with his assumption, then go right ahead, but
this is not an instance of Jeff Atwood misunderstanding how [eg]mail works.

~~~
knewter
The only reason for this would be that gmail -> gmail email doesn't leave
their servers. However, I think it's irresponsible to suggest emailing oneself
private information without explaining the caveat, because others might, say,
do the same thing from their work email to their gmail account, and
consequently send private data in the clear through random mail servers.

~~~
sneak
The GMail smtp service supports STARTTLS for incoming mail. It could very well
be encrypted every single hop, from sending client to origin SMTP relay, from
SMTP relay to GMail, and then from GMail to receiving IMAPS client.

The situation is a lot better than it was a handful of years ago. It's not
quite the "don't ever do this!" it once was.

~~~
tantalor
It doesn't just support it, it requires it.

~~~
biafra
GMail does not require STARTTLS.

I am sure you can send email to GMail accounts with unencrypted SMTP. Just
look at the incoming "Received" headers. If they do not contain a "cipher="
section, the connection was not encrypted.

I think what you mean is that GMail requires you to use https for their web
interface.
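The header check biafra describes, as an added example that is not part of the thread: walk every Received header of a message and flag hops that record no cipher= (and no RFC 3848 ESMTPS token). The message below is constructed in the layout Gmail's MX writes, with one TLS hop and one plaintext hop.

```python
from __future__ import annotations
import re
from email import message_from_string

# Constructed sample (not a real capture): the final hop into mx.google.com
# used STARTTLS and records a cipher=; the earlier hop from a workstation to
# its own relay was plaintext SMTP and records nothing of the kind.
SAMPLE_MESSAGE = """\
Received: from relay.example.net (relay.example.net. [192.0.2.10])
        by mx.google.com with ESMTPS id k8si123456wib.5
        for <someone@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 01 Mar 2012 12:00:00 -0800 (PST)
Received: from workstation.example.net (workstation.example.net [192.0.2.20])
        by relay.example.net with SMTP id 7xQx1jMn;
        Thu, 01 Mar 2012 11:59:58 -0800 (PST)
From: someone@example.net
To: someone@gmail.com
Subject: constructed test message

body text
"""

# "from X ... by Y with PROTO"; the "from" clause is optional because some hops omit it.
HOP_RE = re.compile(r"(?:from\s+(\S+)\s.*?)?\bby\s+(\S+)(?:\s+with\s+(\S+))?", re.I)
CIPHER_RE = re.compile(r"cipher=([^\s;)]+)", re.I)

def audit_received_hops(raw_message: str) -> list[dict]:
    """One record per Received header, outermost (most recent) hop first.

    A hop counts as encrypted if it records a cipher= or if its protocol token
    carries the RFC 3848 'S' suffix (ESMTPS / ESMTPSA). Anything else is treated
    as plaintext, which is exactly the test the comment above proposes.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.match(flat)
        cipher = CIPHER_RE.search(flat)
        proto = ((m.group(3) or "") if m else "").upper()
        hops.append({
            "from": m.group(1) if m else None,
            "by": m.group(2) if m else None,
            "protocol": proto or None,
            "cipher": cipher.group(1) if cipher else None,
            "encrypted": bool(cipher) or proto in ("ESMTPS", "ESMTPSA"),
        })
    return hops

def plaintext_hops(raw_message: str) -> list[tuple]:
    """(from, by) pairs for every hop that shows no sign of TLS."""
    return [(h["from"], h["by"]) for h in audit_received_hops(raw_message) if not h["encrypted"]]

if __name__ == "__main__":
    for hop in audit_received_hops(SAMPLE_MESSAGE):
        print(hop)
```

Note that Google's own internal hops also appear as Received headers without a cipher=, so read the result per hop rather than as a single verdict on the whole message.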

~~~
zwp
> GMail does not require STARTTLS.

    $ telnet smtp.gmail.com 587
    Trying 173.194.67.108...
    Connected to gmail-smtp-msa.l.google.com.
    Escape character is '^]'.
    220 mx.google.com ESMTP ea6sm27303065wib.5
    HELO zwp
    250 mx.google.com at your service
    AUTH PLAIN [elided]
    530 5.7.0 Must issue a STARTTLS command first. ea6sm27303065wib.5

    $ telnet smtp.gmail.com 587
    Trying 173.194.67.109...
    Connected to gmail-smtp-msa.l.google.com.
    Escape character is '^]'.
    220 mx.google.com ESMTP ff2sm43397967wib.9
    HELO zwp
    250 mx.google.com at your service
    MAIL FROM:<test@example.com>
    530 5.7.0 Must issue a STARTTLS command first. ff2sm43397967wib.9

~~~
quonn
This is outgoing SMTP. It does not require it for _incoming_ SMTP.

~~~
tantalor
Gmail recommends (or requires) SSL for both IMAP[1] and POP[2].

[1] <http://support.google.com/mail/bin/answer.py?hl=en&answer=78799>

[2] <https://support.google.com/mail/bin/answer.py?hl=en&answer=181714>

------
slavak
All due respect, I've been unable to take Atwood very seriously after I read
this[1], and, shortly afterwards, this[2].

[1] <http://www.codinghorror.com/blog/2009/07/software-engineering-dead.html>

[2] <http://www.codinghorror.com/blog/2008/11/your-favorite-np-complete-cheat.html>

~~~
Confusion
It's a serious problem that this is currently the top-voted comment. It means
that people are upvoting it because they agree with the sentiment, while not
realizing that neither their nor slavak's opinion of Atwood's writing should
be interesting to anyone. They shouldn't be interesting, because the opinion
is on the one hand _unsupported_ and is on the other hand based on the
fundamental attribution error [1].

I say unsupported, because if anyone actually read the supposed supporting
links, there would at least be a discussion concerning the first link in these
comments. At least, I don't see how the contents of that post disqualifies
Atwood. I don't think upvoters are actually reviewing the evidence to see if
they agree with _this_ reason for disliking Atwood.

Concerning the second link: if you write off Atwood based on occasional
mistakes, you are committing the fundamental attribution error [1]: thinking
that _someone_, and therefore _all_ his writing, must be worthless, simply
because he _sometimes_ writes nonsense. Never forget that smart and
interesting people also make mistakes.

Atwood takes the time to air and explain his ideas about programming. He's not
a great writer or a deep thinker [2], but that doesn't matter: he _is_ one of
us thinking about what it means to be one of us. I find all of his thoughts
interesting, if only to see how someone can come to a different conclusion
based on the same premises. They are interesting even if I disagree and even
if he is wrong, because it shines a light on how colleagues may think about
things. For instance, the second link clearly warns me that I can never take
for granted that someone understands what NP-completeness means and have to
verify it. That makes even that post worthwhile.

[1] <http://en.wikipedia.org/wiki/Fundamental_attribution_error>

[2] Though certainly not a bad writer or a shallow thinker

~~~
gradstudent
You make a good point here but the fact remains that Jeff Atwood is a pseudo-
expert, not a serious authority. His opinion shouldn't be trusted. About
anything. Ever.

Each time I see some piece of writing from him, on a topic about which I am
reasonably knowledgeable, I find some error. As a consequence, I tend to
distrust anything from him on any topic with which I am not as familiar.

~~~
mixmastamyk
Appeal to authority (or in this case the reverse) is a common logical fallacy.

~~~
slavak
Appeal to authority can be a perfectly valid inductive method when used as a
statistical syllogism. It is only a fallacy in the realm of formal logic,
where the truth or falsehood of a statement is independent of its source.

This is a common but quite annoying misconception. The following is a
perfectly valid deduction: 1. Authority A is correct on matters in subject X
_p_ percent of the time. 2. A claims Y regarding a matter in subject X. -->
Therefore, Y is correct with probability p.

------
chime
Emailing yourself password-protected MS Office files isn't very secure either
(unless something has changed in 2010 version). I've routinely cracked
passwords for my users using freely available tools when they couldn't
remember the password to unprotect an Excel workbook.

~~~
tedunangst
Were their passwords more complex than "secret"?

There is a known flaw that Office uses (used? I believe it's unfixed) the same
RC4 stream for multiple versions of a document, which could be bad news if you
used the same password for them and an attacker has old revisions, but even
so, that may be hard to leverage if the doc in question is just a list of
passwords. [nm, it's been fixed for a while. thanks, nhebb.]

~~~
yuhong
There were two RC4 keystream reuse flaws in the Office binary formats. One
involved salt reuse on save (an implementation bug) and was fixed in Office
2007. But there is still another one that can't be fixed without changing the
file format. The original Office 2007 file formats used AES-ECB, but later
switched to CBC in SP2.
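The keystream-reuse problem tedunangst and yuhong describe, as an added example that is not part of the thread and not Office's actual code: two revisions of a document are encrypted with a toy RC4 construction whose key is derived from a password and a salt (the sha1-based derivation here is hypothetical, only the salt handling matters). With the salt reused on save, the XOR of the two ciphertexts equals the XOR of the two plaintexts, so every byte that did not change between revisions is exposed without the password; with a fresh salt per save it is not.

```python
import hashlib
import os

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA + PRGA); used only to make keystream reuse visible."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def derive_key(password: str, salt: bytes) -> bytes:
    """Hypothetical password+salt derivation for the demo (not Office's scheme)."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()[:16]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(password: str, salt: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, rc4_keystream(derive_key(password, salt), len(plaintext)))

def unchanged_positions(c1: bytes, c2: bytes) -> list:
    """Byte offsets where the two ciphertexts agree. Under a reused keystream
    these are exactly the offsets where the plaintexts agree, so the diff
    between revisions is readable from the ciphertexts alone."""
    return [i for i, (x, y) in enumerate(zip(c1, c2)) if x == y]

# Constructed revisions of a "list of passwords" document, same length.
REV1 = b"server: db01  user: alice  pw: winter2011"
REV2 = b"server: db01  user: alice  pw: spring2012"
PASSWORD = "open-sesame"

def demo_reused_salt() -> tuple:
    """The pre-Office-2007 behaviour: the same salt is written on every save."""
    salt = b"\x00" * 16
    c1 = encrypt(PASSWORD, salt, REV1)
    c2 = encrypt(PASSWORD, salt, REV2)
    # identical keystreams cancel: c1 ^ c2 == REV1 ^ REV2
    leaks = xor_bytes(c1, c2) == xor_bytes(REV1, REV2)
    return leaks, unchanged_positions(c1, c2)

def demo_fresh_salt() -> tuple:
    """The fix: a fresh random salt per save gives an unrelated keystream."""
    c1 = encrypt(PASSWORD, os.urandom(16), REV1)
    c2 = encrypt(PASSWORD, os.urandom(16), REV2)
    return xor_bytes(c1, c2) == xor_bytes(REV1, REV2), unchanged_positions(c1, c2)
```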

------
ceejayoz
In fairness, if you're e-mailing yourself, chances are it's not going out over
the public internet at any point. In Gmail, it's likely not even going
anywhere except straight into Google's database.

~~~
tedunangst
It's still stored unencrypted, which is not the ideal state for a password at
rest.

~~~
elchief
gmail has been revamped so that China, with a fuck-ton of resources and
desire, cannot get into it. they hired the NSA to help them. maybe it's no
longer secure from the NSA, but it is from everyone else.

~~~
javert
Source?

It's very hard for me to imagine truly trusting that China cannot get into
Gmail. Even if you have a great source. :-P

~~~
btilly
In late 2009, China tried to get into Gmail. According to the forensics done
at the time, they managed to compromise 2 accounts. And even then they only
managed to read subject lines but not email contents for those accounts.

Google detected them, locked them out, identified over 20 other companies that
had been compromised and notified all of them. Furthermore getting compromised
was a wake-up call - they immediately took a lot of steps to improve their own
security.

See <http://techcrunch.com/2010/01/12/google-china-attacks/> for verification
of some of this.

So China went after the easier target - users. Users are easy to compromise.

Therefore in 2011 Google notified hundreds of users (including many members of
the government) that their accounts had been compromised by China. See
<http://www.foxnews.com/scitech/2011/06/01/gmail-compromised-chinese-hackers-google-says/>
for verification.

Note that this time Google's infrastructure was not targeted. Just end users
and still Google tracked it down and notified people.

No system is perfect. I guarantee that Google knows this. But Gmail has a far
better claim than any other email system I know of to being able to beat
Chinese hackers. (That said, I'm sure that China has not given up.)

~~~
tedunangst
From TC link: "We are telling you this because we are committed to
transparency, accountability, and maintaining your trust."

You'd think, if that were true, Google would indicate somewhere that, yes
indeed, they do encrypt your email.

~~~
btilly
Have you thought of the operational costs of both encrypting email and still
being able to support efficient searching of said email?

It really makes more sense to store unencrypted, and then secure access. The
difficulty that motivated and well-prepared attackers have had in getting
access demonstrates that they have done a very good job of securing access.

------
twelvechairs
One thing nobody is commenting on here is that the easiest way to avoid your
passwords being stolen is actually just to ensure that nobody other than
yourself knows that they are passwords. Develop an esoteric system
(don't use the word 'password' anywhere, don't store passwords with the full
name of what they access, don't repeatedly access the same encrypted document
[telling anyone looking for your secrets 'Decrypt this!']) and you are likely
to put off all but someone ridiculously determined to target you.

Even better - don't put it online and don't even save it digitally if you can
avoid it (is anyone that steals your wallet or burgles your house going to
really bother trying to figure out what a hand-scribbled series of characters
might mean?).

------
willvarfar
Jeff regularly "drops the ball" on most things. He blogs about what he is
learning about, and not what he has mastered.

Remember him getting his knickers in a twist over AES ECB? Or more recently
conflating secure hashes with hashes for other purposes? Or back-pedaling on,
well, everything?!

I love his writing and read every blog entry. But I shudder if we hold him up
as an expert in recommending how to secure passwords and such!

------
trout
The 'recently closed tabs' feature in recent browsers also makes closing your
session more difficult. A few years ago it was considered good practice to
close your window after checking your account. Now it is just a click in the
browser to fully restore that window. Remember to 'Sign Out' all the time, 2
factor doesn't help in this case.

------
DanBC
Atwood's solution is flawed because law enforcement only need to give
correctly formed documents to Google to get all your passwords over a bunch of
services.

Imagine someone using Hushmail in the same way. It should be a lot more
secure. Hushmail uses strong encryption, but has in the past served specially
crafted Java applications to the customer because they were cooperating with
law enforcement.

Admittedly, if you have law enforcement after you then you need to start being
a lot more careful with everything.

------
zobzu
I hope you remember that Gmail scans your email for their stats and adverts
and that your email storage is in NO WAY private. Go read the TOS, or the
various websites explaining the TOS if it's easier. More than that, many
Google employees, for stats or project purposes may read them. More than that,
you'd think gmail has never been broken into? Public info != reality.

Emailing yourself sensitive data unencrypted is simply dumb.

------
AgentConundrum
I have to agree with this. I hadn't read Jeff's post yet since, really, I
haven't regularly read his stuff in probably two or three years, but I just
did.

The only mention of emailing things to yourself is wholly contained in the
following paragraph:

> _The upside is that once you enable this, your email becomes extremely
> secure, to the point that you can (and I regularly do) email yourself highly
> sensitive data like passwords and logins to other sites you visit so you can
> easily retrieve them later._

To me, that's really dangerous advice. It relies on the assumption that you're
only emailing things from your own gmail account, to your own gmail account.
This means that the only transfer happens between you and Google over a secure
HTTPS connection. Your data is transferred securely, stored on Google's
servers, and securely transferred back to you when you request it.

At no point is this specific assumption pointed out, nor are the problems with
it discussed.

First, although I can't think of a particular reason why gmail-to-gmail emails
would be routed outside of Google's servers, that doesn't mean it doesn't
happen. If someone could point to a blog post discussing it, I would appreciate
it.

Second, all bets are off if you use a separate provider. One example might be
work email. If you're signed in to a work account already, you might be more
inclined to just use that to toss an email at yourself for later. I've
certainly done that before, even though I _could_ sign into gmail from work.
People could make the mistake of thinking he's saying "send an email to
yourself _from anywhere_ " which isn't correct. Incidentally, activating two-
factor auth makes it _more_ likely that someone would do work-to-home emailing
since there's now an extra barrier to just logging into gmail.

Finally, this seems to rely on the assumption that you're only using the web
client to access gmail. If you're using POP3 or IMAP to access your account,
you could still be at risk, since I think (though admittedly I'm unsure since
I only use the web interface) that these protocols aren't encrypted by
default.

~~~
tantalor
> At no point is this specific assumption pointed out, nor are the problems
> with it discussed.

To "email yourself" implies using the same service.

> If you're using POP3 or IMAP to access your account, you could still be at
> risk, since I think (though admittedly I'm unsure since I only use the web
> interface) that these protocols aren't encrypted by default.

Gmail IMAP requires SSL:
<http://support.google.com/mail/bin/answer.py?hl=en&answer=78799>

~~~
AgentConundrum
> _Gmail IMAP requires SSL_

Good to know. I did specify that I never used it, so my understanding could be
flawed.

> _To "email yourself" implies using the same service._

To you, but not necessarily to everyone. People do have multiple accounts
(gmail, personal domain, work, even Facebook gives you an email address you
can send things to), and it's really easy to conflate "email yourself" with
"send an email to your account", or even to abstract "sending an email to
yourself is secure" to "email is secure".

My point was simply that if you make an argument about something as important
as security, it's vital that you spell out the limitations to your advice.
"Email yourself" is ambiguous enough that it needs a proper disclaimer.

Admittedly, the audience for Coding Horror is mostly people who know this
stuff already, but it's certainly not limited to those people exclusively. I
started reading his blog midway through college, and it's amazing to me,
looking back now, just how naive I was about a lot of things back then.

------
ta12121
Atwood often makes blatant mistakes like this. I truly don't understand why
his blog is so popular.

------
Tichy
"Using a secure connection (HTTPS), which Atwood fails to mention"

Is it possible to use GMail without HTTPS? Somehow I can't imagine Google
would enable that?

~~~
Jach
I think it's required nowadays, or at least used by default, but less than a
couple years ago HTTPS was a setting you had to manually enable and before
that wasn't offered at all. Also HTTPS is only secure if you trust the cert
companies, which I don't after the multiple fake certs issued last year (with
at least one *.google.com presumably issued to Iran). The best way to secure
your sensitive emails has been the same since the 90s: PGP encryption. (The
tradeoffs have also been known.)

------
EGreg
This gives me an idea. A secure web notebook where you can record things that
only you can get out. They will be encrypted on the server basically, and your
password will be used to decrypt them. Also you will use SSL to post. Is there
any vault like this that's freely accessible?

~~~
duskwuff
The problem with such a service is that there's no practical way to figure out
whether they're reading your data on the sly. (Even if your data is
technically being encrypted on the client side, there's nothing to stop them
from slipping in some extra JS one day to start sending your encryption key to
their server.)

------
Locke1689
Data on the move -- TLS via OpenSSL. Data at rest -- GPG.

Don't trust anything else.

(OK, technically there are cases where you should trust other stuff, but if
you can recognize it you are probably a professional cryptographer).

~~~
sneak
Great idea in theory, however, I'd like to know how you search your emails on
your smartphone while traveling when all of your mails are GPG-encrypted on
the server.

Or do you carry your GPG key around on your smartphone?

This solution, while technically pure, does not work. Those of us that live in
the Real World send our regards.

~~~
Locke1689
My email is accessed over TLS. I have no idea what to tell you if yours isn't.

Oh, and my email isn't GPG encrypted. I just don't store sensitive data in my
email.

~~~
sneak
The argument could be made that if your email doesn't contain anything
sensitive, then you're not living life correctly. :)

------
zalew
if you are emailing yourself, you are doing it wrong

~~~
fsckin
I'm surprised more people don't email themselves.

Gmail indexes messages, which makes it incredibly fast to find a note that I
sent to myself. I also use it to remind myself about something important to
eventually remember, but I can't work on it right now.

~~~
treetrouble
I use Notational Velocity + Dropbox for this

------
Daniel_Newby
And for the next six weeks get stalked around the web by "Buy Tfk166acq at
Nextag.com".

