Are email clients more secure then web email?

Discussion in 'privacy general' started by SuperSapien, Jan 31, 2020.

  1. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    230
    I was told that email clients are suppose to be more secure than viewing your email through your browser if over WiFi Hotspots. Is this true?
    Also the emails in question are encrypted through HTTPS/SSL.
     
  2. kaljukass

    kaljukass Registered Member

    Joined:
    Apr 27, 2011
    Posts:
    250
    Wow, wonderful question.
    This is such a funny question that it immediately takes completely speechless.
    But you could suggest to the person who told you such a fairy tale to talk in feature about things he or she at least understands even if he/she doesnt know anything.
    You probably have a big black hole in this place, where usually is knowledge base about sending information over the internet.
    And https/SSL have nothing to do with it. It is at all another fairy tale or another story.
    Everything that protects you in this wicked world at all, is always (and only) between the two ears.
     
  3. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    230
    So I'm guessing that's a no that email clients are not more secure compared to viewing them in your web browser?
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,892
    Location:
    Slovenia, EU
    Well you can set your email client to read all your mails in plaintext. That could improve your security.
    For privacy (and probably security also) you can also set it not to download pictures automatically.

    Of course both of these don't improve your security about accessing your email over WiFi hotspots...
     
  5. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,119
    Location:
    Hawaii
    IMO, post #2 is pointless blather

    MY IT friends all advise me that using an email client is the more secure way to go.

    I set my email client (PopPeeper) to receive in plain text only, & to download headers only. When I see an email I want to read, one click will download the entire message & a second click will convert it to HTML or rich text, if desired & applicable. My email client never downloads pictures or attachments without first asking me. When I receive suspected spoof mail from usually trusted senders, my email client lets me quickly review the message source code & text, where address spoofs & link spoofs are easily spotted.
     
  6. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    462
    There are other advantages besides security. Filters likely work better, no ads, better privacy, saving the e-mails as files works better, etc. On the road I use webmail but at home use a client (Outlook).
     
  7. 142395

    142395 Guest

    Whether it's more secure or not on hotspot totally depends on how the email service and the client app implement TLS but if everything is fine there should be no difference (and yes, it's only between the email server and you, not E2E). However, in more general sense one reason it can be more secure is XSS/CSRF. I guess many people click a link on message regardless on web or on client. In case of web browser, it can be game over if there's a vulnerability in the email service and the link is a trap, but on email client usually any link is opened by default browser so unless you're already logged in to the service on the browser you're safe. You can avoid it on browser by not clicking a link and instead copy the URL and paste it into another browser or profile, which I wonder how many people do.

    Most major email services offer source view and image blocking for the web too, but plaintext view is rare while plaintext writing is common. As to spoof, it's not always easy, are you sure what on the header can be trusted and what not? It's a kind of trust chain, you shouldn't regard all of them to be true. It requires some knowledge and experience but sure most of spam mails can be easily spotted.
     
  8. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    230
    OK so email clients can be more secure? Also the email client in question is Thunderbird and three of the emails are using TLS with OAuth2 and the other email is TLS with normal authentication. And I never click on links in my email client instead I copy and paste the link to my browser. Note this all running on Linux with UFW enabled.

    @ bellgamin

    Somebody at the Geeksquad told that email clients are safer than using your web browser to view emails.
     
    Last edited: Feb 1, 2020
  9. longshots

    longshots Registered Member

    Joined:
    Oct 20, 2017
    Posts:
    605
    Location:
    Australia
    Probably off topic, but I like to use the same software for all my devices, and Pop Peeper is one of the main progz I miss with Linux.
     
  10. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Although email clients have been improved, generally they're not sandboxed the same way that browsers are, though there are solutions on both Windows and Linux to add sandboxes (Sandboxie, Firejail and Apparmor). Or you can run the whole thing in a VM.

    Web browser webmail can be secured via forms of 2FA (TOTP or U2F or Fido2) in ways that the API client key cannot. This means that if the client access key is compromised, the account is compromised. Against that, you need to be sure that the webmail client has not be subverted by Mitm or mitb.
     
  11. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,119
    Location:
    Hawaii
    Yes! To that list I would add Shadow Defender & MBAE. Also, some AVs (such as Webroot Secure Anywhere) enable sandboxing specified apps.
     
  12. 142395

    142395 Guest

    What matter are e.g. how they treat certificate transparency, if they use only modern secure protocols, if DANE is supported, etc. Well, but on email client HSTS will be irrelevant, as it's configured to only use TLS, so for some bad email services which don't implement HTST, email client can be more secure. But ofc it can be less secure if you didn't use reputable clients like Thunderbird, as this incidnet suggests for example.

    You may have interest in these well-known testing tools (the last two are just TLS tests, enter your sending/receiving domains set up on the client but sometimes you'll get an error), tho the results need to be interpreted w/ caution.
    https://www.emailprivacytester.com/
    https://www.ssllabs.com/ssltest/
    https://www.immuniweb.com/ssl/

    Off-topic and probably you know, but UFW is not a "Turn on and you're more secure" staff, it's just a GUI front end of iptables.
    Nice point! Currently sandbox is applied only on smartphones and a few UWP email apps. TOTP is supported on many email clients and services but I'm not aware of any client supporting U2F.

    [EDIT] Corrected to prevent to be interpreted as if I said Thunderbird is not a reputable client. These English grammar often confuses me.
     
    Last edited by a moderator: Feb 2, 2020
  13. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    One other feature of webmail is that some services support full mailbox encryption performed in browser or app (Tutantoa and ProtonMail) - the service never gets to see the content, other from external sources. Clients using pop3 will have an inbox on the local filesystem and can be deleted off the provider (potentially a good thing), but typically these are not encrypted unless by FDE (which you should probably be using anyway if you care at all). Clients using IMAP are dependent on the practices of the service, although increasingly they are using FDE on the servers too, and hopefully have good physical security.

    In the case of people using the mailbox as a great big history & information store (mea culpa) - clients are probably superior and there are tools which can index them properly for fast search. Tutanota at least has recently provided encrypted search, but this will be more difficult to scale & communicate for very large mailbox stores.

    I think many have concluded that email is not really redeemable if you want strong security and privacy (if nothing else, your correspondents are typically hopelessly insecure and it traverses the infrastructure in clear unless you go through painful additional steps), and for secure communications, one might consider things like Signal or Riot etc. Or course, you can form closed groups on Tutanota or ProtonMail.
     
  14. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    230
    Well I should say that I'm using GUFW and its blocking incoming and allow outgoing. Though I'm not sure how secure that might be after all nothings bullet proof.
     
  15. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    Probably no.

    Take into account this.

    Web browsers follow a rapid development model, never a fan of such models, but the one clear advantage they do have is security updates get rolled out quickly.
    There is lots of software to harden web browsers.
    There is many ways to harden web browsers within their settings.

    Whilst email clients are kind of the opposite, much more likely to be using older ssl protocols, not all a/v even supports email clients anymore, less rapid development.

    In the internet community, web security has had a lot of attention and focus, so e.g. now if you browse a web page in chrome that doesnt have encryption, it will make sure you know, especially if that page is asking you to authenticate.

    Do the same thing in a client, and the same alertness isnt offered, and I expect many email client users dont use encryption, due to the fact its easier and less troublesome to run with it off. This is just one example.
     
  16. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,127
    Location:
    Member state of European Union
    Thunderbird uses the same TLS libraries Firefox is using. Actually I hardened TLS settings in Thunderbird much better than in web browser, because hardening web browser TLS settings broken connections to some sites.

    Just take e-mail client configuration seriously and it will make sure you always will be on secured connection. Website may provide login screen by https and then redirect to non-https site at some point. Provided HSTS is not used on server or user visits site for the first time and doesn't type https prefix then user is susceptible to MitM downgrade attack.
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,634
    Location:
    U.S.A.
  18. 142395

    142395 Guest

    That's the default state of most distro, so probably your security level hasn't changed before and after installing it, but more talk should be done on another thread. Note there are already many articles about Linux firewalling on this forum and other places on internet such as Archwiki.

    That rapid release is not necessarily good-only for security, it also brings many new bugs and leaves less severe vuln unfixed. OpenBSD, for example, only updates twice a year but it's one of the most secure OS.

    And for the rest, besides what reasonablePrivacy already argued, it's rather email providers' responsibility to provide easy introduction of secure config. If they don't, maybe their websites are also not very secure. And Mozilla incorporates a different set of trusted cert store for Thunderbird/email from Firefox/browser by default, meaning it's more restricted in terms of trust circle. Personally I've disabled many CA on Firefox.

    [EDIT] Another point: modern web browser come w/ tons of new APIs; WebBluethooth, WebUSB, WebSpeech, WebSomthing, ... which are nothing more than added attack surface for those of us not using them. Email clients don't need to support all of them. Less need for hardening by less attack surface is not a disadvantage.
     
    Last edited by a moderator: Feb 3, 2020
  19. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,127
    Location:
    Member state of European Union
    To be fair OpenBSD has -current branch which is in-fact rolling release branch.
     
  20. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Yeh, if browsers were simple browsers rather than little moles burrowing into your machine, that'd be sufficient for webmail. So you have to spend loads of time attempting to get them to be a browser again.
     
  21. 142395

    142395 Guest

    Thanks, I haven't used OpenBSD so I shouldn't have spoken about it too much.
    Indeed!
     
  22. Soft Life

    Soft Life Registered Member

    Joined:
    Aug 10, 2018
    Posts:
    94
    Location:
    United States
    Unless the sender and receiver of the email are using encryption then the email is not secure whether through the browser or client. Think about it, you are sending an email across the internet un-encrypted. People can intercept it.

    Don't say anything stupid in an email you may regret.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.