Another run in with the local council and the guys at Capita who manage the council tax left me amused. Everytime I contact the council tax guys by email, they insist on responding with some sort of email encryption system.
I'm entirely for email encryption. It's true that the security of email in transit cannot be guaranteed, so any point-to point encryption is an improvement on a pretty flawed system. My preference is for proper encryption such as PGP, but the system employed by Capita positively amuses me - it's all done online on a HTTPS wesbite, but fails to deal with the salient security points. This is my basic analysis:
The purpose of email encryption should be twofold:
- To protect the contents in transit between the sender and recipient so that eavesdropping and man in the middle attacks are rendered ineffective.
- If the end email account is compromised, then the content of the email cannot easily be read without further security and encryption being bypassed.
The Capita solution appears to fail on both counts in my opinion.
The system appears to work as follows:
- The sender at Capita sends an email to the recipient. The email remains on a "secure" server and a separate email is sent to the recipient with an attachment.
- Opening the attachment redirects the user to a HTTPS site where the recipient sets up some simple security details such as a password and an answer to a "security" question. Once this is set up, the recipient can see the email sent by Capita and respond securely.
- If any further emails are received, then the recipient can log into the site and retreive them securely once again over HTTPS.
This at first glance appears to be a fairly secure way of doing things. The reasons for saying this are:
- The content of the email travels over HTTPS which is secure; and
- The content of the email is not being stored in the recipient's mailbox.
HOWEVER, the flaws are:
- The initial set up email is sent to the recipient's mailbox: If the recipient's mail is being eavesdropped upon, or the email box is compromised, then there is nothing stopping the hacker using the welcome email to sign up themselves by setting the password and security question and reading the secure email. Indeed, this is the very attack that this system is designed to thwart.
- Even if the would-be hacker was slow off the mark and the recipient hasset up a password and security question, if the email box is compromised, or if eavesdropping is occurring, the original or subsequent reply notifications can be used to navigate to the site and using the lost password link and the answer to the security question, the hacker can reset the password and gain access to the secure content.
- If the hacker knows neither the password nor the security question answer, then clicking the lost password link and the "I can't remember the answer to my security question" link dispatches and email to the already compromised email account with a link that allows the password to be reset and reveals the answer to the security question in plain text nullifying the security of the security question and allowing access to the secure email.
So to summarise: The system is designed to prevent someone from reading an email if their email address is being eavesdropped upon while email is in transit or if the account is compromised. However if either situation occurs, a hacker can (a) set the password on the secure emails and read them and/or (b) reset and view the answer to the security question before gaining access to the secure email the system is designed to protect.
All in all, a fail on all accounts. Capita ought to be ashamed, not only because this system offers a false sense of protection, but because it's an overly oneorus and convoluted system which makes it difficult for the end user to receive their email. All in all, they'd be better off without it and I could spend more time looking at other issues that make it a less than desirable "solution". Maybe another time.