January 16, 2021
Hot Topics:

Secure Web Based Mail Services

  • By Keith Pasley, CISSP
  • Send Email »
  • More Articles »

Outsourced Web Mail Service

A third approach to Web mail security is via outsourced or hosted Web mail service. Yahoo and MSN provide a Web mail access. However, very few people using their services would rate such services as 'secure;' thus, the need exists for a business-class level of secure Web mail access provided by managed security service providers such Co-Mail.

The Co-Mail secure mail service, offered by Ireland-based NR Lab LTD, provides a Web-based secure e-mail service with a user interface that can be used by anyone. The Co-Mail security architecture allows this service to be a good choice for any size organization. Co-Mail allows a company to use its own or a Co-Mail registered domain for mail routing. This mail service provides mail confidentiality and uses cryptography based on OpenPGP and SSL. Other security features of this online e-mail service include rudimentary anti spam, file encryption, and strong user authentication via (optional) Rainbow iKey support.

Through an administrative Web interface, an admin can register for the service and set up new users, among other housekeeping tasks. From the admin interface can be viewed organizational e-mail statistics such as near-immediate or historical user account activity. The administrator can customize the look and feel for the end user by uploading the company logo's, modifying the background header, and selecting the header text color. In addition, a company can use its own domain name or become a sub domain to the Co-Mail service.

End-user account creation can be done by the admin or the actual end user. In either case, there is the same three-step process:

  1. Register the user name.
  2. Random mouse movement to generate the asymmetric keys.
  3. Create a pass phrase, and then you're done.

The security minded may find this process very simple, yet behind the scene is a server-based implementation of OpenPGP. In the case of end-user registration, the admin interface provides for sending a customizable message to the end user with URL pointing to registration site.

Co-Mail can integrate into the end user's current e-mail environment via a downloadable proxy software called Co-Mail Express. Co-Mail Express is a lightweight-software application that resides on the end user's Desktop tray. Its job is to intercept mail directed to port 25 to encrypt/decrypt a mail message. Although this feature is not mandatory, some may find helpful if Web-based mail interfaces are not your cup of tea.

Once an end user logs in to the service, the user can perform the usual e-mail tasks such sending and receiving mail. In addition, the user can encrypt/decrypt files for secure storage (S-Disk) on the user's computer, manage the address book, export the address book, turn on/off antispam, set up auto reply texts, and so on.

Although very easy to use for small- to medium-user communities, traditional large enterprises may be hesitant to outsource their entire e-mail service to a third party. ISPs in particular may want to think seriously about this service value to their customers. This service is worth a look due to potential cost savings in upfront setup and ongoing maintenance. Lower cost and implementation speed are two reasons a large community may want to outsource its e-mail system to Co-Mail. However, the strength of the security employed by the service provider is also a central concern. Technical details for Co-Mail are available online at: http://www.co-mail.com/data.html.

E-mail management use to be simpler, but the threats against e-mail have grown more complex. With products such as Co-Mail, that provide a relatively good level of service availability and security, e-mail users around the world can take advantage of strong security with simple administration.

About the Author

Keith Pasley, CISSP is an information security professional with over 20 years of experience in the information technology industry. He has designed security architectures and implemented security strategies for both government and commercial sectors. Pasley has written articles on various security related subjects.

Page 2 of 2

This article was originally published on November 4, 2003

Enterprise Development Update

Don't miss an article. Subscribe to our newsletter below.

Thanks for your registration, follow us on our social networks to keep up-to-date