Home / Blogs

Why Foldering Adds Very Little Security

Steven Bellovin

I keep hearing stories of people using "foldering" for covert communications. Foldering is the process of composing a message for another party, but instead of sending it as an email, you leave it in the Drafts folder. The other party then logs in to the same email account and reads the message; they can then reply via the same technique. Foldering has been used for a long time, most famously by then-CIA director David Petraeus and his biographer/lover Paula Broadwell. Why is foldering used? What is it good for, and what are its weaknesses? There's a one-word answer to its strength — metadata — but its utility (to the extent that it had any) is largely that of a bygone era.

Before I start, I need to define a few technical terms. In the email world, there are "MUAs" — Mail User Agents — and "MTAs" — Mail Transfer Agents. They're different.

An MUA is what you use to compose and read email. It could be a dedicated mail program — the Mail app on iPhones and MacOS, Outlook on Windows, etc. An MUA needs to be configured with the domain names of the user's outbound and inbound email servers. MUAs live on user machines, like laptops and phones; MTAs are servers and are run by corporations, ISPs, and mail providers like Google. And there's a third piece, an inbound mail server. A receiving MTA hands off the mail to the inbound mail server; the MUA talks to it and pulls down email from it.

Webmail systems are a bit funny. Technically, they're remote MUAs that you talk to via a web browser. But they still talk to MTAs and inbound mail servers, though you don't see this. The MUA and MTA might be on the same computer for a small operation (perhaps running the open source squirrelmail package); for something the size of Gmail or Hotmail, the webmail servers are on separate machines from the MTAs. However, foldering doesn't involve an MTA. Rather, it involves composing messages and leaving them in some folder. The folders are all stored on disk — as it turns out, on disk managed by the inbound mail server, even though you're composing mail. (Why? Because only inbound mail servers and MUAs know about folders; MTAs don't. The MUA could have a draft mail folder (it probably does), but by sending it to the inbound mail server, you can start composing email on one device and continue from another.)

Webmail systems are, as I said, MUAs. For technical reasons, they generally don't have any permanent folder storage of their own; they just talk to the inbound mail server.

So: foldering via a webmail system involves a web server and an inbound mail server. It does not involve an MTA — and that's important.

If you're trying to engage in covert communications, you're not going to use your own mail systems — it's too obvious what's going on. Accordingly, you'll probably use a free commercial email service such as Google's Gmail or Microsoft's Outlook. The party with whom you're communicating will do the same. Let's follow the path of a typical email from a Gmail user (per the usual conventions in cryptography, we'll call her Alice) to an Outlook user named Bob.

The sender logs in to Gmail, probably via a web browser though possibly via an MUA app. Even back in the mists of time, the login connection was encrypted. However, until 2010, the actual session wasn't encrypted by default, though users were able to turn on encryption since at least 2008. Let's assume that our hypothetical conspirators or lovers were security-conscious, and thus turned on encryption for this link. That meant that no eavesdropper could see what was going on, and in particular could not see who logged in to Gmail or to whom a particular email was being sent. After Alice clicks "Send", though, the webmail MUA hands the message off to the MTA — and that's where the security breaks down. Back then, the MTA-to-MTA traffic was not encrypted; thus, someone — an intelligence agency? — monitoring the Internet backbone would see the emails. Bingo: our conspirators are burned. And even if we're talking about simple legal processes, the sender and recipient of such email messages are (probably) legally metadata and hence are readily available to law enforcement.

Suppose, though, that Alice and Bob used foldering. There are no MTAs involved, hence no sender/receiver metadata, and no unencrypted content flowing anywhere. They're safe — or so they thought…

When Alice logs into Gmail, her IP address is recorded. It, too, is metadata. An eavesdropper doesn't know that it's Alice, but her IP address is visible. More importantly, it's logged by Gmail: user Alice logged in from 203.0.113.42. Oddly enough, "Alice" — it's really Bob, of course — logged in from 198.51.100.17 as well, and those two IP addresses aren't physically located anywhere near each other. That discrepancy might even be logged. Regardless, it's in Gmail's log files, and if Alice or Bob is under suspicion, a simple subpoena for the log files (or a simple hack of the mail server) will show what's going on: these two IP addresses are showing a decidedly odd login pattern, and one of them belongs to a party under suspicion.

So where are we, circa 2010? Suppose neither Alice nor Bob were suspected of anything and they sent email. An intelligence agency monitoring assorted Internet links would see email between the two of them; if one was being targeted, it would be able to pick off the contents of the messages. If they used foldering though, they would be much safer; there wouldn't be any incriminating unencrypted traffic. The spooks would see traffic from Alice's and Bob's IP addresses to Gmail or Outlook, but that's not suspicious. The login names and the sessions themselves are protected.

Suppose, though, that Alice and/or Bob were under suspicion by law enforcement. A subpoena would get the login IP addresses; the discrepancy would stick out like a sore thumb, and the investigation would proceed apace.

In other words, in 2010 foldering would protect against Internet eavesdropping but not against law enforcement.

The world is very different today. Following the Snowden revelations, many email providers turned on encryption for MTA-to-MTA traffic. As a consequence, our hypothetical intelligence agency can't see that email is flowing between Alice and Bob; it's all protected. If they're being investigated, of course, a subpoena will show the email — but the same sort of subpoena would also show the login IP addresses.

Where does that leave us? Today, an attacker with access to log files, either via subpoena or by hacking a mail server, can see the communication metadata whether Alice and Bob are using foldering or simply sending email. An eavesdropper can't see the communications in either case. This is in contrast to 2010, when an eavesdropper could learn a lot from email but couldn't from a foldering channel.

Conclusion: if Alice and Bob and their mail services take normal 2018 precautions, foldering adds very little security.

By Steven Bellovin, Professor of Computer Science at Columbia University
Follow CircleID on
Related topics: Cybersecurity, Email, Privacy
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

The same amount of security Phil Howard  –  Aug 23, 2018 1:09 PM PST

So foldering is, today, no more secure than regular email, but really, is it any less so, for those who have been using it all along?  MTA-to-MTA, now secure, is still not used by foldering.

Good summary about something I hadn't heard Doug Mehus  –  Sep 03, 2018 9:59 AM PST

Good summary about something I hadn't heard about. Interestingly, I think my parents have been "foldering" by sheer accident, only because they use the same Gmail account (that I set up for them) that has each of their first names as the "first name" in their Google Account as well as their married last name in their Google Account. If one wants to send a note to the other, they'll usually send an e-mail message to themselves, which, technically, still passes between Google's outgoing and incoming mail servers, or they'll update a note in the "drafts" folder (the "foldering" you talked about).

One thing I'm unclear about, though, is how could Google provide the full e-mail message under subpoena if the message itself is fully encrypted?

And another thing, while Google might even "red flag" the logins from disparate geographical locations, which may show a high likelihood of two people corresponding, wouldn't that all be legally-flimsy, at best, circumstantial evidence?

Cheers,
Doug

To post comments, please login or create an account.

Related

Topics

DNS Security

Sponsored byAfilias

New TLDs

Sponsored byAfilias

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign

IP Addressing

Sponsored byAvenue4 LLC