Is there a difference in privacy and security between webmail access and desktop email clients? Is one inherently more secure than the other? Is it more secure to use an email service that does not offer webmail, but only access via IMAP, POP, SMTP in a desktop email client? Let us consider that both are using equal encryption techniques, i.e. TLS for the connection between server and client.
3 Answers
Security of a local mail client is much more dependent on the physical security of the device than a webmail client is.
Local clients tend to have mail passwords saved, whereas it's possible, but less common, for webmail clients. Not only does this saved password allow access to mail if you can access the user's account, but you hope this password is stored securely.
You would also have mail files stored on the machine. There may be sensitive data embedded in the mail files. These would need to be secured for the user only. I forgot that I had loaded Thunderbird on my laptop, and when I reinstalled it 2 years later, it found my old mail.
Webmail apps have issues with saved files as well, though proper HTTP caching directives, and the ability to wipe out the cache, or private browsing, mitigate most of this.
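The first answer's point that locally stored mail files and saved passwords must be secured for the user only can be checked mechanically. The following is an added example, not part of any answer: a Python sketch for POSIX systems that lists entries in a mail profile directory accessible to group or other users and strips those permission bits. The directory layout and file names are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Any permission bit granted to group or others exposes stored mail or credentials.
NON_OWNER_BITS = stat.S_IRWXG | stat.S_IRWXO


def audit_mail_store(root):
    """Return [(path, mode_string)] for entries under root accessible to non-owners."""
    candidates = [root]
    for dirpath, dirnames, filenames in os.walk(root):  # symlinked dirs are not followed
        candidates.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    findings = []
    for path in candidates:
        st = os.lstat(path)  # lstat: judge the entry itself, never a link target
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode bits carry no access meaning on Linux
        if st.st_mode & NON_OWNER_BITS:
            findings.append((path, stat.filemode(st.st_mode)))
    return findings


def restrict_to_owner(root):
    """Strip group/other bits from every finding; return the paths changed."""
    changed = []
    for path, _ in audit_mail_store(root):
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~NON_OWNER_BITS)
        changed.append(path)
    return changed


def build_sample_profile():
    """Constructed sample: a fake profile with one exposed mailbox file."""
    root = tempfile.mkdtemp(prefix="mailprofile-")
    os.mkdir(os.path.join(root, "Mail"))
    layout = {"Mail": 0o755, "Mail/Inbox": 0o644, "saved-passwords.db": 0o600}
    for rel, mode in layout.items():
        path = os.path.join(root, *rel.split("/"))
        if not os.path.isdir(path):
            with open(path, "w") as fh:
                fh.write("constructed sample data\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    profile = build_sample_profile()
    for path, mode in audit_mail_store(profile):
        print(mode, path)
    print("fixed:", len(restrict_to_owner(profile)))
```

File permissions only protect against other accounts on the same machine; someone with physical access to an unencrypted disk can still read the files, which is the device-security dependency the answer describes.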
The security of the email would largely depend on the security of the physical server storage, and not so much on the client access mode (web or IMAP, etc.). The connection mode does little for the overall security as most breaches take place on the server side (probably close to 99%), and not while email is in transit.
For any meaningful security you additionally need to use encryption for email storage. The best would be to have each message encrypted on the client side with its own set of keys, with the private key never leaving the sender's computer in plain form. There are several solutions that provide such strong security. I would look into PGP email solutions or http://cryptoheaven.com
However, a solution with connection layer security such as POP3S / IMAP SSL / SMTP TLS for the client connections does provide the appearance of security for an average consumer, but does not offer much real protection.
Accessing email via unencrypted protocols such as HTTP, POP3, SMTP or IMAP is equally "unsafe" (e.g. any intermediate router between your PC and the final destination may read your data in the clear).
Accessing email with HTTPS is a good solution (like with Gmail, for example). With an email client such as Thunderbird, access to a mail service via protocols like POP3S or IMAP SSL and SMTP TLS is also secured (encrypted between your PC and the destination).
For sure, the safest way is to encrypt the mail itself, with GnuPG for example. Even when using an unencrypted protocol such as POP3, nobody except you and the person you emailed with PGP or GnuPG may read the content of the mail.
To make a long story short:
- easiest way: use email services with POP3S or IMAP SSL and SMTP TLS
- second choice, if your email provider does not use an encrypted protocol: encrypt your mail with GnuPG
- "Parano" way: do both! ;)