if I have to check email on an untrusted shared machine, I can redirect it to a low value gmail account with low value password and read it from there. It still is not a perfect system, e.g. because some of the emails that can end up accessible from there may be too high value for the situation, but, well, it’s better than nothing.
Now, if I want to respond to emails so received or in general send emails from my high value account (or, “as if” from it) it seems that I am SOL. So for the time being I am forced to use the low value one for this purpose, which inter alia may mean gradual creep of it towards the high value, primary email category. And generally I think it’s a bad thing all around.
Anybody knows an existing solution to the dilemma? Or is this a potential market niche screaming for a good hard implementation?
If you are using an untrusted machine, any email you read or write on that machine is always going to be potentially vulnerable. You have no reasonable way of ensuring the machine operator has not installed an auditing/logging tool on the local machine to capture the contents of emails. I don’t see how it much matters which account you are using to read/write the emails; either way, the email content is potentially exposed to the machine operator.
If you are worried that someone will somehow obtain your email account password and start sending out spam by impersonating you, they can do this anyway without your email password. Email From: fields are not validated, so anyone can put anything they want in the From: field of their email messages. There are mechanisms that attempt to validate the From: field during transport, but these mechanisms are not widely implemented. If you need to assure recipients of your emails that those emails in fact came from you, you need to implement a digital signature and instruct email recipients to treat messages from you as valid only if they contain your valid digital signature.
I am trying to send email as if from my high value account without using my high value account password on an unsecure computer.
I am aware of the possibility of hostile monitoring of email texts being downloaded and read on the unsecured machine. This is not what the question is about.
As mentioned, if you can edit the headers of the email you are sending you could make it look like it’s coming from anywhere you want. I doubt (though I could be wrong) that Gmail or any other webmail program will assist you on this matter, so you’d have to get some dedicated client like MS Outlook and configure it appropriately.
You could set up a password-protected page on your own web server that has a form for mailing, into which you input the to address and the message, and the form posts to a script that uses server-side variables of your email address, password and SMTP server and uses that info to send the email.
Someone out there has nothing better to do than wait around for you to send an email from your high value account so they can jack your password? Find this person, kick them in the nuts and send your email while they’re writhing on the floor in pain.
Assuming that’s not an option, if this dirty computer has a modern browser you can put it into private browsing mode which will keep your session secure and which does not cache the data you enter. But that method depends on how much you trust Mozilla or Microsoft or Google’s abilities to keep their browsers secure against people with too much time on their hands.
What SmartAlecCat said. The high-value password is only stored on Google’s servers in this case.
What others said about faking the from: address. You don’t even need the high-value password in this case.
Enabling two-factor authentication in Gmail. This will make Gmail text or call you a secret, one-time-use code that you must enter IN ADDITION to your password to login. In other words, somebody would have to both know your password and have access to your cell phone to read your email.
Setting up your own one-time-use system (programming ability required) that syncs with your Gmail via IMAP or manually through POP3/IMAP and then generates one-time-use-passwords that you carry around with you (in your head, on a cell phone, on a piece of paper, whatever). Each password expires after one use and you move on to the next. ETA: Somebody’s done this and made it open-source: gmail-otp
You don’t need too much time on your hands to install a keylogger on an unsecure machine. You just need to be a son-of-a-virtuous-lady, and such folks are probably not in short supply.
The one time passwords sound like an obvious solution and I am happy to see that they are already implemented, but I do have to wonder if that is the best that cleverness and technology could yield nowadays. Sending email happens a lot, and replacing the password every time does not sound like fun.
ok, on second thought if the one time random string passwords were pre-generated in a secure environment and then stored in a mobile device or a small notebook and if Gmail were to allow me to switch between them as I am using them up without actually typing in the next one, that would work. It seems that gmail-otp is something along these lines.
That still would not eliminate the whole unpleasantness of exposing the high value email account to an unsecure computer even for a short time and even with a temporary throw-away password. But that could be a start. Next natural step would be introducing various pre-set restrictions on what I can and cannot do with the high value account while using an unsecure machine to keep the possible damage on compromise to a minimum.
Hmm, I can name a few projects here http://www.googlelabs.com/ that sound less useful than making gmail accounts safer in untrusted environments. Oh well, so it goes
Combine the two. Using filters, you can selectively and automatically forward messages to the secondary account. Then enable two-factor authentication on the secondary account and add your primary as a “Send As” account there.
Google doesn’t need your password. It fakes the from address. Though perhaps the word ‘fake’ is a bit strong – it does it with your knowledge and consent and includes enough headers that a recipient could determine it too.
