2

We are generating emails which contain links to images: our client's branding, images showing other products offered by the client etc.

What are the security pitfalls if these links in the emails are src="http:// rather than src="https://? Should links to images contained in emails be secure?

Note: The emails would be generated from our secure webservers. The images would be hosted by the client on one of their webservers.

alecxe
  • 1,565
  • 5
  • 19
  • 34
Paul H
  • 71
  • 1
  • 3

4 Answers4

1

I would say yes. While an eavesdropper (in either case) can still see what server they are connecting to and therefor infer that they have some interaction with your company, you deny them at least some minor insight into what that interaction is.

Really what it comes down to is that you'll be exercising a best practice, that is to say using SSL when linking to your website. Consider it secure communication hygiene.

chao-mu
  • 2,801
  • 18
  • 22
  • 1
    While it would not pointless to do this I don't see the benefit when anyone can use link to those images also. Now your talking about spoofing email that has https links in it. – Ramhound Jun 20 '12 at 10:58
  • What does spoofing emails have to do with anything? – chao-mu Jun 21 '12 at 01:16
1

To follow up on Ramhound's comment on chao-mu's answer, using https links eliminates one attack vector -- someone who has access to the communication between the client's MUA and the server will not be able to see the content of the images.

However, the value of this is somewhat debatable if the image must display without user authentication (which would normally be the case for an email).

Email itself is transmitted over SMTP. Many SMTP links are SSL/TLS encrypted, but not all are. Therefore, if the client's MTA, or another SMTP server along the path, is not configured with SSL and the attacker therefore has access to the plain email, he can simply extract the https links and access them directly to determine the content of the image.

Furthermore, if the email is a "bulk" email, then one can assume that the image links will become "well known" and so any security added by https is effectively moot.

Using S/MIME or OpenPGP would be useful to encrypt the email end-to-end, and would work well in combination with email that includes https image links.

Community
  • 1
Raman
  • 111
  • 3
1

As a generic point: the email is not secure; in particular, it is not encrypted, not when stored, and (possibly) not when transferred either. If the gods smile upon you today, a given email may be encrypted when it is sent (the SMTP servers involved in the transfer may opportunistically use TLS encryption, and the recipient may download his email through an SSL/TLS-powered protocol like IMAPS). However, it is hard to get guarantees on that subject. Moreover, the email will be stored as is (unprotected) on the mail server's disk, and copies may be kept for some time on the intermediate servers' hard disks.

Therefore, the email contents, including the URL pointing to your extra pictures, cannot be considered "very secret". If the attacker is intent on being able to access these pictures, then he will, regardless of your use of HTTPS or not for the said pictures.

Correspondingly, your question makes any difference only against low-grade attackers, or attackers who are limited to eavesdropping on a specific portion of the network. Against those, HTTPS for the extra pictures may be useful if the pictures have something to hide; that is, the contents of the pictures are confidential, and/or the URL used to retrieve them contains some secret data (anyway, if the URL is guessable, then the picture will not remain secret for long; but the picture could be inherently public while the URL could contain something private like a password-like field).

Applying HTTPS will not harm your security (compared to not applying it), but it may imply a higher load on the server, not because of the encryption overhead (which is small, much smaller than usually considered), but because HTTPS tends to prevent proxies from caching data: if you serve the same picture to one million recipients then you will have to serve it one million times when using HTTPS, whereas with HTTP you could hope for all recipients in the same subnetwork to share the same proxy-cache. As with all things related to performance, this should be measured.

Thomas Pornin
  • 322,884
  • 58
  • 787
  • 955
  • unless your proxy/cache/CDN has a copy of your certificate and then the image can be cached without issue (e.g. cloudflare) – user12345 Mar 28 '18 at 17:54
  • regarding MITM attacks hiding URLs - it is not just a protection against secrets - but also from disclosing specific interests of the viewer to sensitive or taboo information or topics (e.g. politically sensitive material, health issues, etc.) from attackers (e.g. snooping employers, governments, etc.). The initial server destination is clear to MITM - but that's it if using HTTPS that isn't broken. More reading: [Is it possible to sniff HTTPS URLs](https://security.stackexchange.com/questions/176164/is-it-possible-to-sniff-https-urls) – user12345 Mar 28 '18 at 18:13
0

The answer is: It depends.

  • If the contents of the image is confidential or private, you should use SSL (https). For instance, suppose you are a medical provider and the image contains a lab result: then yes, you should be using SSL.

  • Similarly, if the URL to the image is somehow private (e.g., it includes their SSN or something), you should use SSL. That said, most of the time you probably shouldn't be putting secrets like that in the URL anyway.

  • In most other cases, it is fine to use ordinary http.

  • One possible exception: if your site is a high-security site, like a bank or payment provider, there might be an argument for hosting images over https. Why? Well, in this situation, hopefully you are using SSL sitewide. (If you aren't, you should be!) In particular, hopefully you've configured your site so it doesn't accept http connections, or so that any http request immediately redirects to the https site. In that situation, your images should be hosted on https as well.

D.W.
  • 98,860
  • 33
  • 271
  • 588