I would like to know if it's possible to provide an email certificate (signed by a recognised CA) so the user clicking on the mailto link can send encrypted email to the owner of the cert ?
hello#gmail.com
Is there any way to do that using the mailto link or using some JS ? Given the mailto link is handled by a local email client, should be possible ?
If there is no direct way to do this, how to make it?
One option is a web form for message sending, served via HTTPS. The server-side handler of the form would compose an encrypted mail on the server and then send it via SMTP. This provides almost the same level of security as direct encryption (given that your server is secure). Unfortunately there's no other simple way to do what you want. Of course, you can put a link for your .cer file download and tell the user to download the .cer file and use it to compose an encrypted mail, but how would you deal with GMail users and mobile users? Web form is more flexible and easier to use for the sender.
You can look up what you according to the current specification can do with a mailto URL in RFC 2368. You'll see that it only refers to the construction of the mail text and headers, not their encoding or encryption. There may be extensions for some mail clients, but that's not something one should generally count on.
Furthermore, Web mail users generally will have problems with such links anyways. Thus, for a solution that has to be usable by anyone, a scheme counting on some client side program is not a good choice.
Thus, some Web form as mentioned by #Eugene accessable only via https would best serve your requirements.
Related
I'm building a web service for internal use and one feature I would like to implement is having users be able to fill out HTML forms and submit from email so that they don't necessarily have to go to the web page to use its functionality. The problem is that the web page requires authentication via nginx so a simple redirect won't work. Accessing the email account requires authenticating into Okta which is also the same creds that will get you into nginx, so is it possible to somehow pass along that information to the form?
The web page is running on flask, just in case that's important.
In short the answer is no. In most modern day mailing services such as gmail the mail will be counted as spam because you are trying to gather "sensitive" information(even if its something as simple as a name)
Trying to gather information through email is a security risk and you should do so only through your secure server
I have a site, http://foo.com. I have another site, https://bar.com. If I submit a form from non-secured foo.com to secured bar.com, is the transaction encrypted?
Example:
http://foo.com/form.html
<form action="https://bar.com/process.php" method="post">
...inputs, validation, and form happiness...
</form>
My use case is forms emailed to users that may contain sensitive information that need to be submitted to our site (which has SSL). The form would be an attachment that would be opened from their desktop for example and filled out, then submitted to our server. Is there a way to encrypt that communication?
I found two potentially relevant questions, which give conflicting answers:
Secure Cross Domain Form Submission
[yes, it is secure, but] Not inherently secure. The SSL on the host is not relevant, the SSL on the third party server is. However you must set the post to "https://..." rather than just "http://", it isn't enough for it to be a "secure server" you have to invoke it securely.
Securing Forms submitting to a diffrent domain
One simple way is to use HTTPS and but thats as long as both can be HTTPS. They must also both have SSL certificates.
Since the form is going to be posted to a secure server https://bar.com/process.php, data will be encrypted along with the request. On the other hand it wouldnt be secure even if the form had been hosted on a secured https://bar.com/form.html but had been posted to a non secure http://foo.com/process.html
Here's excerpt from the article "Sending form data" on Mozilla Developer Network
Note: It's possible to specify a URL that uses the HTTPS (secure HTTP)
protocol. When you do this, the data is encrypted along with the rest
of the request, even if the form itself is hosted on an insecure page
accessed using HTTP. On the other hand, if the form is hosted on
secure page but you specify an insecure HTTP URL with the action
attribute, all browsers display a security warning to the user each
time they try to send data because the data will not be encrypted.
ref: Sending form data: MDN Article
Yes, it is encrypted. No, it is not secure.
The reason being is that the user has no assurance that the form is secure. A Man-In-The-Middle could have intercepted the response from http://foo.com and changed the form to:
<form action="https://evil.example.com/process.php" method="post">
...inputs, validation, and form happiness...
</form>
and the user would be none the wiser that they were sending insecure data until after the horse had bolted. evil.example.com may redirect back to https://bar.com to decrease their chances of detection.
Bottom line: Always place sensitive forms on HTTPS pages. This gives assurance to the user that their submitted data will be safe in transit.
Usually, when you send an e-mail (with Thunderbird or Outlook), you don't send it directly.
example: I have a gmail address and I want to send an e-mail to a myopera address. The process will be:
user->gmail server(gmail-smtp-in.l.google.com)->myopera server(in1.smtp.messagingengine.com)->final user who'll download it's email with pop/imap.
One of the inconvenient is the size: Imagine you have attachment of 50Mb: the limit of myopera is 60MB; but the limit of gmail is 25MB,So the mail will be refused whereas it would be accepted if it was send directly to myopera.
But I saw with telnet that, it is possible to send mail directly with SMTP commands.
I want to write a client-side Only web application which would convert a mail in a set of SMTP commands for sending it. I should be very basic and not support encryption
I don't know how to create a TCP connection from a client, so, here's my questions: Does a library already exist? If not, what I should use? I've read about the existence of WebSockets but that Ajax would be more universal.
Also, most of the actuals implementations of WebSocket I saw, don't work in my latests versions of web browser despite the fact they 'support it'. There's also the raw Socket API from the W3c (I've no idea of the web browsers which actually support it).So, I would like to not avoid statements telling it is impossible to create near raw TCP/UDP session. Since it is possible, I can't imagine nobody created a kind of library for dealing with protocols
You should take an alternative route.
If i had that issue i would still use a server side component of some sort, and just have the server contact to receiving mail server directly.
Given the email: "someuser#somedomain.tld" you could do a DNS MX record lookup on "somedomain.tld" and find the receiving mail server say "mail.somedomain.tld", then you could tell your mail send component to send the email directly to "mail.somedomain.tld", that way you would have an immediate feedback on whatever the mail went through or not.
For Objective-C you may use https://github.com/jetseven/skpsmtpmessage
By looking at the source you see how SMTP works.
I want to set up a project page on GitHub, so that it acts as a live site.
The site would require an API sid & token (both just long strings of text) that, in a self-hosted environment, the user would just add to the config file.
If I host this through GitHub project pages, users will supply their sid/token through a form. The page with the form will need to be served over SSL so that the sid/token aren't transferred as cleartext. The problem is that GitHub project pages don't allow SSL.
So, if I can find another secure way to take input through a form aside from using SSL, then I can host this whole thing a hosted service through GitHub project pages.
The project would be open source, so I don't expect any sort of encoding/hashing scheme to work, since the methods would be public.
The sid/token are being used in curl calls to an API which is sent over SSL. Perhaps there's a way to direct the form input directly to that SSL URL instead of having it go through the non-SSL GitHub project page...
Any ideas?
You can just give the action attribute of the form the HTTPS URL of the target script, if that's possible.
You could also use some kind of Challenge-Response encryption/hashing scheme using Javascript. The algorithm for that would be something like this:
Server generates unique, random token, saves it and sends it to the client along with the form HTML.
On the client side, Javascript intercepts the form submission and hashes the sensitive form data with the server-generated token as a salt.
Server can now check whether the hash is equal to its own calculated hash value
HOWEVER
A man-in-the-middle attacker with the ability to modify traffic (for example through ARP poisening, DHCP or DNS spoofing) could always strip all your client-side protection mechanisms from the served HTML. Have a look at SSLStrip for a tool to rewrite HTTPS URLs to unsecure HTTP URLs on the fly. The challenge-response could be defeated something like this:
Save token sent by the server, remove the Javascript from the HTML form.
As the form submission is not intercepted now, we get the raw input data.
Hash the data using the same algorithm that the Javascript would have performed.
Thank you for all the fish.
You see, an intercepting attacker can probably defeat any defense mechanism you try to make up.
I have a web application, written in PHP, where we have a couple of files that regularly needs to be sent to multiple recipients. The client wishes to have the mail conversation in their mailbox, so the web app should not send the e-mails itself. Is it possible, and if so how, to do the following:
Create an e-mail with multiple recipients
Add text to the subject and body of the e-mail
Download and attach a zip file which is available on the server
The mail client in question is Outlook - I'm unsure of the exact version.
I'm open to suggestions on which technology to use for this - the client mentioned Visual Basic but I'm unsure of how I could use that on the client side of the web app - or if it's even appropriate.
Assuming that the client want's to send that by hand, you can do all that by using the mailto: in an tag and "&attachment=". The only problem is that attached files need to be localy accessable. If they are not, they are not attached. Exact syntax specifications can be found here: mailto: Syntax
If you have imap access to the customers mail server you could use php imap mail and php imap mail compose to create a email which will just show up in your customers sent email folder.
Also I there is a MIME Message class, where the author claims that it can create and save an email as an .eml file. MIME Class
This is theoretically possible, but only with IE on the client side, and with other limitations and tribulations.
How about a different approach: Have the web server send out the E-Mail, and send a copy into the client's mailbox. Mark the copy with a special header or something, and add a rule in the client's Outlook to sort mails with that header into a specific folder.