Steve Lamb's Blog

Security Matters

Should I use Outlook Web Access (OWA), Gmail, Hotmail or other webmail from a cyber cafe?

Absolutely NOT unless the information in your messages and contacts is already in the public domain!

Don't get me wrong - OWA provides an excellent webmail system.

My point is that if you don't have a reason to trust the client machine you shouldn't view/access or enter sensitive information, as anything you see/type can be stolen by a malicious third party. Using multi-factor authentication (aka "blinkin' tokens") and HTTPS/SSL only protects the transport (and authentication of the parties).

I am staggered at the number of organisations who allow (and encourage) their employees to access corporate information from unmanaged machines!!!!

There ARE cyber cafes who are very good at ensuring the security of the client machine - it's a differentiator - however the VAST majority of cyber cafes do not provide this assurance.

  • Hmmm... not sure that I entirely agree.  I mean - it depends on the sensitivity of the information.  I wouldn't think that the average business or would have a lot of sensitive information that was at serious confidentiality risk through this scenario.  Sure - you wouldn't want to publish that info, but it is unlikely that the agent/individual who compromises the data from the public terminal would have any interest in it or any particular use for it.

    I would, however, insist that any access from a public terminal require two-factor authentication as the password itself is sensitive enough material to worry about it being compromised.

  • Hi to you guys, I'd like to ask you a question. Is that OK?

  • Edgar> of course - go ahead

  • Steve, are you saying that you believe that it is inherently insecure and putting a corporation at risk if they _are_ using multi factor "blinkin' tokens", as you put it, to access corporate data/apps? It wasn't 100% clear from your post. And if so how does this differ from the "TS Web Access/TS Gateway" solution presented at the recent TechNet sessions that yourself and James O'Neill gave? Thanks

  • Going one step further - should we ever trust a client machine which we don't physically own? The best HTTPS and SSL security layers can't stop a device-level keylogger.

  • Matt> I'm saying that if the client machine is compromised then strong authentication and transport (SSL) won't save you.

  • Ian> absolutely not for exactly the reason you state - there are a multitude of ways your I/O can be compromised on an unmanaged machine

  • As I've explained before I like to do mail in the morning before I leave the house. Finding myself running

  • I wish to import my current contacts list and mail from Outlook 2005 folders to OWA.

  • I wish to import my contacts list and mail folders from existing Outlook 2005
