Chapter IV

Admin sees everything. Web tools.


Modern web email clients are convenient, fast, functional and look good. For this reason many users do not even consider using standalone tools for working with their email.

What most users do not understand is that while the Internet privacy, in general, exists only as a discussion subject, using web tools for email strips one off the last defense in holding on to any secrets.

So why use them? Well, these tools are still very convenient and centrally managed. Changing a computer does not change your address book, email box content, the looks of the system, etc. It also allows you to access your email from a work computer on which you are not allowed to install any software. Although, these days our mobile phones successfully took away the need from doing this (smartphones and email encryption will be discussed in another chapter).

Having said all that, does it make sense to discuss these tools? I guess it certainly make sense to talk about the conditions when they are both convenient and secure (for the user). We’ll talk about two types of tools allowing email encryption when using a web client – web-only and hybrid – the latter, allowing to use the web access while holding the encryption keys and running the encryption locally, on your computer.

At the end of the chapter we’ll explain how it is possible that the admin sees everything… well, everything that matters. Later… for now take it for granted.

Web-only tools

Before presenting an example system let’s define when using encryption on a web-only email client is safe and protects you from eavesdropping.

    when you manage your email client. Remember, the website presenting your email is only a client, it is not the email server. So what one can do is to build a private web-service – on a server at home, on a server rented from one of the cloud providers, or in a virtual machine on your computer, or simply a background process. Of course, the installation of such a tool, implies a number of pre-requisites, like a web server, the OS behind it, security systems, firewalls, etc. So in general let’s consider it an advanced subject. (You can also request the set up from an experienced IT professional and then take over, change all access routes and manage the system yourself from now on.)
  • when you trust your admin. Hahahaha! No, seriously. This is the Internet, you don’t have any friends. A trusted administrator in a company network, will dutifully keep your email safe and make sure you’re the only one that reads it until they’re told otherwise. A public email provider like Google or Yahoo! won’t even be located close to the word “trusted”.

Without unnecessary details, one web-based email client that provides encryption and key handling capabilities is Roundcube – It is a free, lightweight and simple to configure software package that allows you to connect to any email service through IMAP and SMTP just like Thunderbird.

Someone that goes on installing it will most likely do that along their own email server. But that comes with another set of complications and is not always possible, when using a private, home Internet connections.

Hybrid systems

Yet, web email users are not all lost. One software package that provides email encryption for this case is called Maivelope – It comes in a form of a web-browser plugin.

It is a package that enriches your browser with a toolkit that processes encryption on your local computer, while presenting the results embedded in the user interface provided by your webmail provider.

The downside of this system is that it ties the configuration to your installation of the web browser, therefore, taking away all the goodies related to accessing your webmail from anywhere. It won’t work with all webmail systems, nor with all web browsers. However, the main players are covered.

The upside is that the encryption and decryption does not reach the email, or webmail server, so you’re data is protected.

As for the configuration, it is similar to Enigmail in Thunderbird and requires the same encryption engine to be present on your computer.

Admin sees everything

Let’s go back to the web only systems. Even though the communication channel between your browser and the web server is encrypted, there are two places where the data flying through this channel is accessible.

  • just before your browser sends or receives the data
  • just before the web server sends or receives the data

The data, we’re concerned about is your password and your email cipher.


When you send your password to log in it is received by the server, processed (hashed) and then compared to the entry present in the database to confirm your identity.

Yes, it is first received and then processed. An admin can have the web server store the password before processing. We do not worry about it that much, because an admin does not really need your password to access any information. But think of this: How is it possible that Internet service providers periodically produce statistics of trivial passwords if those are only stored in a safe, encrypted, hashed or whatever else form?

Encrypted email

When you use encryption in a web-only service you need to understand what the web server really does.

Everything presented in your browser window (a system with Mailvelope installed is indeed an exception to that) has first been generated by the web server. So when you see your email cipher, it means that the server read it, placed it withing the website interface and sent to your browser. When in next step you request the decryption, the server performs the calculations, generates the text and again sends it to your browser.

The admin can request the server to store anything that it generates before sending to you. It’s one of reasons for which web-only email encryption is not considered safe.

There are plenty more, like JavaScript attacks. These happen often when using a web browser at a random Internet shop or a computer infected with a virus or malware. JavaScript is a programming language that historically was designed to execute code within your browser. When unauthorized, hidden code is executed inside a dodgy browser, it can do a lot of harm to (or with) the content that the browser is presenting.

End of Chapter IV