A Framework for the Implementation of Secure Bare-Based Web-Email System


GSTF Journal on Computing (JoC) Vol.4 No.3, October 2015
DOI 10.7603/s40601-014-0018-4 (also cited as DOI: 10.5176/2251-3043_4.3.333)
Patrick Appiah-Kubi, Anthony Tsetse, and Alae Loukili
Received 29 Jun 2015; Accepted 27 Jul 2015
©The Author(s) 2015. This article is published with open access by the GSTF

Abstract - Webmail systems have been developed for different OS-based platforms. These OS-based systems present their own benefits and threats. Frameworks and white papers for developing these systems are available, but there is no specific framework available for the implementation of such systems on a Bare PC. Implementing such systems on a Bare PC poses daunting challenges and innovative opportunities that are revolutionary in server design. Building such systems for security could be even more challenging. Secure Webmail systems are complex, large and require intricate components to develop. As a result, a lean system was developed for this research. The lean concept also helps to build a small protocol suite, intertwining of protocols, a limited requirement space, simple user interfaces and minimal design options. The paper provides a detailed framework for the design and implementation, the experimental setup and the results of the experiments conducted. Performance is evaluated by measuring the processing time, throughput, CPU utilization and load distribution. The results show that the performance of the Bare PC Webmail server is significantly better than that of the OS-based servers.

Keywords - Bare PC; Application Object; HTTP; PHP parser; TLS; SMTP; Operating system.

I. INTRODUCTION

Webmail is a web-based email service that allows users to access their email through a web browser instead of using desktop email clients (such as Microsoft Outlook, Pegasus Mail, Mozilla Thunderbird and Eudora). It allows users to access their email account from any Internet-enabled device located anywhere, unlike an application-based email system. A conventional secure webmail system uses protocols such as the simple mail transfer protocol (SMTP), the post office protocol (POP3) or the internet message access protocol (IMAP), the hypertext transfer protocol (HTTP) and transport layer security (TLS) to exchange messages. These protocols provide independent services to ensure email exchanges. Figure 1 presents a pictorial illustration of email exchanges between the various email services.

[Figure 1: Conventional Email Exchanges. Components shown: user mail agent; HTTP/TLS request to the Web server / Mail Agent; SMTP/POP3 server; SQL queries to the Database.]

In situations where dynamic HTTP requests are sent to the Webmail server for processing/parsing, coupled with a secured request using static or dynamic TLS, the complexity of the Webmail system increases significantly. The design of the Bare PC-based web-email system was a result of experience gained in developing the Bare PC TLS, HTTP, SMTP and POP3 protocols. A Bare PC Web server interfaces with any commercial client, adhering to the client requests and their interfaces. It does not have any control over the client user interfaces. The Bare PC webmail system developed is well suited to the Bare PC environment, as the functionality and complexity can be dealt with at the server level. This is because webmail servers generate and serve all Web pages to the client, thus allowing the designer to control the design of the system.

The Bare PC webmail architecture is based on threading techniques, delay/resume lists, and task stack mechanisms to provide efficient memory utilization and process control. It contains its own data execution knowledge and control, and does not require any other software support to run. Currently, the Bare PC Webmail system runs on Intel Pentium 4 (or above) based PCs and only requires common general-purpose hardware, including USB-based bootable devices, network interface cards, and USB-based persistent storage. The system is also not vulnerable to attacks targeting an underlying OS. Bare PC applications are built to be secure since all underlying OS vulnerabilities are eliminated at the design level. The TLS protocol added to the design enhances security when sending and receiving messages. Since a Bare PC server application is self-supporting, it is unlike its OS-based counterpart that relies on services provided by the OS. For example, a Bare PC server application contains lean versions of the necessary protocols, manages memory, schedules tasks on the CPU, and directly accesses the underlying hardware.

Furthermore, the application layer and transport layer protocol code is intertwined within the code for the server application. There is no socket interface for applications in a Bare PC server, and the intertwined parts of the code and the underlying task structure can differ from application to application. Protocol intertwining reduces inter-layer communication overhead compared to a conventional OS-based TCP/IP protocol stack, but complicates the design and implementation of the server. Bare PC applications do not use a local disk (they only require detachable mass storage). The application directly communicates with the hardware (in this case an x86-based CPU). This approach can be used to build pervasive devices, gateways, routers, or sensors that host small, efficient Bare PC applications.

The paper is organized as follows: Section I is the introduction, II covers related work, III covers architecture and design, IV covers experimental analysis and V is the conclusion.

II. RELATED WORK

The first attempt to minimize operating system (OS) functionality was proposed in the Exokernel[1][2] architecture, where minimum OS functionality was used to obtain core processes such as kernel system processes. Studies such as Microkernel, OS-Kit[3], Bare-metal Linux, IO-Lite[4], Tiny OS[5] and other approaches have tried to reduce the interaction with the OS or bypass the OS to gain efficiency in the system. In [6], Linux is used to enable direct communication with the hardware by reducing the OS reliability. More recently, sandboxing techniques on x86 systems[7] have extended OS kernels, allowing applications to run guest plug-ins on the host OS. However, none of the above proposed techniques propose a complete elimination of all OS support, except for the Bare PC paradigm. The strength of Bare PC applications is derived from their simplicity, smaller code, design by obscurity, design for longevity, and inherent security. The Bare box can be used to run a variety of applications. The Application Object (AO) is self-contained and belongs to an owner, and it can be made secure at the AO level. As AOs are application-centric, they do not require all the OS components needed in today's OS. Only the necessary hardware interfaces and controls are included in the AO, thus making the AO small in size and simple in design and development. An AO may constitute a single application such as a Webmail server, or it may consist of composite applications including a Webmail server, a Web browser and a text editor. Applications like the Web server[8], Email Server[9][10], VoIP[11][12] and TLS on a web server[13] have been built on the Bare PC, and these applications demonstrated significant improvements in performance compared to other commercial systems. These applications uncovered the unique features of the Bare PC architecture and served as the basis for the design and implementation of the Bare PC Webmail Server.

Current Webmail systems such as Atmail[14], Petmail[20], MailTraq[15], Axigen[16], Afterlogic[17], Squirrelmail[18], Facemail[19], icewarp[21] and Hexamail[22] all focus on OS-based systems. Some of these systems are designed for high performance, while others such as Cisco's Webex[23] are designed for high reliability and availability. Techniques to improve the performance of the Open Webmail system are discussed in [24]. An email server architecture, which is based on a spam workload and optimized with respect to concurrency, I/O and IP address lookups, is shown to significantly improve performance and throughput. The design and implementation of an email pseudonym server providing anonymity to reduce server threats is capable of reducing risks due to OS-based vulnerabilities. Some performance and design details of Webmail systems are described in [24]. The security aspects of Webmail systems have been studied by many authors [25][26]. Webmail systems use the HTTPS/TLS protocol to protect email messages in transit. However, all existing TLS-capable Webmail systems are OS based, and there is no TLS-capable Webmail system that runs on a Bare PC. There are alternate approaches to email security. S/MIME [25] provides encryption, authentication, message integrity and non-repudiation for MIME messages exchanged between users (i.e., end-to-end). The design and implementation of a secure email system that provides encryption and signing, and additional features such as elimination of spam and prevention of harmful attachments, is described. The implementation of a secure Webmail system that uses CallerID for access is discussed in [26].

Operating System (OS-based) systems are based on some sort of centralized resource manager or controller to provide hardware abstractions to applications. The Bare PC, previously referred to as dispersed Operating Systems computing (DOSC)[27], proposes an extreme end of the OS spectrum for building computer applications, where there is no centralized resource manager or controller running in the machine. Applications[28] in a Bare PC directly communicate with the hardware (no need for abstraction layers), and the computer is made bare (no hard disk, no resident software, except BIOS).

[Figure (architecture diagram; caption not present in the extracted text). Recoverable labels: ETH, IP, TCP, NIC RCV Driver Task, POP3 Object, SMTP Object, HTTP Object, TLS Object, TCP Table (TCB) (Migratory Entries), Resume, STD, Running.]