Sunday, May 03, 2009

Worries about sending confidential mail to someone's Gmail address

Recently we had a conversation within our circle of friends at the office. It was shocking to note that there is an unnoticed flexibility (we would call it a bug, but a software company like Google calls it an application flexibility) which poses a threat to our security and confidentiality: a 'dot' in the account name of a mail ID is ignored when the receiver's address is validated.

For example, suppose you have the Gmail ID Bob.James@gmail.com and another person has the mail ID BobJames@gmail.com (the Gmail answer below says it is not possible to have two mail IDs like this in Gmail, but that it is possible in Google Apps for Your Domain, the paid service Google offers). Then both are considered recipients when someone sends mail. When one of your friends sends a confidential mail to Bob.James@gmail.com, BobJames@gmail.com will also receive it. Google just provides a simple link near the name, "(Yes, this is you.) Learn more", and escapes from any issue.

Excerpts from the link:

Your address is similar but has more or fewer dots (.) or different capitalization.

    Sometimes you may receive a message intended for someone whose address resembles yours but has a different number or placement of dots. For example, your address might be homerjsimpson@gmail.com, but the message was sent to a Homer.J.Simpson@gmail.com. What's going on?

    Gmail allows only one registration for any given username. Once you sign up for a particular username, any dot or capitalization variations are made permanently unavailable for new registration. If you created yourusername@gmail.com, no one can ever register your.username@gmail.com, or Your.user.name@gmail.com. Furthermore, because Gmail doesn't recognize dots as characters within usernames, adding or removing dots from a Gmail address won't change the actual destination address. Messages sent to yourusername@gmail.com, your.username@gmail.com, and y.o.u.r.u.s.e.r.n.a.m.e@gmail.com are all delivered to your inbox, and only yours.

    If you're homerjsimpson@gmail.com, no one owns Homer.J.Simpson@gmail.com, except for you. Sending mail to Homer.J.Simpson@gmail.com is the same as sending mail to homerjsimpson@gmail.com, or even HOMERJSIMPSON@GMAIL.COM. If you're getting mail addressed to Homer.J.Simpson@gmail.com, most likely someone was trying to send a message to Homer.J.Sampson@gmail.com, or Homer.J.Simpson1@gmail.com, and made a mistake. You might even get messages from mailing lists or website registrations because the intended recipient accidentally provided the wrong email address. In these cases, we suggest contacting the original sender or website when possible to alert them to the mistake.

    For security reasons, when you log in to Gmail, you must enter any dots that were originally defined as part of your username.

    Note: Google Apps recognizes dots. If you'd like to receive mail with a dot in your username, please ask your domain administrator to add the desired username as a nickname.

Here is the full link: http://mail.google.com/support/bin/answer.py?hl=en&ctx=mail&answer=10313
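The rule quoted above can be applied when checking a contact list or a sign-up database for addresses that reach the same inbox. The following is an added example, not part of the original post and not Google's code; the names `canonical_mailbox`, `group_by_mailbox` and `DOT_INSENSITIVE_DOMAINS` are hypothetical, the sample addresses are constructed, and `example.org` stands in for a Google Apps domain where dots are recognized.

```python
from collections import defaultdict

# Domains where, per the quoted help text, dots in the username are ignored.
DOT_INSENSITIVE_DOMAINS = {"gmail.com"}


def canonical_mailbox(address: str) -> str:
    """Return the mailbox an address is delivered to under the quoted rules."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()  # domain names are case-insensitive
    if domain in DOT_INSENSITIVE_DOMAINS:
        # Gmail: dots and capitalization do not change the destination.
        local = local.lower().replace(".", "")
    # Any other domain (a Google Apps domain included) keeps its local
    # part as written, because dots are significant there.
    return f"{local}@{domain}"


def group_by_mailbox(addresses):
    """Map each mailbox to the spellings that reach it, where more than one does."""
    groups = defaultdict(list)
    for addr in addresses:
        groups[canonical_mailbox(addr)].append(addr)
    return {box: seen for box, seen in groups.items() if len(seen) > 1}


# Constructed sample input: a contact list with several spellings.
SAMPLE = [
    "Bob.James@gmail.com",
    "BobJames@gmail.com",
    "HOMERJSIMPSON@GMAIL.COM",
    "Homer.J.Simpson@gmail.com",
    "Homer.J.Sampson@gmail.com",   # a different user, not a dot variant
    "bob.james@example.org",       # stand-in Google Apps domain
    "bobjames@example.org",
]

if __name__ == "__main__":
    for box, seen in group_by_mailbox(SAMPLE).items():
        print(f"{box} <- {', '.join(seen)}")
```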

Learn more about the problem at: http://www.softpanorama.org/Skeptics/IT_skeptic/IT_obscurantism/misunderstanding_of_issues_of_security_and_trust.shtml
