An incredible new Gmail feature, “Confidential E-mail Mode” by Google, looks to be one of those wonderful surprises that will be catching people off guard in a bad way.
Here is how it works: you send an email using Gmail, and Google puts a link in the body (and removes your e-mail content from the e-mail). The link, which only the recipient can open, opens an external webpage where the e-mail content can be read. The e-mail can be read, but not forwarded, downloaded, copied, or printed. This is probably a bad idea.
Google needs to first define what “confidential” means as it applies to their Confidential Mode e-mail. In plain understanding, it should mean that only the intended recipients are able to read the contents, because the contents are private. In practice, the email is still on Google’s hard drives, most likely still indexed by Google, and ‘deleted’ only from the sender’s and receiver’s view, but not from Google.
As a point of privacy, Google Confidential E-mail is not private and average users could mistakenly believe the Google confidential E-mail is encrypted e-mail that no one can read. The good news is that if Google is not deleting the messages from its servers, they would be available with court orders in criminal investigations.
Only one of my Gmail accounts has the Confidential Mode option, and you can send a Google Confidential e-mail to any e-mail service besides Google and it will work the same: the user clicks a link in the e-mail and prays that the e-mail is legitimate.
Perhaps the biggest issue will be the ease with which phishing campaigns will take to using Confidential Gmail, where the user has no idea of the content and cannot judge maliciousness based on content. Users will now only have the sender and subject line to determine if the e-mail is a phishing attempt. If the sender e-mail address is from a known sender that has been compromised or spoofed, then only the subject line will be available as a clue to the legitimacy of the e-mail.
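Because the recipient cannot judge the content, the one thing a mail gateway can still check on a link-only message is where the link goes. The sketch below is an added example, not code from the original post or from Google; the viewer host name in the allowlist is an assumption to confirm against real Confidential Mode mail, and the sample message is constructed.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: host(s) accepted as the genuine viewer page; verify before use.
ALLOWED_VIEWER_HOSTS = {"confidential-mail.google.com"}

# Constructed sample: a body that is nothing but a short notice and one link.
SAMPLE = ("From: alice@example.com\nSubject: Confidential: Q3 numbers\n"
          "Content-Type: text/html; charset=utf-8\n\n"
          "<p>Alice sent you a confidential message.</p>"
          '<a href="https://{host}/msg/PLACEHOLDER">View the email</a>\n')

class LinkCollector(HTMLParser):
    """Collects every <a href> target and all visible text of an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.text = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]
    def handle_data(self, data):
        self.text.append(data)

def triage(raw, allowed=ALLOWED_VIEWER_HOSTS, max_words=25):
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    page = LinkCollector()
    page.feed(body.get_content() if body else "")
    urls = [urlsplit(h) for h in page.hrefs]
    # Exact host match over HTTPS only: suffix or substring checks would
    # accept a lookalike such as "<allowed-host>.evil.example".
    unknown = [u.hostname or "" for u in urls
               if u.scheme != "https" or (u.hostname or "") not in allowed]
    # "Link-only": there is a link and almost no readable content around it.
    link_only = bool(urls) and len(" ".join(page.text).split()) <= max_words
    if not link_only:
        verdict = "normal"
    elif unknown:
        verdict = "quarantine"
    else:
        # Destination is the expected viewer; says nothing about the sender.
        verdict = "viewer-link"
    return {"sender": str(msg["From"]), "subject": str(msg["Subject"]),
            "unknown_hosts": unknown, "verdict": verdict}

if __name__ == "__main__":
    for host in ("confidential-mail.google.com",
                 "confidential-mail.google.com.evil.example"):
        print(triage(SAMPLE.format(host=host)))
```

A `viewer-link` verdict only confirms the destination host; a compromised or spoofed sender still has to be caught by the usual sender checks.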
Nothing should change related to host forensics, as webmail/Internet forensics is the same (same or more difficult depending on everything, such as if the Tor browser was used).
The big change is yet another entry point through a potentially well-crafted phishing attempt using a Gmail feature. Users can’t see the content until they click the link to open the external webpage, which will be too late. Personally, I don’t see this taking off as a widely used feature since it involves adding a step to read an e-mail. One extra button will make it useless as it will be more frustrating when it consumes three more seconds to read every e-mail sent via Confidential e-mail. As for the Confidential e-mail not being able to print or forward, taking a photo with a smartphone quickly negates the security feature of deleting the e-mail altogether (yes, I know the content may be gone, but the original e-mail metadata is still there with the original e-mail).
For the infosec folks: maybe it is a good time to make sure users don't click links in e-mails. Hey…don’t we say that already anyway? Sheesh.