Archive for security

tinkering with gmail

I should say I was a long time holdout in reading my email on a shell (unix) account. After all, all of the key features being touted on the new web based or GUI based mail readers were available twenty years ago in programs like MH (now nmh) and filters such as Procmail, both programmable and endlessly customizable. I could do back flips and front aerials with my mail while the current crop were oozing their way out of the primordial sludge.

But, I have grudgingly entered the present day world, as Gmail (and Thunderbird, but that’s another topic) have made pretty good gains and I’m not yet prepared to set up my own personal mail server on my own linux box just in order to keep using a text based set of programs which admittedly don’t handle some things such as pictures all that cleanly (although that also meant that I basically never got email viruses).

Gmail Account

For the first three years, Gmail was invite only. Now it’s open to all. Of course, all the good names have been taken ;-)

Security

First of all, for any kind of web browsing of a relatively personal nature, I recommend making sure the session stays within https connections. In grossly simple terms, the “s” on https means the connection is secured from eavesdropping. One simple way to do this is to log in on Gmail from this address: https://mail.google.com which should thereafter retain the secure connection. I like to be absolutely sure of this, though, so on Firefox, I use a simple Greasemonkey script called GmailSecure to enforce the https connection. (It’s also extensible to force secure connections on an array of Google related items.) Sorry Opera, IE, or Safari users, I couldn’t find comparable extensions for this (though an Opera widget called Gmail Checker has a feature request for this).

Second of all, as tempting as it might be to aggregate all new items into a feed reader for convenience, do NOT use a public web accessible reader such as Bloglines or GoogleReader to do so! These subscriptions become generally searchable on either service and while the full message cannot be displayed, there’s a chance that the excerpt will contain enough private information to be a problem. I came across this security hole last year, and on re-checking Bloglines, I can still find Gmail feeds hosted there. I’m at a loss as to why a feed is even offered in Gmail (or at least why not make it an option in the settings and default it off for security?) but since neither Gmail nor Bloglines have taken concrete steps in addressing this issue, I’ll put this warning down. Just don’t do RSS feeds of private email, and if you do, don’t use a public RSS reader to access them: use a personal one on a particular computer for the purpose. Oh, you wanted to be able to access the feed anywhere on the net? Then use Gmail’s web interface already, that’s what it’s for.

Notifications

There are several ways to set up Gmail notifications. Gmail itself provides small applets for Windows/Mac. The open source community has created an equivalent for Linux called CheckGmail (which is now available with some distributions, such as Ubuntu, so check the package managers first).

Opera and Firefox have various widgets and extensions that provide notification. I use the Firefox Gmail Manager which has its own notification system among much else: see below. Opera’s Gmail Checker is a small and simple widget solely for this purpose. I did not find any for Safari or IE on a cursory check.

Favorite Firefox <-> Gmail Extensions

As a Firefox user, I like to search around at Firefox Add-ons for useful extensions. The ones I use are:

  • Gmail Manager: This is an essential script to handle multiple Gmail accounts. A small notification in the bottom tray of Firefox can be configured to display the current number of unread messages in the mailbox as well as a way to simply log into each account, with minimal switching around.

  • Gmail Skins: Fun to play with; note that some of the choices result in error messages, just uninstall, reinstall and choose a different theme.

  • And of course I use the Firefox extension Greasemonkey. Saved Searches gives me dynamic folders, pretty useful. Hide Gmail Ads allows me to regain valuable real estate on my laptop where every centimeter counts.

Tips and Tricks

  • Use a draft message (start a message and then save it rather than send it anywhere) to do quick file transfers between computers. I save the item into a draft on one computer, and pull it out from my login on another computer. It’s more convenient than emailing it to myself, and few home computers have a permanent IP address for ftp transfer and the like.

  • I also use the drafts for “Notes to self” on particular emails. Sometimes I want to remind myself of things related to an email, and drafts attached to that email serve as a form of post-it notes.

  • Sort everything! Any mailing lists should be slapped with a label and archived. This way I browse mailing lists at my leisure and I’m not distracted by constant incoming email. The only thing that should be popping up in my mail account are important things that I need to attend to relatively quickly. Gmail does provide pretty good filtering and labeling and other options for incoming email.

  • Use the + feature in email addresses. Mail addressing conventions mean that addresses of the form somewhere+identifier@somedomain should be delivered to somewhere@somedomain. Not all mail providers adhere to this, but Gmail does, and this can be a trick to sort incoming email from different sources. For example, when I’m forced to use my email address for something that I suspect will spam me later, I can use something like myemail+nyt@gmail.com to see. Since Gmail has reasonable filters, this is perhaps not as useful as it might have been at the start.

  • Google itself lists several pretty cool Gmail related Greasemonkey scripts here; they’re all well worth looking at.

  • There’s plenty of creative ways to divert items to Gmail: feeds can be sent via email through Feedster or Feedburner; that way I could if I chose have a daily weather forecast or my current to-do list emailed to me.
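To make the + feature tip above concrete, here is an added example (not code from the original post) that splits a subaddressed mailbox into its base address and tag, and uses the tag to pick a label for an incoming message. The tag-to-label table and the sample addresses are constructed for the illustration.

```php
<?php
// Added example, not part of the original post. The tag-to-label table
// below is a constructed sample.

// Return [base address, tag or null]. The tag is whatever follows the first
// '+' in the local part, so myemail+nyt@gmail.com delivers to myemail@gmail.com.
function split_subaddress(string $address): array
{
    $at = strrpos($address, '@');
    if ($at === false) {
        return [$address, null];
    }
    $local  = substr($address, 0, $at);
    $domain = substr($address, $at + 1);
    $plus   = strpos($local, '+');
    if ($plus === false) {
        return [$local . '@' . $domain, null];
    }
    return [substr($local, 0, $plus) . '@' . $domain, substr($local, $plus + 1)];
}

// Pick a label for a message from the tag on the address it was delivered to.
// Unknown or missing tags fall back to the plain inbox.
function label_for(string $deliveredTo, array $tagLabels): string
{
    [, $tag] = split_subaddress($deliveredTo);
    return ($tag !== null && isset($tagLabels[$tag])) ? $tagLabels[$tag] : 'inbox';
}

$tagLabels = ['nyt' => 'newspapers', 'lists' => 'mailing-lists']; // constructed sample

foreach (['myemail+nyt@gmail.com', 'myemail+shop@gmail.com', 'myemail@gmail.com'] as $addr) {
    echo $addr, ' -> ', label_for($addr, $tagLabels), PHP_EOL;
}
// Once a tagged address has been handed out, anyone can send to it, so the
// tag is a sorting hint about where the address was used, not proof of who is writing.
?>
```

The split is done on the first plus sign only, so a tag may itself contain further plus signs; the base address is what the provider actually delivers to.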

What would I like to see?

Gmail allows multiple email addresses to be forwarded to it, and to “reply” as those emails. However, those emails are still marked in the headers as originating from that particular gmail account. I would like to see it anonymized down to at least only knowing it’s routed through Gmail. Since the extra email addresses in question are verified before being added to Gmail’s list of alternate addresses, I don’t see why that can’t be offered.

Yes, a short list. Well, if it were longer, I wouldn’t be using Gmail in the first place ;-) Most of the time if I want a feature, I can find an extension of some type for it.

Miscellaneous Issues

One of the most annoying consequences of Google having assimilated Blogger is the effect it had on Blogger accounts versus Gmail accounts. I have a different “identity” on Blogger that’s well established, but not connected to my Gmail. Now, both accounts were retained in the merger, but they do not play well together. If I am logged into my Gmail when I encounter a Blogger post I wish to respond to, and I log in to my old Blogger account, it logs me out of Gmail. I have not found a good way around this, although I have discovered that logging back in to the original Gmail account often leaves the Blogger login available on other Blogger entries that I might respond to.


wordpress update 2.1.1

Those busy folks are at it again…just installed another update. This one apparently comes highly recommended with security fixes and the like. As usual, I used Mark on WordPress’s zipped diff file. No fuss, no muss…


wordpress security and spam

So there is yet another update to WordPress (now at 2.0.7), which I urge you to go out and get. If you have 2.0.6, you can get just the diffs to 2.0.7. If you are not up to 2.0.7, I strongly suggest you do so, as many of the updates since the 2.0 release have consisted of security fixes, not just whizz-bang features.

In the same vein, akismet is up to 1.8.1 (although their website gives an earlier version number, I had 1.8.1 after updating). If you have already installed it and are just updating it, all you have to do is unpack the new version in the same plugin directory, you are already set up with your API key and everything (their faq doesn’t make it clear what is involved in updating versus newly-installing, probably because it’s so trivial).

On top of that, I use the plugin Bad Behavior for further spam killing (now at version 2.0.9). It works a charm. It’s also been pretty recently updated, so I suggest installing it if you haven’t got it, or updating it if you’re behind.


protecting email forms

Captcha

Ever had a mail/contact script hacked? There’s a couple of ways to avoid this problem. One of my favorites is to use some type of captcha program. There are several considerations though. Some of these programs can distort the image to the point where I have trouble reading it. And of course, for the visually impaired, this is a bit much (although it’s nice to see that Blogger added an audio alternative recently to their captcha script). I chose to use THaCAA - Telling Humans and Computers Apart Automatically for my latest mail script because it sidestepped some of these issues altogether (it can be seen here) and it is written in php.

I’ve been pretty pleased with this one. I particularly like that it’s text based. There’s nothing wrong with my vision, but half the time with the more typical captcha modules, I can’t make out what the squiggles are. Of course, any non-English speakers may be out of luck, but since I’m writing this in English, it’s reasonable for me.

While no captcha script is uncrackable, by any means, it seems to have been sufficient to stop the ones I’ve gotten here in their tracks. I haven’t had my other security checks (which come into play if anything gets past the captcha query) triggered so far, knock on wood. In other words, captcha makes a very good front line defense.

Installing this particular program was quite easy, following the given instructions. Once it has been unpacked into a directory on the website, I modified my mail.php script as follows:

First, include the functions and such:


<?php
  // Tell THaCAA where its data directory lives, then load its functions.
  global $textTHaCAA_datalocation;
  $textTHaCAA_datalocation='textTHaCAA/THaCAAdata';
  require_once('textTHaCAA/textTHaCAA.php');
?>

along the top of the file. Now, within the mail <form> section:


<?php textTHaCAA_ask(); ?>

and then in the form response (amongst all other applicable checks):


<?php if (textTHaCAA_answer() && textTHaCAA_hasrun()) : ?>

If it passes the above checks (plus all the other requirements I have of other form data plus security requirements), then I send the email. It couldn’t have been easier to integrate (other than the nearly unrememberable acronym itself, but that’s what cut and paste is for ;-) ). I also liked how it integrated cleanly with the page layout itself, it makes no assumptions about sizes, colours, fonts, and so on. Big thumbs up.

General security tips

Besides that, there are some standard ways to avoid problems that a malicious human (as opposed to a ’bot that can’t get past the captcha) might still present. Here are several tactics:

  1. Check the host domain name and ensure that it’s from the same domain the mail script is at. E.g., my script checks that the originating form is from k9web and not some other machine.
  2. Force the mail script to accept only POST style connections and not GET. GET potentially lets the hacker alter the variables in the URL itself. In general, no form variable that is of a sensitive nature should be modifiable this way; in my mail scripts I disallow it altogether.
  3. Accept connections only from browsers and not other agents.
  4. Check all given form values for anything suspicious. This could include mail headers (that would never be part of a general text message being sent as email) such as content type, cc, bcc, and so on.
  5. Exclude also any type of commands that might be remotely executed depending on your server. For example, because I’m on a unix server, one of the things I check for and disable is anything that looks like an attempt at a shell escape.
  6. Exclude or disable (I often simply strip out) any html in the variables. Or allow a small subset (italics, bold, blockquote) and exclude the rest.
  7. Check for issues particular to the language you’re writing the script in. For example if I’m running a perl script I will strip out any backticks appearing in values because Perl executes whatever is placed inside them as a command.
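The following is an added example, not the original mail.php, that ties the THaCAA integration shown earlier together with the seven tactics above in one handler skeleton. The THaCAA paths and function names are the ones given in the post; the site host name, recipient address, and form field names (name, email, subject, message) are placeholders I have assumed for the illustration.

```php
<?php
// Added example, not the original mail.php. SITE_HOST, RECIPIENT and the
// form field names are placeholders; the THaCAA calls are as in the post.

global $textTHaCAA_datalocation;
$textTHaCAA_datalocation = 'textTHaCAA/THaCAAdata';
require_once 'textTHaCAA/textTHaCAA.php';

const SITE_HOST    = 'www.example.com';       // placeholder: host that serves the form
const RECIPIENT    = 'webmaster@example.com'; // placeholder: where the mail goes
const ALLOWED_TAGS = '<i><b><blockquote>';    // the small HTML subset tactic 6 allows

// Return the reasons to reject a submission; an empty list means accept.
function form_rejections(array $post, array $server): array
{
    $reasons = [];

    // Tactic 2: POST only, so values cannot be edited in the URL.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        $reasons[] = 'not a POST request';
    }

    // Tactic 1: the form must have been served from this site. The Referer
    // is supplied by the client and can be forged or blank, so it is one
    // layer among several, never the only check.
    $refHost = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    if (strcasecmp((string) $refHost, SITE_HOST) !== 0) {
        $reasons[] = 'referer host is not ' . SITE_HOST;
    }

    // Tactic 3: something that identifies itself as a browser. A weak
    // signal (trivially spoofed), but cheap.
    if (trim($server['HTTP_USER_AGENT'] ?? '') === '') {
        $reasons[] = 'missing User-Agent';
    }

    // Tactic 4: header injection. A CR or LF in any field, or a field that
    // starts like a mail header, would let the sender add Cc/Bcc/Content-Type
    // lines to the message that goes out.
    foreach (['name', 'email', 'subject', 'message'] as $field) {
        $value = (string) ($post[$field] ?? '');
        if (preg_match('/[\r\n]/', $value)) {
            $reasons[] = "line break in $field";
        }
        if (preg_match('/^\s*(to|cc|bcc|content-type|mime-version):/i', $value)) {
            $reasons[] = "mail header in $field";
        }
    }

    // Tactic 5: the reply address is handed to the mailer, so accept only a
    // plain address shape; shell metacharacters never match this pattern.
    $email = (string) ($post['email'] ?? '');
    if (!preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $email)) {
        $reasons[] = 'reply address is not a plain address';
    }

    return $reasons;
}

// Tactic 6: keep a small HTML subset and strip the rest. strip_tags leaves
// attributes on the kept tags, which is acceptable for a plain-text mail body.
function clean_message(string $text): string
{
    return strip_tags($text, ALLOWED_TAGS);
}

$rejections = form_rejections($_POST, $_SERVER);

// The captcha stays the front line; it is checked together with everything else.
if ($rejections === [] && textTHaCAA_answer() && textTHaCAA_hasrun()) {
    $body    = clean_message($_POST['message']);
    $headers = 'From: ' . $_POST['email'] . "\r\n" . 'Reply-To: ' . $_POST['email'];
    mail(RECIPIENT, 'Contact form: ' . $_POST['subject'], $body, $headers);
    echo 'Thanks, your message was sent.';
} else {
    // Keep the detail in the server log; show the visitor only a generic notice.
    error_log('contact form rejected: ' . implode('; ', $rejections));
    echo 'Sorry, your message could not be sent.';
}
?>
```

The order matters: every cheap check runs before the captcha functions are consulted, and the reasons for a rejection go to the server log rather than back to the visitor, so a probing client learns nothing about which check it tripped.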

Resources

General faq on security. This document is starting to show its age (last updated 2002) but the general concepts and such laid out here are still very relevant and make a good starting point.

Specific tips for protecting mail forms written in php. Step by step example with php code supplied.

Specific tips for protecting forms written in perl. Step by step examples.

General tips on protecting web forms. This may be perl-oriented but it also has excellent general suggestions for any script writer to pay attention to plus links to other resources.


wordpress security issue revisited

OK, thanks to Brian Layman who did some additional detective work, it turns out there’s a beta release available to plug the security issue. I haven’t installed it yet since I’m not in the position of being seriously compromised by having lots of registered users or comment activity, but for those WordPress bloggers with bigger setups or who don’t want to use the workaround, there are beta versions of WP 2.0.4 (which itself looks to have a stable release out in a few days, which is what I’m waiting for). Check Brian’s article for the latest beta downloads, it looks like they’re being pretty frequently updated right now.
