Question
Is there any risk to an Activation Email?
My ASP.NET Site is set up so that a user has to check their Email and click an activation link which is made of a GUID created as their user ID in the SQL Membership Tables.
There is a third-party application that holds an Email and a not-so-secret 4-digit ID number for each potential user, so the user must use this Email and ID together in order to register an account. The account is not "approved" until they activate it using the link in the Email sent to this Email address. Only employees can set the Email and ID in the third-party application.
This site handles signing up for an Email Subscription of semi-privileged information, this site doesn't actually handle the emailing of the semi-privileged information.
Other than Social Engineering, what is the risk associated with this set up for user registration?
Explanation / Answer
The main problem is that e-mail is not a secure distribution mechanism and is potentially susceptible to intercept. It is unfortunately often the best we have available for trying to validate a user has access to the e-mail box, but shouldn't be trusted exclusively.
Many e-mail servers make no attempt to protect the contents of an e-mail in transit, and any computer or router in the path of the e-mail can read the messages. Anyone with access to that path, either through being an ISP or through a virus on the user's computer, could access the contents of the e-mail.
Additionally, unless the e-mail goes to an SSL secured website, it would be possible for an attacker to spoof the page and intercept the GUID on the way back to your server as well.
Most likely the user will be the person who actually owns the e-mail address, but you have no guarantees of that.
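The answer's concern is that the activation GUID travels in clear e-mail and can be intercepted. As an added example (not code from the question or the answer), here is a C# sketch of an activation token that is separate from the Membership user ID: randomly generated, stored only as a hash, expiring, and single-use, so an intercepted link stops working once the real user has clicked it or the lifetime has passed. The in-memory store and the `Issue`/`Redeem` names are my own assumptions standing in for a database table.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public class ActivationRecord
{
    public Guid UserId;        // the SQL Membership user ID; it is never placed in the link
    public byte[] TokenHash;   // SHA-256 of the emailed token; the raw token is not stored
    public DateTime ExpiresUtc;
    public bool Used;
}

public static class Activation
{
    // Hypothetical in-memory store; a real site would use a table keyed by user ID.
    static readonly Dictionary<Guid, ActivationRecord> Store = new Dictionary<Guid, ActivationRecord>();

    static byte[] Hash(string token)
    {
        using (var sha = SHA256.Create())
            return sha.ComputeHash(Encoding.UTF8.GetBytes(token));
    }

    // Compare without short-circuiting so timing does not leak how many bytes matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Returns the token to embed in the activation link; only its hash is kept server-side.
    public static string Issue(Guid userId, TimeSpan lifetime)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);                      // CSPRNG, not Guid.NewGuid()
        string token = Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        Store[userId] = new ActivationRecord { UserId = userId, TokenHash = Hash(token),
                                               ExpiresUtc = DateTime.UtcNow + lifetime, Used = false };
        return token;
    }

    // Validates the token from the clicked link; succeeds at most once and only before expiry.
    public static bool Redeem(Guid userId, string token)
    {
        ActivationRecord rec;
        if (!Store.TryGetValue(userId, out rec) || rec.Used || DateTime.UtcNow > rec.ExpiresUtc)
            return false;
        bool match = FixedTimeEquals(rec.TokenHash, Hash(token));
        if (match) rec.Used = true;                   // a copied link is useless after the first redemption
        return match;
    }
}
```

The link itself should still be served only over an SSL-secured page, as the answer notes, since a single-use token does nothing against a spoofed activation page.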