Fortunately, it is also relatively easy to clean out this cache and other information related to your Internet café session, including cookies, after your session. You can use the browser menu (Tools/Internet Options in IE and Tools/Options in Firefox). In fact, this should be second nature to anyone who uses a public terminal to check email. A responsible Internet café will remind you of this; some even provide an automated end-of-session cleanup process. To be safe, however, make sure to do it yourself. You can also set a browser not to cache any pages, but this setting can slow performance, and it may not be available on a public terminal.
Some readers will be aware that Web pages themselves can be created with a "no-cache" setting. You can verify such restrictions when you view the page source of a message in Yahoo Mail, for example. The "no-cache" instruction is generally respected by the browser cache and caching servers used by ISPs. The latter are another place from which your email could be illicitly retrieved by someone with sufficient SRM: skills, resources and motivation. Anyone checking email in public places should have an "SRM index" in mind. Is the email so sensitive that someone would apply a serious amount of skills, resources and motivation to obtain it?
The specific vulnerability involving Gmail and Microsoft Internet Explorer, recently publicized by application security vendor Cenzic, requires serious SRM. Other attacks could be easier, like putting a keystroke logger on a public computer or "shoulder-surfing" to capture messages as a user types them.
If you are accessing email wirelessly in a public place, someone could be sniffing the airwaves. Therefore, your precautions and countermeasures should be appropriate to the sensitivity of the data that is potentially exposed. For example, if you have internal sales data that must be transferred securely, encrypt the information and send it as an attachment to a message that says something innocuous like "Here is the data you requested."
In other words, risk is relative. A good rule of thumb is not to send or receive mission-critical data from a public place via webmail unless your company has put some serious rules and safeguards in place and cleared you to do so.
This was first published in May 2008