21 Dec 2016, 06:32 AM   #19
brong
The "e" in e-mail
 
Join Date: Jul 2004
Location: Melbourne, Australia
Posts: 2,696

Representative of:
Fastmail.fm
Quote:
Originally Posted by BritTim
The availability of limited access to the web interface (public terminals where U2F is unavailable/blocking some users from editing their own configuration) is not necessary for everyone, but is an important security feature for some. Its lack leads to a situation where security must be sacrificed in some cases so as not to get in the way of getting work done.
I'd just like to look back at this little bit some more.
  • Restricted mode didn't make any difference to being able to view emails. Somebody extracting everything could still exfiltrate all your email.
  • Restricted mode didn't stop you sending email; a stolen session could still be used for spam or fraud.
  • Restricted mode still allowed you to move messages between folders, just not permanently delete them.

Permanent delete isn't really permanent anyway, it's just setting a \Expunged system flag, then cyr_expire cleans up the email a week later. We already offer a self-serve restore from backup, which gets you back the email in the folder it was in, rather than wherever it was moved to.

What we could do (and it's on the roadmap as a wishlist item, because it's a ton of work) is something nice where you can see "in session X you deleted 5000 messages at 5:25am from <ipaddress>[countrycode]" with a button to restore just that set of messages along with an extra folder/label which allows you to quickly view them all...

But anyway, you can get back email if someone steals your session and wipes out a ton of messages. You were never any safer from them reading all your email, moving it all around, or sending stuff on your behalf by having restricted mode. It was a crappy concept that I wrote when I wasn't thinking carefully of all the implications.

Bron.
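The per-session restore that the post describes as a roadmap item, sketched as an added example (not Fastmail's code): it assumes a hypothetical pipe-delimited audit log of message actions, groups deletes by session, flags sessions that deleted many messages, and keeps each message's original folder so a restore can put it back where it was.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class SessionDeletes:
    """Deletions performed by one login session, kept together so they can be undone as a unit."""
    session_id: str
    ip: str
    country: str
    first: datetime
    last: datetime
    messages: list = field(default_factory=list)  # (msgid, folder it was deleted from)


# Constructed sample audit lines (hypothetical format): time|session|ip|country|action|folder|msgid
SAMPLE_LOG = """\
2016-12-20T05:25:01|s-42|203.0.113.7|AU|delete|INBOX|1001
2016-12-20T05:25:01|s-42|203.0.113.7|AU|delete|INBOX|1002
2016-12-20T05:25:02|s-42|203.0.113.7|AU|delete|Archive|1003
2016-12-20T05:26:00|s-42|203.0.113.7|AU|move|INBOX|1004
2016-12-20T09:10:00|s-7|198.51.100.2|AU|delete|Trash|2001
"""


def group_deletes(log_text):
    """Return {session_id: SessionDeletes} built from delete actions only; moves are ignored."""
    sessions = {}
    for line in log_text.splitlines():
        ts, sid, ip, cc, action, folder, msgid = line.split("|")
        if action != "delete":
            continue
        t = datetime.fromisoformat(ts)
        s = sessions.get(sid)
        if s is None:
            sessions[sid] = SessionDeletes(sid, ip, cc, t, t, [(msgid, folder)])
        else:
            s.first, s.last = min(s.first, t), max(s.last, t)
            s.messages.append((msgid, folder))
    return sessions


def bulk_delete_sessions(sessions, threshold):
    """Sessions whose delete count reaches the threshold: candidates for one-click restore."""
    return {sid: s for sid, s in sessions.items() if len(s.messages) >= threshold}


def describe(s):
    """Summary line in the shape the post sketches, e.g. for a restore button."""
    return (f"in session {s.session_id} you deleted {len(s.messages)} messages "
            f"at {s.first:%H:%M} from {s.ip}[{s.country}]")
```

The restore itself is whatever the existing self-serve restore already does per message; `messages` is the list it would be given.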