EmailDiscussions.com  

Old 26th June 2012, 04:27 AM   #16
rismi
Member
 
Join Date: Feb 2002
Location: London, UK
Posts: 70
Quote: Originally Posted by George_B
How about this. We made our entire site SSL only.

Might be a bit overkill, but better be safe than sorry.

Cheers
Great move. Good to see a company so responsive. Keep it up!
Old 27th June 2012, 02:22 AM   #17
digp
Master of the @
 
Join Date: May 2003
Posts: 1,085
Polarismail are very good.

Don't be put off by minor things like this.

Imagine if it was hotmail. You would still be waiting for a reply in a few years time I expect.
Old 27th June 2012, 06:35 AM   #18
kijinbear
Essential Contributor
 
Join Date: Mar 2011
Location: ~$
Posts: 369
Quote: Originally Posted by George_B
How about this. We made our entire site SSL only.

Might be a bit overkill, but better be safe than sorry.
Not overkill at all. Browsers now show a blue bar whenever someone visits polarismail.com, which is a pretty good way to make a positive first impression. This might even be worth the extra server resources that SSL consumes.

In my opinion, every website that handles personal information should be served entirely over SSL, no ifs buts or ands. Plain HTTP is only acceptable for purely informational "Web 1.0" websites. I've been traveling lately, and every hotel and airport I've been to so far have had zero security on their wifi hotspots. It would take a trivial amount of skill for some mischievous kid to set up an ad-hoc hotspot and MITM everything. You know, there are apps for doing that.

Thanks for making the world a slightly safer place!
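Serving a whole site over HTTPS, as kijinbear recommends, is usually enforced at the web tier rather than page by page. The following is an added example, not code from PolarisMail or from anyone in this thread: a small WSGI middleware that redirects plain-HTTP page requests to their HTTPS equivalent, refuses (rather than silently redirects) form submissions that arrive over plain HTTP, and adds an HSTS header and the Secure cookie flag to everything served over HTTPS. The hostname mail.example, the path /signup and the session cookie are constructed for the demonstration.

```python
"""HTTPS-only enforcement as a WSGI middleware (added example, not PolarisMail code)."""
from urllib.parse import quote

# Hypothetical policy value: one year, covering subdomains.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


class HttpsOnly:
    """Wraps any WSGI app so nothing is ever served over plain HTTP.

    - GET/HEAD over http://  -> 301 to the https:// equivalent
    - anything else over http:// (a POSTed signup form, say) -> 403,
      because redirecting a POST silently drops the body, and the
      credentials have already crossed the wire in the clear anyway
    - https:// responses get an HSTS header and Secure on every cookie
    """

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            host = environ.get("HTTP_HOST", "localhost")
            path = quote(environ.get("PATH_INFO", "/"))
            qs = environ.get("QUERY_STRING", "")
            target = f"https://{host}{path}" + (f"?{qs}" if qs else "")
            if environ.get("REQUEST_METHOD", "GET") in ("GET", "HEAD"):
                start_response("301 Moved Permanently",
                               [("Location", target), ("Content-Length", "0")])
                return [b""]
            body = b"plain HTTP is not accepted; resubmit over HTTPS\n"
            start_response("403 Forbidden",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]

        def secure_start_response(status, headers, exc_info=None):
            # Add HSTS and make sure no cookie can leak back over http://.
            hardened = [("Strict-Transport-Security", HSTS_VALUE)]
            for name, value in headers:
                if name.lower() == "set-cookie" and "secure" not in value.lower():
                    value += "; Secure"
                hardened.append((name, value))
            return start_response(status, hardened, exc_info)

        return self.app(environ, secure_start_response)


def demo_app(environ, start_response):
    """Stand-in for the site: a signup page that sets a session cookie (constructed)."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Set-Cookie", "session=abc123; HttpOnly")])
    return [b"<form method=post action=/signup>...</form>"]


def run(app, scheme, method="GET", path="/signup", host="mail.example", qs=""):
    """Drive a WSGI app with a constructed request; returns (status, headers, body)."""
    environ = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": method,
               "PATH_INFO": path, "HTTP_HOST": host, "QUERY_STRING": qs}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


site = HttpsOnly(demo_app)

if __name__ == "__main__":
    for scheme, method in (("http", "GET"), ("http", "POST"), ("https", "GET")):
        status, headers, _ = run(site, scheme, method)
        print(f"{method} {scheme}://mail.example/signup -> {status} {headers}")
```

The 403 branch is the part people most often get wrong: a redirect on a plain-HTTP POST looks like it "fixes" the form, but the password has already been sent unencrypted. Rejecting the request at least makes the misconfiguration visible in logs and to the user, and the GET redirect plus HSTS means browsers stop requesting the form over http:// in the first place.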
Old 27th June 2012, 07:35 AM   #19
William9
Master of the @
 
Join Date: Nov 2005
Location: San Francisco
Posts: 1,691
I agree that SSL is welcome and highly desirable.
Old 27th June 2012, 08:22 PM   #20
rismi
Member
 
Join Date: Feb 2002
Location: London, UK
Posts: 70
Quote: Originally Posted by digp
Polarismail are very good.

Don't be put off by minor things like this.
To be honest, no matter how good - and responsive - they are, I can't help but feel that security probably isn't a strong point, and for that reason, they are not for me.

The fact that signup security had been removed by a developer at some point in the past, unbeknownst to George, is rather worrying, as is the fact that after I raised this matter, the issue was quietly fixed with no word here - look at the post from petergh. Only after I pointed out to petergh in the next post that it had changed since I visited did George rejoin the debate to claim that I must have viewed a cached copy. That turned out to be incorrect (I had only just visited the site, so no chance of a cached copy) - read the posts for the full detail.

To be fair to George, it may well be that after he enquired about this, his developers realised their mistake and quietly fixed it behind his back to cover themselves, but nonetheless it points to the fact that security at PolarisMail is probably something of an Achilles heel... as does the fact that the signup page itself was not served as https until neilj pointed out why this was A Bad Thing.

The final issue for me that the developers at PolarisMail don't understand this stuff fully is that the entire site was made HTTPS. At first I thought this was great (see my response above), but having thought more... well... George describes it as "overkill", so presumably it's not what he asked for, just what he got. Was it that the developers couldn't get "just the signup page" working as HTTPS, so they threw it on the whole site? Idle speculation of course, but plausible nonetheless.

Quote: Originally Posted by digp
Imagine if it was hotmail. You would still be waiting for a reply in a few years time I expect.
I agree, responsiveness is important, and most of the big boys completely fall down here, which is why I was looking into PolarisMail. This has put me off though. I'd rather have a big corporation ignoring me but keeping my data safe, than a small company listening hard but possibly not protecting my information adequately.

Maybe there is a small company out there that is hot on security and responsive? I'm open to suggestions from anyone. Must have ActiveSync mobile push and an online calendar. I'm all ears...
Old 27th June 2012, 10:33 PM   #21
Cory
Senior Member
 
Join Date: May 2012
Posts: 125
I'm also looking for a new email provider, Rackspace might fit the bill as a big company that will protect your data. I haven't used them in three years, but they were great back then (just don't have some of the features I'm looking for, Thunderbird sync mainly).

Quote: Originally Posted by rismi
To be honest, no matter how good - and responsive - they are, I can't help but feel that security probably isn't a strong point, and for that reason, they are not for me.

The fact that signup security had been removed by a developer at some point in the past, unbeknownst to George, is rather worrying, as is the fact that after I raised this matter, the issue was quietly fixed with no word here - look at the post from petergh. Only after I pointed out to petergh in the next post that it had changed since I visited did George rejoin the debate to claim that I must have viewed a cached copy. That turned out to be incorrect (I had only just visited the site, so no chance of a cached copy) - read the posts for the full detail.

To be fair to George, it may well be that after he enquired about this, his developers realised their mistake and quietly fixed it behind his back to cover themselves, but nonetheless it points to the fact that security at PolarisMail is probably something of an Achilles heel... as does the fact that the signup page itself was not served as https until neilj pointed out why this was A Bad Thing.

The final issue for me that the developers at PolarisMail don't understand this stuff fully is that the entire site was made HTTPS. At first I thought this was great (see my response above), but having thought more... well... George describes it as "overkill", so presumably it's not what he asked for, just what he got. Was it that the developers couldn't get "just the signup page" working as HTTPS, so they threw it on the whole site? Idle speculation of course, but plausible nonetheless.


I agree, responsiveness is important, and most of the big boys completely fall down here, which is why I was looking into PolarisMail. This has put me off though. I'd rather have a big corporation ignoring me but keeping my data safe, than a small company listening hard but possibly not protecting my information adequately.

Maybe there is a small company out there that is hot on security and responsive? I'm open to suggestions from anyone. Must have ActiveSync mobile push and an online calendar. I'm all ears...
Old 27th June 2012, 10:52 PM   #22
rismi
Member
 
Join Date: Feb 2002
Location: London, UK
Posts: 70
Quote: Originally Posted by Cory
I'm also looking for a new email provider, Rackspace might fit the bill as a big company that will protect your data. I haven't used them in three years, but they were great back then (just don't have some of the features I'm looking for, Thunderbird sync mainly).
The only thing putting me off Rackspace is the 5 account minimum...

At the moment, the one who fits the bill best for me is Office 365. I just don't fancy handing my life story over to Microsoft...
Old 27th June 2012, 11:02 PM   #23
George_B
Cornerstone of the Community
 
Join Date: Jan 2008
Posts: 616

Representative of:
PolarisMail.com
Quote: Originally Posted by rismi
To be honest, no matter how good - and responsive - they are, I can't help but feel that security probably isn't a strong point, and for that reason, they are not for me.

The fact that signup security had been removed by a developer at some point in the past, unbeknownst to George, is rather worrying, as is the fact that after I raised this matter, the issue was quietly fixed with no word here - look at the post from petergh. Only after I pointed out to petergh in the next post that it had changed since I visited did George rejoin the debate to claim that I must have viewed a cached copy. That turned out to be incorrect (I had only just visited the site, so no chance of a cached copy) - read the posts for the full detail.

To be fair to George, it may well be that after he enquired about this, his developers realised their mistake and quietly fixed it behind his back to cover themselves, but nonetheless it points to the fact that security at PolarisMail is probably something of an Achilles heel... as does the fact that the signup page itself was not served as https until neilj pointed out why this was A Bad Thing.

The final issue for me that the developers at PolarisMail don't understand this stuff fully is that the entire site was made HTTPS. At first I thought this was great (see my response above), but having thought more... well... George describes it as "overkill", so presumably it's not what he asked for, just what he got. Was it that the developers couldn't get "just the signup page" working as HTTPS, so they threw it on the whole site? Idle speculation of course, but plausible nonetheless.


I agree, responsiveness is important, and most of the big boys completely fall down here, which is why I was looking into PolarisMail. This has put me off though. I'd rather have a big corporation ignoring me but keeping my data safe, than a small company listening hard but possibly not protecting my information adequately.

Maybe there is a small company out there that is hot on security and responsive? I'm open to suggestions from anyone. Must have ActiveSync mobile push and an online calendar. I'm all ears...
Hi Rismi,

There has indeed been a miscommunication between myself and the web developers. I am mostly dedicated to our e-mail operations and must leave others in charge for other matters such as our website. Here's what I can tell you:

1. To our knowledge, nobody was affected by this bug in the sign-up page.

2. It is just as easy to SSL protect a portion of the website vs the entire website. When I made the request it simply made more sense to protect everything since it doesn't take up that many resources anyways. I said it was 'overkill' because there is no actual need to serve our Services page over SSL.

3. I find it a bit overreaching to claim that we are lax on security because of this bug. We have implemented full SSL sessions for all of our various interfaces before many other providers, including Hotmail for example.

4. I think it's important to listen to our clients and improve our service based on their recommendations. Thank you for pointing this one out to us.

5. We are on the verge of releasing two-factor authentication through SMS and that will provide an extra layer of security as well.

Cheers
Old 28th June 2012, 12:58 AM   #24
rismi
Member
 
Join Date: Feb 2002
Location: London, UK
Posts: 70
Quote: Originally Posted by George_B
Hi Rismi,

There has indeed been a miscommunication between myself and the web developers.
It seems like they lied to you when you asked them whether signups were secured. Only when I demonstrated that they weren't secured did they fix this, which does not inspire confidence.

Quote: Originally Posted by George_B
1. To our knowledge, nobody was affected by this bug in the sign-up page.
Firstly, this wasn't a bug - it was a nasty and deliberate workaround.

Secondly, it would be virtually impossible for you to know whether anyone had been affected by it. People shouldn't re-use passwords, but they do, and anyone who was sniffed signing up for this would have given away a good collection of information - name, telephone number, email address, password. That could have been abused away from your service, and you would not know it had happened.

Quote: Originally Posted by George_B
2. It is just as easy to SSL protect a portion of the website vs the entire website. When I made the request it simply made more sense to protect everything since it doesn't take up that many resources anyways. I said it was 'overkill' because there is no actual need to serve our Services page over SSL.
Fair play.

Quote: Originally Posted by George_B
3. I find it a bit overreaching to claim that we are lax on security because of this bug. We have implemented full SSL sessions for all of our various interfaces before many other providers, including Hotmail for example.
That's great, although comparing any email service to Hotmail is usually a good way to flatter it. SSL is one part of the picture, but for an online organisation to maintain security it has to be a part of its DNA, and this shows that for some staff at least, it isn't. This was "error on line one" stuff, a real schoolboy mistake.

This insecure sign-up form wasn't caused by a bug, it was quite intentional. The correct and secure line of code was present in the signup script, but commented out by someone who couldn't get it working properly and didn't care (or worse, understand?) what the security consequences of that were.

I have every confidence in you, but I don't feel I can trust your web developers. When a choice between "make it work" and "make it secure" turns up, they have already shown that they will choose the former.

Quote: Originally Posted by George_B
4. I think it's important to listen to our clients and improve our service based on their recommendations. Thank you for pointing this one out to us.
This is an admirable trait and others would do well to emulate it. I hope you don't feel I'm being too harsh here - I'm very grateful to have the opportunity to discuss this with you. Clearly this kind of engagement would be impossible if we were talking about a Hotmail security issue - and that really is a selling point for you and your service.

Quote: Originally Posted by George_B
5. We are on the verge of releasing two-factor authentication through SMS and that will provide an extra layer of security as well.
Implemented properly this would be good, but again, it comes down to how well I trust your web developers not to cut corners.

I think at the end of it all, your web developers made a major mistake by choosing to turn off security, made it worse by not admitting it, then made it even worse by trying to cover it up quietly. Some good has come out of this, because now your whole site is encrypted. Throughout this episode you have been communicative and informative and that has been incredibly refreshing.

Maybe you should hire an independent firm to do a security audit? Just an idea, but I know that you are genuinely open to ideas about the service.
Old 28th June 2012, 01:26 AM   #25
George_B
Cornerstone of the Community
 
Join Date: Jan 2008
Posts: 616

Representative of:
PolarisMail.com
Well, here's what I can tell you.

The web developers are actually subcontracted and not part of my staff. They have already been given hell for this.

The web server is actually separate from our other infrastructure hence the need to communicate with the e-mail service API via Ajax in order to complete the order.
Old 28th June 2012, 03:27 AM   #26
FredOnline
Cornerstone of the Community
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 701
Quote: Originally Posted by George_B
We are on the verge of releasing two-factor authentication through SMS and that will provide an extra layer of security as well.
This option is very important to me - I look forward to the implementation and sincerely hope it is easy to use.

I use the Gmail two-factor authentication on some accounts - it's easy to use, and IMHO an excellent implementation.
Old 28th June 2012, 03:57 AM   #27
rismi
Member
 
Join Date: Feb 2002
Location: London, UK
Posts: 70
Quote: Originally Posted by George_B
Well, here's what I can tell you.

The web developers are actually subcontracted and not part of my staff. They have already been given hell for this.

The web server is actually separate from our other infrastructure hence the need to communicate with the e-mail service API via Ajax in order to complete the order.
That is actually quite reassuring, as I guess you won't be using those guys again! Good to hear the service is divided up like that.
Old 28th June 2012, 04:04 AM   #28
digp
Master of the @
 
Join Date: May 2003
Posts: 1,085
rismi, I think you are getting carried away.
Old 28th June 2012, 05:46 AM   #29
George_B
Cornerstone of the Community
 
Join Date: Jan 2008
Posts: 616

Representative of:
PolarisMail.com
Quote: Originally Posted by FredOnline
This option is very important to me - I look forward to the implementation and sincerely hope it is easy to use.

I use the Gmail two-factor authentication on some accounts - it's easy to use, and IMHO an excellent implementation.
We're still not sure how to price it out though. We have no intention of making money from it, so we don't mind passing along the cost of our SMS gateway vendor without overhead. I know that some providers charge for SMS credits, but I think we want to stay away from that model.

Our costs for SMS are:

US/Canada/UK: $0.01/$0.01/$0.04 per message respectively
Germany: between $0.017 and $0.096
France: $0.162
Netherlands: between $0.063 and $0.111
India: $0.016
Pakistan: $0.016

So far the plan is to offer a new 'Enhanced Plus' account which has the ability for two step authentication through SMS for $36/year (instead of $24/year for Enhanced) with unlimited logins.

Thoughts ?
Old 28th June 2012, 03:17 PM   #30
William9
Master of the @
 
Join Date: Nov 2005
Location: San Francisco
Posts: 1,691
What about a token two factor authentication such as RSA SecurID?
All times are GMT +9. The time now is 04:02 PM.
Copyright EmailDiscussions.com 1998-2011. All Rights Reserved