|
FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc. |
|
Thread Tools |
17 Apr 2016, 10:21 PM | #1 |
Member
Join Date: Oct 2010
Posts: 65
|
Tor hidden service
Hello,
It would be nice to have a hidden service to access Fastmail |
18 Apr 2016, 09:24 PM | #2 | |
The "e" in e-mail
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
|
Quote:
https://www.fastmail.com/help/ourservice/security.html If you are thinking that Tor adds any type of security, you are out of your mind, because it likely increases the scrutiny placed on you: https://www.reddit.com/r/hacking/com...or_still_safe/ http://www.infosecurity-magazine.com...you-may-think/ My question is, what on earth are you doing that you have to hide you are using fastmail email? The email is secure. Read the first link. You want to hide that you are using Fastmail? /cl |
|
18 Apr 2016, 09:52 PM | #3 |
Cornerstone of the Community
Join Date: Mar 2011
Location: ~$
Posts: 652
|
As ChinaLamb said, every bit of information that you send to and receive from FastMail is already encrypted. So a hidden service would give you just as much security as accessing FastMail through regular Tor exit nodes. (The operator of the exit node will see that someone is using FastMail, but they will not know who it is, nor have access to any actual data you send to and receive from FastMail.)
|
19 Apr 2016, 05:30 AM | #4 |
Member
Join Date: Oct 2010
Posts: 65
|
|
19 Apr 2016, 05:34 AM | #5 |
The "e" in e-mail
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
|
Use a vpn. Much safer in countries where websites are blocked. TOR brings up a ton of unnecessary scrutiny against yourself. I'd say stay away from TOR unless you want people to think you are doing something illegal.
But, it's your life. /cl |
19 Apr 2016, 06:09 AM | #6 |
Member
Join Date: Oct 2010
Posts: 65
|
Is it? I was thinking about this today. What if a MTM attack goes on with a valid certificate? What if Google changes Chrome to accept a carefully crafted certificate when we access Fastmail? Is the Android Fastmail client hardcoded with the FM certificate?
|
19 Apr 2016, 08:45 AM | #7 | |
The "e" in e-mail
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
|
Quote:
Many articles out there on this. TOR use in many countries is not to be trusted, because TOR cannot guarantee exit points. They weed the fake ones out *when they are found*.... *if they are found*... And if one is found, it means it was being used for a while before someone spotted it. Fake exit points are always one step ahead in that game... No way to guarantee... Even if TOR were as secure as you seem to think it is, you still need a browser. TOR couldnt save you from faked certificates in Chrome. Besides, If we see google changing chrome to fake certificates & steal your passwords, there will be a lot of class action lawsuits out there and Google will cease to be a company overnight. The FastMail App has a hard wired certificate. It gives you a warning if someone tries to spoof. I know, someone tried to use fake certificates on me. The app warned me. /cl |
|
19 Apr 2016, 09:06 AM | #8 |
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
|
FastMail has a smart group of developers who are on top of these things:
https://www.fastmail.com/help/ourservice/security.html Also see: https://blog.fastmail.com/2014/05/09...n-more-secure/ https://blog.fastmail.com/2015/03/13...-to-2048-bits/ Bill |
19 Apr 2016, 10:03 AM | #9 |
Member
Join Date: Oct 2010
Posts: 65
|
Thank you, China Lamb!
|
19 Apr 2016, 10:09 AM | #10 |
Master of the @
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007
Representative of:
Fastmail.fm |
It's not hardwired; it performs exactly the same checks as your browser does - making sure there's a chain of trust back to the trusted certs on your device.
|
19 Apr 2016, 10:12 AM | #11 |
The "e" in e-mail
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
|
|
19 Apr 2016, 11:33 AM | #12 |
Member
Join Date: Oct 2010
Posts: 65
|
|
19 Apr 2016, 12:46 PM | #13 |
Master of the @
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007
Representative of:
Fastmail.fm |
It's no less secure than using the FM webapp from your mobile browser.
Adding public key pins and then getting those added to the Chromium and Firefox preload lists will happen this year. Probably sooner rather than later. It shouldn't be hard, but I need to focus - if I screw it up, I lock out everyone |
19 Apr 2016, 08:16 PM | #14 | |
Member
Join Date: Dec 2013
Posts: 54
|
Quote:
|
|