EmailDiscussions.com  

Go Back   EmailDiscussions.com > Email Service Provider-specific Forums > FastMail Forum
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read
Stay in touch wirelessly

FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.

Reply
 
Thread Tools
Old 28 Dec 2016, 06:15 AM   #31
jhollington
Senior Member
 
Join Date: Apr 2008
Posts: 191
Quote:
Originally Posted by BritTim View Post
First, I am assuming that regular access, where possible, should be using U2F. I argue for OTP in the common case where those using computers on an ad hoc basis are unable to establish a session using U2F.
While I'll agree with that in principle, I think at this point the distinction between U2F and TOTP 2FA methods is pretty subtle for most users — at least compared to the magnitude of difference over a non-2FA world. Sure, everybody should be using U2F in an ideal world, but I think that for the vast majority of users, a TOTP-based authentication method is more than secure enough for what they're trying to protect — especially in light of the steps FastMail is already taking to ensure the security of the sessions themselves.

Speaking for myself, for example, while I fully understand the technical security advantages of U2F, I've made a conscious decision that I'd rather rely on TOTP and use my browser of choice than be required to use Chrome just to gain what I consider to be an incremental security benefit for my own purposes. For example, I don't consider myself to be vulnerable to phishing attacks, I trust the steps FastMail has taken to prevent MitM attacks and session hijacking, and I rarely use computers that have a high probability of being compromised by malware (e.g., I might log in from a client's PC on a corporate network or a business centre in a reputable hotel, but I've never had reason to do so in a generic Internet cafe).

Ultimately, the problem is that these security issues right now are largely about preaching to the choir. If you're educated enough to understand the benefits of U2F and go through a process of configuring a lower-security TOTP access strategy — and actually willing to go through the hassle of using that methodology, then chances are you're aware enough of the security risks that the benefits provided by U2F really are quite incremental.

Obviously it's a different matter when you're talking about building solutions in business environments, but 20+ years of consulting experience in IT security and messaging systems tells me that this is an uphill battle as well unless you've got management that's ready to buy in and seriously enforce restrictions on their end users. Then again, maybe I've just been jaded by working with clients like law firms where the inmates are running the asylum

Quote:
Once U2F (or a common method which is equally secure) becomes ubiquitous, I accept that there is no need for time and function limited, alternative less secure authentication methods. My own sense is that this is not going to be true any time soon. As a practical matter, it cannot even be assumed that you will be allowed access to the USB port on computers that are not your own (for some good security reasons).
Yeah, the reality is that I don't expect U2F or anything like it to become mainstream in the near future for exactly those reasons. Lack of USB access is a key point, and frankly it's also a somewhat ironic trade-off..... a public terminal that doesn't restrict USB access has a higher risk of being a compromised terminal — both directly as a result of that and secondarily as a sign that those operating the terminals aren't as security conscious as they should be.
jhollington is offline   Reply With Quote
Old 28 Dec 2016, 08:32 AM   #32
brong
The "e" in e-mail
 
Join Date: Jul 2004
Location: Melbourne, Australia
Posts: 2,631

Representative of:
Fastmail.fm
Quote:
Originally Posted by BritTim View Post
I deliberately waited quite a while before answering, rereading your points several times. I wanted to be clear in my mind that what I believe to be a reasonable position truly is.
Thanks for doing that. I've let this sit through Christmas as well, to wait until I'm back in the office and can sit down without distraction to reply.


Quote:
I see two main areas where alternative restricted logins can be of benefit:
  • People who, on occasion, need to use computers whose status is uncertain can benefit from a combination of one-time passwords and a session that does not allow administrative functions. It is true that, in theory, an active one-time session can be exploited in the background to steal data or impersonate you on emails sent out by malware. It is very difficult to do this in a way that is not visible. In particular, the oft made argument that password reset requests can be made and completed within a one-time session without the user noticing strikes me as fanciful in most cases. On the other hand, stolen credentials (especially those allowing administrative rights) that can be used at leisure are extremely dangerous. Nefarious activities are very likely to go unnoticed.
  • In a business context, we often wish to restrict the ability of individual users to modify rules, specify the devices on which they can access mail, and certain other actions. While we could simply lock the user out from the web interface altogether and mandate use of external mail clients, this seems an unfortunate requirement. We would like to be able to specify that the user can use the web interface to carry out activities analogous to those available in a regular IMAP client, but require administrator assistance for other actions.

I do not regard the above to be exotic options of benefit to only a tiny number of users. Separation of user and administrative concerns is quite common. Time limited access rights are of proven value.

I am sure implementation would raise some detailed challenges. However, I would argue the basic structure is not that complex.

The session could have a flag that indicates whether or not administrative rights are available. Web interface menus adapt accordingly, together with checks when entering an administration page that it should be allowed.
I wouldn't implement it that way. I would require that the second factor be entered again to upgrade a session to administrative mode, and that the upgrade be time limited. Certainly for anything non-reversible. I'm going to create a specific feature request for this idea and flag it for our next security review meeting (we hold them every few months), and we're due for one in January.

Quote:
For one-time passwords, I would suggest
  • A setting indicates that one-time passwords can be sent via SMS to the specified phone number. Sessions using one-time passwords would always be limited (no administrative function) sessions.
  • The login screen has an option to the right of the password field "Request one-time password".
  • A short time out (300 seconds, perhaps) is established for sessions initiated using one-time passwords.
Other opinions?
I think this is going into the "too complex" territory, and SMS OTP is already known awful for security (not to mention deliverability, I had someone yesterday who had SMSes failing all day due to who knows what - he's in Australia and using the same provider I am and mine is fine, but his was ported between two providers in such a way that maybe their interlink died over Christmas. Who knows. There's no insight).

Overall, I'm quite happy that "enter fresh second factor to upgrade this session to administrative for 30 minutes" solves all the realistic risk cases while being very easy to understand.
brong is offline   Reply With Quote
Old 28 Dec 2016, 08:46 AM   #33
jhollington
Senior Member
 
Join Date: Apr 2008
Posts: 191
Quote:
Originally Posted by brong View Post
I wouldn't implement it that way. I would require that the second factor be entered again to upgrade a session to administrative mode, and that the upgrade be time limited. Certainly for anything non-reversible.
I think that's a logical way to handle that especially for things that are not just non-reversible but may be critical to proper operation. Obviously as I noted earlier, anything under "Passwords & Security" should require more than just the base password, since that's kind of an open hole right now for keyloggers and malware to exploit. However, almost everything under the "Admin" section in the preferences should probably fall into that category, as messing with domains and aliases could have far-reaching consequences and may easily go unnoticed consider something like a hacker updating an alias to add an external address so that they would get copies of all mail destined to that address, not to mention all of the malicious possibilities that could stem from unauthorized DNS record changes. Rules would also be another potentially dangerous attack vector that could easily go unnoticed by the typical user.

Quote:
Overall, I'm quite happy that "enter fresh second factor to upgrade this session to administrative for 30 minutes" solves all the realistic risk cases while being very easy to understand.
I think that's fair, but at the same time I think it also needs to be clear what the user is doing and what the timeout is something along the lines of "You may want to think twice about doing this if you're on an untrusted computer" since as we've already discussed a lot of these protections are as much for the novice user.

However, I also think that the point that BritTim made about restricted administrative access for business and family account scenarios is valid as well. Although I realize that FastMail doesn't differentiate these in the same way that you folks used to, it doesn't remove the fact that there are scenarios where I might provide an account for a kid or an employee where I don't want them to have the flexibility to change certain settings. It's not uncommon in business environments to want to restrict forwarding rules or POP fetching, for example.
jhollington is offline   Reply With Quote
Old 28 Dec 2016, 09:10 AM   #34
brong
The "e" in e-mail
 
Join Date: Jul 2004
Location: Melbourne, Australia
Posts: 2,631

Representative of:
Fastmail.fm
Quote:
Originally Posted by jhollington View Post
I think that's a logical way to handle that especially for things that are not just non-reversible but may be critical to proper operation. Obviously as I noted earlier, anything under "Passwords & Security" should require more than just the base password, since that's kind of an open hole right now for keyloggers and malware to exploit. However, almost everything under the "Admin" section in the preferences should probably fall into that category, as messing with domains and aliases could have far-reaching consequences and may easily go unnoticed consider something like a hacker updating an alias to add an external address so that they would get copies of all mail destined to that address, not to mention all of the malicious possibilities that could stem from unauthorized DNS record changes. Rules would also be another potentially dangerous attack vector that could easily go unnoticed by the typical user.
Yep, I got all that on the ticket I just created in our internal tracker

Quote:
I think that's fair, but at the same time I think it also needs to be clear what the user is doing and what the timeout is something along the lines of "You may want to think twice about doing this if you're on an untrusted computer" since as we've already discussed a lot of these protections are as much for the novice user.
It has to be something that's easy to translate into lots of languages - one of the downsides of translating our interface into many languages is that it costs a lot to add any text anywhere!

I'm not going to speculate about the exact interface design, because I don't know what we'll do there, but I agree that it needs to be clear that you're enabling dangerous-stuff mode.

Quote:
However, I also think that the point that BritTim made about restricted administrative access for business and family account scenarios is valid as well. Although I realize that FastMail doesn't differentiate these in the same way that you folks used to, it doesn't remove the fact that there are scenarios where I might provide an account for a kid or an employee where I don't want them to have the flexibility to change certain settings. It's not uncommon in business environments to want to restrict forwarding rules or POP fetching, for example.
We already have that. There's a checkbox next to the user in the 'Settings' => 'Users' => 'Edit' screen called 'Admin'. If that's not checked, they can't change a bunch of settings.

Now forwarding rules and POP fetching aren't in what can be locked down right now. More fine grained permission control is something on our radar for improving business tooling, and family will get the same features too.
brong is offline   Reply With Quote
Old 28 Dec 2016, 12:16 PM   #35
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 2,290
Quote:
Originally Posted by brong View Post
Overall, I'm quite happy that "enter fresh second factor to upgrade this session to administrative for 30 minutes" solves all the realistic risk cases while being very easy to understand.
I think that is a great solution.
BritTim is offline   Reply With Quote
Old 31 Dec 2016, 07:58 AM   #36
DarioMor
Essential Contributor
 
Join Date: Jun 2002
Location: Rio de Janeiro, Brasil
Posts: 325
wow... it was a really good thread.

Thank you all EMD users who, just like me, loves Fastmail.com, and shows it with lots of suggestions and some criticism.

And thank you Brong for your eventual presence here, it is better few than none.

I hope we keep working together on 2017, keeping FASTMAIL growing, changing, evolving and driving most of our online presence, even generally hidden behind your own personal domains!!!

To all fastmail crew: my kudos and best wishes.

Dario
DarioMor is offline   Reply With Quote
Old 5 Jan 2017, 12:28 PM   #37
brong
The "e" in e-mail
 
Join Date: Jul 2004
Location: Melbourne, Australia
Posts: 2,631

Representative of:
Fastmail.fm
Quote:
Originally Posted by BritTim View Post
I make no claim that my experience should mandate keeping these features around when the classic interface is canned (as I think is inevitable)
https://www.fastmail.com/help/guides...ransition.html

We have been talking about it for a while of course, and you're right - it is inevitable. It's getting more and more horrible to maintain over time. Having the timeline will also force us to deal with things that are only available in Classic, because "just log in to Classic and do it there" won't be an option any more.
brong is offline   Reply With Quote
Old 5 Jan 2017, 02:41 PM   #38
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 2,290
Quote:
Originally Posted by brong View Post
https://www.fastmail.com/help/guides...ransition.html

We have been talking about it for a while of course, and you're right - it is inevitable. It's getting more and more horrible to maintain over time. Having the timeline will also force us to deal with things that are only available in Classic, because "just log in to Classic and do it there" won't be an option any more.
This is important news. Thank you for the advance warning.

It is good news that forward multiple messages as attachments is returning. I will put my thinking cap on to see if I can find ways of handling the other two key tasks for which I see switching to classic as the current solution (copy, not move, messages and create a zip file of messages in a search).
BritTim is offline   Reply With Quote
Old 5 Jan 2017, 03:13 PM   #39
neilj
Cornerstone of the Community
 
Join Date: Apr 2004
Location: Melbourne
Posts: 970

Representative of:
Fastmail.fm
Quote:
Originally Posted by BritTim View Post
(copy, not move, messages).
Hold down the alt key while dragging onto folder in the sidebar will copy rather than move.

Neil.
neilj is offline   Reply With Quote
Old 5 Jan 2017, 03:55 PM   #40
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 7,913
Quote:
Originally Posted by neilj View Post
Hold down the alt key while dragging onto folder in the sidebar will copy rather than move.
That's great, Neil! Where is that documented? I can't see any mention in help. And when you use this feature, the + during copy is tiny and hard to see.

Bill
n5bb is offline   Reply With Quote
Old 5 Jan 2017, 05:11 PM   #41
Terry
The "e" in e-mail
 
Join Date: Jul 2002
Location: AU
Posts: 2,309
It would be nice to have that option to save to the HD....
Terry is offline   Reply With Quote
Old 5 Jan 2017, 07:49 PM   #42
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 2,290
Quote:
Originally Posted by neilj View Post
Hold down the alt key while dragging onto folder in the sidebar will copy rather than move.

Neil.
It would be good if this gets mentioned in the migration guide, as well as the regular help documentation.
BritTim is offline   Reply With Quote
Old 13 Jan 2017, 01:01 AM   #43
sheprd
The "e" in e-mail
 
Join Date: Sep 2001
Location: VA, USA
Posts: 2,398
me thinks FM is probably unaware of the Ford Edsel the new coca cola and the windows 8 seems customers don't like major changes. Time will tell if the new FM is accepted. All other email services that I have used remain user friendly
sheprd is offline   Reply With Quote
Old Today, 04:16 PM   #44
paul29
Senior Member
 
Join Date: Apr 2014
Posts: 164
Some security thoughts:

1. One easy way to handle restricted mode might be to have an alternative web UI that's just a pure IMAP client, that could have its own password and optional 2FA. I'd use this for travel when I don't have my own computer. I might set something like this up with Roundcube on a VPS, though I thought using Fastmail would mean I don't have to run my own servers.

2. U2F barely exists right now; Firefox doesn't support it without a special add-on, etc. We can talk about a science fiction future when U2F is the right way to authenticate dubious computers to Fastmail, but that future is not the present day. So right now, 2FA means SMS and TOTP.

3. SMS is a terrible form of authentication because it can be intercepted or spoofed too easily, and it has impaired usefulness for international travel because your phone might not have international roaming. So that leaves TOTP.

4. TOTP is at least semi-workable (phone app or hardware token) but the old printed OTP was superior imho, because it meant you didn't have to carry an electronic gadget with you. I wouldn't bring a smartphone on international travel because of border checks etc. A keychain token is slightly ok, but a slip of paper that I can rip up and throw away before entering the airport is best.

5. TOTP is a pain to leave turned on all the time if you log in a lot like I do. It would be great to be able to whitelist specific IP addresses, which would at least cut back to 1 TOTP entry per session. Right now there's a "don't require for later sessions" but that's done with a browser cookie, not good if you clear cookies all the time.

6. There's imho a bug(?) in the implementation of "view and log out existing sessions". The cookies last for a month but you can only view the past 2 weeks of sessions. So there could be a 3 week old active cookie out there with no way to kill it. In fact I usually have 100s of active sessions (unkilled cookies) because I typically log out by closing the browser or clearing all cookies, so killing them one by one is impractical. It seems like a security obstacle that there's no button to log out ALL the old sessions in one shot.

Here's the latest in the string of border search stories that makes me prefer printed OTP to TOTP, U2F, or travelling with a smartphone: https://vc.gg/blog/so-its-been-a-while.html
paul29 is offline   Reply With Quote
Reply


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Forum Jump


All times are GMT +9. The time now is 08:13 PM.

 

Copyright EmailDiscussions.com 1998-2013. All Rights Reserved. Privacy Policy