EmailDiscussions.com > FastMail Forum
Old 26 Feb 2010, 06:42 AM   #1
MagicDavid
Session security: Something to consider

Hi all

I've just come back from a lovely holiday in South Africa.

As I travelled around, I used the excellent SMS One Time Password feature to stop the countless keyloggers installed on internet café PCs.

However, I was almost hijacked by a different attack - session hijack.

A trojan locked up the PC. I wasn't able to log off my mail session. I went to the neighbouring PC and logged in again - a new Fastmail session. However, the session on the other PC was still open and there was no way I could log it off.

As long as the hacker refreshed the inbox page every hour or so they'd be able to keep the session open indefinitely - or at least several hours without me even knowing and without me being able to do anything.

As far as I can see, you can log in to Fastmail on several different computers at the same time and have different sessions open independently and invisibly. Even with SMS OTP and HTTPS it seems you're still susceptible to some man in the middle attacks on café computers.

I was thinking about what might be a solution to this - perhaps an 'active sessions' tool that showed all the open and active sessions and a button to terminate them. That way you could log on to another computer and shut down any open sessions you weren't happy with.

Does anyone else have any views?

Old 26 Feb 2010, 07:09 AM   #2
Terry
Could you not have used Ctrl-Alt-Delete and shut the PC down?
Old 26 Feb 2010, 07:18 AM   #3
MagicDavid
Hi Terry

Yes, I could have asked the staff to pull the plug on the computer, but the session would still be open (as I wasn't able to log out). This means someone with the URL (easy to get from the history or URL logging) could come back to the PC later, with the logged URL and session cookie already on the PC, and access my account, as long as the session hadn't timed out from inactivity - but that's not for at least two hours.

I also think it's susceptible to 'man in the middle' attacks where a rogue SSL certificate has been installed on the café computer.

I could be wrong about this - perhaps someone could clarify.
Old 26 Feb 2010, 06:27 PM   #4
janusz
Quote, originally posted by MagicDavid:
> as long as the session hadn't timed out from inactivity - but that's not for at least two hours.
Strictly speaking that's not necessarily true: when logging in you can specify a shorter time-out period (30 minutes is the minimum)
Old 26 Feb 2010, 10:54 PM   #5
David
Quote, originally posted by janusz:
> Strictly speaking that's not necessarily true: when logging in you can specify a shorter time-out period (30 minutes is the minimum)
I agree with this but it surely does not address the issues that MagicDavid is addressing. A fix (of another variety) is required methinks.
Old 26 Feb 2010, 11:20 PM   #6
janusz
All I had in mind was a damage limitation exercise
Old 26 Feb 2010, 11:32 PM   #7
David
Damage limitation exercises (especially at Fastmail) often result in workarounds (of some kind or another), which I rarely agree with, which is why I responded as I did, janusz. Your point is well taken though.
Old 27 Feb 2010, 02:19 AM   #8
MagicDavid
Am I right in thinking that a session only times out after inactivity, so if you selected 30 minutes it would only time out if nothing happened for that time?

For example, if someone clicked a link or a button would it reset the clock and give them potentially unlimited access to your account without any knowledge that the additional session was even open, as long as they refreshed the page within the timeout period?
Old 27 Feb 2010, 04:57 AM   #9
janusz
Quote, originally posted by MagicDavid:
> Am I right in thinking that a session only times out after inactivity, so if you selected 30 minutes it would only time out if nothing happened for that time?
In my experience, a session crash (browser or PC falling over or being restarted) resets the session. Whether this counts as a time-out is a moot point here...
Old 27 Feb 2010, 06:04 PM   #10
MagicDavid
I don't think it does. Try hitting reboot now without logging off, then go into your history, click your last Fastmail session and, tada, you're in!
Old 1 Mar 2010, 10:49 AM   #11
n5bb
Session timeouts

Rob Mueller posted in the Fastmail Blog about sessions a few days ago. I just asked him about session security, and he confirmed that to get back into the session you need:
  • The URL used to access your account after login.
  • The cookie which Fastmail places on that PC.
  • The session must not be timed out. If you log in using the Public Terminal method, the session will time out after 30 minutes with no activity.
Rob says that there isn't any easy way to improve on this, and that it's unlikely that you will have the PC crash in such a manner.

Bill
Old 1 Mar 2010, 08:35 PM   #12
MagicDavid
This is clearly a risk. Applications like Facebook ONLY allow one session at a time - you can't have two concurrent sessions with the same username. This is because they have considered the security implications and taken them seriously.

All of the information (cookies and URLs) is available in a man-in-the-middle SSL attack, which can be performed on any public computer where someone can install a rogue certificate. The default timeout is fairly lengthy and gives ample time to run an automatic refresh script, which could potentially keep your session open indefinitely as far as I can see.

Although the OTPs give better security, people need to understand it's not anywhere near protecting their session on a public computer, a corporate computer, or any PC they are not in full control of. The latest releases of trojans not only log keys, but cache cookies and URLs too.

As I also mentioned earlier, the random café I was using seemed to routinely crash PCs and put up a paywall screen over an existing session (i.e. the browser was still live behind the pay window, but with no way of accessing the browser); the next paying user would be returned to the browser, which would already be logged in to my session. Many cafés are now using thin clients with sessions occurring remotely on a server; again, it is easy to hijack an open session and keep control open.

My suggestions are either:

* Like the login log, show a list of open sessions so users know how many times their account is logged in at any one time (perhaps with a 'terminate' button); OR

* Allow users to decide whether they wish to allow more than one webmail session logged in at any time (there's only one of me, so I only want to be logged in once!)

As my email account contains far more sensitive information than my Facebook account, I'd like to know that the session security is at least as good. I understand there may not be an easy way to do this, but I don't think that means the developers shouldn't look into it.
Old 4 Mar 2011, 09:38 AM   #13
Shelded
How about a post to the Feature Requests forum?
Old 4 Mar 2011, 04:20 PM   #14
MagicDavid
Good idea - could you perhaps move this post into that forum?
Old 4 Mar 2011, 06:17 PM   #15
scutworker
A facility to terminate other sessions already exists on some services like Gmail. I just tested it by logging in on my PC, then on my phone. I terminated the other locations on my phone and was logged out on my PC as soon as I clicked any link in Gmail.

Maybe Fastmail could implement something like this?
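A server-side session registry of the kind this thread asks for, written here as an added example in Python; it is not Fastmail's code and says nothing about how Fastmail actually implements sessions. It models several concurrent sessions per account with a sliding inactivity timeout (which is why a periodic refresh keeps an abandoned café session alive), the 'active sessions' list from post #12, and the Gmail-style 'terminate all other sessions' action from post #15; the absolute max_lifetime cap goes beyond the thread as an extra mitigation, and the SessionStore/Session names, the injected clock and the client labels are all assumptions.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    client: str        # constructed label such as "cafe PC"; a real store would record IP/UA
    created_at: float
    last_seen: float
    idle_timeout: int  # seconds; 1800 is the "Public Terminal" minimum quoted in the thread
    max_lifetime: int  # absolute cap, an added mitigation the thread does not describe

class SessionStore:
    def __init__(self, clock):
        self._clock = clock  # injectable clock so expiry can be exercised deterministically
        self._sessions: dict[str, Session] = {}

    def login(self, user, client, idle_timeout=2 * 3600, max_lifetime=12 * 3600):
        sid = secrets.token_urlsafe(32)  # unguessable id; this is the cookie value
        now = self._clock()
        self._sessions[sid] = Session(user, client, now, now, idle_timeout, max_lifetime)
        return sid

    def _alive(self, s, now):
        return now - s.last_seen <= s.idle_timeout and now - s.created_at <= s.max_lifetime

    def touch(self, sid):
        """Per-request check: activity slides the idle deadline, never the absolute one."""
        s = self._sessions.get(sid)
        now = self._clock()
        if s is None or not self._alive(s, now):
            self._sessions.pop(sid, None)
            return None
        s.last_seen = now
        return s

    def active_sessions(self, user):
        """The 'active sessions' list proposed in post #12."""
        now = self._clock()
        return [(sid, s.client) for sid, s in self._sessions.items()
                if s.user == user and self._alive(s, now)]

    def terminate_others(self, sid):
        """Gmail-style 'sign out everywhere else' (post #15): server-side revocation."""
        me = self._sessions[sid].user
        others = [k for k, s in self._sessions.items() if s.user == me and k != sid]
        for k in others:
            del self._sessions[k]
        return len(others)
```

Because revocation happens in the server-side store, a cookie and URL left on the café PC stop working the moment the user terminates that session from elsewhere, regardless of how often the page is refreshed.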
Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy