FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.
26 Feb 2010, 06:42 AM | #1 |
Senior Member
Join Date: Aug 2005
Location: England, UK
Posts: 164
Session security: Something to consider
Hi all
I've just come back from a lovely holiday in South Africa. As I travelled around, I used the excellent SMS One Time Password feature to stop the countless keyloggers installed on internet café PCs. However, I was almost hijacked by a different attack - session hijack. A trojan locked up the PC. I wasn't able to log off my mail session. I went to the neighbouring PC and logged in again - a new Fastmail session. However, the session on the other PC was still open and there was no way I could log it off. As long as the hacker refreshed the inbox page every hour or so they'd be able to keep the session open indefinitely - or at least several hours without me even knowing and without me being able to do anything.

As far as I can see, you can log in to Fastmail on several different computers at the same time and have different sessions open independently and invisibly. Even with SMS OTP and HTTPS it seems you're still susceptible to some man in the middle attacks on café computers.

I was thinking what might be a solution to this - perhaps an 'active sessions' tool that showed all the open and active sessions and a button to terminate them. That way you could log on to another computer and shut down any open sessions you weren't happy with. Does anyone else have any views?
26 Feb 2010, 07:09 AM | #2 |
The "e" in e-mail
Join Date: Jul 2002
Location: VK4
Posts: 3,029
|
Could you not have used Ctrl-Alt-Delete and shut the PC down?
26 Feb 2010, 07:18 AM | #3 |
Senior Member
Join Date: Aug 2005
Location: England, UK
Posts: 164
Hi Terry
Yes, I could have asked the staff to pull the plug on the computer, but the session would still be open (as I wasn't able to log out). This means someone with the URL (easy to get from the history or URL logging) could come back to the PC later with the logged URL and session cookie already on the PC and access my account - as long as the session hadn't timed out from inactivity - but that's not for at least two hours. I also think it's susceptible to 'man in the middle' attacks where a rogue SSL certificate has been installed on the café computer. I could be wrong about this - perhaps someone could clarify.
26 Feb 2010, 06:27 PM | #4 |
The "e" in e-mail
Join Date: Feb 2006
Location: EU
Posts: 4,945
26 Feb 2010, 10:54 PM | #5 |
Ultimate Contributor
Join Date: Dec 2001
Location: Canada.
Posts: 10,355
I agree with this but it surely does not address the issues that MagicDavid is addressing. A fix (of another variety) is required methinks.
26 Feb 2010, 11:20 PM | #6 |
The "e" in e-mail
Join Date: Feb 2006
Location: EU
Posts: 4,945
All I had in mind was a damage limitation exercise
26 Feb 2010, 11:32 PM | #7 |
Ultimate Contributor
Join Date: Dec 2001
Location: Canada.
Posts: 10,355
Damage limitation exercises (especially at Fastmail) often result in workarounds (of some kind or another) - which I rarely agree with, which is why I responded as I did janusz - your point is well taken though
27 Feb 2010, 02:19 AM | #8 |
Senior Member
Join Date: Aug 2005
Location: England, UK
Posts: 164
Am I right in thinking that a session only times out after inactivity, so if you selected 30 minutes it would only time out if nothing happened for that time?
For example, if someone clicked a link or a button, would it reset the clock and give them potentially unlimited access to your account without any knowledge that the additional session was even open, as long as they refreshed the page within the timeout period?
27 Feb 2010, 04:57 AM | #9 |
The "e" in e-mail
Join Date: Feb 2006
Location: EU
Posts: 4,945
|
In my experience, a session crash (browser or PC falling over or being restarted) resets the session. Whether this counts as a time-out is a moot point here....
27 Feb 2010, 06:04 PM | #10 |
Senior Member
Join Date: Aug 2005
Location: England, UK
Posts: 164
I don't think it does. Try hitting reboot now without logging off, then go into your history, click your last Fastmail session and, tada, you're in!
1 Mar 2010, 10:49 AM | #11 |
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,930
Session timeouts
Rob Mueller posted in the Fastmail Blog about sessions a few days ago. I just asked him about session security, and he confirmed that to get back into the session you need:
Bill
1 Mar 2010, 08:35 PM | #12 |
Senior Member
Join Date: Aug 2005
Location: England, UK
Posts: 164
|
This is clearly a risk. Applications like Facebook ONLY allow one session at a time - you can't have two concurrent sessions with the same username. This is because they have considered the security implications and taken them seriously.
All of the information - cookies and URLs - is available in a man in the middle SSL attack, which can be performed on any public computer where someone can install a rogue certificate. The default timeout is fairly lengthy and gives ample time to run an automatic refresh script which could potentially keep your session open indefinitely as far as I can see. Although the OTPs give better security, people need to understand it's not anywhere near protecting their session on a public, corporate computer or any PC they are not in full control of. The latest releases of trojans not only log keys, but cache cookies and URLs too.

As I also mentioned earlier, the random café I was using seemed to routinely crash PCs and put up a paywall screen over an existing session (i.e. the browser was still live behind the pay window but there was no way of accessing the browser) - the next paying user would be returned to the browser, which would be already logged in to my session. Many cafés are now using thin clients with sessions occurring remotely on a server - again, easy to hijack an open session and keep control open.

My suggestions are either:
* like the login log, to show a list of open sessions so users know how many times their account is logged in at any one time (perhaps with a 'terminate' button); OR
* allow users to decide whether they wish to allow more than one webmail session logged in at any time (there's only one of me, so I only want to be logged in once!)

As my email account contains far more sensitive information than my Facebook account, I'd like to know that the session security is at least as good. I understand there may not be an easy way to do this, but I don't think that means the developers shouldn't look into it.
4 Mar 2011, 09:38 AM | #13 |
Moderator
Join Date: Aug 2001
Location: USA Northwest
Posts: 3,849
How about a post to the Feature Requests forum?
4 Mar 2011, 04:20 PM | #14 |
Senior Member
Join Date: Aug 2005
Location: England, UK
Posts: 164
Good idea - could you perhaps move this post into that forum?
4 Mar 2011, 06:17 PM | #15 |
Member
Join Date: Mar 2006
Posts: 44
A facility to terminate other sessions already exists on some services like Gmail. I just tested it by logging in on my PC, then on my phone. I terminated the other locations on my phone and was logged out on my PC as soon as I clicked any link in Gmail.
Maybe Fastmail could implement something like this?
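The mechanisms discussed in this thread (the "active sessions" list and terminate button from post #1, the idle-timeout question from post #8, the single-session option from post #12 and the Gmail-style "sign out all other sessions" from post #15) fit together in one server-side session registry. The following is an added example in Python; it is not Fastmail's or Gmail's code, and the in-memory store, the injectable clock, the user name "traveller" and the client labels are all assumptions made for illustration. It also shows the point raised in post #8: an idle timeout alone is reset by every request, so a hijacker refreshing every 50 minutes keeps the session alive, whereas an absolute lifetime ends it regardless of activity.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Session:
    session_id: str   # short public id shown in the "active sessions" list
    user: str
    client: str       # descriptive label (browser, IP, location) for the list
    created: float
    last_seen: float


class SessionStore:
    # Illustrative in-memory registry; a real service would use a shared store keyed the same way.
    def __init__(self, idle_timeout: float = 3600, absolute_timeout: float = 8 * 3600,
                 single_session: bool = False, clock: Callable[[], float] = time.time):
        self.idle_timeout, self.absolute_timeout = idle_timeout, absolute_timeout
        self.single_session, self.clock = single_session, clock
        # Keyed by SHA-256 of the cookie value, so a dump of the store yields no usable tokens.
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str, client: str) -> str:
        """Create a session after authentication succeeds; returns the cookie value."""
        if self.single_session:  # "there's only one of me": evict every other session
            for k in [k for k, s in self._sessions.items() if s.user == user]:
                del self._sessions[k]
        token, now = secrets.token_urlsafe(32), self.clock()
        self._sessions[self._key(token)] = Session(secrets.token_hex(4), user, client, now, now)
        return token

    def resume(self, token: str) -> Optional[Session]:
        """Validate the cookie on every request; expired sessions are purged here."""
        k = self._key(token)
        s, now = self._sessions.get(k), self.clock()
        if s is None:
            return None
        # Idle timeout resets on each request; the absolute timeout never does,
        # so a refresh script cannot hold a stolen session open for ever.
        if now - s.last_seen > self.idle_timeout or now - s.created > self.absolute_timeout:
            del self._sessions[k]
            return None
        s.last_seen = now
        return s

    def list_sessions(self, token: str) -> List[dict]:
        """The proposed 'active sessions' view: every live session of the caller's user."""
        me = self.resume(token)
        if me is None:
            return []
        return [{"session_id": s.session_id, "client": s.client, "current": s is me,
                 "idle_for": round(self.clock() - s.last_seen)}
                for s in self._sessions.values() if s.user == me.user]

    def terminate_others(self, token: str) -> int:
        """'Sign out all other sessions', as the thread describes for Gmail."""
        me = self.resume(token)
        if me is None:
            return 0
        victims = [k for k, s in self._sessions.items() if s.user == me.user and s is not me]
        for k in victims:
            del self._sessions[k]
        return len(victims)


def demo() -> dict:
    """Replay the thread's scenario against a fake clock and return what was observed."""
    t = [0.0]
    store = SessionStore(clock=lambda: t[0])
    cafe = store.login("traveller", "cafe PC (locked up, never logged out)")
    t[0] += 600
    home = store.login("traveller", "neighbouring PC")
    before = len(store.list_sessions(home))           # both sessions are visible
    killed = store.terminate_others(home)             # the button post #1 asks for
    cafe_alive = store.resume(cafe) is not None
    # Without that button: a refresh every 50 min keeps the idle timer alive for 7.5 h ...
    store2 = SessionStore(clock=lambda: t[0])
    t[0] = 0.0
    stolen = store2.login("traveller", "cafe PC")
    refreshed = True
    for _ in range(9):
        t[0] += 50 * 60
        refreshed = refreshed and store2.resume(stolen) is not None
    t[0] += 50 * 60          # ... but at 8 h 20 min the absolute lifetime ends it anyway
    after_absolute = store2.resume(stolen) is not None
    # Single-session policy from post #12: the second login evicts the first.
    store3 = SessionStore(single_session=True, clock=lambda: t[0])
    first = store3.login("traveller", "PC A")
    store3.login("traveller", "PC B")
    first_alive = store3.resume(first) is not None
    return {"sessions_before_kill": before, "killed": killed, "cafe_alive_after_kill": cafe_alive,
            "survived_refreshes": refreshed, "alive_after_absolute": after_absolute,
            "first_alive_under_single_session": first_alive}
```

Two design points worth noting: the store never holds the raw cookie value, only its hash, so a leaked session table (or the URL/cookie caching trojans mentioned in post #12) does not hand over live tokens to whoever reads the store; and expiry is enforced at lookup time on every request, which is also the moment a terminated session stops working, matching the behaviour described for Gmail in post #15 (the other browser is logged out on its next click).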