24 Jan 2017, 03:16 PM   #44
paul29
Senior Member
Join Date: Apr 2014
Posts: 166
Some security thoughts:

1. One easy way to handle restricted mode might be to have an alternative web UI that's just a pure IMAP client, that could have its own password and optional 2FA. I'd use this for travel when I don't have my own computer. I might set something like this up with Roundcube on a VPS, though I thought using Fastmail would mean I don't have to run my own servers.

2. U2F barely exists right now; Firefox doesn't support it without a special add-on, etc. We can talk about a science fiction future when U2F is the right way to authenticate dubious computers to Fastmail, but that future is not the present day. So right now, 2FA means SMS and TOTP.

3. SMS is a terrible form of authentication because it can be intercepted or spoofed too easily, and it has impaired usefulness for international travel because your phone might not have international roaming. So that leaves TOTP.

4. TOTP is at least semi-workable (phone app or hardware token) but the old printed OTP was superior imho, because it meant you didn't have to carry an electronic gadget with you. I wouldn't bring a smartphone on international travel because of border checks etc. A keychain token is slightly ok, but a slip of paper that I can rip up and throw away before entering the airport is best.

5. TOTP is a pain to leave turned on all the time if you log in a lot like I do. It would be great to be able to whitelist specific IP addresses, which would at least cut back to 1 TOTP entry per session. Right now there's a "don't require for later sessions" but that's done with a browser cookie, not good if you clear cookies all the time.

6. There's imho a bug(?) in the implementation of "view and log out existing sessions". The cookies last for a month but you can only view the past 2 weeks of sessions. So there could be a 3 week old active cookie out there with no way to kill it. In fact I usually have 100s of active sessions (unkilled cookies) because I typically log out by closing the browser or clearing all cookies, so killing them one by one is impractical. It seems like a security obstacle that there's no button to log out ALL the old sessions in one shot.

Here's the latest in the string of border search stories that makes me prefer printed OTP to TOTP, U2F, or travelling with a smartphone: https://vc.gg/blog/so-its-been-a-while.html
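The mismatch in point 6 (a cookie that stays valid for a month while the session list only reaches back two weeks) modelled as an added Python example; this is not Fastmail's code, the SessionStore class and its methods are assumed, and only the 30-day and 14-day figures come from the post:

```python
from datetime import datetime, timedelta

COOKIE_LIFETIME = timedelta(days=30)  # cookie stays valid for a month (from the post)
VIEW_WINDOW = timedelta(days=14)      # UI lists only the past two weeks (from the post)


class SessionStore:
    """Hypothetical session registry, constructed to model the post's scenario."""

    def __init__(self):
        self.sessions = {}  # session_id -> [created_at, revoked]
        self._next = 0

    def login(self, when):
        self._next += 1
        sid = f"s{self._next}"
        self.sessions[sid] = [when, False]
        return sid

    def is_active(self, sid, now):
        created, revoked = self.sessions[sid]
        return not revoked and now - created < COOKIE_LIFETIME

    def visible_sessions_buggy(self, now):
        # Shows only sessions created inside the view window, regardless of cookie validity
        return [sid for sid, (c, r) in self.sessions.items() if not r and now - c <= VIEW_WINDOW]

    def visible_sessions_fixed(self, now):
        # Shows every session whose cookie could still authenticate a request
        return [sid for sid in self.sessions if self.is_active(sid, now)]

    def orphaned_sessions(self, now):
        # Active sessions the buggy view can never surface, hence never revoke
        return sorted(set(self.visible_sessions_fixed(now)) - set(self.visible_sessions_buggy(now)))

    def logout_all(self, now):
        # The missing "log out ALL sessions" button: revoke every still-active session
        revoked = 0
        for sid in self.sessions:
            if self.is_active(sid, now):
                self.sessions[sid][1] = True
                revoked += 1
        return revoked


def demo():
    # Constructed sample: one session per state (orphaned, on the edge, recent, already expired)
    store = SessionStore()
    t0 = datetime(2017, 1, 1)
    store.login(t0)                        # 24 days old at check time: active but invisible
    store.login(t0 + timedelta(days=10))   # exactly 14 days old: still listed
    store.login(t0 + timedelta(days=20))   # 4 days old: listed
    store.login(t0 - timedelta(days=35))   # 59 days old: cookie already expired
    return store, t0 + timedelta(days=24)
```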