EmailDiscussions.com  

Go Back   EmailDiscussions.com > Email Service Provider-specific Forums > FastMail Forum
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read
Stay in touch wirelessly

FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.

Reply
 
Thread Tools
Old 10 Nov 2022, 01:04 AM   #1
aoeuaoeu
Member
 
Join Date: Jan 2009
Posts: 50
New 'high-risk change' thing in beta is horrible!

Now, in beta, Fastmail asks for password whenever the user edits the Sieve script. I can understand this policy when it applies to a 'redirect' line but why on Earth is my editing a 'fileinto' directive considered a """high-impact or high-risk change"""?? It'd be much less annoying for Fastmail to show a banner for a day..or for a week..or for however long..saying "Sieve script last updated yyyy-MM-dd HH:mm'.

> We now ask for your password in Settings only when you attempt to make a high-impact or high-risk change to your account and, if you have two-factor authentication set, we now require your 2FA token on all untrusted devices."
aoeuaoeu is offline   Reply With Quote

Old 10 Nov 2022, 04:00 AM   #2
Avion
Junior Member
 
Join Date: Sep 2022
Posts: 15
It's so easy, if you're not experienced, to screw up the sieve script, so anything that makes you think twice before diving in may be of value to both the user and to Fastmail support.

Personally, I would have no problem with re-authenticating.

If you have strong feelings about it, however, you're best raising the question direct with Fastmail support, as you're unlikely to find them visiting here on this forum.
Avion is offline   Reply With Quote
Old 10 Nov 2022, 04:19 AM   #3
aoeuaoeu
Member
 
Join Date: Jan 2009
Posts: 50
Yup. I did contact Fastmail. Thank you for the suggestion and thank you for weighing in.

It's not a 'help the user get the Sieve script right' measure. But rather it's a poorly implemented """security""" measure. The prompt says something like 'just checking it's you -- please enter your password'. Under my account name, over the past 15 years, there's been hundreds of edits to my Sieve script. Not even one has come from someone other than me. This is true for damn-near all Sieve users, I bet.

Someone who's savvy enough to use Sieve tends to know what she or he is doing -- and that includes looking for nefarious modifications. A 'Sieve script modified recently' banner would e a lot less annoying!

If Fastmail's gonna meddle with thie Sieve sequence then it ought to diff the scripts so that only the really truly """high-impact or high-risk changes"""" (e.g., `redirect` directives) are subject to the annoying password prompt.

It's a lazy implementation and, as my renewal date nears, it makse me pause.

Last edited by aoeuaoeu : 10 Nov 2022 at 04:19 AM. Reason: typo
aoeuaoeu is offline   Reply With Quote
Old 11 Nov 2022, 02:31 PM   #4
Terry
The "e" in e-mail
 
Join Date: Jul 2002
Location: VK4
Posts: 2,966
What if you unknowingly get hacked, they change your script to forward on Banking emails etc and you would have no idea unless you look at your script daily.

Anything to keep my mail secure to me is a bonus...
Terry is offline   Reply With Quote
Old 11 Nov 2022, 10:48 PM   #5
aoeuaoeu
Member
 
Join Date: Jan 2009
Posts: 50
Your mail already is secure, man.

Fastmail says this change serves to target """high-impact or high-risk""" settings changes. Me adding in a 'fileinto' line constitutes neither high impact nor high risk.

It would be a lot less amateurish for Fastmail to show a 'Sieve script udated recently' banner -- rather than asking every user, on every edit, to enter password. It's flat-out *wrong* for Fastmail to lump all Sieve edits together -- e.g., 'redirect' line is high-impact and it's high-risk whereas 'fileinto' line is not. If they're gonna subject advanced users to these annoying security changes then they ought to evaluate the Sieve changes themselves -- not just whether or not Sieve was changed.

I prefer to not play 'What if this happens to me?' games about scenarios that won't ever happen to me.

Last edited by aoeuaoeu : 11 Nov 2022 at 11:31 PM.
aoeuaoeu is offline   Reply With Quote
Old 11 Nov 2022, 11:20 PM   #6
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,047
I have a suspicion that Fastmail has been influenced by what has been "high-impact or high-risk" in terms of their support costs. I can imagine a recurring theme where a lot of support time has been invested finding errors in people's sieve scripts (some of those cases have been reported here) and, after support has identified the issue, the account owner swearing that they never made the change that created the problem. I can see Fastmail wanting to have any change people made seared into their memory to avoid future aggravation

I think a better way of addressing this would be a sieve script change log that allows either account owners or support to quickly check whether changes were made that could explain problems when they are encountered..
BritTim is offline   Reply With Quote
Old 11 Nov 2022, 11:29 PM   #7
aoeuaoeu
Member
 
Join Date: Jan 2009
Posts: 50
Nice post!

Seems clear like day that there's numerous options that are less annoying than 'enter your password whenever you want to add in a fileinto line even though you've been doing exactly that, without any problems whatsoever, for the past 15 years'.

When you say 'errors', BritTim, you're talking not about validation errors (which Fastmail catches at the time of submission) but rather about typos leading to unexpected effects such as a message being filed in to the wrong folder?

I've always assumed that most Fastmail users don't use Sieve. All the more true in recent -- after the revamp of the rules interface. Do you folks agree?
aoeuaoeu is offline   Reply With Quote
Old 11 Nov 2022, 11:37 PM   #8
aoeuaoeu
Member
 
Join Date: Jan 2009
Posts: 50
Let me put emphasis on this detail: The password prompt says something like 'we just want to make sure it's you -- please enter your password'. The 'make sure it's you' thing looks pretty weird.
aoeuaoeu is offline   Reply With Quote
Old 12 Nov 2022, 01:43 AM   #9
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,047
Quote:
Originally Posted by aoeuaoeu View Post
When you say 'errors', BritTim, you're talking not about validation errors (which Fastmail catches at the time of submission) but rather about typos leading to unexpected effects such as a message being filed in to the wrong folder?
The biggest issue is when people complain they are not receiving emails because a sieve rule requests that those emails are discarded.
BritTim is offline   Reply With Quote
Old 12 Nov 2022, 02:57 AM   #10
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,890
Quote:
Originally Posted by BritTim View Post
people complain they are not receiving emails because a sieve rule requests that those emails are discarded.
So will requesting a password solve this problem?
janusz is offline   Reply With Quote
Old 12 Nov 2022, 03:19 AM   #11
aoeuaoeu
Member
 
Join Date: Jan 2009
Posts: 50
If adding a 'fileinto' line counts as being a """high-impact or high-risk change""" then so too does changing the UI font lol.
aoeuaoeu is offline   Reply With Quote
Old 12 Nov 2022, 06:50 AM   #12
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,047
Quote:
Originally Posted by janusz View Post
So will requesting a password solve this problem?
No, and I am not advocating for this change. However, Fastmail might be taking the view that stressing the potential high risk nature of changes to the sieve script might make people more careful, and make it more likely that they will remember if they screw up.
BritTim is offline   Reply With Quote
Old 12 Nov 2022, 06:56 AM   #13
aoeuaoeu
Member
 
Join Date: Jan 2009
Posts: 50
'Sieve script updated recently' banner would be better.

Though also, with plenty respect to BritTim, I don't buy the 'Fastmail wants to help people not mess up' theory. The password prompt says something like "Just checking to make sure it really is you" -- this sounds security oriented not user-error oriented.

Though, for what it's worth, I do totally buy the theory that Fastmail might be trying to add friction to the Sieve process.
aoeuaoeu is offline   Reply With Quote
Old 15 Nov 2022, 05:24 AM   #14
Terry
The "e" in e-mail
 
Join Date: Jul 2002
Location: VK4
Posts: 2,966
Aliases are no longer being locked which I find strange
Terry is offline   Reply With Quote
Old 15 Nov 2022, 08:38 AM   #15
Terry
The "e" in e-mail
 
Join Date: Jul 2002
Location: VK4
Posts: 2,966
Quote:
Originally Posted by aoeuaoeu View Post
Your mail already is secure, man.

Fastmail says this change serves to target """high-impact or high-risk""" settings changes. Me adding in a 'fileinto' line constitutes neither high impact nor high risk.
file into or divert the mail.


I prefer to not play 'What if this happens to me?' games about scenarios that won't ever happen to me.[/quote]

Well it's not all about you is it.
Terry is offline   Reply With Quote
Reply


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Forum Jump


All times are GMT +9. The time now is 11:45 PM.

 

Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy