FastMail Forum

31 Dec 2018, 07:31 AM #16
Cornerstone of the Community
Join Date: Jun 2008
Location: Perth
Posts: 664

Consider if you only ever use your FIDO U2F key, but for emergency recovery purposes have your phone or a TOTP registered.
If you never lose your key and only use that key, and you never use the TOTP or phone method, then are you safe from MITM attacks?

31 Dec 2018, 09:44 AM #17
The "e" in e-mail
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320

The issue would be whether your backup phone option could be hacked; Reddit was hacked with an SMS intercept. You want to think about social engineering of someone taking over your phone account. For some, this may be overkill, but for others of us, these are real issues to consider.

31 Dec 2018, 12:13 PM #18
The "e" in e-mail
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,095

For many of us, the risk of a targeted attack is sufficiently low that we do not worry about it. Our main concern is automated attacks that aim to infiltrate accounts with weak security. What you suggest is likely good enough against such attackers.

4 Jan 2019, 09:59 PM #19
Cornerstone of the Community
Join Date: Jul 2011
Posts: 713

Excellent thread, ChinaLamb, thank you!

5 Jan 2019, 08:25 AM #20
Member
Join Date: Oct 2010
Posts: 65

Certificate pinning
What if FastMail app (Android and iOS) did certificate pinning?

6 Jan 2019, 06:07 AM #21
The "e" in e-mail
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320

6 Jan 2019, 07:06 AM #22
Cornerstone of the Community
Join Date: Jun 2008
Location: Perth
Posts: 664

But if I only use my FIDO U2F key, then this targeted attack will fail?

6 Jan 2019, 11:12 AM #23
The "e" in e-mail
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320

Check this out... Hackers targeting journalists, including those using 2FA (which is simple 2 factor authentication -- ie. authenticator codes)...
https://mashable.com/article/hackers.../#K6LfewCAGOql Yes, U2F, FIDO was designed to thwart this kind of attack...

6 Jan 2019, 11:40 AM #24
Cornerstone of the Community
Join Date: Jun 2008
Location: Perth
Posts: 664

It seems that if you avoid clicking such notification links, and instead type in the URL into a web page for the site in question, you can avoid the phishing attempt - is this assumption correct?

6 Jan 2019, 08:55 PM #25
The "e" in e-mail
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320

The problem is that even the best security researchers have found themselves phished. Yes, if you never try to log into a fake login you should be safe. But even some of the best out there are getting fooled. All it takes is one groggy morning or one instance where you are not fully paying attention.
The other issue is with DNS intercept, or if someone takes over your DNS and sends you to a malicious website that has a certificate and looks exactly like Google. Or maybe your favorite VPN gets hacked and bad actors reroute you to a fake login page for Google. Again all with legitimate certificates (but not necessarily Google's). How often do you inspect the certificates before you login?
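The origin binding that posts #23 and #25 rely on, shown as an added toy model that is not part of this thread and is not Fastmail, FIDO or Yubico code. The origins are assumed values, and the ECDSA signature of real U2F is replaced by an HMAC whose secret the relying party keeps for verification, so the script runs on the Python standard library alone. It shows why a login page on a look-alike domain (the "legitimate certificate, but not Google's" case) cannot obtain an assertion the real site accepts, and why a captured assertion cannot be replayed.

```python
"""Toy model of FIDO U2F origin binding (added illustration, not Fastmail,
FIDO or Yubico code). The origins are assumed values; the ECDSA signature of
real U2F is replaced by an HMAC so the script needs only the standard library."""
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://www.fastmail.com"   # assumed relying-party origin
PHISH_ORIGIN = "https://www.fastmai1.com"  # constructed look-alike domain


class SecurityKey:
    """The token. Each registration yields a key handle bound to one app id
    (the origin); the token refuses to sign for any other app id."""

    def __init__(self):
        self._registrations = {}

    def register(self, app_id):
        handle = secrets.token_hex(8)
        secret = secrets.token_bytes(32)  # stands in for the per-site key pair
        self._registrations[handle] = (app_id, secret)
        return handle, secret

    def sign(self, app_id, handle, challenge_param):
        bound_app_id, secret = self._registrations[handle]
        if app_id != bound_app_id:
            raise ValueError("key handle not issued for this app id")
        app_param = hashlib.sha256(app_id.encode()).digest()
        return hmac.new(secret, app_param + challenge_param, hashlib.sha256).digest()


class RelyingParty:
    """The real site. Stores the registration and checks origin, challenge
    freshness and the signature on every login."""

    def __init__(self, origin):
        self.origin = origin
        self._handle = None
        self._secret = None
        self._outstanding = set()

    def enroll(self, key):
        self._handle, self._secret = key.register(self.origin)
        return self._handle

    def issue_challenge(self):
        challenge = secrets.token_urlsafe(32)
        self._outstanding.add(challenge)
        return challenge

    def verify(self, client_data, signature):
        data = json.loads(client_data)
        if data["origin"] != self.origin:
            return "rejected: origin mismatch"
        if data["challenge"] not in self._outstanding:
            return "rejected: unknown or replayed challenge"
        self._outstanding.discard(data["challenge"])  # each challenge is single use
        app_param = hashlib.sha256(self.origin.encode()).digest()
        challenge_param = hashlib.sha256(client_data.encode()).digest()
        expected = hmac.new(self._secret, app_param + challenge_param, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return "rejected: bad signature"
        return "accepted"


def browser_sign(key, handle, page_origin, challenge):
    """The browser, not the page, writes the origin it observes into the client
    data and passes that same origin to the key as the app id."""
    client_data = json.dumps(
        {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    )
    challenge_param = hashlib.sha256(client_data.encode()).digest()
    signature = key.sign(page_origin, handle, challenge_param)
    return client_data, signature


def login_attempt(page_origin):
    """Simulate a login with the user on `page_origin`. A phishing page relays
    the real site's challenge and would forward whatever the key signs."""
    key = SecurityKey()
    rp = RelyingParty(REAL_ORIGIN)
    handle = rp.enroll(key)
    challenge = rp.issue_challenge()
    try:
        client_data, signature = browser_sign(key, handle, page_origin, challenge)
    except ValueError as exc:
        return f"rejected by key: {exc}"
    return rp.verify(client_data, signature)


def replayed_assertion():
    """A captured assertion cannot be presented twice: the challenge is consumed."""
    key = SecurityKey()
    rp = RelyingParty(REAL_ORIGIN)
    handle = rp.enroll(key)
    challenge = rp.issue_challenge()
    client_data, signature = browser_sign(key, handle, REAL_ORIGIN, challenge)
    return rp.verify(client_data, signature), rp.verify(client_data, signature)


if __name__ == "__main__":
    print("real site:", login_attempt(REAL_ORIGIN))
    print("look-alike site:", login_attempt(PHISH_ORIGIN))
    print("replay:", replayed_assertion())
```

The toy keeps only the two checks that matter for the thread's question: the token will not sign for an app id it was not registered under, and the relying party rejects any assertion whose client data names another origin or a challenge it did not just issue. The real protocol also signs a usage counter and lets the browser decide which origins may use a given app id. The caveat a practitioner should keep in mind is that the check is only as good as the origin the browser observes: an attacker who held a valid certificate for the real hostname and could hijack DNS would present the matching origin, so U2F should sit alongside, not replace, certificate and DNS hygiene.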
6 Jan 2019, 09:21 PM #26
Cornerstone of the Community
Join Date: Jun 2008
Location: Perth
Posts: 664

That's all kinda depressing

7 Jan 2019, 02:09 AM #27
The "e" in e-mail
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320

Doesn't need to be. You just have to be smart about online security, and realize that just like people want to break into your home, they want to break into your email and accounts too. The internet has matured a lot in the last 20 years, and so has online crime.
We've moved from crunching credit cards, to swiping credit cards, and now we've got chip and pin credit cards. Technology evolves as crime evolves. I'd love to complain about it, but complaining doesn't make it any better. Put this in perspective. How much thought do you put into securing your home? Average lock for your home costs $100 at the big box stores - my home has 5 of those. Average key replacement for your car costs $250 from the dealer. Alarm systems? Etc? We haven't thought much about online security, aside from passwords. I don't want to get into it, but systems like Life-Lock have been shown to pretty much be a scam by the FCC. We all need to be aware of what gives the "illusion" of security, and what genuinely *does* give security. Unfortunately, Authenticator codes are looking more and more like the illusion of security, although they are better than nothing. With all this in perspective, for those that want protection from growing phishing attempts, something like the Google Titan key is quite affordable, $50 for 2 keys. Hopefully prices will go down, and with the rapid expansion of FIDO acceptance, I bet we're going to see it deployed much more broadly in the very near future.

7 Jan 2019, 02:25 AM #28
Essential Contributor
Join Date: Apr 2002
Posts: 280

Unfortunately, Fastmail doesn't support FIDO U2F when using an email client. Thunderbird version 60.0 added FIDO U2F support. So I submitted a support request in August asking if they supported its use by an email client because I wanted to use a Yubikey with my Fastmail IMAP account in Thunderbird.
The reply was "We currently do not support this. We hope to support this in the future, but don't have any timeline on this now, sorry."

7 Jan 2019, 07:05 AM #29
The "e" in e-mail
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320

/cl

12 Jan 2019, 06:33 AM #30
Essential Contributor
Join Date: Dec 2008
Location: Canada
Posts: 312

Security Key NFC - $27 direct from Yubico, free shipping in the States. Their standard FIDO2 U2F key is $20, readily available on Amazon. Have one as a backup. -- For unphishable/unhackable online security you don't need the bells & whistles of the more expensive Series 5 keys. An NFC security key is preferable to Google's Titan Bluetooth key (requires charging from time to time, not FIDO2, manufactured in China by Feitian). about FIDO2
Last edited by pjwalsh : 14 Jan 2019 at 06:28 AM.