EmailDiscussions.com

FastMail Forum: All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.

Old 16 Oct 2010, 12:36 PM   #1
MagicDavid
Senior Member
 
Join Date: Aug 2005
Location: England, UK
Posts: 164
Session security

Hi all

A while ago I wrote about something that worried me about session security. Essentially Fastmail lets you have several (unlimited?) logged in sessions on several different computers at the same time.

My original post is here:
http://www.emaildiscussions.com/show...ssion+security

Gmail and now Facebook have implemented a function that allows you to log off ALL open sessions. It would put my mind at ease if Fastmail could do the same.

The Gmail and Fastmail solution also checks the GeoLocation of the IP addresses you've logged in on recently and if, say, you're logged in at home in London and suddenly you also log in from Poland or Russia it displays a warning in a red bar at the top of the page. Very useful - but the 'log off all' function on its own would be sufficient.

I'm sure we all store highly sensitive information in our email boxes (possibly there more than anywhere else) - this simple extra security would give me much more peace of mind.

As always - your views are welcome...

Thanks

David

Old 16 Oct 2010, 06:44 PM   #2
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,095
Certainly, your proposal has merit. The question is how much effort it would need and the relative priority of the change over other enhancements we would like.

It is understandable that Gmail and Facebook have made this a priority, given the highly publicized intrusions they have suffered. Are such intrusions at all likely for Fastmail users who are careful (such as using the one-time password feature when in an unsafe environment)? I am not sure.

You are probably aware that Fastmail does keep a record of your account accesses, which you can examine to see if there is suspicious activity. Perhaps, this makes your proposed changes less important.

Hmmm...
Old 16 Oct 2010, 07:30 PM   #3
MagicDavid
Senior Member
 
Join Date: Aug 2005
Location: England, UK
Posts: 164
Thanks for your reply Tim.

In my opinion, security is the most important issue when it comes to any system that holds our private, personal or sensitive data. Facebook, GMail, our banks all realise this. However, the data held in my email box probably contains far more personal information than any of those services.

And, what's more, with access to my email account, you can reset passwords and gain access to sites like Facebook, thereby undermining any additional security those sites provide.

Yes, we can use OTP - but I don't use that logging in from my own computer - and who knows if we've been hit by a 0-day key logger which has exploited an unknown vulnerability on our computers before our anti-virus companies have clocked it.

Here is a bit more information - the article talks about OTP first (which we already have at Fastmail) but then talks about the session security later.

http://www.electricpig.co.uk/2010/10...ime-passwords/

Quote:
Facebook has also outed two new features. There’s a new remote sign off feature (similar to the one packed by Gmail) that will allow users to log-out of Facebook in all the locations they’re logged in at. It’s now also possible to spot where you’re logged in by checking your Facebook account settings. Handy for spotting if someone is spying on your profile.

Facebook has also announced that it’s planning a third new Facebook security feature that will regularly prompt you to update your security information. We hope it’s not too regular with those updates.

More information on the GMail security:

http://www.electricpig.co.uk/2010/03...-fights-scams/

Quote:
The new Google Gmail feature uses the IP address of a computer logging in to your Gmail account to work out the location. If your recent logins come from locations that are strangely far apart within a short timeframe, Google will display a big red banner in Gmail warning you of a login attempt from an unusual location.

Once Gmail has let you know, Google lets you check the details of recent login attempts. You can either approve them as accurate (for instance if you’ve just been travelling a lot) or identify them as a genuine attack on your Gmail account with Google giving you a quick link to change your password there and then.

Bear in mind the login log doesn't show you where you are currently logged in with an active session, it just logs each time someone submits a username and password. Logouts are not captured. Also it requires you to access the login log each time you want to find out who's been logging in.
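The Gmail warning quoted in the post above is an "impossible travel" check: the geolocation of each login is compared with the previous one for the same user, and the implied speed is checked against what a traveller could plausibly manage. As an added example (not part of this thread, and not FastMail's or Google's code), here is that logic in Python run over a constructed login log. The lat/lon fields are assumed to have already been resolved from the client IP by a GeoIP lookup, which is out of scope here; the log format, the sample IPs and the 900 km/h threshold are assumptions made for the example.

```python
"""Impossible-travel detection over a login log (added example, not FastMail code).

Each record is "<ISO timestamp> user=<name> ip=<addr> lat=<deg> lon=<deg>".
The lat/lon are assumed to come from a GeoIP lookup done before logging.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

LOG_LINE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"lat=(?P<lat>-?[\d.]+) lon=(?P<lon>-?[\d.]+)"
)

# Constructed sample: two logins from London, then one from Warsaw an hour
# later, plus an unrelated user in Bangkok. IPs are illustrative only.
SAMPLE_LOG = """\
2010-10-16T08:00:00Z user=david ip=81.2.69.142 lat=51.5074 lon=-0.1278
2010-10-16T09:30:00Z user=david ip=81.2.69.142 lat=51.5074 lon=-0.1278
2010-10-16T10:30:00Z user=david ip=83.16.1.10 lat=52.2297 lon=21.0122
2010-10-16T11:05:00Z user=tim ip=58.8.1.1 lat=13.7563 lon=100.5018
"""


@dataclass(frozen=True)
class Login:
    ts: datetime
    user: str
    ip: str
    lat: float
    lon: float


def parse_log(text):
    """Parse login records; lines that are not login records are skipped."""
    logins = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        logins.append(Login(ts, m["user"], m["ip"], float(m["lat"]), float(m["lon"])))
    return logins


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in degrees."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(logins, max_kmh=900.0):
    """Return (previous, current, km, kmh) for each consecutive login pair of
    one user, from different IPs, whose implied speed exceeds max_kmh."""
    flagged = []
    last_by_user = {}
    for cur in sorted(logins, key=lambda l: l.ts):
        prev = last_by_user.get(cur.user)
        if prev is not None and cur.ip != prev.ip:
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            # Two logins at the same instant from different places: infinite speed.
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                flagged.append((prev, cur, round(km), round(kmh)))
        last_by_user[cur.user] = cur
    return flagged


if __name__ == "__main__":
    for prev, cur, km, kmh in impossible_travel(parse_log(SAMPLE_LOG)):
        print(f"{cur.user}: {prev.ip} -> {cur.ip}, {km} km in "
              f"{(cur.ts - prev.ts)} ({kmh} km/h)")
```

The check deliberately compares each login only with the previous one for that user, so a legitimate traveller who logs in from home, then from an airport hours later, is not flagged unless the speed itself is implausible; a real deployment would also want to suppress known VPN or mobile-carrier exit addresses, which move users across the map without any travel.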
Old 16 Oct 2010, 08:28 PM   #4
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,095
I have decided, after some consideration, that I like the Gmail warning and am terrified by the remote sign out without additional safeguards. Remote sign out probably makes it easier for a malicious attacker to lock you out of your own account, because the attacker can use the feature against you.

I think what I would like to see, in addition to the warning, is additional logic around the backup account:
  • Any request to change the backup account (to send "forgotten" passwords) is notified to the old backup account and only takes effect after, say, 12 hours.
  • During that period, the update to the backup account could be canceled.
  • Requests for changes to the login password would be sent to the old account.
  • If a backup account is defined, any change to your login password would require confirmation via a message to the backup account.
  • Finally, remote sign out would need confirmation via a message sent to the backup account.
The downside of all this is that an attacker who has broken into your backup account, and knows that it is a backup account for your Fastmail and knows your Fastmail account name is in a better position to prevent you recovering without assistance from Fastmail support. (He is already in your Fastmail account, under these conditions, because he has your login password.)

Note, by the way, that even the Gmail warning has a downside. It allows an attacker to know if you are online also.

In the end, I think successful intrusion by a malicious and skilled attacker is almost certain to cause grief, even if you know about it promptly. It is essential to avoid the break-in in the first place.
Old 16 Oct 2010, 08:39 PM   #5
MagicDavid
Senior Member
 
Join Date: Aug 2005
Location: England, UK
Posts: 164
Interesting point.

However, at the moment, if someone was logged in to another session in your email account right now, you wouldn't know... so, actually, the attacker might not want to log you out of your sessions, because until (or even if) you notice something in your login log, he has access to your daily emails.

Bear in mind, the 'log out all' function just logs you out, not blocks you completely. This backed up with answering a 'secret question' before being able to reset your password (as seems common with many web based applications) would alleviate the problem you have quite rightly identified.

At the moment, they could keep the session open indefinitely simply by getting the browser to automatically refresh the page every two hours. I'm not even sure even using the existing change password function at the moment would end any currently open sessions - since they are already authenticated.

If I were an attacker - the last thing I'd want to do is raise the alarm and lock you out of your account when I could have dual access to your account for the next few weeks - reading every new message that's coming in.

I think something needs to be done - not sure what the perfect solution is, but GMail and Facebook seem to have some good ideas.
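The last two posts raise three concrete mechanics: a login log is not a list of live sessions, a page refresh every couple of hours keeps a session alive indefinitely, and a password change may not end sessions that are already authenticated. Here is an added example of a server-side session registry that addresses all three; it is illustrative Python written for this thread, not FastMail's implementation, and the class names, the 2-hour idle window, the 7-day absolute cap and the SHA-256 stand-in for a real password hash are assumptions. The key idea is a per-user "session epoch": every session records the epoch it was issued under, and "sign out everywhere" (or a password change) just increments the epoch, so every existing token fails its next validation without the server having to find each one.

```python
"""Session registry with sign-out-everywhere (added example, not FastMail's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 2 * 3600        # sliding window: a request within 2h renews the session
ABSOLUTE_LIFETIME = 7 * 86400  # hard cap: a refresh loop cannot extend a session past this


@dataclass
class Session:
    token: str
    user: str
    ip: str
    epoch: int       # user's session epoch when this session was issued
    created: int     # unix seconds
    last_seen: int


@dataclass
class User:
    password_hash: str
    epoch: int = 0   # incremented to invalidate every outstanding session


class SessionStore:
    def __init__(self):
        self.users = {}
        self.sessions = {}

    @staticmethod
    def _hash(password):
        # Stand-in only; a real system uses a slow salted hash (argon2/bcrypt/scrypt).
        return hashlib.sha256(password.encode()).hexdigest()

    def register(self, user, password):
        self.users[user] = User(password_hash=self._hash(password))

    def login(self, user, password, ip, now):
        u = self.users.get(user)
        if u is None or not hmac.compare_digest(u.password_hash, self._hash(password)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, user, ip, u.epoch, now, now)
        return token

    def _valid(self, s, now):
        return (s.epoch == self.users[s.user].epoch
                and now - s.last_seen <= IDLE_TIMEOUT
                and now - s.created <= ABSOLUTE_LIFETIME)

    def touch(self, token, now):
        """Called on every request: returns the Session, or None if it is no longer valid."""
        s = self.sessions.get(token)
        if s is None:
            return None
        if not self._valid(s, now):
            del self.sessions[token]   # stale epoch or expired: drop it
            return None
        s.last_seen = now
        return s

    def active_sessions(self, user, now):
        """What a 'where am I signed in' page lists: live sessions, not login events."""
        return [s for s in self.sessions.values() if s.user == user and self._valid(s, now)]

    def sign_out_everywhere(self, user, keep=None):
        """Invalidate all of the user's sessions; optionally re-stamp the calling one."""
        self.users[user].epoch += 1
        kept = self.sessions.get(keep)
        if kept is not None and kept.user == user:
            kept.epoch = self.users[user].epoch

    def change_password(self, user, old, new, keep=None):
        u = self.users[user]
        if not hmac.compare_digest(u.password_hash, self._hash(old)):
            return False
        u.password_hash = self._hash(new)
        # A password change must end sessions that were authenticated under the old one.
        self.sign_out_everywhere(user, keep=keep)
        return True


if __name__ == "__main__":
    store = SessionStore()
    store.register("david", "correct horse")
    home = store.login("david", "correct horse", "81.2.69.142", now=0)
    other = store.login("david", "correct horse", "83.16.1.10", now=60)
    print("active before:", len(store.active_sessions("david", now=100)))
    store.change_password("david", "correct horse", "new secret", keep=home)
    print("active after password change:", len(store.active_sessions("david", now=200)))
```

Two design points worth noting. The epoch counter makes "log out all" O(1) and also covers tokens that were never written to the store (a lost or replicated session database), whereas deleting rows only covers what you can find. And the absolute lifetime is what defeats the "refresh every two hours" trick: a sliding idle timeout alone is exactly the behaviour the post describes.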
All times are GMT +9.

Copyright EmailDiscussions.com 1998-2022. All Rights Reserved.