FastMail Forum: All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.

16 Oct 2010, 12:36 PM | #1
Senior Member
Join Date: Aug 2005
Location: England, UK
Posts: 164
Session security
Hi all
A while ago I wrote about something that worried me about session security. Essentially Fastmail lets you have several (unlimited?) logged in sessions on several different computers at the same time. My original post is here: http://www.emaildiscussions.com/show...ssion+security

Gmail and now Facebook have implemented a function that allows you to log off ALL open sessions. It would put my mind at ease if Fastmail could do the same. The Gmail and Fastmail solution also checks the GeoLocation of the IP addresses you've logged in on recently and if, say, you're logged in at home in London and suddenly you also log in in Poland or Russia it displays a warning in a red bar at the top of the page. Very useful - but the 'log off all' function on its own would be sufficient.

I'm sure we all store highly sensitive information in our email boxes (possibly there more than anywhere else) - this simple extra security would give me much more peace of mind.

As always - your views are welcome...

Thanks
David
16 Oct 2010, 06:44 PM | #2
The "e" in e-mail
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,095
Certainly, your proposal has merit. The question is how much effort it would need and the relative priority of the change over other enhancements we would like.
It is understandable that Gmail and Facebook have made this a priority, given the highly publicized intrusions they have suffered. Are such intrusions at all likely for Fastmail users who are careful (such as using the one-time password feature when in an unsafe environment)? I am not sure. You are probably aware that Fastmail does keep a record of your account accesses, which you can examine to see if there is suspicious activity. Perhaps this makes your proposed changes less important. Hmmm...
16 Oct 2010, 07:30 PM | #3
Senior Member
Join Date: Aug 2005
Location: England, UK
Posts: 164
Thanks for your reply Tim.
In my opinion, security is the most important issue when it comes to any system that holds our private, personal or sensitive data. Facebook, GMail, our banks all realise this. However, the data held in my email box probably contains far more personal information than any of those services. And, what's more, with access to my email account, you can reset passwords and gain access to sites like Facebook, thereby undermining any additional security those sites provide.

Yes, we can use OTP - but I don't use that logging in from my own computer - and who knows if we've been hit by a 0-day key logger which has exploited an unknown vulnerability on our computers before our anti-virus companies have clocked it.

Here is a bit more information - the article talks about OTP first (which we already have at Fastmail) but then talks about the session security later. http://www.electricpig.co.uk/2010/10...ime-passwords/ Quote:

http://www.electricpig.co.uk/2010/03...-fights-scams/ Quote:
16 Oct 2010, 08:28 PM | #4
The "e" in e-mail
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,095
I have decided, after some consideration, that I like the Gmail warning and am terrified by the remote sign out without additional safeguards. Remote sign out probably makes it easier for a malicious attacker to lock you out of your own account, because the attacker can use the feature against you.
I think what I would like to see, in addition to the warning, is additional logic around the backup account:
Note, by the way, that even the Gmail warning has a downside. It allows an attacker to know if you are online also. In the end, I think successful intrusion by a malicious and skilled attacker is almost certain to cause grief, even if you know about it promptly. It is essential to avoid the break-in in the first place.
16 Oct 2010, 08:39 PM | #5
Senior Member
Join Date: Aug 2005
Location: England, UK
Posts: 164
Interesting point.
However, at the moment, if someone was logged in to another session in your email account right now, you wouldn't know... so, actually, the attacker might not want to log you out of your sessions, because until (or even if) you notice something in your login log, he has access to your daily emails. Bear in mind, the 'log out all' function just logs you out, it doesn't block you completely. This, backed up with answering a 'secret question' before being able to reset your password (as seems common with many web based applications), would alleviate the problem you have quite rightly identified.

At the moment, they could keep the session open indefinitely simply by getting the browser to automatically refresh the page every two hours. I'm not sure even using the existing change password function would end any currently open sessions - since they are already authenticated.

If I were an attacker - the last thing I'd want to do is raise the alarm and lock you out of your account when I could have dual access to your account for the next few weeks - reading every new message that's coming in.

I think something needs to be done - not sure what the perfect solution is, but GMail and Facebook seem to have some good ideas.
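A server-side session model, added here as an example (not FastMail's code), showing the three controls the thread asks for: a 'log out all' that ends every open session at once, a password change that does the same, and an absolute session lifetime so that a page refresh every two hours cannot keep a session alive forever. The timeout values and the `SessionStore` API are assumptions of this example.

```python
"""Constructed session model: revoke-all, password-change revocation and
an absolute lifetime that periodic refreshes cannot extend."""
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 2 * 3600        # assumed: expire after 2 h without a request
ABSOLUTE_LIFETIME = 24 * 3600  # assumed: hard cap, however active the session


@dataclass
class Session:
    user: str
    generation: int   # copy of the account's generation at login time
    created: float
    last_seen: float


@dataclass
class Account:
    password_hash: str        # stand-in value; use a real password hash in practice
    session_generation: int = 0


class SessionStore:
    def __init__(self):
        self.accounts = {}   # user -> Account
        self.sessions = {}   # token -> Session

    def login(self, user, now):
        token = secrets.token_urlsafe(32)
        gen = self.accounts[user].session_generation
        self.sessions[token] = Session(user, gen, now, now)
        return token

    def validate(self, token, now):
        """Return the user for a live session, else None. A request refreshes
        the idle timer but never the creation time, so the absolute cap holds."""
        s = self.sessions.get(token)
        if s is None:
            return None
        stale = (now - s.last_seen > IDLE_TIMEOUT
                 or now - s.created > ABSOLUTE_LIFETIME
                 or s.generation != self.accounts[s.user].session_generation)
        if stale:
            del self.sessions[token]   # revoked or expired: forget it server-side
            return None
        s.last_seen = now
        return s.user

    def logout_all(self, user):
        """Bumping the generation invalidates every existing session for the user;
        sessions created afterwards carry the new value and stay valid."""
        self.accounts[user].session_generation += 1

    def change_password(self, user, new_hash):
        self.accounts[user].password_hash = new_hash
        self.logout_all(user)   # a password change must also end open sessions
```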