FastMail Forum: All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.
28 Dec 2016, 04:35 AM | #16
Essential Contributor
Join Date: Apr 2008
Posts: 371
28 Dec 2016, 05:26 AM | #17
Member
Join Date: Apr 2016
Posts: 80
Every device I use for mailing or pushing mail knows my password (because I enter it into the router's firmware, the mail software, or devices like iPhones themselves). So it's much better to have app-specific passwords.
28 Dec 2016, 06:42 AM | #18
Essential Contributor
Join Date: Apr 2008
Posts: 371
For IMAP mail clients, sure, but I wasn't quite clear on why you'd be entering your email account password into your router's firmware. Is this for notifications or something? In that case, yes, an app-specific password limited to SMTP submission is definitely a bonus.
28 Dec 2016, 07:29 AM | #19
The "e" in e-mail
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,095
28 Dec 2016, 07:36 AM | #20
Essential Contributor
Join Date: Apr 2008
Posts: 371
I obviously originally assumed he was concerned that his router's firmware was potentially intercepting the password in transit.
28 Dec 2016, 08:22 AM | #21
The "e" in e-mail
Join Date: Jul 2004
Location: Melbourne, Australia
Posts: 2,696
Representative of: Fastmail.fm
At this point you log in, or your client logs in, with your plaintext password, decrypting the mail store on the server, and it's game over. The fact that it's stored encrypted at rest and requires your password to be applied to decrypt it (on the server) would only have value if you knew in advance that you were being monitored and immediately took steps to make sure you never logged in again. Ever. In which case you don't have access to your email any more, either the old stuff or any new incoming emails (though the law enforcement people would get new emails, because they'd compel a copy to be taken before it is encrypted).

It's a cool idea from a cryptonerd perspective, but it's useless as security against any actual real-world threat.

(Speaking of which, "l33t haX0r breaks into provider computers and tries to read your email" suffers from exactly the same issue. Sure, they can only access your email while you're logged in and your vault is decrypted, but like I said, that's going to happen at least once per day, so they don't have to wait long. You're only safer if your provider notices them before you next log in and shuts them down.)
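To make the argument in the post above concrete, here is a constructed toy model (added for illustration; it is not Fastmail's code or the poster's) of a mail store encrypted at rest under a key derived from the user's password. The cipher is a deliberately simple HMAC-SHA256 keystream and is not meant for real use; the point is where the key lives. `readable_on_server` plays the role of someone with access to the server process and shows what they can read before login (only mail queued in plaintext while the user was offline), during a session (everything, since the derived key is in server memory), and after logout (nothing, until the next login).

```python
"""Toy model of password-derived encryption at rest (constructed example).

The cipher below (HMAC-SHA256 keystream + HMAC tag) is for illustration
only. Names (MailServer, readable_on_server) are invented for this example.
"""
import hashlib
import hmac
import os
import secrets


def derive_key(password: str, salt: bytes) -> bytes:
    """Slow KDF so the ciphertext cannot be brute-forced cheaply.
    The server runs this step, so the server holds the result."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || tag || body; tag authenticates nonce and body."""
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + tag + body


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, tag, body = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


class MailServer:
    """Server that encrypts each mailbox under a password-derived key."""

    def __init__(self):
        self.salts = {}      # user -> KDF salt
        self.verifier = {}   # user -> small ciphertext used to check the password
        self.mailbox = {}    # user -> list of ciphertext blobs
        self.pending = {}    # user -> plaintext mail that arrived with no key available
        self.sessions = {}   # user -> derived key, present only while logged in

    def register(self, user: str, password: str) -> None:
        self.salts[user] = os.urandom(16)
        self.verifier[user] = encrypt(derive_key(password, self.salts[user]), b"ok")
        self.mailbox[user], self.pending[user] = [], []

    def login(self, user: str, password: str) -> None:
        # The client sends the plaintext password; the server derives the key
        # and keeps it in memory for the session. This is the "game over" moment.
        key = derive_key(password, self.salts[user])
        decrypt(key, self.verifier[user])  # raises ValueError on a wrong password
        self.sessions[user] = key
        # Mail that arrived while logged out can only be encrypted now.
        for msg in self.pending[user]:
            self.mailbox[user].append(encrypt(key, msg))
        self.pending[user].clear()

    def logout(self, user: str) -> None:
        self.sessions.pop(user, None)

    def deliver(self, user: str, msg: bytes) -> None:
        key = self.sessions.get(user)
        if key is None:
            self.pending[user].append(msg)  # no key: server must hold plaintext
        else:
            self.mailbox[user].append(encrypt(key, msg))

    def read_mail(self, user: str) -> list:
        key = self.sessions[user]  # decryption happens on the server
        return [decrypt(key, blob) for blob in self.mailbox[user]]


def readable_on_server(server: MailServer, user: str) -> list:
    """Everything an observer with server-process access can read right now."""
    readable = list(server.pending[user])
    key = server.sessions.get(user)
    if key is not None:
        readable += [decrypt(key, blob) for blob in server.mailbox[user]]
    return readable


if __name__ == "__main__":
    srv = MailServer()
    srv.register("alice", "correct horse battery")
    srv.deliver("alice", b"arrived while offline")
    print("before login:", readable_on_server(srv, "alice"))
    srv.login("alice", "correct horse battery")
    srv.deliver("alice", b"arrived during session")
    print("during session:", readable_on_server(srv, "alice"))
    srv.logout("alice")
    print("after logout:", readable_on_server(srv, "alice"))
```

The model also shows the second half of the argument: the only window in which the stored mail is unreadable on the server is between logout and the next login, and incoming mail during that window sits in `pending` in plaintext anyway.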
6 Jan 2017, 07:59 AM | #22
Junior Member
Join Date: Jan 2017
Posts: 4
I just want to contribute a little bit with an article on browser-based cryptography: https://tonyarcieri.com/whats-wrong-with-webcrypto. The point is that you cannot trust the browser to isolate you from the server, mostly because you dynamically load unsupervised code for execution (from the server), but not only for that reason. This means that services like ProtonMail and Tutanota are not as secure as advertised, at least in principle (and we have witnessed that principle manifest, sooner or later).

I myself am a paid user of Tutanota, although I do not actually use it and consider this a donation for the development of the field, so this is not bashing. To have really secure client-side encryption, you need a client where code is not loaded dynamically, that is, not a browser. And this is just for the storage of messages; incoming and outgoing messages are still subject to interception. For real end-to-end encryption, the base mail system would have to be extended, which means that it will be generally incompatible with most of the world.
14 Feb 2017, 02:14 PM | #23
Member
Join Date: Apr 2016
Posts: 80
What about discontinuing TLS 1.0 and TLS 1.1 at Fastmail?
Any news on this?