EmailDiscussions.com  

Go Back   EmailDiscussions.com > Email Service Provider-specific Forums > FastMail Forum
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read
Stay in touch wirelessly

FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.

Reply
 
Thread Tools
Old 28 Dec 2016, 04:35 AM   #16
jhollington
Essential Contributor
 
Join Date: Apr 2008
Posts: 292
Quote:
Originally Posted by TheJapanese View Post
Don't want, that my routers firmware knows my private mail-password, etc.
While I agree with your main point about the improved security of having two-factor authentication and app-specific passwords, it's fair to say that your routers firmware shouldn't know your mail passwords anyway as long as you're using TLS-encrypted connections, which you're pretty much required to do with FastMail, not only for web-based access but also for IMAP and other related protocols (and honestly, this isn't something that app-specific passwords would protect you from anyway if they weren't, which is a big part of the reason why FastMail enforces TLS connections on IMAP/POP connections and doesn't even allow STARTTLS).
jhollington is offline   Reply With Quote
Old 28 Dec 2016, 05:26 AM   #17
TheJapanese
Member
 
Join Date: Apr 2016
Posts: 34
Every device I use for mailing or pushing mails knows my password (because I enter it inside the routers firmware, mail software or devices like iphones itself). So it's much better to have app specific passwords.
TheJapanese is offline   Reply With Quote
Old 28 Dec 2016, 06:42 AM   #18
jhollington
Essential Contributor
 
Join Date: Apr 2008
Posts: 292
Quote:
Originally Posted by TheJapanese View Post
Every device I use for mailing or pushing mails knows my password (because I enter it inside the routers firmware, mail software or devices like iphones itself). So it's much better to have app specific passwords.
For IMAP mail clients, sure, but I wasn't quite clear on why you'd be entering your email account password into your router's firmware .... is this for notifications or something? In that case, yes, an app-specific password limited to SMTP submission is definitely a bonus.
jhollington is offline   Reply With Quote
Old 28 Dec 2016, 07:29 AM   #19
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 2,410
Quote:
Originally Posted by jhollington View Post
For IMAP mail clients, sure, but I wasn't quite clear on why you'd be entering your email account password into your router's firmware .... is this for notifications or something? In that case, yes, an app-specific password limited to SMTP submission is definitely a bonus.
I was assuming he was referring to NAS boxes, or other network devices with (for instance) printing and scanning functions that rely on email. No doubt there are other similar capabilities around also. Whatever his specific use case, device passwords are definitely a great feature.
BritTim is offline   Reply With Quote
Old 28 Dec 2016, 07:36 AM   #20
jhollington
Essential Contributor
 
Join Date: Apr 2008
Posts: 292
Quote:
Originally Posted by BritTim View Post
I was assuming he was referring to NAS boxes, or other network devices with (for instance) printing and scanning functions that rely on email. No doubt there are other similar capabilities around also. Whatever his specific use case, device passwords are definitely a great feature.
Yeah, agreed, and serious kudos to FastMail that they allow an app-specific password for SMTP-authenticated sending only I've used a couple of those myself.

I obviously originally assumed he was concerned that his router's firmware was potentially intercepting the password in transit
jhollington is offline   Reply With Quote
Old 28 Dec 2016, 08:22 AM   #21
brong
The "e" in e-mail
 
Join Date: Jul 2004
Location: Melbourne, Australia
Posts: 2,640

Representative of:
Fastmail.fm
Quote:
Originally Posted by correo View Post
I respect what fastmail says about their approach to privacy, and I believe them. Nonetheless, if a law enforcement official showed up with a warrant or put a gun to their head, so to speak, they would be capable of turning over my plaintext emails. With the systems I describe from other providers, they are only capable of turning over encrypted data.
That stuff is plain old wishful thinking snakeoil. You log in every day to read your email. If you have an IMAP client it's logging in with your password every couple of minutes. If you have any push support, the law enforcement people with guns at their heads can say "send their device a push to say that new email has arrived" (for real, they can just send you a spam email to trigger the new email alert, or wait for a real one to arrive - I get one every few minutes anyway).

At this point you log in or your client logs in with your plaintext password, decrypting the mail store on the server, and it's game over. The fact that it's stored encrypted at rest and requires your password to be applied to decrypt it (on the server) would only have value if you knew in advance that you were being monitored and immediately took steps to make sure you never logged in again. Ever. In which case you don't have access to your email any more, either the old stuff or any new incoming emails (though the law enforcement people would get new emails, because they'd compel a copy be taken before being encrypted)

It's a cool idea from a cryptonerd perspective, but it's useless as security against any actual real-world threat.

(speaking of which "l33t haX0r breaks into provider computers and tries to read your email" suffers from exactly the same issue, sure they can only access your email while you're logged in and your vault is decrypted, but like I said - that's going to at least once per day, so they don't have to wait long. You're only safer if your provider notices them before you next log in and shuts them down)
brong is offline   Reply With Quote
Old 6 Jan 2017, 07:59 AM   #22
petar
Junior Member
 
Join Date: Jan 2017
Posts: 4
I just want to contribute a little bit with an article on browser based cryptography - https://tonyarcieri.com/whats-wrong-with-webcrypto. The point is that you can not trust the browser to isolate you from the server, mostly because you dynamically load unsupervised code for execution (from the server) - but not only. This means that services like ProtonMail and Tutanota are not as secure as advertised, at least in principle (and we have witnessed that principle manifest, sooner or later).
I myself am paid user of Tutanota, although I do not actually use it and consider this a donation for the development of the field, so this is not bashing. To have really secure client side encryption, you need a client, where code is not loaded dynamically, that is - not a browser. And this is just for the storage of messages - incoming and outgoing messages are still subject to interception. For real end to end encryption, the base mail system would have to be extended, which means that it will be generally incompatible with most of the world.
petar is offline   Reply With Quote
Old 14 Feb 2017, 02:14 PM   #23
TheJapanese
Member
 
Join Date: Apr 2016
Posts: 34
What about discontinuing TLS1.0 and TLS1.1 with Fastmail?

Some news over here?
TheJapanese is offline   Reply With Quote
Reply


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Forum Jump


All times are GMT +9. The time now is 02:29 PM.

 

Copyright EmailDiscussions.com 1998-2013. All Rights Reserved. Privacy Policy