FastMail Forum: All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.
28 Dec 2016, 05:15 AM | #31
Essential Contributor
Join Date: Apr 2008
Posts: 371
Speaking for myself, for example, while I fully understand the technical security advantages of U2F, I've made a conscious decision that I'd rather rely on TOTP and use my browser of choice than be required to use Chrome just to gain what I consider to be an incremental security benefit for my own purposes. For example, I don't consider myself to be vulnerable to phishing attacks, I trust the steps FastMail has taken to prevent MitM attacks and session hijacking, and I rarely use computers that have a high probability of being compromised by malware (e.g., I might log in from a client's PC on a corporate network or a business centre in a reputable hotel, but I've never had reason to do so in a generic Internet cafe). Ultimately, the problem is that these security issues right now are largely about preaching to the choir. If you're educated enough to understand the benefits of U2F and go through a process of configuring a lower-security TOTP access strategy — and actually willing to go through the hassle of using that methodology, then chances are you're aware enough of the security risks that the benefits provided by U2F really are quite incremental. Obviously it's a different matter when you're talking about building solutions in business environments, but 20+ years of consulting experience in IT security and messaging systems tells me that this is an uphill battle as well unless you've got management that's ready to buy in and seriously enforce restrictions on their end users. Then again, maybe I've just been jaded by working with clients like law firms where the inmates are running the asylum.
28 Dec 2016, 07:32 AM | #32
The "e" in e-mail
Join Date: Jul 2004
Location: Melbourne, Australia
Posts: 2,696
Representative of:
Fastmail.fm
Overall, I'm quite happy that "enter fresh second factor to upgrade this session to administrative for 30 minutes" solves all the realistic risk cases while being very easy to understand.
28 Dec 2016, 07:46 AM | #33
Essential Contributor
Join Date: Apr 2008
Posts: 371
However, I also think that the point that BritTim made about restricted administrative access for business and family account scenarios is valid as well. Although I realize that FastMail doesn't differentiate these in the same way that you folks used to, it doesn't remove the fact that there are scenarios where I might provide an account for a kid or an employee where I don't want them to have the flexibility to change certain settings. It's not uncommon in business environments to want to restrict forwarding rules or POP fetching, for example.
28 Dec 2016, 08:10 AM | #34
The "e" in e-mail
Join Date: Jul 2004
Location: Melbourne, Australia
Posts: 2,696
Representative of:
Fastmail.fm
I'm not going to speculate about the exact interface design, because I don't know what we'll do there, but I agree that it needs to be clear that you're enabling dangerous-stuff mode.
Now forwarding rules and POP fetching aren't in what can be locked down right now. More fine grained permission control is something on our radar for improving business tooling, and family will get the same features too.
28 Dec 2016, 11:16 AM | #35
The "e" in e-mail
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,095
31 Dec 2016, 06:58 AM | #36
Essential Contributor
Join Date: Jun 2002
Location: Rio de Janeiro, Brasil
Posts: 356
Wow... it was a really good thread.
Thank you to all EMD users who, just like me, love Fastmail.com and show it with lots of suggestions and some criticism. And thank you Brong for your eventual presence here; it is better few than none. I hope we keep working together in 2017, keeping FASTMAIL growing, changing, evolving and driving most of our online presence, even generally hidden behind your own personal domains!!! To all the Fastmail crew: my kudos and best wishes. Dario
5 Jan 2017, 11:28 AM | #37
The "e" in e-mail
Join Date: Jul 2004
Location: Melbourne, Australia
Posts: 2,696
Representative of:
Fastmail.fm
We have been talking about it for a while of course, and you're right - it is inevitable. It's getting more and more horrible to maintain over time. Having the timeline will also force us to deal with things that are only available in Classic, because "just log in to Classic and do it there" won't be an option any more.
5 Jan 2017, 01:41 PM | #38
The "e" in e-mail
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,095
It is good news that forward multiple messages as attachments is returning. I will put my thinking cap on to see if I can find ways of handling the other two key tasks for which I see switching to classic as the current solution (copy, not move, messages and create a zip file of messages in a search).
5 Jan 2017, 02:13 PM | #39
Cornerstone of the Community
Join Date: Apr 2004
Location: Melbourne
Posts: 971
Representative of:
Fastmail.fm
5 Jan 2017, 02:55 PM | #40
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
5 Jan 2017, 04:11 PM | #41
The "e" in e-mail
Join Date: Jul 2002
Location: VK4
Posts: 3,029
It would be nice to have that option to save to the HD....
5 Jan 2017, 06:49 PM | #42
The "e" in e-mail
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,095
13 Jan 2017, 12:01 AM | #43
The "e" in e-mail
Join Date: Sep 2001
Location: VA, USA
Posts: 2,789
Methinks FM is probably unaware of the Ford Edsel, the new Coca-Cola and Windows 8; it seems customers don't like major changes. Time will tell if the new FM is accepted. All other email services that I have used remain user friendly.
24 Jan 2017, 03:16 PM | #44
Senior Member
Join Date: Apr 2014
Posts: 166
Some security thoughts:
1. One easy way to handle restricted mode might be to have an alternative web UI that's just a pure IMAP client, that could have its own password and optional 2FA. I'd use this for travel when I don't have my own computer. I might set something like this up with Roundcube on a VPS, though I thought using Fastmail would mean I don't have to run my own servers.
2. U2F barely exists right now; Firefox doesn't support it without a special add-on, etc. We can talk about a science fiction future when U2F is the right way to authenticate dubious computers to Fastmail, but that future is not the present day. So right now, 2FA means SMS and TOTP.
3. SMS is a terrible form of authentication because it can be intercepted or spoofed too easily, and it has impaired usefulness for international travel because your phone might not have international roaming. So that leaves TOTP.
4. TOTP is at least semi-workable (phone app or hardware token) but the old printed OTP was superior imho, because it meant you didn't have to carry an electronic gadget with you. I wouldn't bring a smartphone on international travel because of border checks etc. A keychain token is slightly ok, but a slip of paper that I can rip up and throw away before entering the airport is best.
5. TOTP is a pain to leave turned on all the time if you log in a lot like I do. It would be great to be able to whitelist specific IP addresses, which would at least cut back to 1 TOTP entry per session. Right now there's a "don't require for later sessions" but that's done with a browser cookie, not good if you clear cookies all the time.
6. There's imho a bug(?) in the implementation of "view and log out existing sessions". The cookies last for a month but you can only view the past 2 weeks of sessions. So there could be a 3 week old active cookie out there with no way to kill it. In fact I usually have 100s of active sessions (unkilled cookies) because I typically log out by closing the browser or clearing all cookies, so killing them one by one is impractical. It seems like a security obstacle that there's no button to log out ALL the old sessions in one shot.
Here's the latest in the string of border search stories that makes me prefer printed OTP to TOTP, U2F, or travelling with a smartphone: https://vc.gg/blog/so-its-been-a-while.html
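Point 6 of the post above, modelled as an added example that is not FastMail's code: a session store whose cookies stay valid for 30 days while the sessions page only lists the last 14, so a valid session can exist that the user cannot see or revoke, plus a per-account "revoked before" timestamp that implements a log-out-everything button. The class names, fields and sample timestamps are assumptions made for the illustration.

```python
# Added example (not FastMail's code): cookie lifetime vs. listing window.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

COOKIE_LIFETIME = timedelta(days=30)  # a cookie stays valid this long (from the post)
LISTING_WINDOW = timedelta(days=14)   # the sessions page only shows this far back


@dataclass
class Session:
    session_id: str
    created_at: datetime
    revoked: bool = False


@dataclass
class Account:
    sessions: dict = field(default_factory=dict)
    # "revoke all" marker: every session created at or before this instant is dead,
    # regardless of whether it was ever shown on the sessions page.
    revoked_before: datetime = datetime.min.replace(tzinfo=timezone.utc)

    def new_session(self, sid: str, created_at: datetime) -> None:
        self.sessions[sid] = Session(sid, created_at)

    def is_valid(self, sid: str, now: datetime) -> bool:
        s = self.sessions.get(sid)
        if s is None or s.revoked or s.created_at <= self.revoked_before:
            return False
        return now - s.created_at < COOKIE_LIFETIME

    def visible_sessions(self, now: datetime) -> list:
        # What the "view and log out existing sessions" page would show.
        return [s.session_id for s in self.sessions.values()
                if now - s.created_at < LISTING_WINDOW and self.is_valid(s.session_id, now)]

    def invisible_but_valid(self, now: datetime) -> list:
        # The gap the poster describes: still accepted, but not listed, so not killable one by one.
        shown = set(self.visible_sessions(now))
        return [s.session_id for s in self.sessions.values()
                if self.is_valid(s.session_id, now) and s.session_id not in shown]

    def revoke_all(self, now: datetime) -> None:
        # One-shot log-out of every session; the caller re-issues the current one afterwards.
        self.revoked_before = now


def demo():
    # Constructed sample: three sessions of different ages as of 24 Jan 2017.
    now = datetime(2017, 1, 24, tzinfo=timezone.utc)
    acct = Account()
    acct.new_session("old", now - timedelta(days=21))      # 3 weeks: valid but unlisted
    acct.new_session("recent", now - timedelta(days=2))    # listed and valid
    acct.new_session("expired", now - timedelta(days=31))  # past cookie lifetime
    return acct, now
```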