EmailDiscussions.com  

FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.

Old 3 Nov 2010, 03:19 AM   #16
Gmailuser
Junior Member
 
Join Date: Oct 2010
Posts: 27
Facebook was just an example, and I didn't even talk about privacy, just security.

I don't care about the Facebook privacy policy, I just asked whether Fastmail has that cookie sniffing security hole posed by the author of Firesheep a few days ago.

Since it looks like the unencrypted login method has been the default for 10 years, it raised the question of whether you implement SSL sessions 100% correctly, or not.

I just suggested reading the linked article, and examining whether your system has those security holes mentioned in that article, or not. Because respected and high-traffic sites (not just Facebook) do have this security issue, it is totally possible that maybe Fastmail has this issue, too.

Did you verify that Fastmail doesn't have those issues mentioned in the article? http://codebutler.com/firesheep-a-day-later
Gmailuser is offline   Reply With Quote
Old 3 Nov 2010, 03:43 AM   #17
Sherry
 Moderator 
 
Join Date: Dec 2002
Location: USA
Posts: 8,687
Quote:
Originally Posted by Gmailuser View Post
Facebook was just an example, and I didn't even talk about privacy, just security.
I also was only mentioning Facebook as an example since you did bring them up with other big sites.
Quote:
Did you verify that Fastmail doesn't have those issues mentioned in the article? http://codebutler.com/firesheep-a-day-later
Since I can't answer that I'll back off now and let others (FM if they want) respond to your concerns.

Sherry
Sherry is offline   Reply With Quote
Old 3 Nov 2010, 10:48 PM   #18
neilj
Cornerstone of the Community
 
Join Date: Apr 2004
Location: Melbourne
Posts: 971

Representative of:
Fastmail.fm
Quote:
Originally Posted by Gmailuser View Post
I don't care about the Facebook privacy policy, I just asked whether Fastmail has that cookie sniffing security hole posed by the author of Firesheep a few days ago.
I just checked and it looks like we don't currently set the cookie to be secure only; I've emailed Rob, Bron & Richard and asked them to fix this (I don't touch that bit of the code). Just to let you know: we've been discussing authentication recently and I've written a new protocol that very clearly specifies all authentication cookies should be HTTPS only, however I didn't realise we don't already do this; we should fix this now not just wait for the new protocol to be implemented.

Cheers,

Neil.
neilj is offline   Reply With Quote
Old 4 Nov 2010, 12:08 AM   #19
Gmailuser
Junior Member
 
Join Date: Oct 2010
Posts: 27
I am not a developer, but looks like HTTP Strict Transport Security is an easy (probably the easiest?) solution. Firefox 4 and Chrome 4+ support this. Implement it in Opera, and then this feature is ready to go
Gmailuser is offline   Reply With Quote
Old 4 Nov 2010, 11:38 AM   #20
MagicDavid
Senior Member
 
Join Date: Aug 2005
Location: England, UK
Posts: 164
The standard, non-SSL login should be kept as an option. Too many corporate proxies block fastmail.fm. The SSL cert is tied to fastmail.fm, therefore rendering the whole service unusable for those people going through corporate firewalls. OTP can be used as a less secure alternative for these users.

Thanks

David
MagicDavid is offline   Reply With Quote
Old 5 Nov 2010, 04:54 PM   #21
neilj
Cornerstone of the Community
 
Join Date: Apr 2004
Location: Melbourne
Posts: 971

Representative of:
Fastmail.fm
Quote:
Originally Posted by neilj View Post
I just checked and it looks like we don't currently set the cookie to be secure only; I've emailed Rob, Bron & Richard and asked them to fix this.
This has now been fixed.

Neil.
neilj is offline   Reply With Quote
Old 6 Nov 2010, 10:43 AM   #22
amadsen
Junior Member
 
Join Date: Nov 2010
Posts: 1
I'm using Opera 9.64

and I like it, but it will not work with Fastmail's
new default SSL login; I am having to use Firefox
to access my email account on Fastmail.

Not good.
amadsen is offline   Reply With Quote
Old 7 Nov 2010, 02:38 AM   #23
neilj
Cornerstone of the Community
 
Join Date: Apr 2004
Location: Melbourne
Posts: 971

Representative of:
Fastmail.fm
Quote:
Originally Posted by amadsen View Post
and I like it, but it will not work with Fastmail's
new default SSL login; I am having to use Firefox
to access my email account on Fastmail.

Not good.
I can't seem to reproduce this; Opera works just fine for me. Perhaps try deleting your cookies in it?

Neil.
neilj is offline   Reply With Quote
Old 12 Nov 2010, 02:59 AM   #24
alirezanasibi
Member
 
Join Date: Jan 2010
Location: China
Posts: 73
Quote:
Originally Posted by MagicDavid View Post
The standard, non-SSL login should be kept as an option. Too many corporate proxies block fastmail.fm. The SSL cert is tied to fastmail.fm, therefore rendering the whole service unusable for those people going through corporate firewalls. OTP can be used as a less secure alternative for these users.

Thanks

David
+1
I can't use Fastmail under SSL login, and non-SSL is my only choice!
alirezanasibi is offline   Reply With Quote
Old 18 Nov 2010, 06:51 PM   #25
Gmailuser
Junior Member
 
Join Date: Oct 2010
Posts: 27
So Fastmail is no longer vulnerable to HTTP session hijacking? Even when using public wifis?

I think then all Fastmail users should change their passwords NOW. Especially because it turned out that the insecure login has been the default for years.

I think you should redirect http://fastmail.fm/ to http://www.fastmail.fm/ permanently. Now you don't redirect it, and this causes not only SEO problems, but I bet this could cause other (security) problems, too. Fastmail could be a great target of phishing attacks, because the login screen is accessible via a lot of different URLs, and they are not redirected to one master URL (http://www.fastmail.fm).

Note on using the unencrypted login: I think one-time passwords, SMS passwords, or Yubikey don't protect you at all in this situation. Let's say you log in with Yubikey. Now if someone steals your session, it does not matter that you used Yubikey! So I think two-factor authentication is a false sense of security if you use the unencrypted login. But correct me if I am wrong.

And I wonder how is it possible that proxies block fastmail.fm? Why do they block it?
I guess not very many people have this problem, that they cannot use Fastmail with SSL.

So the insecure login should not be so visible, just because 0.1% of users have a problem with the secure login.

Last edited by Gmailuser : 18 Nov 2010 at 06:59 PM.
Gmailuser is offline   Reply With Quote
Old 27 Nov 2010, 01:53 AM   #26
Bamb0
Master of the @
 
Join Date: Feb 2005
Location: USA
Posts: 1,874
In some cases SSL might not work..

I can't use Gmail's SSL, for example, w/o having to REFRESH every page (which is a pain)
Bamb0 is offline   Reply With Quote