SSL certificates updated again

A few days ago we updated our SSL certificates. The algorithm used to sign these certificates (SHA256) presented problems with some older clients and operating systems, notably WebOS and Nokia devices. To fix this we got our CA (DigiCert) to re-sign the certificates using the older SHA1 algorithm, which should work pretty much everywhere. These certificates are now live on all of our domains.

Most users should not notice any change. If you are on a device or client where you’ve had to install the DigiCert root certificate in the last few days, you may need to do this again as these certificates are signed from a different root certificate. If that affects you, the root certificate is available from DigiCert’s root certificate page and is called “DigiCert High Assurance EV Root CA”. If you also need the intermediate cert, its available from the same page with the name “DigiCert High Assurance CA-3″.

Posted in Technical. Comments Off

Please update your FastMail password

We’ve just sent the following announcement email to all FastMail users.


Dear FastMail User

You may have heard of a recent security bug in the OpenSSL library (that has been called ‘Heartbleed’) used by two-thirds of the Internet including ourselves and other major sites like Amazon, Google, Yahoo, etc. FastMail was quick to update its servers to fix this bug and issue new SSL certificates as soon as we were made aware of it.

We have no reason to believe any of our servers were targeted or exploited by this security flaw, but given the nature of the flaw it’s impossible to know if this bug was being exploited before it was announced.

Because of this, we are recommending that all FastMail users logout of all existing sessions and change their account passwords.

Again, there’s no evidence our servers or your password have been compromised, but we’re recommending this as a precautionary measure.

If you hate remembering passwords, we recommend you use a password manager program to remember them for you. Most modern browsers (e.g. Firefox, Chrome, etc) have a password manager built in and will offer to remember your passwords for you. LastPass and 1Password are also popular choices.

When you choose a new password, it’s important that you do not use the same password elsewhere and choose a password with reasonable complexity.

Your email is often the key to your online world. Many sites let you reset your password by sending a reset code to your email address. When you reuse your FastMail password at other sites, you’re making it much easier for attackers to potentially break in to your email account. Other sites often don’t have the same high security measures as FastMail (such as compulsory HTTPS, locked-down servers, etc.), which makes them much easier for criminals to break in to. If they hold your email address and the same password that you use for FastMail, the attacker can then access your email account and get into everything else you use online.

If you’re using alternative logins already, we recommend you delete and re-add them with any base password changed.

To change your password and log out of all existing sessions, you can use these steps.

Change password in current interface

  1. Log in to your FastMail account using the web interface
  2. From the menu at the top left, select ‘Password & Security’
  3. Enter your existing password where directed
  4. Enter your new password where directed. Re-enter again to make sure we got it right
  5. In the ‘Logged in Sessions’ section, click ‘Log out’ next to each existing session
  6. Click ‘Done’ to dismiss the panel
  7. From the menu at the top left, select ‘Log out’
  8. Now log in to your account again with your new password. This is often useful as a password manager will now prompt you to remember your password at this point.

Change password in ‘classic’ interface

  1. Log in to your FastMail account using the web interface
  2. Select the ‘Account’ item at the top right
  3. Select the ‘Password/Security Settings’ item
  4. Enter your new password where directed. Re-enter again to make sure we got it right
  5. Enter your existing password where directed
  6. Click ‘Update Password’
  7. Click ‘Logged In Sessions’ in the sidebar on the left
  8. Click ‘Delete’ next to each existing session
  9. Click ‘Log out’ at the top right
  10. Now log in to your account again with your new password. This is often useful as a password manager will now prompt you to remember your password at this point.

Again, this is a highly precautionary measure. FastMail is extremely concerned about security and has always tried to be highly pro-active with keeping our customer’s accounts and data as secure as possible.

Regards,

The FastMail Team

Posted in News. Comments Off

When two-factor authentication is not enough

TL;DR: This is the story of a failed attempt to steal FastMail’s domains.

We don’t publish all attempts on our security, but this one stands out for how much effort was put into the attack, and how far it went.

We’ve had a handful of minor attack attempts recently. Targetted phishing emails to staff trying to steal credentials. An NTP-based DDOS which was quickly mitigated by NYI, our excellent hosting service.

These sorts of attacks are the “background radiation” of the internet. Along with port scans and entries in the web server logs from malware trying us out to see if we’re vulnerable to old PHP bugs (hint, we’re not). It’s the reality of being on the internet.

This blog post was first drafted before the Heartbleed fiasco. Sometimes, no matter how careful you are, you get a nasty surprise. We responded very quickly, as always. Anyway, on with this story.

About a month ago, our hostmaster@fastmail.fm account suddenly wound up subscribed to hundreds of mailing lists. All these mailing lists failed to use double or confirmed opt-in, so someone was simply able to enter the email address into a form and sign us up, no confirmation required. This really is poor practice, but it’s still pretty common out there. A special shout-out goes to government and emergency response agencies in the USA for their non-confirmation signup on mailing lists. Thanks guys.

The upshot was that the hostmaster address was receiving significant noise. Rob Mueller (one of our directors) wasted (so we thought) a bunch of his time removing us from those lists one by one, being very careful to check that none of the ‘opt-out’ links were actually phishing attempts. This turns out to have been time very well spent.

Internet identities

At FastMail, our security is central to the safety of our users. Given access to an email account, an attacker could reset passwords on other sites, including those which allow spending real money.

We take this responsibility very seriously, and we’re always looking for ways to improve our security.

Two factor authentication (2FA)

The Domain Name System is one thing that’s even lower layer and more central to identity security than the email server itself.

Based on recent articles in the tech press, we really wanted to have ALL our domains protected by two factor authentication.

Our domains were historically spread amongst multiple registrars. We chose to consolidate with Gandi because they have a great slogan (“no bullshit”), they support 2FA, and they support all the top level domains we require.

Robert Norris, one of our sysadmins, was in charge of the migration. He set up a corporate account with Gandi to get assistance in transferring the domains, and set up two-factor authentication at the same time.

Gandi uses the popular OATH TOTP (also known as “Google Authenticator”) mechanism. Rob wrote a small TOTP client and placed it with the key on our management servers in the secure storage area where we also keep our SSL certificates. The account password itself was encrypted in our password manager, which is stored separately.

Only a small number of trusted people have access to the credentials for our Gandi account. We are satisfied that this level of security is strong enough.

The attempt

On March 19th, this came to hostmaster@fastmail.fm:

From: Gandi Corporate Team
To: hostmaster@fastmail.fm
Subject: [RN1374-GANDI] Email address update request
Date: Wednesday, March 19, 2014 8:27 PM

Hello,

We received an email update request for the account RN1374-GANDI.

Previous email address: hostmaster@fastmail.fm
New email address: fastmail.fm@qq.com

If you are opposed to this modification, thank you for letting us know
only by replying to this email.

If you can read this message, then you can recover the password of your
account, and thus modify the email address of the handle. In that case,
we won't take care of your request.

Without any reply from your side, we will proceed within 24 hours.

Best regards,

Gandi Corporate

The hostmaster alias actually forwards to three of us, and we were all hyper-alert, so we thankfully noticed this email.

Within twenty four hours.

One day.

Gandi assure us that their fraud detection systems would have detected this, but for the 2 weeks it took from this email until we had full control over our account again, we were worried.

This request had completely bypassed our two-factor protection.

Forged source addresses

There is a well known problem in network security. You can’t trust the source address of an IP packet – they are trivially forged.

It’s the reason why we have source port randomisation, sequence number randomisation… all the things designed to stop an attacker being able to forge both an initial SYN packet and also the response to an ACK packet to bring up a TCP connection.

While they can falsify the source of a request, an attacker without full network control can not receive the response to their forged packet and continue the handshake.

This is why this email was such a surprise. Like the poor quality mailing lists mentioned above, it didn’t require a confirmed opt-in. We had to reply to say that we didn’t want the contact email address changed.

This means that a forged source address was sufficient. Even though the attacker couldn’t read email to hostmaster@fastmail.fm, they didn’t need to. All they needed was for us to not read it.

To Gandi’s credit, they responded very quickly to our “NO, DON’T CHANGE IT” email, and locked our account to stop any further shenanigans while they investigated and collected more documents from us.

Falsified documents

We discovered that Gandi received a paper email change form (pdf) claiming to be from a “Robert NORRIS” (the name which appears on our whois data), along with pictures of a passport of said “Robert NORRIS” and company registration documents also claiming to be for FastMail Pty Ltd.

At the time of writing, we are still in debate with the Gandi Legal Department about whether they can even show us these documents. They claim that French Law forbids them from showing us documents which purport to be from us. This is something to be aware of when choosing an vendor – different companies operate in different jurisdictions. There’s also a certain degree to which the conservatism of legal departments (protect the company as much as possible) conflicts with the corporate motto (“no bullshit”). The first response we got was certainly bullshit – “in order to meet a legal or regulatory obligation”. We challenged them to give an actual legal obligation and were given Article 226-15 of the French Criminal Code, along with rough English translation as follows:

“The act, committed in bad faith, of opening, deleting, delaying or diverting correspondence, whether or not it arrived at its destination, and addressed to a third party, or to fraudulently gain knowledge thereof, is punishable by one year of imprisonment and a fine of 45,000 EUR.”

We don’t believe that law is relevant – it’s the “no interception” law that exists everywhere, and doesn’t forbid anyone from quoting documents in replies to the purported source of those documents. If the law really was as Gandi Legal seem to be interpreting it, it would be illegal to quote an email in your response unless you were certain that the source address hadn’t been faked.

Was this a “security flaw”?

Security is built in layers, and I would definitely say that the fact that we received that email means one of the layers was weaker than it should be. Partly it’s poor choice of wording (Gandi claim that they would not necessarily have changed the email within 24 hours, depending on other investigations).

It still would have been necessary to either disable or reset the two-factor authentication on our account as well for the attacker to get full control. That’s difficult, but not necessarily impossible. After the fact, there’s no way to know how it would have gone down. We certainly weren’t willing to take the risk of doing nothing and seeing what happened!

What we do know is that the attacker was very determined, and willing to go as far as forging documents while simultaneously generating noise to make us less likely to notice the attack. They must have figured they had a chance.

Improving security for the future

A disadvantage of adding something like two-factor authentication after the fact is that you may miss the interactions with your existing processes. Gandi’s paper “email reset” form makes a lot of sense in the world where most of their customers are individuals or small businesses with one or two domains, and using addresses that they may lose access to. With no other factors, if they lose access to the email address and forget their password, there needs to be a process to regain access.

It’s always great to have a consistent process. Having a consistent process means that attackers can’t just try their luck until they find someone who is more trusting than average. Australia has a fantastic system called the 100 point check for authenticating people. We like process, consistently applied.

The problem we have is that we didn’t expect that the account email address could be changed without any reference to our two factors at all. Maybe nobody at Gandi realised either. That’s a security flaw – even if it doesn’t mean everything is totally broken.

We have had some very frank discussions with Gandi over the past week, and they agreed to make all three of the improvements we proposed as a result of these events:

  • the setting “disable password resets via email” was not on the security settings page of their website. Because of this, we hadn’t discovered and enabled it. They are moving it to the security page.
  • if an account has 2FA enabled, a red flag will automatically be raised against the request, meaning significant extra investigation will be done.
  • if an account has 2FA enabled, then an active confirmation will be required from the owner of the account before changing the email address. This means it will be harder to regain access if you lose all your factors, but that’s a good thing! Turning on 2FA means you want it to be hard for anyone who doesn’t have those two factors to gain access.

These steps will make attacks against Gandi accounts even more difficult in future, and we applaud their efforts to improve security and willingness to listen to our concerns.

There is one other measure that we have suggested which is still under discussion. Requiring the TOTP code to be entered on the password reset form, rather than using a secret question. We believe secret questions are bogus security, and we have an appeal to authority to back us up.

Gandi have blogged about this as well, and also given some general advice on keeping your account with them secure.

Conclusion

FastMail came out of this attack unscathed. Our domains are now even more secure, because Gandi has tons of proof on file about who we are and who our company is. Also Gandi’s processes have become more secure as a result of our experiences, so we are confident that we can safely keep our domains with them.

An important lesson learned is that just because a provider has a checkbox labelled “2 factor authentication” in their feature list, the two factors may not be protecting everything – and they may not even realise that fact themselves. Security risks always come on the unexpected paths – the “off label” uses that you didn’t think about, and the subtle interaction of multiple features which are useful and correct in isolation.

Posted in Technical. Comments Off

All SSL certificates updated

Based on a recent security issue in the OpenSSL library, we’ve updated all our server software and taken the precaution of replacing all of our SSL certificates. Most users shouldn’t notice any difference, but if your email client/xmpp client/ldap client/etc reports a certificate issue, this is probably the reason why.

Posted in News. Comments Off

FastMail housekeeping – removing little used features and simplifying others

In maintaining a large system like FastMail, we often find ourselves coming across code or configurations that’s can be harder to modify and update than we expect because of the way they interact with some particular feature or features. Normally this just means finding a different way of doing it. However in some cases, the feature itself is used by such a small number of people and the original reason it was useful is no longer so important that we’ve decided to retire a few rarely used features or update them to work differently than they have traditionally.

Below we describe the features we’re removing or changing, the rationale, and an alternative if available.

We plan to roll out what changes we can on beta over the next month, and fully roll them out everywhere on April 30.

Update: These changes are taking longer than expected to complete, so only some have been done so far. Details inline below.

Removing WAP

We’ve had a WAP server at http://wap.fastmail.fm for many years. WAP was a vastly reduced markup and display system designed for accessing internet content on early feature phones that didn’t have the power or bandwidth to render full HTML pages.

With the rise of smartphones and full HTML browsers, the use of WAP has dwindled to only a couple of users. Because of that, and because in most cases Opera Mini (which can access the HTML classic UI) will run on the phones people are using WAP on, we’ve decided to completely shutdown WAP.

Update: May 8, the WAP server has now been removed.

Removing Email reflector

The email reflector was an interesting attempt to provide an alternative to email forwarding. Basically the idea arose because some work places didn’t like employees logging into webmail accounts at work. So what you could do was “reflect” your FastMail email to your work address, and when you replied to the email from your work account, it would reflect back via FastMail and all the email addresses and headers would be rewritten to make it look like it came from your FastMail account!

In theory this was a really neat idea, however in practice it never quite worked as reliably as we liked. It was always marked as “in early stages of development” and was prone to “leaking” strange email addresses or creating extremely bizarre results if reflected and non-reflected email addresses somehow ended up being used together (e.g. someone accidentally added a “reflected” address into their work address book and used that with a non-reflector email address). Internally the code and configuration to make it all work is complex and messy.

Additionally these days, many people with work places with restrictive web policies have a personal smartphone they can easily configure to access any email account they want. They seems a much more natural solution to the problem.

On April 30, we’ll remove all reflector rules for any people who still have them still setup. We recommend you manually remove them before then so you’re more in control.

Removing SMS Sending via the web interface or SMTP

It’s currently possible to send SMS messages directly from the FastMail compose screen. You have to buy some SMS credits first, but after that, you just include a number@sms email address in your to/cc/bcc addresses and it’ll convert the first 160 chars into an SMS to that number. This also works via SMTP, you send to number@sms.messagingengine.com. You also have to set an originator phone number for the personality you are using to send from. In theory, this is the phone number the SMS will appear to come from.

When this was first implemented almost 10 years ago, it was a really useful feature. Most people had feature phones that were slow to type SMS’s on. Using this feature, you could quickly type a message in the web interface/email client, and to the recipient it would appear to have come from your phone, so if they replied to it, the reply would go to your phone.

Since then though, the usefulness of this has dropped significantly. Most people have smartphones where it’s now much easier to tap out a quick message. Also, mobile operators became much more strict about setting arbitrary originator numbers and now most block such messages. In it’s current state, most messages sent from FastMail now appear to come from a fixed number, not the originator number people have set the personality to, so if someone replies to the SMS, the reply disappears rather than going to the original sender.

On top of this, this feature has been an ongoing source of fraud issues for us. We still regularly see accounts signed up with stolen credit cards for the sole purpose of sending SMS spam, even with our heavy rate limiting.

Because of these flaws, we’re going to remove the ability to send arbitrary messages to SMS numbers altogether. Note that this will NOT affect SMS forwarding rules or SMS two factor authentication. Both of those are definitely being kept and will continue to work.

Update: May 8, the SMS sending via web interface/SMTP has been removed

Simplifying Pop Link retrieval

One of the features Pop Links have is the ability to set scheduled retrievals (every 1, 2, 3 or 12 hours, daily, or weekly). The minimum you can set is based on your current service level. In addition in the classic interface, you can perform additional manual retrievals from the action menu on demand. The fact the current interface doesn’t have this feature is regularly cited by a number of users as a reason not to switch interfaces.

The original reason for the different retrieval schedule limits was because we feared retrieval might be a resource intensive process with many users. What we’ve found is that almost all Pop Links are set to retrieve on the shortest interval possible for that service level and that they consume relatively negligible resources.

So what we’re going to do is remove the ability to schedule different retrieval periods, and instead just have a simple “manual” or “auto” mode switch. Respectively these will:

  • “manual” mode
    - No automatic checks
    - Classic UI: Can select from the action menu to manually retrieve
    - Current UI: (Update: This bit added based on user feedback, matches what the auto mode also does. If you don’t want this, you can still manually disable a pop link to stop this happening) If you click on a folder to go to that folder or ‘refresh’ the current folder, then any pop links that file into that folder get checked at that moment. Can go to the Advanced -> Pop Links screen to manually retrieve.
  • “auto” mode
    - Automatically checks every 1 hour
    - While logged into and active on either web interface, checks every 5 minutes (active is defined as performing actions which cause your browser to communicate with our server)
    - Classic UI: Can select from the action menu to manually retrieve.
    - Current UI: If you click on a folder to go to that folder or ‘refresh’ the current folder, then any pop links that file into that folder get checked at that moment. Can also go to the Advanced -> Pop Links screen to manually retrieve.

We believe this fits much better with what people actually want. Namely that emails are regularly retrieved from a remote service, that retrieves occur more frequently while you’re actually logged in and using the web interface, and that there’s an explicit way to perform a retrieve if you absolutely want to do one then and there.

Update: June 2, the “click on a folder to activate pop links filing into that folder” has been rolled out, the remaining changes will be rolled out soon.

Update: June 5, the remaining features have been rolled out and the Pop Links screen updated to allow “manual” or “auto” mode selection, as well as allowing an explicit “fetch” of a pop link along with the previous “test” of a pop link

Simplifying Personalities

SMTP FROM Envelope

Personalities have a option “SMTP FROM Envelope”. The fact that option says “Advanced: SMTP MAIL FROM envelope address to use. Leave blank unless told to” gives you some idea that this is a very rarely used option. Basically the point of it was to avoid SPF failures when sending email made to look like it came from an external service.

Realistically the amount of email blocked due to SPF failures is extremely low these days. SPF never really fixed any particular email problems (and added some really nasty ones like breaking forwarding without using a horrible hack) and ended up just becoming another scoring marker of little value in the overall judgement of an email’s spamminess.

The correct solution to this issue is to use the actual external server for that domain to send as that domain. In that case, the From address (in the header) and the SMTP MAIL FROM address (in the SMTP protocol) are the same, and so only the Email address field of personalities is required and is what will also be used for the SMTP MAIL FROM envelope.

Update: June 5, the SMTP FROM Envelope feature has been removed from the Personalities screen and disabled on sending

Signatures

Currently there’s a separate signatures screen for setting your signatures. You then select which signature to associate with with each personality.

Most people don’t work this way and find this extra level of indirection annoying or confusing. So we’re going to remove the signatures screen and just allow setting/editing of signatures on the personalities screen.

The one thing this will affect is the classic compose interface. In the advanced section you can choose which signature you want to use separate to the current personality. This option will be removed. If you want to use separate custom signatures, we recommend putting them in the Notepad and using the “Insert note” feature before sending.

Conclusion

Well that took longer than I expected. In some ways it’s sad to see some of these go (I wrote most of the code behind them!), but realistically the things being removed are little used and the proposed changes are small but neaten up some strange legacy edges and result in a better overall product for the majority of users.

Posted in News. Comments Off

Improved default search behaviour in classic interface

When we introduced the current interface, one of the features we were really happy with was our vastly improved searching. Basically we implemented a full text index that allowed you to search the headers and content of all your email in all folders for any words in a few seconds (in IMAP parlance, this uses the FUZZY SEARCH extension)

At the time, we decided to leave the search on the classic interface as it was (by default, search from/to/cc/subject headers but not the message content and search on substrings rather than whole terms).

However the general consensus from classic users is that they’d really like the improved search that the current interface comes with. So today we’ve rolled out a change that better unifies the search syntax on both the classic and current interfaces.

So now on both interfaces if you do a search:

dinner john

It will do a fast indexed search of the from, to, cc, bcc and subject headers as well as the message body content for messages that contain both “dinner” and “john”. This search is done on words/terms with stemming where possible, not sub-strings. This searches the current folder by default on classic, and across all folders by default on the current interface. On classic, you can check the “All” checkbox to search across all folders.

If you want to revert to the historical sub-string searching of headers, you can use the substr: modifier. Some more examples:

  • example – fuzzy search from/to/cc/bcc/subject headers and message bodies for the word “example”
  • body:example – fuzzy search message bodies for the word “example”
  • to:example – fuzzy search to/cc/bcc headers for the word “example”
  • onlycc:example – fuzzy search cc header for the word “example”
  • substr:example – search from/to/cc/subject headers (but not body content) for the substring “example”
  • substr:(dinner john) – search from/to/cc/subject headers for both substrings “dinner” and “john”
  • substr:(body:example) – search message body content for the substring “example” (warning: likely very slow!)
  • substr:(to:example) -  search to/cc/bcc headers for the substring “example”
  • substr:(onlycc:example) -  search cc header for the substring “example”

A complete list of all the search options can be found on our mailbox searching help page.

Posted in News. Comments Off
Follow

Get every new post delivered to your Inbox.

Join 4,997 other followers