
The FastMail Security Mindset - DASD
https://blog.fastmail.com/2017/12/05/the-fastmail-security-mindset/
======
ghouse
I was a very happy FastMail customer until a hacker asked them to reset my
password. After _incorrectly_ answering a handful of questions asked by the
FastMail support, the recovery email address was changed and a password reset
link sent. From there, the hacker attempted password resets on other services.

Initially, FastMail was dismissive that this was a simple "mix-up" and didn't
disable access to the hacker for 7.5 hours after my report.

To their credit, FastMail gave me a list of the email accessed and the message
headers of the messages the hacker sent from my account (and then deleted --
unrecoverable).

Until and unless FastMail addresses the human factor of security, their
technical security mindset is of secondary importance.

~~~
brongondwana
Now to write a more detailed response. If this winds up out of order later, I
first posted:
[https://news.ycombinator.com/item?id=15856609](https://news.ycombinator.com/item?id=15856609)

Again, ghouse, I'm really really sorry about what happened to your account. It
was wrong and we screwed up. As other comments have already noted, it was
during the transition to a new security system which was designed precisely to
remove the human factor from decision making.

I'm an Australian, and I'm a great fan of our "100 points of ID" system, which
is designed to remove the human factor from identifying people.

[https://en.wikipedia.org/wiki/100_point_check](https://en.wikipedia.org/wiki/100_point_check)

While I wasn't aware of your account's issue at the time (and we'll be having
some discussions internally about why not!), FastMail management were all
aware that we needed to get the human factor out of decision making about
account access, particularly since somebody tried to pull a similar swindle on
our domains!

[https://blog.fastmail.com/2014/04/10/when-two-factor-authentication-is-not-enough/](https://blog.fastmail.com/2014/04/10/when-two-factor-authentication-is-not-enough/)

We spent a lot of 2016 and 2017 working on an automated account recovery
system which allows recovery of locked accounts via a carefully audited set of
automated steps, which includes a 24 hour lockout to allow the owner to notice
an attempt on their account.

If this had existed in 2016 then we would have sent you there rather than
having a human make a (poor in this case) judgement call!

[https://www.fastmail.com/help/account/icantlogin.html](https://www.fastmail.com/help/account/icantlogin.html)

~~~
xmodem
> a 24 hour lockout to allow the owner to notice an attempt on their account.

I've been pretty careful to ensure that I don't lock myself out of my account
(multiple U2F keys, strong password saved in password manager with backups)

But if a determined attacker kicks this off just as I'm stepping on a flight
from Sydney to London, 24 hours isn't going to be enough.

(I should add also - I'm a mostly happy Fastmail customer)

~~~
brongondwana
You can't even get to the 24 hour lockout unless you've successfully passed
the security checks.

We add the 24 hour lockout as an additional level of protection for 2fa
accounts (even though they've given two factors of recovery by then) or if we
can't confirm that you are resetting from a computer which has successfully
logged in to that account before.

~~~
tptacek
It sounds like if I use Fastmail, and I go on vacation (and thus go a day
without checking my email), someone can max out the automated system and then
get a human being at Fastmail to potentially reset my recovery email. Is this
the case?

~~~
brongondwana
You can't max out the automated system.

Our procedures have to balance the concerns of very different groups of
people.

Some people have explicitly directed us to enforce stringent account security
requirements by enabling multi factor authentication. For those people, we
assume that they have their own security practices and are diligent in
maintaining them. Those people are aware of the risk of losing access to their
mail if they lose their credentials.

The other, much larger group of our customers, come to us because they want
email that has support. Many of these customers forget their passwords and
still need to get to their email (which is more common than you might imagine
if you are surrounded by a hacker-news demographic!)

Our procedures have to balance between those two sets of needs, and they
evolve over time. This incident came up in a period of transition. It should
never have happened, and it's a great object lesson to us about how to do
better in future transitions.

Having said that, based on this conversation today we are reviewing all our
processes around re-establishing access for regular people who haven't
requested additional security by enabling second factors. We absolutely can
and will do better than we did in 2016.

------
linuxready
I see the usual comment about Fastmail (comparison to Gmail, ProtonMail, web
interface, spam filtering performance, servers in the US, ...) but still
nothing about the TOS, which seems more important to me.

So here it is again:

- Fastmail can immediately cancel your account for any reason: "The Service
Provider may terminate your access to any part or all of the Service and any
related service(s) at any time, with or without cause, with or without notice,
effective immediately, for any reason whatsoever, with or without providing
any refund of any payments."

- Fastmail can disclose your info/data if it thinks it's in the interest of
the company: "The Service Provider will not monitor, edit, or disclose any
personal information about you [...] unless required or allowed by law, or
where the Service Provider has a good faith belief that such action is
necessary to: [...] (2) protect and defend the rights or property of the
Service Provider; [...] (4) act to protect the interests of its members or
others [...]"

By comparison, mailbox.org TOS are much better.

Also mailbox.org offers GPG encryption, which Fastmail doesn't (AFAIK).

~~~
JoshTriplett
> - Fastmail can immediately cancel your account for any reason: "The Service
> Provider may terminate your access to any part or all of the Service and any
> related service(s) at any time, with or without cause, with or without
> notice, effective immediately, for any reason whatsoever, with or without
> providing any refund of any payments."

Other than the last clause about "without providing any refund", I would
_expect_ this from any service provider, and I'd certainly never want to run a
service that _didn't_ have this in its terms.

I do agree that the disclosure terms are more permissive than they should be.

~~~
linuxready
>> - Fastmail can immediately cancel your account for any reason: "The
Service Provider may terminate your access to any part or all of the Service
and any related service(s) at any time, with or without cause, with or without
notice, effective immediately, for any reason whatsoever, with or without
providing any refund of any payments."

> Other than the last clause about "without providing any refund", I would
> expect this from any service provider, and I'd certainly never want to run a
> service that didn't have this in its terms.

You expect from any service that they can cancel your account for any
reason?!? We must not have the same set of requirements. Anyway the point is
not relevant anymore as they have changed the TOS (it's much better now).

~~~
JoshTriplett
> You expect from any service that they can cancel your account for any reason

Yes, absolutely. "We reserve the right to refuse service to anyone." I expect
to be able to do that for any service _I_ run, and I expect others to be able
to do the same.

I _also_ expect that doing so lightly, without a very well-justified reason,
would get reported on and lead to a massive backlash. So, in practice, I
expect such a clause to be used as, effectively, 'if you try to find a
"creative" way to weasel your way out of our specific terms like "don't be
disruptive, don't spam, etc", such that your activity meets the letter of the
ToS but not the spirit, we'll kick you off anyway'. Personally, if I were
writing a ToS, I'd write the relevant term along those lines instead.

------
news_to_me
Wow what a coincidence — I switched from Gmail to Fastmail exactly 1 year ago
today.

I couldn't be happier. I mostly use native clients, but the Web client is a
joy to use, and everything I've observed about Fastmail gives me confidence in
their service.

I never used the Gmail-exclusive features like labels, so switching was pretty
easy. I highly recommend it to anyone considering it.

Keep up the good work, guys.

~~~
333c
I'm considering switching (in fact I just registered for the FastMail trial).
I'm especially interested in the ability to use catchall addresses with a
custom domain, which would allow me to give out an address like
<hackernews@mydomain.tld>, and thus determine who shared my email address if I
start receiving spam at that address.

This is partly possible with Gmail, as you can use addresses like
<myname+servicename@gmail.com>, but not all sites support emails with a + in
them.

What differences have you noticed in your year since switching? I'm especially
interested in any downsides. My biggest worry about Gmail is the lack of
privacy from Google.

~~~
gregmac
> which would allow me to give out an address like <hackernews@mydomain.tld>,
> and thus determine who shared my email address if I start receiving spam at
> that address.

I've been doing this for over 15 years, but with a much simpler setup: I just
forward it to another account, which for the last 10-ish years has been an
@gmail address. The mails show up in my Gmail inbox as From: the original
sender and To: the custom domain.

As a caution: don't forward a top-level domain. You'll get all kinds of
dictionary-style spam attacks and it becomes flooded with noise. Instead, use
a sub-domain, so you get for example <*@something.mydomain.tld>.

~~~
nvarsj
The problem with this is SPF reject domains. Which means your legitimately
forwarded email will simply disappear into the void. Hosting your domain at
something like fastmail will not have this problem.
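
The SPF failure mode nvarsj describes, as an added illustration (not code from the thread or from any provider): a minimal SPF evaluator run over constructed records for the hypothetical domains sender.example and forwarder.example shows why plain forwarding fails a `-all` policy, and why rewriting the envelope sender (SRS) fixes it.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (not real domains or data).
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.10 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Stand-in for a DNS TXT lookup of the domain's SPF record."""
    return SPF_RECORDS.get(domain.lower())


def check_spf(mail_from_domain, client_ip, lookup=lookup_spf):
    """Minimal SPF (RFC 7208) evaluator covering the ip4/ip6 and 'all' mechanisms.

    Returns one of 'pass', 'fail', 'softfail', 'neutral' or 'none'.
    Mechanisms such as include/a/mx are out of scope here and are skipped.
    """
    record = lookup(mail_from_domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            # An IPv4/IPv6 family mismatch simply does not match.
            if ip in ipaddress.ip_network(argument, strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no 'all' term


def srs_rewrite(mail_from, forwarder_domain):
    """Sender Rewriting Scheme style envelope rewrite (simplified: real SRS0
    addresses also carry a hash and timestamp so bounces can be validated)."""
    local, _, domain = mail_from.partition("@")
    return f"SRS0=fwd={domain}={local}@{forwarder_domain}"


def forwarding_scenarios():
    """Replay the thread's situation for mail from alice@sender.example:
    (1) delivered directly, (2) forwarded with the original envelope sender,
    (3) forwarded after SRS rewriting. Returns the three SPF results."""
    direct = check_spf("sender.example", "203.0.113.5")
    # The forwarder connects from its own IP but keeps alice's envelope sender,
    # so the receiving side evaluates sender.example's policy against that IP.
    forwarded = check_spf("sender.example", "198.51.100.10")
    rewritten = srs_rewrite("alice@sender.example", "forwarder.example")
    with_srs = check_spf(rewritten.rsplit("@", 1)[1], "198.51.100.10")
    return direct, forwarded, with_srs


if __name__ == "__main__":
    print(forwarding_scenarios())  # ('pass', 'fail', 'pass')
```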

~~~
gregmac
Hmm... I suppose, but I've never not received anything I was expecting. It's
possible I've just not run into anything with SPF reject rules, or that Gmail
is allowing them anyway.

I don't disagree it's better if fastmail (or whatever) can receive directly as
it saves another MX server in the middle, but it's still doable without the
end provider explicitly supporting it.

~~~
distances
I have the same experience. I'm using a mail-forwarding service, so I can't
host it with FastMail. FastMail is my third mail provider I'm forwarding to,
and I'm not aware of any missed e-mail with any of them this far. Then again I
guess I wouldn't be :)

------
gst
> Just as important as what we do do is what we don’t. For example, we don’t
> do full message encryption (e.g. PGP) in the browser. In theory it means you
> “don’t have to trust us”. However in reality, every time you open your email
> you would be trusting the code delivered to your browser. If the server were
> compromised, it could easily be made to return code that intercepted and
> sent back your password next time you logged in; it could even just do this
> for specific users. It is very unlikely that a user would notice.

I don't agree.

I don't want full message encryption because I'm afraid that my email provider
is reading my messages, but because I'm storing years worth of emails in my
mailbox. With a provider such as ProtonMail that encrypts incoming messages
with my personal key I know that if someone manages to get unauthorized access
to my mailbox that person would only be able to read new emails, but none of
my already archived mails. Of course it's possible that the intruder also
manages to change the JS code returned to the client, but that's not the case
for all of the possible scenarios where someone gets access to my mailbox.
Full message encryption does not provide perfect security, but is able to
significantly raise the provided level of security.

~~~
BCM43
For most providers, like Protonmail, the decryption password is the same as
your login password. I'm curious what scenario you see allowing someone other
than the provider to get access to your mailbox but not also your decryption
key.

~~~
arghwhat
The decryption password is _not_ the same as the login password for
ProtonMail. Logging in at minimum requires entering your username, your login
password, and your mailbox password.

The result is security at rest, which fastmail does not have. ProtonMail's web
app is open-source, and can be deployed locally if you wish to remove the
chance of an evil app deployment.

If you use the official deployment, an evil update can obtain your mailbox
password, in which case the adversary (that is, the one capable of pushing
the update) observes a security level equivalent to if security at rest was
not implemented. However, even in this case, the data on the mail-servers is
still protected from _everyone else_, so while a single adversary has observed
a security level identical to that of fastmail (i.e. no security at rest),
everyone else still observes a secured mailbox.

Not having security at rest is, in my opinion, dangerous.

~~~
terraforming
That's wrong. You no longer need a third password in protonmail. All you need
to have, in order to login, is the username and a password. If you have 2FA
enabled, you need the 2FA code of course.

~~~
arghwhat
I think you mean second password rather than third, but as a user of
ProtonMail, I need one username, two passwords and one 2FA token to get in,
with only login username/password being kept in a password manager (and all
password managers get confused by multiple passwords, so I couldn't keep them
all even if I changed my mind and wanted to).

ProtonMail may have the option (I am not aware of this) to have login password
and mailbox password set the same (and not prompt you twice if this is the
case), but they are still separate passwords. You, as user, control whether
you want them to be the same or not. If you chose this, the application then
has an option for convenience to use the same input for both tasks. This is
opposed to a service where they are always the same, so that the password sent
to the backend is the same used to decrypt your data.

------
ta98789878
Any lawyers care to comment on this claim of theirs?

_It has been pointed out to us that since we have our servers in the US, we
are under US jurisdiction. We do not believe this to be the case._

[https://blog.fastmail.com/2013/10/07/fastmails-servers-are-in-the-us-what-this-means-for-you/](https://blog.fastmail.com/2013/10/07/fastmails-servers-are-in-the-us-what-this-means-for-you/)

As a non-lawyer I would expect the US to be able to serve their host with a
warrant to get whatever data the judge said they could have.

~~~
joering2
You are correct but from a lawyer's perspective (IANAL btw) it is important
they use the word "believe". As was explained to me by a friend who is an
attorney, if you never had experience with a certain law, like in this case
perhaps never having been subpoenaed for records by the US, then you have a
right to say you "believe" something is not the case. This is still not a
deceiving statement. But the moment you have been proven wrong by the US Gov
for example, your claim would have to be removed.

On FastMail alone I did not like how slow it is. I was testing them and
Protonmail at the same time and was very impressed how simple it is to set up
my multiple domains/users on Proton and how fast encryption/decryption works.
And Protonmail "[...] is outside of US and EU jurisdiction, only a court order
from the Cantonal Court of Geneva or the Swiss Federal Supreme Court can
compel us to release the extremely limited user information we have. [...]" [1]

[https://protonmail.com/security-details](https://protonmail.com/security-details)

Full disclosure: I don't work for Proton; I'm just their happy mailer :)

EDIT: By slow I mean their GUI compared to Proton. It might be more the number
of extensions I have to block or limit different shenanigans such as AdBlock
etc.. but needless to say, Proton does not have that problem.

~~~
eridius
What do you mean, how slow it is? I've been using FastMail for a few years now
and it's always struck me as being very fast.

~~~
jnagro
name checks out.

------
polpo
This is an entry in FastMail's series of Advent Calendar blog posts that they
do every year. I'm glad to see them continue the tradition this year, and it's
valuable to get this level of insight into a company that I trust with my
mail. If you're interested in seeing more, check this year's first Advent
Calendar post which has links to their calendars from 2014, 2015, and 2016,
which are all worth reading if you're a FastMail customer or just interested
in how running a mail hosting company works:
[https://blog.fastmail.com/2017/12/01/fastmail-advent-2017/](https://blog.fastmail.com/2017/12/01/fastmail-advent-2017/)

------
nikon
I've had to dump Fastmail. I was getting 10-15 very (sexually) explicit spam
emails daily slipping through the filter even after 100s of training emails
had been identified. Cue weird looks at work if I left my mail client
visible.

Moving back to G Suite was painful. I had to manually do it after the G Suite
'Migration' tool missed 1000s of messages. But so happy to have decent search
back!

------
mfgmfg
I use FastMail and love it, but I've noticed that if I use SMTP, it leaks my
IP address in the email headers, whereas using the web client does not.

~~~
amdavidson
That's how RFC2822 defines the email headers. That's not a leak, that's just
how email works. When you send from the web app it uses that client as the
originator.
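
An added illustration of amdavidson's point (not code from the thread or from FastMail): walking the Received chain of two constructed messages shows where a client's address ends up when mail is submitted over authenticated SMTP versus from a provider-side webmail host. Hostnames and addresses are hypothetical; the "with ESMTPA"/"ESMTPSA" keywords (RFC 3848/4954) mark an authenticated submission hop.

```python
import email
import ipaddress
import re

# Constructed messages (not real traffic). Each hop prepends its own Received
# header, so the LAST one is the earliest hop: where the mail entered the system.

# 1) Submitted from a mail client over authenticated SMTP (ESMTPSA):
RAW_SMTP = b"""Received: from smtp.example.net (smtp.example.net [203.0.113.9])
\tby mx.example.org with ESMTPS; Tue, 5 Dec 2017 10:00:00 +0000
Received: from laptop.lan (cpe-198-51-100-23.isp.example [198.51.100.23])
\tby smtp.example.net with ESMTPSA; Tue, 5 Dec 2017 09:59:58 +0000
From: alice@example.net
To: bob@example.org
Subject: hello

hi
"""

# 2) Sent from the provider's webmail: the earliest hop is the provider's host.
RAW_WEBMAIL = b"""Received: from smtp.example.net (smtp.example.net [203.0.113.9])
\tby mx.example.org with ESMTPS; Tue, 5 Dec 2017 10:00:00 +0000
Received: from webmail.example.net (webmail.example.net [203.0.113.20])
\tby smtp.example.net with ESMTP; Tue, 5 Dec 2017 09:59:58 +0000
From: alice@example.net
To: bob@example.org
Subject: hello

hi
"""

HOP_RE = re.compile(
    r"from\s+(?P<host>\S+)\s*(?:\((?P<info>[^)]*)\))?.*?\bwith\s+(?P<proto>\w+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def received_hops(raw):
    """Parse the Received chain into (host, client_ip, protocol) tuples,
    ordered earliest hop first."""
    msg = email.message_from_bytes(raw)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        unfolded = " ".join(header.split())  # join folded continuation lines
        m = HOP_RE.search(unfolded)
        if not m:
            continue
        ip_match = IP_RE.search(m.group("info") or "")
        ip = ip_match.group(1) if ip_match else None
        hops.append((m.group("host"), ip, m.group("proto").upper()))
    return hops


def submission_client_ip(raw):
    """Return the client IP recorded at the earliest hop when that hop was an
    authenticated SMTP submission (ESMTPA/ESMTPSA), or None when the message
    entered through a non-authenticated hop such as a webmail host."""
    hops = received_hops(raw)
    if not hops:
        return None
    _host, ip, proto = hops[0]
    if proto.endswith("A") and ip is not None:
        return str(ipaddress.ip_address(ip))  # also validates the literal
    return None
```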

~~~
justcreated
This would be one of the cases the same text talks about "when users
misunderstand the security characteristics". The journalist example can be
used, but instead of checking an image sending a reply to the e-mail.

I'm unsure how many journalists know that their replies using an e-mail client
will send their ip address, neither if they can understand why there is a
difference between the mail client and their web interface.

I only know one organisation using fastmail services today, and I asked if
they knew about this today, which of course they didn't. There surely are
reasons to not break the RFC as gmail and others did, but the expectations
from users need to be addressed somehow.

------
mike-cardwell
They should do PGP on the way in, for people who want it. It's trivial to set
up. All they need to do is let people paste in a public PGP key and encrypt
all incoming email with that key. Here's how I've been doing it for the last 7
years:

[https://www.grepular.com/Automatically_Encrypting_all_Incoming_Email](https://www.grepular.com/Automatically_Encrypting_all_Incoming_Email)

~~~
dewey
If it would be "trivial to set up" don't you think they would've already done
it and offer it as an option?

~~~
mike-cardwell
Well, it is "trivial to set up" as per my link, and they don't offer it as an
option, so apparently not.

Perhaps they don't think enough people use PGP to make this a worthwhile
option to add. But given the service they are offering, it seems like an
obvious feature and quick win to me.

~~~
dewey
"trivial to set up" on your own mail server with you as the only user is
slightly easier than rolling it out to thousands of customers, testing it,
make sure backups are all working, write documentation for users, collect
public keys of users, ...

You can't just add a single line with your perl script to production and hope
it works for everyone...

~~~
mike-cardwell
If you are already providing complicated features to N customers, then adding
one simple feature for those N customers is trivial.

If that isn't true, then all features are non-trivial to add and you've built
your systems and processes badly.

------
rasengan0
Another data point: I have had a FastMail account before Gmail before Opera
and Kaggle. Why pay for email when everything was free... Yahoo, Hotmail,
etc.? Word of mouth. Reputation. Though times were less sophisticated back then
along with security; Fastmail kept up. I used my YubiKey with them way before
gmail u2f fido support and they fostered my trust over the years keeping it
clean and simple. Nothing is foolproof but at least I know their track record
and commitments to their users despite dropping the ball in some cases. That
said, I'm glad to read about the horror stories, provider alternatives and
fastmail responses; hopefully we are all the better for it.

------
jwn
I don't know if any Fastmail employees read over this, but thanks for finally
adding TOTP to the list of 2FA methods! I had been (uneasily) using SMS and
wishing you guys would up your game, and I'm glad to see that you did.

------
sanjeetsuhag
I only see FastMail and ProtonMail mentioned on Hacker News, never in real
life.

To those who made the switch away from free, conventional mail services like
Gmail and Outlook, what was the appeal? What's your case for making the
switch?

~~~
SOLAR_FIELDS
I use ProtonMail for the simple reason that there is less of a chance they are
selling my data and building up a user profile of me for advertisers to
target.

~~~
GlenTheMachine
I use FastMail for exactly that reason.

And, secondarily, because I set up a GMail account for both of my kids when
they were born, and I would occasionally email things to those accounts that I
wanted them to have a record of. Nothing earth-shattering, just stuff I
thought they might like to read when they were older. Then, one day without
warning, Google shut my daughter's account down, for being under-age. I had no
ability to retrieve all of those emails, and there was literally no one I
could contact. Google has NO customer support, because you aren't the
customer. So I decided I would be willing to pay $30 a year just to know that
I could get an actual person on the phone.

------
ryandrake
FastMail is tempting. I'm currently moving over to hosting my own E-mail,
since Gmail is failing to deliver a significant number of important inbound
E-mails to my account, rejecting them as spam (and fails to deliver almost all
of my wife's E-mail). I could be convinced to pay for E-mail, but I'm
concerned with customer support and the "black box" nature of online services.
For something as important as E-mail, I grudgingly feel I finally need to bite
the bullet and do it myself.

------
enraged_camel
The simple reason I haven't switched email providers: all my online accounts,
as well as many offline ones, are tied to my gmail account.

Yes, I can set up forwarding, but that defeats the purpose of switching
providers IMO (for me, the purpose would be to move away from Google
_completely_). I don't want Google to read any of my emails period, so
forwarding is not a sufficient solution.

~~~
distances
I think the only way is to start switching gradually. If you don't want Google
to read your email, keeping it as the main accounts isn't really going to
help.

If you do change, get a forwarding service or your own domain so that the same
mistake doesn't happen again.

------
darrmit
Love Fastmail - been a happy customer for several years now. Also look forward
to the Advent blog posts every year.

------
noncoml
IMHO, the best strategy is to roll your own mail. It is pretty trivial.

