
Show HN: A minimal web-based IMAP client for use on untrusted machines - dividuum
https://github.com/dividuum/one-time-mail
======
dividuum
I wanted to have a way of accessing parts of my email account from untrusted
machines (e.g. from an internet cafe while on vacation). I didn't find a
simple way to do this, so I wrote my own tool. It's a python/flask/gevent
based server and a very minimal read-only frontend to display mails. It only
allows access to a configured set of mailboxes using one times passwords or a
YubiKey.

Feedback welcome.

------
cyphar
Definitely a cool idea. Though I feel like I would want to be able to have
more flexible rules than "folder" to decide what the account can access. For
example, "all unread emails newer than 1 day and containing the string
'registration'" would be quite useful. To be fair, it would be a bit of a pain
to implement but it might be useful for the usecase of wanting to just get a
single email.

It's also quite annoying that you have to set up the keys beforehand. Though,
obviously if you could connect to the server to create keys then you wouldn't
need to use this. :/

~~~
dividuum
Thanks for your feedback. I've updated the code to be more flexible: You can
now specify an IMAP search
([https://tools.ietf.org/html/rfc3501#section-6.4.5](https://tools.ietf.org/html/rfc3501#section-6.4.5)).
You can also create multiple "views" that use different searches for the same
IMAP folder. So your example should be doable now.

~~~
cyphar
Awesome! :P

------
Jtsummers
[https://tools.ietf.org/html/rfc6238](https://tools.ietf.org/html/rfc6238)

Have you considered something like TOTP paired with Google Authenticator or
the like instead of just the Yubikey for one-time passwords?

EDIT: I know you don't _just_ use Yubikey. But, unless I'm not reading this
correctly, the other tokens are pre-specified and can be exhausted.

~~~
dividuum
I have. But TOTP is a bit tricky: A generated password isn't single use by
design (as it's valid for 30 second window). So you'd have to make sure a
single password can be only used once on the server side. Additionally the
default 6 digit code seems a bit weak. It seems that 6 digits is fixed in
Google Authenticator at the moment: [https://github.com/google/google-
authenticator/wiki/Key-Uri-...](https://github.com/google/google-
authenticator/wiki/Key-Uri-Format#digits).

HOTP might also be possible, but then you also have to store state (the
counter) on the server side. Additionally that also seems to be limited to 6
digits in Google Authenticator.

My current approach is: Don't exhaust the tokens before you return from
vacation :-)

~~~
Jtsummers
Fair approach. Just a thought. Good point on the 30 second window, would
suggest that (without ensuring the server only accepts it once) that someone
else could gain access (though it being read-only they'd have limited access).

I'm not familiar with Yubikeys other than that they exist. How're you using
them for authentication? Do they not have the potential password reuse issue
(seems they include TOTP support among other methods of authentication)?

Also, I'm fairly new to TOTP and was a bit surprised that Google Authenticator
didn't allow for longer keys. That seems like it ought to be easy, to this
layman, to implement for them.

    
    
      ===EDIT===
    

Found my answer to the Yubikey question. Read their documentation on how their
OTP works. My initial confusion was based on a cursory read through where I
saw they supported TOTP, but they have another method that's not time-based.
So, yeah, not sure a good solution to the TOTP password reuse problem, but
might spend more time looking into using Yubikey for myself.

