

Dropmyemail's security - laurenceputra
http://blog.geeksphere.net/2012/09/27/response-to-dropmyemails-response/

======
callmebison
Wow, either the author has a serious grudge against them, or isn't willing to
at least fact-check their response.

- The app checks your email on your behalf.

- You need the actual password to log into an IMAP server (android also
stores your email passwords in clear text if you aren't using gmail
<http://code.google.com/p/android/issues/detail?id=10809>).

- They clearly state this in their response, which the article completely
ignores. They try to use OAuth where possible.

- They store the passwords encrypted via S3. Personally, I'd prefer that to
MySQL on a VPS somewhere.

- See also: <https://developer.pidgin.im/wiki/PlainTextPasswords>

~~~
laurenceputra
I'm the author.

1) The app downloads your emails into their server.

2) Yes, they store that actual password. Which is ridiculous.

3) Yes, good for them for that, but still there are others where they store
passwords. And that is not acceptable.

4) But that also means that they outsource the security part of things. Which
doesn't lend faith to the idea that they know about security. And if someone
realises how to control their application, all the passwords will be hacked.

5) Pidgin is stored locally. There's a difference. Not that I support it, but
it's still better than someone storing my passwords.

~~~
thaumaturgy
How do you recommend that they regularly backup a user's email messages
without storing that user's login credentials for that email service?

~~~
laurenceputra
they can't, unless the email service gives them oauth.

and even then allowing a 3rd party to backup your emails is a very dangerous
thing to do. they say that credit card is more dangerous, i say no. for credit
cards you can claim fraud.

when your email gets hacked, potentially your whole digital life is gone

~~~
laurenceputra
what they could have done is to allow users to autoforward their emails over
to their servers or something. not impossible, but i'm not their employee and
i'm not responsible for thinking up business strategies for them.

so yea. not necessary

~~~
laurenceputra
and by storing the passwords, they are putting their users at risk. and we are
in an era where email security means more than anything. it means access to
all your services.

they should go think about how they can design a service securely before
offering it.

~~~
phpnode
your argument is similar to: "it is impossible to design a bank that can be
kept 100% secure from bank robbers, therefore we shouldn't use banks"

------
thaumaturgy
This article is nonsense. The author isn't saying anything substantive about
the "security" of this particular company. It should go without saying that
email backup services will currently, in most cases, need to store your email
login information in a retrievable way.

A slightly better post might have been,

"Beware unproven email backup services. Don't forget that if they make a
mistake, potentially all of your email messages can be exposed to someone
else. Since you probably have account credentials for other services stored in
your email box, that situation can get ugly really fast."

~~~
laurenceputra
so you do concede that it can get ugly really fast.

~~~
thaumaturgy
I "concede" that they are doing nothing wrong and you are way out of your
depth here.

I strongly suggest that you drop this before digging yourself an even deeper
hole in front of the people following this from Twitter.

------
nubis
I do believe that all this kerfuffle originates from a 'false package deal'
composed by: factual data (we store passwords), your assumptions about our
incompetence (we're bound to lose them), and your subjective valuation of risk
vs. convenience. You should not feel bad about other people breaking down the
argument in the different topics. I am a Dropmyemail employee who works hands
on with the security of the site, although I'm replying on my personal
capacity. We don't practice security through obscurity so we can discuss the
technicalities of our security measures here. I would appreciate not being
treated as an incompetent goon though, to keep things friendlier. I see on
this thread you accuse someone of being sent by the company I work for to
discredit you personally: They did not, furthermore, I personally see your
article as a valuable service, you will see in our site that we try to be as
transparent as possible, and there's nothing that I could want more than for
people to actually know and understand what Dropmyemail is about. Thanks for
your article.

~~~
laurenceputra
i'm not assuming you are incompetent. what i'm saying is that no system is
fully secure, and by saving the users' passwords, you are risking them.

one of the first rules i learnt in web development is this, you do not store
passwords.
(<http://www.codinghorror.com/blog/2010/12/the-dirty-truth-about-web-passwords.html>)
you never assume that your system will be so secure that no
one can hack it.

~~~
nubis
Indeed, no system is fully secure, and we don't try to hide that fact, that's
one of the reasons Dropmyemail exists in the first place. We offer people an
off-site backup at the cost of trusting a third party with their password.
This is a risk assessment discussion, and I believe although good for raising
awareness about what dropmyemail offers, the original article fails to make a
distinction between the objective information it provides and what are your
personal valuations on the risk involved (for example, it assumes one of the
worst possible scenarios regarding our competence). Things get a bit confusing
when non security related topics like storage capacity are mixed in though. I
believe you are trying to help people to be safe and choose the better tool to
solve their problem, I do think you are underestimating them a bit, but in
case I'm wrong I repeat how valuable your article is in raising these issues.

~~~
laurenceputra
And again, I am not doubting your competence. What I am saying is that we are
all humans. Google might have hired the best computer scientists around the
world but they still got hacked. It might even be a problem with the
programming language you are using (rmb mass assignment on ROR?)

"We offer people an off-site backup at the cost of trusting a third party with
their password."

Yes, this is my main point. People have to learn that they shouldn't be giving
out passwords to just about anybody.

I think this guy in the comments here
(<http://blog.geeksphere.net/2012/09/27/response-to-dropmyemails-response/#comments>)
made a pretty good point. Maybe you might want to answer
his doubts there?

~~~
nubis
I fail to see the point made by that commenter that has not been made yet in
this thread, other than the funny accusation of malice. We don't store
plaintext passwords, and we are very aware of mass assignment bugs. (being
suspected of such naive practices is why I mentioned the incompetence thing
earlier). If security is a chain, then we strive not to be the weakest link.
People have to learn what's the risk involved in giving out their password,
how to evaluate who they give it to, and then make their own choice regarding
whether they want to give it away or not. I get my hopes high when I read that
you wouldn't mind people giving their password to a company that is better
than 'just about anybody'. Convincing people that we are trustworthy was a big
initial challenge for us, and still is as we reach out to more and more users.

~~~
laurenceputra
yea, you are now aware of the mass assignment bugs, but what about previously?
even github got affected by it. are you saying that they are incompetent? what
about bugs that have yet to be revealed?

what i am saying is that there may be some things that you forget about,
because we are all humans. and in order to mitigate the risk from us being
humans, we should not store passwords in a way that is easily recovered.
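
The mass assignment bug class referred to in this exchange (the Rails issue that hit GitHub) can be shown in a few lines of plain Ruby. The following is an added example written for this page, not code from the thread or from Dropmyemail; the `User` class, its attributes, and the request parameters are all constructed for the illustration, and no Rails is required. The unsafe update writes whatever keys the request carries, so a profile edit can flip an `admin` flag or overwrite a stored credential; the hardened version assigns only an explicit allow-list and reports the keys it refused, which is the signal a defender wants to log.

```ruby
# Added example (not from the thread): mass assignment, vulnerable vs hardened.
require 'digest'

class User
  ATTRIBUTES = %i[email display_name admin password_digest].freeze
  attr_accessor(*ATTRIBUTES)

  # Keys a web form is allowed to set. Security-sensitive fields (the admin
  # flag, the stored credential) are deliberately left out of this list.
  PERMITTED = %i[email display_name].freeze

  def initialize(email:, admin: false, password: 'initial-secret')
    @email = email
    @display_name = email
    @admin = admin
    # Toy digest for the example only; a real system uses a slow password hash.
    @password_digest = Digest::SHA256.hexdigest(password)
  end

  # Vulnerable pattern: every known attribute present in the request parameters
  # is written to the model, so the request body controls 'admin' and the
  # stored credential as easily as it controls 'display_name'.
  def update_unsafe(params)
    params.each do |key, value|
      key = key.to_sym
      public_send("#{key}=", value) if ATTRIBUTES.include?(key)
    end
    self
  end

  # Hardened pattern: only explicitly permitted keys are assigned. Rejected
  # keys are returned so the caller can log or alert on unexpected input.
  def update_safe(params)
    rejected = []
    params.each do |key, value|
      key = key.to_sym
      if PERMITTED.include?(key)
        public_send("#{key}=", value)
      else
        rejected << key
      end
    end
    rejected
  end
end

# Constructed request parameters, shaped like what a form handler receives:
# an ordinary profile edit that also carries two extra, unexpected keys.
SAMPLE_PARAMS = {
  'display_name'    => 'Laurence',
  'admin'           => true,
  'password_digest' => 'attacker-chosen-value'
}.freeze

def demo_unsafe
  User.new(email: 'user@example.com').update_unsafe(SAMPLE_PARAMS)
end

def demo_safe
  user = User.new(email: 'user@example.com')
  rejected = user.update_safe(SAMPLE_PARAMS)
  [user, rejected]
end

if __FILE__ == $PROGRAM_NAME
  u = demo_unsafe
  puts "unsafe: admin=#{u.admin} digest=#{u.password_digest}"
  u, rejected = demo_safe
  puts "safe:   admin=#{u.admin} rejected keys=#{rejected.inspect}"
end
```

Running the file shows the unsafe path ending with `admin=true` and the credential replaced, while the safe path leaves both untouched and names the two rejected keys. The allow-list is the same idea as Rails' later strong parameters: the model never trusts the request to decide which fields are writable.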

~~~
prusswan
Have you stopped beating your wife? Are you now aware of the mass assignment
bugs?

Aside from the fallacy, it is a false argument to pose all risk as bad. Given
what is presumed to be your idea of acceptable risk, I would expect you to
surf the net _behind_ _7_ _proxies_ :
<http://knowyourmeme.com/memes/good-luck-im-behind-7-proxies>

------
notthetup
Why does this still happen? Aren't security best practices still not wide
spread enough to dissuade people from doing this?

~~~
phpnode
because there's no way their service could ever work without storing
passwords, a fact that this article completely ignores.

