Security concerns

POP Peeper: Tech support, suggestions, discussion, etc.
Reggorf
Posts: 18
Joined: Mon Oct 21, 2019 12:27 pm

Security concerns

Post by Reggorf »

First, thanks for the app! It's always nice to find old style software, in the good sense of the word.

I'm still exploring, and have a few questions and suggestions.

OAuth flow

(I'm hardly well-versed so could be misinterpreting some details, but anyway...)
  • redirect_uri points to esumsoft.com. Does the authorization code really get there?
    And if intercepted locally, why not use a custom URI scheme?
  • During OAuth login it seems a request is sent to esumsoft.com. That just leaks the user's IP.
  • In services that support it, I would feel more secure if the software allowed copy/paste authorization, to allow using a standalone browser instead of the embedded IE (where nothing prevents the app from grabbing the actual login credentials).
Secure storage

On startup, the app is able to check email even before the admin password is entered. So the tokens/credentials aren't stored protected.
Also, the popup alerts reveal subject lines.

How about:
  • Store the credentials/tokens encrypted with the admin password.
  • On startup require the password before doing anything else. The encryption key is then remembered (not the admin password).
  • Have a setting to control what's shown in notifications when the program is locked/minimized:
    only that there's new email, new email total count, counts per account, full info with subject lines.
And an extra nice to have feature:
  • In memory, store the credentials/tokens encrypted with a random key, to at least protect against casual memory dumping.
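The native-app redirect the OAuth bullets above ask about, as an added example that is not POP Peeper's code: a loopback redirect_uri (the pattern RFC 8252 recommends for native apps) receives the authorization code on 127.0.0.1, checks a state value so a stray or forged redirect is rejected, and never writes the code to an access log. The endpoint, client id, scope and function names are placeholders of my own.

```python
# Added example (not POP Peeper's own code): loopback redirect for a native app's
# OAuth consent flow (RFC 8252), so the code never travels to a third-party web page.
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://provider.example/oauth2/authorize"  # placeholder endpoint

def authorize_url(client_id: str, port: int, state: str) -> str:
    """Consent URL whose redirect_uri stays on the loopback interface."""
    params = {"client_id": client_id, "response_type": "code", "state": state,
              "redirect_uri": f"http://127.0.0.1:{port}/callback", "scope": "mail"}
    return AUTH_ENDPOINT + "?" + urlencode(params)

def parse_redirect(path: str, expected_state: str) -> str:
    """Pull the code out of the redirect request; refuse it unless state matches."""
    q = parse_qs(urlparse(path).query)
    if "error" in q:
        raise ValueError("provider returned error: " + q["error"][0])
    if not secrets.compare_digest(q.get("state", [""])[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch: response is not for our request")
    if "code" not in q:
        raise ValueError("no authorization code in redirect")
    return q["code"][0]

def loopback_server(expected_state: str, result: dict) -> HTTPServer:
    """One-shot listener on 127.0.0.1; port 0 lets the OS pick a free port."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            try:
                result["code"] = parse_redirect(self.path, expected_state)
                body = b"Authorization received; you can close this window."
            except ValueError as exc:
                result["error"] = str(exc)
                body = b"Authorization failed."
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args):  # suppress access log: never record the code
            pass
    return HTTPServer(("127.0.0.1", 0), Handler)

if __name__ == "__main__":
    state, result = secrets.token_urlsafe(16), {}
    server = loopback_server(state, result)
    print("Open in a browser:", authorize_url("CLIENT_ID_PLACEHOLDER", server.server_address[1], state))
    server.timeout = 300  # seconds to wait for the single redirect
    server.handle_request()
    print(result)  # {'code': ...} to exchange for tokens, or {'error': ...}
```

Because the listener binds to the loopback interface only, the code and the user's IP are visible to nothing but the browser and the app on the same machine.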
Jeff
Admin / Developer
Posts: 9225
Joined: Sat Sep 08, 2001 9:46 pm

Re: Security concerns

Post by Jeff »

Welcome to the forums Reggorf.

Regarding Oauth --
I've looked at the code this morning to follow what you're describing. It looks like you're probably following a Yahoo Oauth Consent flow -- it's the only one that uses esumsoft.com in the redirect_uri. Both Google and Outlook provide a uri for native apps, but Yahoo doesn't (or at least it wasn't known at the time; as I recall, Yahoo had little to no documentation at the time that this was implemented), so I used a real URI; which probably shouldn't have made it into the production build. This has been addressed for v5. But, rest assured, the server doesn't do anything on the redirect, it's just an empty page.

As for using a separate browser for the process -- this has issues of its own and I'm not sure how many people would want to do that. I'll consider it for the future, though; but just be aware that this isn't likely something you'll see in the foreseeable future.

Thanks for pointing that out.

Secure storage --
The admin password is just a UI password. You want Ini encryption. For information about enabling that: open the help file (Help / Contents), then navigate to General Information / Ini file encryption.

For the popup alert -- you'll have to consider if the convenience is worth it. There are skins for the skin notifier that do not display any specific message information, so you could use one of those instead. Showing less information when POP Peeper is locked is interesting; but again, I'm not sure how practical it is, since most people are using POP Peeper for the convenience. I think most people will want to see that information most of the time even if POP Peeper is "locked" because that's the normal state that POP Peeper is going to be in even when you're at your computer. Definitely worth considering, though...
Reggorf
Posts: 18
Joined: Mon Oct 21, 2019 12:27 pm

Re: Security concerns

Post by Reggorf »

Thanks.

OAuth: If the request to esumsoft.com over port 80 is simply the redirect from Yahoo, both the user's IP and the authorization code can be watched by intermediate hops. Then, both are probably stored as plaintext in the final server's access log. Anyway, Yahoo now supports "redirect_uri=oob".

Encryption: Yeah, I missed the INI option. :) (Well, it's not in the GUI, and the Admin password option conceptually overlaps it, so I didn't realize there's more.)

I guess there's no way to avoid having two password prompts on startup? Same password.

Popup details: For me at least, the main feature is knowing that there are new emails. Whether or not I see subject lines, I'm likely to proceed by unlocking the app.
Jeff
Admin / Developer
Posts: 9225
Joined: Sat Sep 08, 2001 9:46 pm

Re: Security concerns

Post by Jeff »

Yahoo supported oob back when I originally implemented it, but it doesn't behave the same. I had tested it again yesterday and it still behaves differently. Specifically, it doesn't put the code in the title of the page, which is where POP Peeper expects to find it.

Reggorf wrote (Mon Oct 21, 2019 4:45 pm):
> Encryption: Yeah, I missed the INI option. :) (Well, it's not in the GUI, and the Admin password option conceptually overlaps it, so I didn't realize there's more.)
It's a pretty specialized feature which was added in v4.5. I know that lakrsrool (moderator) would like gui access to it, too, so maybe someday :)
Reggorf wrote (Mon Oct 21, 2019 4:45 pm):
> I guess there's no way to avoid having two password prompts on startup? Same password.
hmm... I'll have to think about that. My main concern with that is exceptions which could cause a security leak. For example, if POP Peeper is set to start minimized, then you wouldn't want the password to be passed on.
Reggorf wrote (Mon Oct 21, 2019 4:45 pm):
> Popup details: For me at least, the main feature is knowing that there are new emails. Whether or not I see subject lines, I'm likely to proceed by unlocking the app.
I would normally recommend using the desktop alert instead of the windows notification, because it only shows stats. However, in v5, it will show message information, so I wouldn't get used to it. So, for that reason, I suggest downloading the skin notifier and downloading a skin that only shows the stats. The number of skins that would qualify are more limited (although you could edit any skin to remove the extra details).
https://www.esumsoft.com/products/pop-p ... inNotifier
https://www.esumsoft.com/products/pop-p ... fierskins/
Reggorf
Posts: 18
Joined: Mon Oct 21, 2019 12:27 pm

Re: Security concerns

Post by Reggorf »

I suppose Yahoo's oob doesn't really matter since v5 solves it anyway. :)

Didn't know the INI encryption was added recently. Instead of GUI, perhaps it's simpler to just enable it by default, at least when Admin password is set. Manual editing or viewing of INI settings could be useful in special cases, but people could use /IniDecrypt for that.

What sort of exceptions would leak info? (If PP starts minimized, it would just forget the password immediately after decryption.)

Thanks for the suggestions for the notifications popup.
Jeff
Admin / Developer
Posts: 9225
Joined: Sat Sep 08, 2001 9:46 pm

Re: Security concerns

Post by Jeff »

The admin password has been around for a very long time, and I don't think that everyone that uses an admin password would necessarily want to encrypt the ini file. I would call the ini encryption still experimental at this stage, but there are plans to make it easier to use in the future (and the "set admin password" would be the most obvious place in the GUI to coordinate that).
> What sort of exceptions would leak info? (If PP starts minimized, it would just forget the password immediately after decryption.)
Well, that's the question :) I gave one example of an exception that would need to be specially handled and perhaps there are others. Unfortunately, security and convenience do not always work well together, so if you have to enter the password twice, I think that's better than giving a false sense of security if there's an easy backdoor that wasn't accounted for. That being said, I certainly understand the situation (and one I hadn't considered), so it's something that I've put into my notes for consideration.
Reggorf
Posts: 18
Joined: Mon Oct 21, 2019 12:27 pm

Re: Security concerns

Post by Reggorf »

Do you mean exceptions that lead to crashes? I'm not sure what you mean by "passing on" the password.

Here's how I imagine it might work. I haven't checked any "best practices" so the logic could be faulty, but just a general idea:
  • User enters password, and two things happen immediately.
  • INI: The password decrypts a tokens/credentials key (previously randomly generated on INI creation). Key is kept in memory. When tokens/credentials are needed, they are decrypted for each use, then purged. (Anti casual memory dumping: encrypt key with an on-the-fly generated random 2nd key. Not sure this adds much, but maybe.)
  • GUI: The password, combined with a per-session random element, is turned into a key using hashing/KDF. The key is kept in memory.
  • Password is purged from memory.
BTW, I can understand if that's not stuff you want to discuss. :) I just find it interesting, and it seemed you didn't mind.
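The flow sketched in the bullets above, as an added example that is not POP Peeper's code and says nothing about how the real INI encryption works: the password is run through a slow KDF to get a key-encryption key, that key only unwraps a random data-encryption key created when the store was made, and each credential is decrypted for a single use. The authenticated wrapper means a wrong admin password fails at the tag rather than producing garbage, which is what makes the password a real key and not just a UI gate. The HMAC-based cipher and all function names are my own stand-ins.

```python
# Added example (not POP Peeper code): the envelope scheme sketched above. The AEAD
# here is a stand-in built from HMAC-SHA256 (CTR keystream + encrypt-then-MAC tag);
# a shipping build would use a library AEAD such as AES-GCM or ChaCha20-Poly1305.
import hashlib
import hmac
import os
import secrets

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag; separate sub-keys for encryption and MAC."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key + b"enc", nonce, len(plaintext))))
    tag = hmac.new(key + b"mac", nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key + b"mac", nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")  # a wrong password lands here
    return bytes(a ^ b for a, b in zip(ct, _keystream(key + b"enc", nonce, len(ct))))

def kek_from_password(password: str, salt: bytes) -> bytes:
    """Slow KDF: the admin password becomes a key-encryption key, never a data key."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def create_store(password: str) -> dict:
    """On INI creation: random DEK, stored only wrapped under the password-derived KEK."""
    salt, dek = os.urandom(16), secrets.token_bytes(32)
    return {"salt": salt, "wrapped_dek": seal(kek_from_password(password, salt), dek),
            "secrets": {}}

def unlock(store: dict, password: str) -> bytes:
    """Startup prompt: returns the DEK; the caller keeps the DEK and drops the password."""
    return unseal(kek_from_password(password, store["salt"]), store["wrapped_dek"])

def put_secret(store: dict, dek: bytes, name: str, value: str) -> None:
    store["secrets"][name] = seal(dek, value.encode())

def use_secret(store: dict, dek: bytes, name: str) -> str:
    """Decrypt for a single use; nothing but the wrapped form stays in the store."""
    return unseal(dek, store["secrets"][name]).decode()
```

Changing the admin password then only means re-wrapping the DEK under a new KEK; the stored credentials themselves never need to be re-encrypted.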
Jeff
Admin / Developer
Posts: 9225
Joined: Sat Sep 08, 2001 9:46 pm

Re: Security concerns

Post by Jeff »

No, I mean "exceptions" in the sense of "special cases"; i.e. cases that need to be specifically handled differently simply because of the way POP Peeper is started (or other unknown scenarios).

You can say, "don't require the same password for encryption and opening POP Peeper the first time." But the problem with that logic is that "the first time you open POP Peeper" may not be immediate because PP may start minimized. So, in that case, you would still want to request a password the first time that POP Peeper is opened. That's an exception/special-case. And maybe there are other special cases that I haven't considered, or would ever think about until someone writes me an angry email wondering how I could have missed such an obvious issue and why didn't POP Peeper ask for the password?!?!?

Your scenario doesn't mention the admin password... I think we're talking about 2 different things? This was the quote that I was referring to regarding security leaks:
> I guess there's no way to avoid having two password prompts on startup? Same password.
Reggorf
Posts: 18
Joined: Mon Oct 21, 2019 12:27 pm

Re: Security concerns

Post by Reggorf »

Oh, exceptions in the GUI flow. I don't see many options here other than the one mentioned. But the logic could be defensive: default is to show the GUI password prompt, specific special case(s) are for "auto-password".

By "GUI" I mean the "admin password". The special case is implied after that bullet.

Anyway, not super-critical, just nicer to have. Don't want to make anyone angry. :)