View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0000612||Main CAcert Website||my account||public||2008-09-15 21:49||2015-01-29 20:41|
|Priority||normal||Severity||feature||Reproducibility||have not tried|
|Status||needs review & testing||Resolution||open|
|Target Version||2014 Q2|
|Summary||0000612: Add IP address and time stamp to someone viewed your lost password questions notice.|
ok interesting. We'll take time to take care of this after the
would you please add the requested feature at
> > I would like to suggest adding IP address and time stamp to this
> > notice. I believe it's a correct notice, but with the IP address and
> > time stamp I would be sure.
> > Thank you,
> > rcpao
> > __
> > email@example.com wrote:
>> >> Hi Roger,
>> >> You are receiving this email because you or someone else
>> >> has viewed your lost password questions.
>> >> Best regards
>> >> CAcert.org Support!
|Tags||No tags attached.|
|Test Instructions||View your account details+password OR query lost password questions on account. You should receive a mail message showing someone looked at your account. This message should include an IP and a timestamp. More in note 4994.|
|related to||0001129||needs review||janmaco||When SE reveals the five secred questions and answers no warning is sent to the member|
|related to||0000223||confirmed||Auditor Interface|
|related to||0000408||confirmed||Improve the 5 QA warning message sent to the user on 5 QA set access|
|related to||0001135||closed||egal||Extend database table AdminLog et al|
|related to||0001138||closed||NEOatNHNG||Implement to log the SE activity|
I have a patch for this bug here:
||The patch was updated to use a consistent dateformat.|
I viewed the PW-Q&A for firstname.lastname@example.org.
Then I loged into said account.
The Admin-Log showed the line:
"2014-08-05 21:27:48 SE view lost password information"
The Admin Log of the admin when viewing said account shows the line:
"2014-08-05 21:27:48 SE view lost password information s20140415.1 Admin Katzi"
I could not find a mail send to said account about the support-action.
-> maybe this should lead to a mail as well.
I logged into an account, looked at the PW-Q&A of the account.
- got a mail with IP and timestamp.
But please see my next post!
I missunderstood the bug and was thinking about the PW-Q&A-view of the supporters. I think this action should lead to a mail as well, but this would probably be another bug.
I'm strictly against sending IPs to members, even if it may be their own.
The important information is THAT and maybe when someone took a look at the PW-Q&A.
Either there was a good reason or not to take such a look.
In most cases acting person would be the owner of the account where there is no reason to send the IP in a plain mail.
If it was somebody else than the owner of the account, there is reason for an Arbitration case as only one of four alternatives will be the case:
a) The owner gave away the access to the account to someone else
b) A supporter hijacked the account and looked at the Q&A on an order of an Arbitrator in an Arbitration case
c) A supporter hijacked the account and took the look without an order of an Arbitrator
d) There is a bug in the software that was exploited
In case b) there should be no need to break the privacy of the person helping Arbitration. If the Arbitrator is doing wrong this should lead to an appeal.
In case c) this should lead to an arbitration case because it would be reasonable to clarify possible consequences for a supporter acting like this, so that the supporter can be stopped to act like this, further.
In case d) there is a need to search for the bug and possible other exploits, possibly inform the users and take actions against the exploiter form the side of CAcert.
In case a) the user either has a security issue or has violated the CCA. There is no reason for a user to make the decision: "Yes, that IP was not mine but should have access as well." So even in this case the information of the IP is not relevant for the owner of the account.
An Arbitrator in such an Arbitration case would have the authorisation to ask for the IP _if_needed_(!) in such a case and to provide it to the owner of the account if there is a good reason to give it to the owner.
Privacy relevant data as IPs should NOT be send automatically and not per plain mail, without due authorisation and control.
The sent IP address should be anonymized in the following way:
- IPv4: round to /16 or /24
- IPv6: only present the /48 subnet of the IPv6
This information is sufficient to protect privacy AND tell oneself apart from someone else trying to access the information.
I recieved a mail while looking at my own secrets Q&A => ok (old IP style)
I recieved no mail for a user while looking at the secrets Q&A as SE => fail
related to Bug 1129
||You should receive an automatic generated message from testserver showing that someone had a look at your account. This message should include your IP you used and the exact timestamp.|
I checked this bug by two tries:
a) i logged in and had a view on my own details and secrets questions without editing. Then i closed the session.
I received an automatically generated message with my full IP adress and the exact timestamp.
b) i changed my account details and set the support flag (in Test Mgmt System). I logged into my account and viewed the secret questions using the support interface and logged out.
I received an automatically generated email showing my full IP adress and the exact timestamp.
Test failed because the IP adress should be shown in /16 format.
||Updated patch to include anonymisation of IP addresses.|
||My points are not answered by the anonymisation.|
When looking at my own secret Q&A I receive a mail with the anomynized IP XX.0.0.0/16. => ok
If looking at the secret Q & A over the SE interface I get no mail. => ok
I looked at my own Q&A and I received a mail with an correctly anonymized /16 ip and the exact time
Testing this over the support interface isn't working, see bug 1129.
Please consider to remove the IP address from this mail, completely.
The timestamp AND number of mails one gets, should be enough to know if someone else looked up the account or not. There is no reason at all to explicitely send any part of any IP address to members, outside of Arbitration cases or under the direct control of critical team.
If such information is really needed it could be put into the account log. There was NO reason given at all, WHY (partial) ip addresses are needed to tell own accesses apart from others. One should know if one had tried to access the pw-details, or not. One should also have an idea how often this was the case and when one tried to do so. Any additional mail shows that there was someone else trying to access this information. This alone should be enough to contact support that someone was trying to access this information. The knowledge about (partial) IP addresses would not change what action the member should take.
The (anonymized) IP in the mail to the user is an aid to the user to determine if the access has been by himself or an unauthorized user. While you don't need to know your exact IP you usually know the rought subnet your provider allocates IPs for you in. Given this information you can locate the access only on city-level, but not the individual user. Thus the access, while providing a rough hint, does not allow you to (uniquely) "identify" the person who accessed the account.
Providing the (partial) IP helps the user to compare it to its own IP and thus provides a valuable hint to those who understand the hint. And given the privacy considerations above it doesn't hurt either.
Another point is support: While we have only few supporters even the anonymized IP could be used to determine the support engineer. Thus completely hiding the IP with support is fine.
But where is the additional information that is provided by the IP address?
Either the user HAD checkt the questions, or the user did not. The user already has that information. No IP or partial IP is needed to check this.
This and ONLY this information is the important one.
There is no need to send information about the whereabouts (or if they use some tools like TOR or any other such information) of the users per open mail, every time when one checks if one remembers the questions, correctly or when one wants to change those.
Currently we should assume that that is ALWAYS(!) done by the user. Because support has no need to do it this way and we think that our software is not exploited. (At least I hope that you do!)
Sure, the user may have lost control over his credentials. But we do not assume that they do so, anywhere else, so we should not do so here. Yes, this feature to identify wrong acces, but that is all.
(Also IF someone has got unauthorised control to the account the person obviously does not need to look at those questions. The only need would be to make it harder for the original user to access the account themself.)
The information of the IP is not needed to identify something like this. The number of mails and the time mentioned within them are a lot better to identify unauthorised access on the side of the user. The partial IP does not give more helpful information.
Also the next step would be to go to support, anyway and by this an IP could be found out (with the help of critical, but if there are a lot of such incidents, software could also add some function within the support area, for this).
Just the fact, that somebody requests something and somebody else provides a patch does not give reason to just go for it.
|2008-09-15 21:49||rcpao1||New Issue|
|2012-12-18 14:37||Werner Dworak||Relationship added||related to 0001129|
|2012-12-20 18:39||Werner Dworak||Relationship added||related to 0000223|
|2013-01-07 23:51||Werner Dworak||Relationship added||related to 0000408|
|2013-01-09 15:18||Werner Dworak||Relationship added||related to 0001135|
|2013-01-11 15:19||Werner Dworak||Status||new => needs work|
|2014-04-29 20:53||INOPIAE||Relationship added||related to 0001138|
|2014-06-14 22:57||felixd||Note Added: 0004828|
|2014-06-14 23:07||felixd||Note Added: 0004829|
|2014-06-14 23:32||BenBE||Assigned To||=> BenBE|
|2014-06-14 23:32||BenBE||Status||needs work => fix available|
|2014-06-15 00:05||BenBE||Source_changeset_attached||=> cacert-devel testserver-stable 43da17db|
|2014-06-15 00:05||felixd||Source_changeset_attached||=> cacert-devel testserver-stable 9fdea3c0|
|2014-06-15 00:05||felixd||Source_changeset_attached||=> cacert-devel testserver-stable 65c1e579|
|2014-06-15 00:06||BenBE||Reviewed by||=> BenBE|
|2014-06-15 00:06||BenBE||Assigned To||BenBE => NEOatNHNG|
|2014-06-15 00:06||BenBE||Status||fix available => needs review & testing|
|2014-06-15 00:06||BenBE||Product Version||=> 2008|
|2014-06-15 00:06||BenBE||Target Version||=> 2014 Q2|
|2014-08-05 21:31||Eva||Note Added: 0004916|
|2014-08-05 21:34||Eva||Note Edited: 0004916||View Revisions|
|2014-08-05 21:40||Eva||Note Added: 0004917|
|2014-08-06 06:01||Eva||Note Edited: 0004917||View Revisions|
|2014-08-06 06:03||Eva||Note Edited: 0004916||View Revisions|
|2014-08-06 06:04||Eva||Note Edited: 0004917||View Revisions|
|2014-08-19 21:19||BenBE||Note Added: 0004973|
|2014-08-19 21:27||INOPIAE||Note Added: 0004974|
|2014-08-19 21:30||INOPIAE||Note Edited: 0004974||View Revisions|
|2014-09-08 17:46||reinhardm||Test Instructions||=> open your account on the testserver and query your settings and password, then close. You should receive an automatic generated message from testserver showing that someone had a look at your account. This message should include your IP you used and the e|
|2014-09-08 17:46||reinhardm||Note Added: 0004994|
|2014-09-08 17:50||BenBE||Test Instructions||open your account on the testserver and query your settings and password, then close. You should receive an automatic generated message from testserver showing that someone had a look at your account. This message should include your IP you used and the e => View your account details+password OR query lost password questions on account. You should receive a mail message showing someone looked at your account. This message should include an IP and a timestamp. More in note 4994.|
|2014-09-08 18:23||reinhardm||Note Added: 0004995|
|2014-09-08 18:26||BenBE||Note Edited: 0004995||View Revisions|
|2014-09-09 22:10||BenBE||Source_changeset_attached||=> cacert-devel testserver-stable c5375599|
|2014-09-09 22:10||BenBE||Source_changeset_attached||=> cacert-devel testserver-stable 5a0a64af|
|2014-09-09 22:10||felixd||Source_changeset_attached||=> cacert-devel testserver-stable 2bf16840|
|2014-09-09 22:10||felixd||Source_changeset_attached||=> cacert-devel testserver-stable 556cd846|
|2014-09-09 22:12||BenBE||Note Added: 0004999|
|2014-10-21 19:44||Eva||Note Added: 0005065|
|2014-10-21 19:47||INOPIAE||Note Added: 0005066|
|2014-12-23 21:50||janmaco||Note Added: 0005197|
|2014-12-23 23:36||janmaco||Note Edited: 0005197||View Revisions|
|2014-12-24 00:15||Eva||Note Added: 0005201|
|2015-01-28 08:03||BenBE||Note Added: 0005282|
|2015-01-29 20:41||Eva||Note Added: 0005298|