View Issue Details

IDProjectCategoryView StatusLast Update
0000612Main CAcert Websitemy accountpublic2015-01-29 20:41
Reporterrcpao1 Assigned ToNEOatNHNG  
PrioritynormalSeverityfeatureReproducibilityhave not tried
Status needs review & testingResolutionopen 
Product Version2008 
Target Version2014 Q2 
Summary0000612: Add IP address and time stamp to someone viewed your lost password questions notice.
DescriptionHi Roger,

ok interesting. We'll take time to take care of this after the
move+audit things

would you please add the requested feature at

http://bugs.cacert.org

Best regards,
Guillaume

> > I would like to suggest adding IP address and time stamp to this
> > notice. I believe it's a correct notice, but with the IP address and
> > time stamp I would be sure.
> >
> > Thank you,
> > rcpao
> > __
> >
> > support@cacert.org wrote:
> >
>> >> Hi Roger,
>> >> You are receiving this email because you or someone else
>> >> has viewed your lost password questions.
>> >> Best regards
>> >> CAcert.org Support!
TagsNo tags attached.
Reviewed byBenBE
Test InstructionsView your account details+password OR query lost password questions on account. You should receive a mail message showing someone looked at your account. This message should include an IP and a timestamp. More in note 4994.

Relationships

related to 0001129 needs reviewjanmaco When SE reveals the five secred questions and answers no warning is sent to the member 
related to 0000223 confirmed Auditor Interface 
related to 0000408 confirmed Improve the 5 QA warning message sent to the user on 5 QA set access 
related to 0001135 closedegal Extend database table AdminLog et al 
related to 0001138 closedNEOatNHNG Implement to log the SE activity 

Activities

felixd

2014-06-14 22:57

updater   ~0004828

I have a patch for this bug here:

https://github.com/yellowant/cacert-devel/tree/bug-612

felixd

2014-06-14 23:07

updater   ~0004829

The patch was updated to use a consistent dateformat.

Eva

2014-08-05 21:31

updater   ~0004916

Last edited: 2014-08-06 06:03

View 3 revisions

I viewed the PW-Q&A for obelix@acme.com.

Then I loged into said account.

The Admin-Log showed the line:
"2014-08-05 21:27:48 SE view lost password information"

The Admin Log of the admin when viewing said account shows the line:
"2014-08-05 21:27:48 SE view lost password information s20140415.1 Admin Katzi"

I could not find a mail send to said account about the support-action.
-> maybe this should lead to a mail as well.

I logged into an account, looked at the PW-Q&A of the account.
- got a mail with IP and timestamp.
-> ok

=> ok

But please see my next post!

Eva

2014-08-05 21:40

updater   ~0004917

Last edited: 2014-08-06 06:04

View 3 revisions

edit:
I missunderstood the bug and was thinking about the PW-Q&A-view of the supporters. I think this action should lead to a mail as well, but this would probably be another bug.

Nontheless:
I'm strictly against sending IPs to members, even if it may be their own.

The important information is THAT and maybe when someone took a look at the PW-Q&A.

Either there was a good reason or not to take such a look.

In most cases acting person would be the owner of the account where there is no reason to send the IP in a plain mail.

If it was somebody else than the owner of the account, there is reason for an Arbitration case as only one of four alternatives will be the case:

a) The owner gave away the access to the account to someone else
b) A supporter hijacked the account and looked at the Q&A on an order of an Arbitrator in an Arbitration case
c) A supporter hijacked the account and took the look without an order of an Arbitrator
d) There is a bug in the software that was exploited

In case b) there should be no need to break the privacy of the person helping Arbitration. If the Arbitrator is doing wrong this should lead to an appeal.

In case c) this should lead to an arbitration case because it would be reasonable to clarify possible consequences for a supporter acting like this, so that the supporter can be stopped to act like this, further.

In case d) there is a need to search for the bug and possible other exploits, possibly inform the users and take actions against the exploiter form the side of CAcert.

In case a) the user either has a security issue or has violated the CCA. There is no reason for a user to make the decision: "Yes, that IP was not mine but should have access as well." So even in this case the information of the IP is not relevant for the owner of the account.

An Arbitrator in such an Arbitration case would have the authorisation to ask for the IP _if_needed_(!) in such a case and to provide it to the owner of the account if there is a good reason to give it to the owner.

Privacy relevant data as IPs should NOT be send automatically and not per plain mail, without due authorisation and control.

BenBE

2014-08-19 21:19

updater   ~0004973

The sent IP address should be anonymized in the following way:
- IPv4: round to /16 or /24
- IPv6: only present the /48 subnet of the IPv6
This information is sufficient to protect privacy AND tell oneself apart from someone else trying to access the information.

INOPIAE

2014-08-19 21:27

updater   ~0004974

Last edited: 2014-08-19 21:30

View 2 revisions

I recieved a mail while looking at my own secrets Q&A => ok (old IP style)

I recieved no mail for a user while looking at the secrets Q&A as SE => fail
related to Bug 1129

reinhardm

2014-09-08 17:46

updater   ~0004994

You should receive an automatic generated message from testserver showing that someone had a look at your account. This message should include your IP you used and the exact timestamp.

reinhardm

2014-09-08 18:23

updater   ~0004995

Last edited: 2014-09-08 18:26

View 2 revisions

I checked this bug by two tries:

a) i logged in and had a view on my own details and secrets questions without editing. Then i closed the session.
I received an automatically generated message with my full IP adress and the exact timestamp.

b) i changed my account details and set the support flag (in Test Mgmt System). I logged into my account and viewed the secret questions using the support interface and logged out.
I received an automatically generated email showing my full IP adress and the exact timestamp.

RESULT:
Test failed because the IP adress should be shown in /16 format.

BenBE

2014-09-09 22:12

updater   ~0004999

Updated patch to include anonymisation of IP addresses.

Eva

2014-10-21 19:44

updater   ~0005065

My points are not answered by the anonymisation.

INOPIAE

2014-10-21 19:47

updater   ~0005066

When looking at my own secret Q&A I receive a mail with the anomynized IP XX.0.0.0/16. => ok
If looking at the secret Q & A over the SE interface I get no mail. => ok

=> ok

janmaco

2014-12-23 21:50

updater   ~0005197

Last edited: 2014-12-23 23:36

View 2 revisions

I looked at my own Q&A and I received a mail with an correctly anonymized /16 ip and the exact time
=> OK

Testing this over the support interface isn't working, see bug 1129.

Eva

2014-12-24 00:15

updater   ~0005201

Please consider to remove the IP address from this mail, completely.

The timestamp AND number of mails one gets, should be enough to know if someone else looked up the account or not. There is no reason at all to explicitely send any part of any IP address to members, outside of Arbitration cases or under the direct control of critical team.

If such information is really needed it could be put into the account log. There was NO reason given at all, WHY (partial) ip addresses are needed to tell own accesses apart from others. One should know if one had tried to access the pw-details, or not. One should also have an idea how often this was the case and when one tried to do so. Any additional mail shows that there was someone else trying to access this information. This alone should be enough to contact support that someone was trying to access this information. The knowledge about (partial) IP addresses would not change what action the member should take.

BenBE

2015-01-28 08:03

updater   ~0005282

The (anonymized) IP in the mail to the user is an aid to the user to determine if the access has been by himself or an unauthorized user. While you don't need to know your exact IP you usually know the rought subnet your provider allocates IPs for you in. Given this information you can locate the access only on city-level, but not the individual user. Thus the access, while providing a rough hint, does not allow you to (uniquely) "identify" the person who accessed the account.

Providing the (partial) IP helps the user to compare it to its own IP and thus provides a valuable hint to those who understand the hint. And given the privacy considerations above it doesn't hurt either.

Another point is support: While we have only few supporters even the anonymized IP could be used to determine the support engineer. Thus completely hiding the IP with support is fine.

Eva

2015-01-29 20:41

updater   ~0005298

But where is the additional information that is provided by the IP address?

Either the user HAD checkt the questions, or the user did not. The user already has that information. No IP or partial IP is needed to check this.

This and ONLY this information is the important one.


There is no need to send information about the whereabouts (or if they use some tools like TOR or any other such information) of the users per open mail, every time when one checks if one remembers the questions, correctly or when one wants to change those.

Currently we should assume that that is ALWAYS(!) done by the user. Because support has no need to do it this way and we think that our software is not exploited. (At least I hope that you do!)

Sure, the user may have lost control over his credentials. But we do not assume that they do so, anywhere else, so we should not do so here. Yes, this feature to identify wrong acces, but that is all.

(Also IF someone has got unauthorised control to the account the person obviously does not need to look at those questions. The only need would be to make it harder for the original user to access the account themself.)


The information of the IP is not needed to identify something like this. The number of mails and the time mentioned within them are a lot better to identify unauthorised access on the side of the user. The partial IP does not give more helpful information.

Also the next step would be to go to support, anyway and by this an IP could be found out (with the help of critical, but if there are a lot of such incidents, software could also add some function within the support area, for this).



Just the fact, that somebody requests something and somebody else provides a patch does not give reason to just go for it.

Issue History

Date Modified Username Field Change
2008-09-15 21:49 rcpao1 New Issue
2012-12-18 14:37 Werner Dworak Relationship added related to 0001129
2012-12-20 18:39 Werner Dworak Relationship added related to 0000223
2013-01-07 23:51 Werner Dworak Relationship added related to 0000408
2013-01-09 15:18 Werner Dworak Relationship added related to 0001135
2013-01-11 15:19 Werner Dworak Status new => needs work
2014-04-29 20:53 INOPIAE Relationship added related to 0001138
2014-06-14 22:57 felixd Note Added: 0004828
2014-06-14 23:07 felixd Note Added: 0004829
2014-06-14 23:32 BenBE Assigned To => BenBE
2014-06-14 23:32 BenBE Status needs work => fix available
2014-06-15 00:05 BenBE Source_changeset_attached => cacert-devel testserver-stable 43da17db
2014-06-15 00:05 felixd Source_changeset_attached => cacert-devel testserver-stable 9fdea3c0
2014-06-15 00:05 felixd Source_changeset_attached => cacert-devel testserver-stable 65c1e579
2014-06-15 00:06 BenBE Reviewed by => BenBE
2014-06-15 00:06 BenBE Assigned To BenBE => NEOatNHNG
2014-06-15 00:06 BenBE Status fix available => needs review & testing
2014-06-15 00:06 BenBE Product Version => 2008
2014-06-15 00:06 BenBE Target Version => 2014 Q2
2014-08-05 21:31 Eva Note Added: 0004916
2014-08-05 21:34 Eva Note Edited: 0004916 View Revisions
2014-08-05 21:40 Eva Note Added: 0004917
2014-08-06 06:01 Eva Note Edited: 0004917 View Revisions
2014-08-06 06:03 Eva Note Edited: 0004916 View Revisions
2014-08-06 06:04 Eva Note Edited: 0004917 View Revisions
2014-08-19 21:19 BenBE Note Added: 0004973
2014-08-19 21:27 INOPIAE Note Added: 0004974
2014-08-19 21:30 INOPIAE Note Edited: 0004974 View Revisions
2014-09-08 17:46 reinhardm Test Instructions => open your account on the testserver and query your settings and password, then close. You should receive an automatic generated message from testserver showing that someone had a look at your account. This message should include your IP you used and the e
2014-09-08 17:46 reinhardm Note Added: 0004994
2014-09-08 17:50 BenBE Test Instructions open your account on the testserver and query your settings and password, then close. You should receive an automatic generated message from testserver showing that someone had a look at your account. This message should include your IP you used and the e => View your account details+password OR query lost password questions on account. You should receive a mail message showing someone looked at your account. This message should include an IP and a timestamp. More in note 4994.
2014-09-08 18:23 reinhardm Note Added: 0004995
2014-09-08 18:26 BenBE Note Edited: 0004995 View Revisions
2014-09-09 22:10 BenBE Source_changeset_attached => cacert-devel testserver-stable c5375599
2014-09-09 22:10 BenBE Source_changeset_attached => cacert-devel testserver-stable 5a0a64af
2014-09-09 22:10 felixd Source_changeset_attached => cacert-devel testserver-stable 2bf16840
2014-09-09 22:10 felixd Source_changeset_attached => cacert-devel testserver-stable 556cd846
2014-09-09 22:12 BenBE Note Added: 0004999
2014-10-21 19:44 Eva Note Added: 0005065
2014-10-21 19:47 INOPIAE Note Added: 0005066
2014-12-23 21:50 janmaco Note Added: 0005197
2014-12-23 23:36 janmaco Note Edited: 0005197 View Revisions
2014-12-24 00:15 Eva Note Added: 0005201
2015-01-28 08:03 BenBE Note Added: 0005282
2015-01-29 20:41 Eva Note Added: 0005298