Internet and e-mail policy and practice
including Notes on Internet E-mail


24 Jan 2019

What's wrong with this security model?

I'm moving some of my financial accounts to Lively, a fintech startup. We've had the usual chit-chat about details of where the money is coming from on the messaging system on their web site. It works fine: when there's something new, they send me a note saying to log in and check my messages. Except that today they sent me a message through a third-party "secure" messaging service. To protect the guilty, we'll call it Hubri.

I got a message from Lively which they sent through Hubri. It had a big block of stuff that sort of looks like PGP:

--- START PROTECTED MESSAGE TDF 0 ---
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9InllcyI/Pgo8dGRmOlRydXN0ZWREYXRhT2JqZWN0IHhtbG5zOnRkZj0idXJuOnZpcnRydTp0
 ...
TnJUMFRSZEZ3PTwvdGRmOkJhc2U2NEJpbmFyeVBheWxvYWQ+CjwvdGRmOlRydXN0ZWREYXRhT2JqZWN0Pg==
--- END PROTECTED MESSAGE ---

It had a link to the Hubri web site, which told me that it was loading their special decoder, then asked whether my address was the one it had sent the message to (uh, yes), and it said OK, we'll send you a secret code.

The code arrived at the same address as the original message, and when I cut and pasted it into their web page, it showed me the message. What exactly is their security model? Anyone who could intercept the original message could intercept the follow-up with the code, so how is this different from sending plain text?
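To make the point concrete, here is an added example, written for this page and not code from the post, from Lively, or from the messaging service: a small stdlib-only Python model of the flow described above. The message body is encrypted with a per-message key that only the service holds, and the key is released when the reader types in a one-time code. The only design choice that matters is which channel the code travels over. Every name in the block (Channel, MessageService, the armor header format, the sample message text) is an assumption of this example, and the SHA-256 counter-mode stream cipher is a stand-in so the example runs without third-party libraries.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Toy model of the "secure messaging" flow in the post. Names and formats are
# assumptions of this example, not the real service's API or file format.
ARMOR_RE = re.compile(
    r"--- START PROTECTED MESSAGE (?P<id>\S+) ---\n"
    r"(?P<body>[A-Za-z0-9+/=\n]+?)\n--- END PROTECTED MESSAGE ---"
)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode) so the example stays stdlib-only.
    Illustrative only; a real system would use an AEAD such as AES-GCM."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Channel:
    """Anything that can carry a message: a mailbox, a registered phone, a portal."""
    def __init__(self, name: str):
        self.name = name
        self.items = []

    def deliver(self, kind: str, msg_id: str, payload: str) -> None:
        self.items.append((kind, msg_id, payload))


class MessageService:
    """The third-party service ('Hubri' in the post). Keys never leave the server."""
    def __init__(self):
        self._keys = {}    # message id -> encryption key
        self._codes = {}   # message id -> pending one-time code

    def send(self, mailbox: Channel, plaintext: bytes) -> str:
        msg_id = secrets.token_hex(4)
        key = secrets.token_bytes(32)
        self._keys[msg_id] = key
        body = base64.b64encode(keystream_xor(key, plaintext)).decode()
        armored = (f"--- START PROTECTED MESSAGE {msg_id} ---\n"
                   f"{body}\n--- END PROTECTED MESSAGE ---")
        mailbox.deliver("protected", msg_id, armored)
        return msg_id

    def request_code(self, msg_id: str, code_channel: Channel) -> None:
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[msg_id] = code
        code_channel.deliver("code", msg_id, code)

    def release_key(self, msg_id: str, code: str):
        expected = self._codes.pop(msg_id, None)
        if expected is None or not hmac.compare_digest(expected, code):
            return None
        return self._keys.get(msg_id)


def parse_armor(text: str):
    """Split the PGP-looking envelope into its id and the raw ciphertext bytes."""
    m = ARMOR_RE.search(text)
    if not m:
        raise ValueError("not an armored message")
    return m.group("id"), base64.b64decode("".join(m.group("body").split()))


def read_from_channel(channel: Channel, kind: str, msg_id: str):
    for k, i, payload in channel.items:
        if k == kind and i == msg_id:
            return payload
    return None


def mailbox_reader_attempt(code_goes_to_mailbox: bool):
    """Model the party the post worries about: someone who can read the
    recipient's mailbox (a compromised account, a forwarding rule, a shared
    inbox) and nothing else. Returns the text they recover, or None.
    The message text is constructed for this example."""
    mailbox = Channel("mailbox")
    phone = Channel("registered phone")   # a channel the mailbox does not carry
    service = MessageService()
    msg_id = service.send(mailbox, b"Wire details: constructed sample text")

    # The mailbox reader sees the armored block exactly as the recipient would.
    armored = read_from_channel(mailbox, "protected", msg_id)
    parsed_id, ciphertext = parse_armor(armored)

    # They ask the service for the code. Where the code goes decides everything.
    service.request_code(parsed_id, mailbox if code_goes_to_mailbox else phone)
    code = read_from_channel(mailbox, "code", parsed_id)
    if code is None:
        return None   # the code went somewhere the mailbox reader cannot see
    key = service.release_key(parsed_id, code)
    return keystream_xor(key, ciphertext).decode() if key else None
```

Calling `mailbox_reader_attempt(True)` recovers the whole message, which is the situation in the post: encryption of the body buys nothing against anyone who already reads the mailbox, because the same mailbox carries the key-release code. `mailbox_reader_attempt(False)` returns None, and the difference is not the cipher but the second channel: a pre-registered phone number, or the recipient's already-authenticated session on the sender's own portal, neither of which the message channel carries.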

The Hubri page offered me the opportunity to send Lively an equally secure response, which I did. It said to look at the messages on their web site to see my answer. You'd expect the message they sent via Hubri also to be in their internal messaging, but no such luck.


  posted at: 15:28 :: permanent link to this entry :: 0 comments
Stable link is https://jl.ly/Internet/sosecret.html


© 2005-2020 John R. Levine.