Click the comments link on any story to see comments or add your own.
Subscribe to this blog
24 Jan 2019
I'm moving some of my financial accounts to Lively, a fintech startup. We've had the usual chit-chat about details of where the money is coming from on the messaging system on their web site. It works fine, when there's something new they send me a note saying to log in and check my messages. Except that today they sent me a message through a third party "secure" messaging service. To protect the guilty, we'll call it Hubri.
I got a message from Lively which they sent through Hubri. It had a big block of stuff that sort of looks like PGP:
--- START PROTECTED MESSAGE TDF 0 --- PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9InllcyI/Pgo8dGRmOlRydXN0ZWREYXRhT2JqZWN0IHhtbG5zOnRkZj0idXJuOnZpcnRydTp0 ... TnJUMFRSZEZ3PTwvdGRmOkJhc2U2NEJpbmFyeVBheWxvYWQ+CjwvdGRmOlRydXN0ZWREYXRhT2JqZWN0Pg== --- END PROTECTED MESSAGE ---
It had a link to the Hubri web site, which told me that it was loading their special decoder, then asked whether my address was the one it had sent the message to (uh, yes), and it said OK, we'll send you a secret code.
The code arrived at the same address as the original message, and when I cut and pasted it into their web page, it showed me the message. What exactly is their security model? Anyone who could interecept the original message could intercept the followup with the code, so how is this different from sending plain text?
The Hubri page offered me the opportunity to send Lively an equally secure response, which I did. It said to look at the messages on their web site to see my answer. You'd expect the message they sent via Hubri also to be in their internal messaging, but no such luck.
comments... (Jump to the end to add your own comment)
Add your comment...
Note: all comments require an email address to send a confirmation to verify that it was posted by a person and not a spambot. The comment won't be visible until you click the link in the confirmation. Unless you check the box below, which almost nobody does, your email won't be displayed, and I won't use it for other purposes.
My other sites
© 2005-2020 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.