Do you have an email doppelganger?

As Shakespeare once famously penned, “what’s in a name?” And while this isn’t a tale of star-crossed lovers, it is a precautionary tale of email security.

A recent article in The Age talks about the rise of the email doppelganger, a situation where people send you emails intended for someone else with the same name as you.

Many of us have received emails not intended for our inbox. This is usually down to human error, such as selecting the wrong name from an address list. But what if you were continually receiving emails that were really meant for the ‘other you’? Your so-called ‘virtual doppelganger’.

This raises a number of privacy and security issues. The most obvious being that if someone sends you an email by mistake – believing it’s going to someone else of the same name – then you may be privy to information of a sensitive nature. And while you may have received an email unintentionally, you would generally need to read it first to realise it’s not for you.

Alternatively you might believe a genuine email is nothing more than spam and that the sender’s address is part of a phishing scam. Then there’s also the simple fact that some people may never be receiving email messages intended for them, whether these be personal or business related.


How to avoid becoming an email doppelganger

One of the best ways to ensure people reach the ‘real you’ is to use your own domain. This reduces the possibility of your emails going to someone else by mistake.

If you have registered a business, or even personal, domain (e.g. ‘greatdesigns.com’) you can then use FastMail to setup email addresses at this domain, which means people will always be emailing the right ‘samanthajones@greatdesigns.com’. Creating your own email domain makes it very unlikely that someone will accidentally give your email address as their own. It also means that if you mistype your address somewhere it’s unlikely to go to someone else. Let’s contrast this to having the email address ‘joebloggs@fastmail.fm’, which might only be a small typo away from accounts with very similar email addresses.

You can host the email for your domain(s) with FastMail, providing you have an Enhanced/Premier personal account, or a business/family account.


Use an alias

You can also add a number of email aliases to your inbox. This allows you to have different email addresses which all deliver to your one FastMail account, without the need to purchase multiple accounts.

For example, while your email address might be ‘samanthajones@greatdesigns.com’ you could also add ‘info@greatdesigns.com’ and ‘sales@greatdesigns.com’ too.

FastMail supports catch-all aliases on your domain, so that any email that is sent to ‘@yourdomainname’ will come to you, even if that specific alias doesn’t exist.

Using aliases and your own domain are two great ways to help reduce the chance of your emails going to someone else. And while there aren’t always complete safeguards against human error – for example, someone might have two friends with the same or similar name in their address book – it’s good to know there’s still plenty you can do to protect your email self.

Posted in Uncategorized. Comments Off on Do you have an email doppelganger?

FastMail is not required to implement the Australian metadata retention laws

Summary: We have reviewed the recently passed Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015 and have received additional legal advice confirming that the new metadata retention regime will not apply to FastMail. This means that FastMail is not obligated to retain metadata relating to email sent/received by our users, nor are we required to provide Australian law enforcement agencies with access to such metadata without a warrant. As such, there are no changes to our privacy policy.

For those interested, there are significantly more details below.


Some users have asked us what the recently passed metadata retention laws mean for FastMail, and in particular the privacy of their data. We’ve now reviewed the new laws as passed in the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015 and worked with a lawyer to get a confirmed interpretation.

The most important provision in the Bill for our purposes is the new section 187A(3) which defines who the laws actually apply to. There are 3 separate parts that must all apply for an entity to be subject to the metadata retention requirements. Quoting the actual bill:

(3) This Part applies to a service if:

   (a) it is a service for carrying communications, or enabling communications to be carried, by means of guided or unguided electromagnetic energy or both; and

   (b) it is a service:

      (i) operated by a carrier; or

      (ii) operated by an internet service provider (within the meaning of Schedule 5 to the Broadcasting Services Act 1992); or

      (iii) of a kind for which a declaration under subsection (3A) is in force; and

   (c) the person operating the service owns or operates, in Australia, infrastructure that enables the provision of any of its relevant services;

but does not apply to a broadcasting service (within the meaning of the Broadcasting Services Act 1992).

We do meet the requirements for (a), however none of (b) nor (c) apply to us, so the laws as a whole to not apply to us.

Digging into these into more detail:

Section 187(3)(a)

As an email service, FastMail clearly enables "communications" to be "carried" (as those two terms are defined in the Telecommunications (Interception and Access) Act 1979 ("TIAA").

Section 187(3)(b)

(i) FastMail is not a "carrier" as defined in section 5 the TIAA because:

  • we are not the holder of a "carrier licence" as defined in section 7 of the Telecommunications Act 1997 ("TA"); and
  • we are not a "carriage service provider" as defined in section 87 of the TA because:
    • the definitions in sections 87(1), (2), (4) and (5) require a carriage service provider to be a person supplying a "listed carriage service", which is defined in section 16 of the TA to mean a "carriage service" between two or more points where at least one point is in Australia – as none of FastMail’s servers are physically in Australia, we only ever connect our servers to a network outside of Australia, and therefore only ever carry communications between non-Australian locations;
    • the definition in section 87(3) applies to carriage services that are supplied as a secondary purpose for a network whose principal use is by a defence organisation, transport or electricity providers, or similar – none of these uses are relevant to FastMail’s services;

(ii) FastMail is not an "internet service provider" within the meaning of Schedule 5 to the Broadcasting Services Act 1992, because we do not supply an "internet carriage service" (meaning a listed carriage service (as defined in the TA) that enables end-users to access the internet) to the public; and

(iii) no declarations made under subsection (3A) are in force.

Although the argument regarding FastMail only ever carrying communications between non-Australian networks is quite technical, we’ve not been able to find any cases or commentary which support nor contradict that argument. However, having reviewed the rest of the wording in section 87 (including the definitions of "network unit", "line link", "line" and "designated radiocommunications facility", none of which FastMail seem to have in Australia), it seems unlikely that FastMail could be defined at a "carriage service provider".

In any event, an analysis of part (c) as discussed below, it’s of little consequence whether 3(b) applies or not.

Section 187(3)(c)

The biggest question here is what "infrastructure" means. Section 5 of the TIAA (see page 29 of the Bill) includes a definition as follows:

infrastructure means any line or equipment used to facilitate communications across a telecommunications network

We don’t have any lines or equipment (servers) in Australia, and therefore do not have "infrastructure" in Australia.

As an additional confirmation, the explanatory memorandum for the Bill makes this point even clearer:

Definition of ‘infrastructure’

417.           This item inserts a definition for the term infrastructure into subsection 5(1) of the TIA Act. It defines infrastructure, as it is used in paragraph 187A(3)(c), to mean any line or equipment used to facilitate communications across a telecommunications network.

418.           The term infrastructure is used as part of the three limb test in paragraphs 187A(3)(a), (b) and (c) which defines a relevant service. ‘Equipment’ is defined in section 5 of the Act, which states equipment means any apparatus or equipment used, or intended for use, in or in connection with a telecommunications network, and includes a telecommunications device but does not include a line. Section 5 of the Act, defines ‘line’ by reference to the definition in the Telecommunications Act. Section 7 of the Telecommunications Act states a line is a wire, cable, optical fibre, tube, conduit, waveguide or other physical medium used, or for use, as a continuous artificial guide for or in connection with carrying communications by means of guided electromagnetic energy.

419.           Servers used to operate an ‘over the top’ service such as VoIP would fall within the definition of infrastructure. However, ‘infrastructure’ is not intended to include business premises. For example the headquarters of a company, taken in isolation, would not satisfy the definition of ‘infrastructure.’

420.           Importantly, a piece of equipment or line meeting the definition of infrastructure does not automatically satisfy paragraph 187(3)(c). For instance, a computer used by an employee in a company’s headquarters or marketing office is not directly involved in the provision of a relevant service and therefore does not satisfy paragraph 187(3)(c).

421.           This item implements recommendation 11 of the 2015 PJCIS Report by defining the term ‘infrastructure’ in greater detail for the purposes of paragraph 187A(3)(c).

Therefore, it’s clear that part (c) does not apply to FastMail, as the only equipment in Australia is employees and their work computers, there are no servers running any FastMail services or storing any email in Australia.

Therefore section 187A(3), which imposes the metadata retention obligations, does not apply to FastMail.

We had some additional queries regarding the wording of “owns or operates, in Australia”. Since that’s two separate parts, if you take the "own in Australia" part, does that mean "the infrastructure is physically in Australia" or does it mean "the infrastructure is legally owned by an entity in Australia"? It has been made clear to us that the wording of part (c) of section 287(3) applies to the location of the infrastructure, rather than whether the person or entity that owns the infrastructure is Australian. If this wasn’t the case, part (c) would need to phrased so that the reference was to an "Australian person" or "Australian entity" owning infrastructure (or there’d be a definition to bring in this connection). By using the words "in Australia", the reference can only be to the physical location of the lines and equipment

As an aside from actually determining if the law applies to us, we regard the actual need for this law as poorly thought out. There’s no evidence that large scale metadata retention will actually lead to improved policing, and in an insane situation, you actually have the communications minister for the government that’s passing this law recommending ways to work around the law! All this bill does is impose excessive additional regulations and burdens on Australian businesses. It actively discourages us from investing in servers and infrastructure in Australia and encourages us to put them elsewhere in the world to ensure that the law continues to not apply to us. Forcing an Australian company to reduce IT infrastructure investment in Australia and creating an inferior experience for Australian customers, while providing no proven law enforcement benefit for anyone feels like a massive mistake to us.

Posted in News. Comments Off on FastMail is not required to implement the Australian metadata retention laws

Increased user security, upgrading Diffie-Hellman parameters to 2048 bits

For non-technical users, the short version is that if you’re using a modern, up-to-date web browser, mobile device or mail client to access FastMail, then there’s nothing you need to do.

If you’re using old or unusual software to access or send via FastMail, you might be affected and should read on.

What’s happening?

On 30 March 2015 we will be increasing the size of the DH parameters for DHE ciphers to 2048 bits. This will cause connection problems for old software that cannot handle DH parameters greater than 1024 bits.

1024-bit RSA crypto is generally being phased out as insecure and has been for at least the last five years.

Breaking DH parameters is generally understood to require the same amount of computation as a RSA key of equivalent size. Therefore, the recommendation is to increase the size of DH parameters in step with the size of RSA keys.

If we don’t upgrade our crypto to 2048 bits for the general case, we’re compromising the security of all our users for a few that have old clients. We don’t consider that to be acceptable.

Will this affect me?

The main software we’re aware of that will be affected is iOS 5 and Java 6 and 7 (which often means business software that sends through our authenticated SMTP service).

If you’re unsure if you’re affected, you can test right now by pointing your software at https://beta.fastmail.com/ (web) or betamail.messagingengine.com (everything else). These servers are using the new config that will be rolled out on the 30th. Note that you shouldn’t use these names permanently; this is a test service and does not have the same redundancy as the main FastMail services.

If you can access your mail as normal using these servers, then you have nothing to worry about.

If you can’t connect through the beta servers but can through the main servers then its quite likely that you are affected and you will need to either upgrade or reconfigure your software, or switch to our “insecure” services at https://insecure.fastmail.com/ (web) or insecure.messagingengine.com (everything else). Using the insecure service is not recommended as it uses encryption that is known to be weak or broken.

Please note that we’re unable to help you upgrade or reconfigure your software, particularly for those Java business apps. You’ll need to contact your software vendor for that.

Further reading

If you’d like to read more about perfect forward secrecy and DH param lengths, the following technical articles may be interesting to you:

Posted in Technical. Comments Off on Increased user security, upgrading Diffie-Hellman parameters to 2048 bits

XMPP security improvements

We’ve just rolled out an update to our XMPP service to give it the same level of TLS encryption support that you’ll find in our IMAP, POP3 and SMTP services. It now supports TLS 1.2 with modern ciphers. The changes mean we now get an A rating on the XMPP security test.

If you didn’t know we had an XMPP service, or if you don’t know what any of this means, then you can ignore it. Everything should just continue to work!

Our XMPP service has lagged behind our other services for a while because our XMPP server, djabberd, has problems with TLS >1.0 due to deficiencies in Perl’s TLS libraries, and has resisted our best efforts to fix it. We’re hoping to replace it with another server in the next year or two so to avoid having to do a bunch of work that we’d eventually throw out, we decided to follow the same model that we use for IMAP, POP3 and SMTP. We added XMPP support to nginx’s mail proxy, and then let it do authentication and encryption termination, both tasks which it excels at.

Most importantly, nginx is well known as a highly stable and secure TLS server and receives a constant stream of updates. Any improvements we roll out in the future will automatically be applied to the XMPP service as well.

More information about the actual implementation in nginx is at http://robn.io/nginx-xmpp/.

We’re quietly working on modernising our XMPP service. If that’s something you’re interested in then keep an eye on this blog over the next few months.

Posted in Feature announcement. Tags: , , . Comments Off on XMPP security improvements

Know how to identify genuine email from FastMail

Recently, we’ve seen an upswing in the number of attempts by criminals to steal FastMail accounts. We’re working hard to maintain our high security and keep them at bay, but we’ve also got three simple tips you can follow to keep your account secure.

1. Know how to identify genuine email from FastMail

All genuine email from FastMail is displayed with a white tick in a green circle next to the sender’s name in both the mailbox list and on the message itself. It looks exactly like this in the mailbox:

Green tick next to sender name in mailbox list

And like this on the message:

Green tick next to sender name in message view

If the email doesn’t have the green tick, it’s not from us.

Please note, we can only do this in our web interface and apps; it will not appear in other email clients. It will also not appear in our classic interface; we recommend users upgrade to our current interface for increased security.

Always look for the green tick before trusting emails supposedly from FastMail.

2. Look for the green badge before logging in

When logging into our webmail, always look for a green badge in the address bar of your browser with the text “FastMail Pty Ltd”. Phishing sites (scam websites that try to steal your login details) can easily clone the look and feel of our website, however they can’t clone the green badge.

The badge looks like this in Google Chrome:

Green EV SSL badge reads FastMail Pty Ltd

And like this in Mozilla Firefox:

Green EV SSL badge reads FastMail Pty Ltd

And like this in Safari:

Green EV SSL badge reads FastMail Pty Ltd

And like this in Internet Explorer:

Green EV SSL badge reads FastMail Pty Ltd

And like this in Opera:

Green EV SSL badge reads FastMail Pty Ltd

If you don’t see the badge, you’re not at the genuine FastMail website.

3. Never reuse your FastMail password at another service

Your email is the key to your digital life. Almost every web service you use, such as Amazon, Facebook or Twitter, allows you to reset their password by sending a link to your email address. It’s vitally important to keep your email password secure, as it provides access to everything else!

When you reuse your FastMail password at other sites, you’re making it much easier for attackers to potentially break in to your account. Other sites often don’t have the same high security measures as FastMail (such as compulsory HTTPS, locked-down servers, etc.), which makes them much easier for criminals to break in to. If they hold your email address and the same password that you use for FastMail, the attacker can then access your email account and get into everything else you use online.

Always use a unique password for FastMail that you don’t use elsewhere.

Follow these three simple tips, and you’ll be protected against the vast majority of attacks we see.

Posted in News. Comments Off on Know how to identify genuine email from FastMail

FastMail app for Intel-based Android devices now available

Today I pushed an update of the FastMail app that works on Intel-based Android devices. We’ve had a few requests for this as more and more Android devices are now running on Intel CPUs. Happily, the Crosswalk browser engine we use in the app has had Intel support for a long time, so it was just a matter of adjusting our build system to be able to build two different versions of the app.

As usual, its available from the Google Play Store.

Posted in Feature announcement. Comments Off on FastMail app for Intel-based Android devices now available

Dec 24: Working at FastMail

This blog post is part of the FastMail 2014 Advent Calendar.

The previous post on 23nd December was the open protocol, JMAP. And this is the end!

Technical level: low

FastMail has been around for 15 years now, via a short detour as part of Opera Software and then back to being our own company again.

Some History

I was hired in 2004 as the fourth member of a small technical team in Melbourne. Rob M was living overseas at the time, so I worked with Jeremy (one of the original founders, he’s moved on to other things now) and Richard. We had no office, but I would catch the train and tram to Port Melbourne and work with Jeremy in his lounge room.

After working for a big corporate where (no joke) I couldn’t have a server to do my work for the 6 months I was seconded to New Jersey, because they needed longer than that to plan things, and where I only managed to wrangle a desktop computer to make into a server because my laptop had been purchased in Australia and wasn’t in their database… it was a breath of fresh air to be asked to specify the laptop that I wanted and have it delivered and waiting for me when I started.

Jeremy also had another company, and we moved in with them when they got some space of their own. We shared a house in Port Melbourne where we set up desks in the bedrooms, and then later a proper office in Melbourne CBD until they were sold in 2008. We moved to a serviced office on the 50th floor of one of the tallest buildings in Melbourne. The view was fantastic, though my ears always popped in the elevator! Jeremy stayed with ODG, so it was just the three of us working together.

After the sale to Opera, we doubled the size of the team and took a larger office on the same floor. I was lucky enough to get a transfer to head office in Norway in 2011-2012, and while I was away the team in Australia grew further and moved to our current office on William St in the Melbourne CBD (interestingly, our datacentre in New York is also on a William St — it hasn’t caused any misdirected mail yet). We have a great office of our own now, with plenty of space.

Office environment

We work in rooms with 2-4 people, with doors that can be closed (though they usually aren’t) and a boardroom that’s big enough for the entire team to get together for our weekly status meeting. If anyone is remote (working from home, travelling, etc) they join via video conference. We’ve been using AppearIn from our friends at Telenor.

IMG_20141223_082104

We have a huge open breakout area with couches, table tennis table and kitchen.

IMG_20141223_120108

The nice thing about working on computers on the other side of the world is that it really doesn’t matter where you are. We don’t treat the office network specially, everybody’s laptop makes its own VPN connection anyway – so we can do our work anywhere. Most of the team have children, and many of us work from home one or two days per week.

When we are in the office together, we frequently gather around whiteboards to nut out ideas. The great thing about smartphones is that everyone has a camera, so we all take a photo of the end result and keep it with us as we go back to our individual tasks.

A Small Business

The great thing about FastMail is that it’s a blend of startup and small business. We have the best bits of startup culture — flexible working hours, free coffee, snacks and drinks in the fridge, table tennis table, cake on Fridays (often shared with our friends at ODG, we still stay in touch). This is matched with the best bits of a profitable company — consistent revenue, existing infrastructure, decent salaries, and people who understand the business side of things as well as the tech.

My first question when I interviewed with FastMail was “do you have someone who knows how to run a business”, because I worked for a dotcom that went bankrupt due to poor business planning. I didn’t want to live through that mess again. FastMail has had steady growth every year for the last 15 years, thanks to our fantastic users who appreciate our product and stay with us.

Jobs at FastMail

As with any business, if the right person appears, sometimes you adjust things to create a role for them. Our tasks aren’t that fixed, we split the work between us to get the required jobs done.

Having said that, we have two specific positions opening up in our Melbourne, Australia office for early 2015:

These two people will be working on both our FastMail product and building the reference open-source implementations for JMAP.

If you have the skills we need, and the right to work in Australia (sorry, we can’t help with visas or sponsorships), then drop us a line at jobs@fastmail.com.

Thanks!

Thank you to everyone who has been following this series, reading what we write. More than anything, people want to know they are bringing value to others. One of the best things about working at FastMail is that code we write is out there making people’s lives better almost immediately — that’s a great feeling. The positive feedback we’ve been receiving has made all the effort worthwhile, even last-minute scramble to get posts finished on the weekends!

Extra special thanks to all our customers. It’s your ongoing support that allows us to continue our passion of building email, calendar and contacts done right.

Wishing everybody a happy and safe holiday season.

Posted in Advent 2014. Comments Off on Dec 24: Working at FastMail
Follow

Get every new post delivered to your Inbox.

Join 6,392 other followers