Replying from email while logged out

[trobadora]

Title:
Replying from email while logged out

Area:
entries

Summary:
Make it possible to reply to comments from the form in the notification email while logged out.

Description:
Currently you can't reply to comments from the reply form included in email notifications unless you're logged in. I want to suggest that functionality is restored.

Advantages: You don't have to log in on someone else's computer (or at work) just to fire off a quick reply to a comment. And if you have more than one account, you can reply to comments on both equally easily.

Problems: I've been told there are security issues? (I haven't heard of it causing any problems on LJ, though.)

Poll #983 Replying from email while logged out

Open to: Registered Users, detailed results viewable to: All, participants: 42

View Respondents

This suggestion:

View Answers

Should be implemented as-is.
8 (19.0%)

Should be implemented with changes.
11 (26.2%)

Shouldn't be implemented.
15 (35.7%)

(I have no opinion)
7 (16.7%)

(Other: please comment)
1 (2.4%)

Comments

[denise]

The security issue is that if the email contains auth information (which is how LJ does it -- the emails contain an invisible 'key' that lets you post as you, even if you're not logged in as you; not your password, but a one-way authorization) anyone who happens to get a copy of that notification email can use it to reply as you.

So, basically: you get comment email containing cool comment, you forward comment email to friend (saying "oh look at this cool comment"), friend says "oh, I wanted to reply to that comment!", friend uses form in HTML email to reply to comment instead of visiting website directly: friend's comment will display as having come from you.

[trobadora]

Thank you for explaining!

Has this actually caused problems? The functionality's been around for ages, and I've never heard anything (which, granted, doesn't mean much *g*). But still, if there's a better way to do it than just return to how it was before, I'm all for it - so long as there is a way. :)

[denise]

Yes, it's caused some uncomfortable moments on LJ over the years.

I would personally like to have some kind of email-to-comment gateway, where you could email your comment reply (since the technology used to construct the reply-to box in HTML comment email doesn't work in about half the email clients out there), but that has the same issues.

Basically, any instance where you can perform an action as yourself from email without entering your username and password is a security risk. The prevailing opinion on LJ is that if someone's stupid enough to forward a comment email, it's their own fault if someone uses that to comment as them, but I'm uncomfortable using the same argument for Dreamwidth, because it's not something that people immediately and intuitively identify as a security risk (and therefore have their common sense tell them not to do that).

[trobadora]

I see, and I'm sorry to hear that - not being able to reply without logging in is one of the main things that's keeping me from using DW more actively. Is there any chance of a fix for this?

[denise]

I personally can't think of anything that might fix it, but I'm not the only one who's thinking of solutions to this sort of problem! Would it be as annoying if you hit "send" on the form in email and were taken to a page to give your username/pw for a one-time authentication at the time of posting the comment? (ie, not comment-and-log-in, but verify that the comment was from you)?

And I don't know, maybe people don't care about the security implictions -- that's why I let the suggestion through, to see if people value the convenience more than the security; it's always possible we can go for the trade-off. But I wanted to just make sure you knew what the underlying problem was, and why it was changed.

[trobadora]

Would it be as annoying if you hit "send" on the form in email and were taken to a page to give your username/pw for a one-time authentication at the time of posting the comment?

You can already just not tick the "log in" box when you authenticate your comment, can't you? And anything that requires an intermediate page wouldn't really be practically different from what we have now, IMO. Could entering your password on a separate field on the email reply form be made secure?

And I don't know, maybe people don't care about the security implictions -- that's why I let the suggestion through, to see if people value the convenience more than the security; it's always possible we can go for the trade-off.

I'm glad for the explanation! At least now I know why it was disabled. To be honest, it'd never have occurred to me that people would forward comment notifications ... *g*

[denise]

Could entering your password on a separate field on the email reply form be made secure?

Hmm. I'm not sure if email clients support the function in forms that replaces characters with •••• while you're typing to prevent shoulder surfing, but that could work ...

It'd have to be sent unencrypted, though, which might bother some people. Then again, they could just not use it. Hmmmm.

[trobadora]

It'd have to be sent unencrypted, though, which might bother some people.

Yeah, you're right, that's not exactly a security improvement ... *sighs*

[denise]

Yeah -- pretty much no matter what we pick to do is going to have some sort of tradeoff on the security/ease-of-use spectrum, is the problem. When we run into those types of issues, we gather data on where people fall on that spectrum and then make an executive decision -- we're open to re-visiting some of them, but not all of them.

(This is one of the ones upon which my opinion is not entirely set in stone, since it really is a very minor security issue IMO, but ... *waves hands around*)

[trobadora]

You know, thinking about it I actually like the idea of comment reply via email even better. That'd also mean you could reply without having to open the page, wouldn't it? Something similar to email posting, where you can set a specific email address and possibly a PIN to authenticate the reply. That'd be fantastic.

[denise]

Random fact: way back when, in the dawn of time, Brad kept threatening to write a POP3 server for LJ so you'd be able to download your friends' posts etc in your mail client, and reply to posts by replying to emails. It was one of those typical crazy Brad ideas, but I always thought there was a hint of interesting stuff in there.

[trobadora]

Hee! That's cool. Yep, there's definitely something in there!

[zvi]

Would it be as annoying if you hit "send" on the form in email and were taken to a page to give your username/pw for a one-time authentication at the time of posting the comment?

The big problem I see here is not so much the annoyance factor as the 'a major reason for replying from e-mail while logged out is to get around corporate IT website blocking.'

[denise]

That's already an issue, actually -- the email form is submitted via HTTP protocol, so it will trip any corporate firewall already.

[aveleh]

My ideal solution would be to have reply to emails to make a comment, but you (1) have to explicitely turn this option on (so that you get the warning about forwarding these emails, or maybe that can just be in a footer to each email) (2) can also turn on an option that requires you to enter a PIN (but I'm not entirely sure where a safe place to put this would be.)

I definitely want reply-to-email options; it would be awesome with my smartphone.

[trobadora]

That sounds cool! I like it.

With email posts, you can put your PIN in the subject line - could something similar work here?

[azurelunatic]

That opinion on LJ literally caused me to have a yelling, shaking, swearing hour or so of moral freakout. Evidently security by obscurity is literally a religious issue for me.

[zarhooie]

I wish there was a "Whatever Rah thinks is a good idea" option on the poll. Just sayin'.

[adalger]

There is. "(I have no opinion.)" ;)

[susanreads]

Could there be an option to validate your email address as a place to reply to comments from, so that if (in account management somewhere) you've set it as a trusted email address, you could post comments as you from that address? It would default to no, and when you set it there would be security warnings.

[charmian]

Now that I've seen the argument, I can def see the security risk. However, could this be counteracted by other means, such as validated email addresses and/or more information to the user?

[trobadora]

I really hope there is a way!

[kyrielle]

I'd like to see this with a reply-to feature in the email, where individual users can turn on which emails are trusted (so not necessarily your main email - you don't have to enable reply-to commenting if you don't want). However, the complication there is - what if you have 2+ accounts and want to reply to all from the same email? If it can tell which account the comment was to, that would work, tho.

Or, add a field on the comment form that requires - not your password - but a PIN that you set in the UI. If you don't set a PIN, no one can reply from your email comments without being logged in as you. If you set the PIN, they can - if they know the PIN. That way you're not sending your password unencrypted, at least; if someone sniffs it, all they've learned is how to impersonate you replying to email comments, and first they have to get an email comment.

[(Anonymous)]

This functionality would make using DW much more appealing to me. I hate not being able to do this, and it means I don't actually use DW at all to post at present. The security issue seems pretty minor, and I'd personally far prefer to have the function (I don't think I've ever forwarded a comment email to anyone in the years I've been on LJ, and if I was going to tell someone about it I'd copy-paste or send a link to the comment onsite, rather than forward it anyway).

If there was a way that users could acknowledge that they understand the security risk and accept it, and then turn on the functionality, that would be great.

[triadruid]

I don't think the security risk is worth it. I've never forwarded a comment email, but I also don't think it's a good idea to have that loophole. I think DW did the right thing in disabling it, and anything that uses less security than the usual login method isn't right IMO.