undefined | Better HN

0 pointsjamesgeck09y ago0 comments

If a malicious party successfully attacked the Nylas auth servers, how much of my email data would they be able to get? All of it?

0 comments

Fnoord9y ago

The backend speaks SMTP, IMAP, and HTTP. It is basically a glue (or proxy) between SMTP/IMAP (including those protocols over TLS) and HTTP. Nylas Pro talks HTTP to the glue (I assume that is using TLS, so HTTPS). Nylas Mail also talks HTTP to the backend, but the backend runs locally, so you're self hosting the backend. I suppose this has a performance loss. (With Nylas Pro, you can set a separate backend server if you desire but that requires work. That is a really cool feature for a business though.)

So I would assume you are hosed. The passwords need to be stored plaintext.

jamesgeck0OP9y ago

I don't think the free version of Nylas Mail is storing IMAP passwords, plaintext or otherwise. For Gmail, at least.

1. You never enter them into the client. It uses Oauth to authenticate.

2. By the comment here, it seems that they're using Google's Gmail API. https://news.ycombinator.com/item?id=13417904

Fnoord9y ago

Oh, it does save the password.

Oauth makes sense that there's no password saved. A unique key is saved which is authenticated with Google. If this key leaks, you are hosed, too, but at least you can revoke that key.

I tried grep mypasswd ~/.nylas-mail/* and grep said Binary file shared.sqlite matches. This did not occur in ~/.nylas it makes sense and it is inevitable, a client like Thunderbird suffers from the same.

It can be circumvented by saving the password encrypted and decrypting it using a master password. That is akin to how LastPass and Mozilla save their cloud data.

Using containers etc would also lower the threat.

In a way its good the password is saved locally. The engine also runs locally. It moves the threat model to the client, away from Nylas servers. Kudos.

j / k navigate · click thread line to collapse

0 comments

Fnoord9y ago

So I would assume you are hosed. The passwords need to be stored plaintext.

jamesgeck0OP9y ago

I don't think the free version of Nylas Mail is storing IMAP passwords, plaintext or otherwise. For Gmail, at least.

1. You never enter them into the client. It uses Oauth to authenticate.

2. By the comment here, it seems that they're using Google's Gmail API. https://news.ycombinator.com/item?id=13417904

Fnoord9y ago

Oh, it does save the password.

Oauth makes sense that there's no password saved. A unique key is saved which is authenticated with Google. If this key leaks, you are hosed, too, but at least you can revoke that key.

It can be circumvented by saving the password encrypted and decrypting it using a master password. That is akin to how LastPass and Mozilla save their cloud data.

Using containers etc would also lower the threat.

In a way its good the password is saved locally. The engine also runs locally. It moves the threat model to the client, away from Nylas servers. Kudos.

j / k navigate · click thread line to collapse