Yes, someone did figure out how to post to Dustin's site today. This security hole is now fixed.
We had a specific problem with the way we dealt with SPF records. Dustin didn't set any up, and there was a specific way that Robin Duckett's email server responded that caused us to flag it as a false negative for spoofing.
For the vast majority of users who use gmail, hotmail or other services, this was never an issue.
Since our launch on day one, we have taken email spoof detection very seriously. It's one of our core differentiators: to be able to securely post to your blog by emailing a single, easy to remember address. We don't want to do secret addresses or secret words.
Over the past 2 years, we've developed robust spoof detection ip and spend a ton of time trying to stay a step ahead of hackers. Fortunately, we've only had a few very specific, isolated cases where one of our sites was spoofed and each time we have improved our system.
Thanks for bringing this to our attention. We always need to be one step ahead of the hackers/spoofers, and we thank the Hacker News community for keeping us on our toes!
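The SPF problem described in this reply (a domain with no record, and a sender whose server answered in a way that was misread as "not spoofed") comes down to how the evaluator treats results other than an explicit pass. The following is an added example, not Posterous code, of a minimal SPF evaluator that handles only the ip4, ip6 and all mechanisms and fails closed on everything else; the records and addresses are constructed from documentation ranges:

```python
import ipaddress

# SPF qualifier prefixes and the results they produce (RFC 7208, section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate one SPF TXT record against the IP the mail arrived from.

    Only the ip4, ip6 and all mechanisms are implemented, which is enough to
    run offline. Anything that would need DNS (include, a, mx, redirect=, ...)
    is reported as 'permerror' so that the caller fails closed instead of
    guessing. Returns: none, pass, fail, softfail, neutral or permerror.
    """
    if record is None:
        return "none"  # the domain publishes no SPF policy at all
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"  # mechanism this offline evaluator cannot resolve
    return "neutral"  # no mechanism matched and no 'all' to catch it


def may_autopublish(spf_result):
    """Fail closed: only an explicit 'pass' lets a mail-to-post message publish
    without a confirmation step. 'none' and 'neutral' are the cases that are
    easy to misread as 'not spoofed'; they assert nothing about the sender."""
    return spf_result == "pass"


if __name__ == "__main__":
    # Constructed records and addresses (RFC 5737 / RFC 3849 documentation ranges).
    cases = [
        ("v=spf1 ip4:192.0.2.0/24 -all", "192.0.2.10"),   # pass
        ("v=spf1 ip4:192.0.2.0/24 -all", "203.0.113.5"),  # fail
        ("v=spf1 ip4:192.0.2.0/24 ~all", "203.0.113.5"),  # softfail
        (None, "203.0.113.5"),                             # none: no record
    ]
    for record, ip in cases:
        result = evaluate_spf(record, ip)
        print(f"{ip:>14} vs {record!r}: {result} -> "
              f"{'publish' if may_autopublish(result) else 'hold'}")
```

The point of `may_autopublish` is that "none", "neutral" and "softfail" are not evidence the mail is genuine; a sending domain without an SPF record simply has not said anything, and the only safe default for unattended publishing is to hold the post.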
>We had a specific problem....
Most of the people here work in technology. Your response sounds a bit hand-wavy, as if you're alluding to some great complexity when the described "hack" is so incredibly rudimentary it would be the first thought of anyone making such a solution. The parts in this mechanism are trivial.
We've all done the "well...the packets they..uh...confluence of...ECC..."
>trying to stay a step ahead of hackers
Be wary of false confidence. I would wager that you've stayed a step ahead simply because you haven't gotten their attention yet. It's a classic "low security", non-scalable start-up approach. A "we'll deal with that once we're big enough that people notice it" approach.
>Over the past 2 years, we've developed robust spoof detection ip
Beyond using SPF and DomainKeys, I would be surprised if you have anything that could accurately get called "IP" in the realm of email. It's a long, long trodden ground.
Here's a posterous I just created: http://john-tfk88.posterous.com/ that I have not claimed.
The 'Claim this site' link goes to http://posterous.com/main/register?hash=Bu5fX3lRT2rYPURl7axZ...
If you view the source you'll find that my email address is 'hidden' in the page:
<input id="user_mail" name="user[mail]" type="hidden" value="jgc@jgc.org" />
So, for any unclaimed posterous you can programmatically get to the owner's email address. A nice hack would be to grab the email address of newly created posterous accounts, wait for them to be claimed (or not) and then start spamming them. Yay! Oh look: http://www.google.co.uk/search?hl=en&q=%22claim+this+sit...
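A defender-side check for the kind of leak shown above (personal data sitting in a hidden form field that anyone with the URL can read) is to audit rendered pages for hidden inputs whose value looks like an e-mail address. This is an added example, not Posterous code; it uses only the standard library and is fed the snippet quoted in the comment plus a constructed clean form:

```python
import re
from html.parser import HTMLParser

# Loose e-mail shape; good enough to flag candidates for a human to review.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class HiddenFieldAuditor(HTMLParser):
    """Collect <input type="hidden"> fields whose value looks like an e-mail address.

    HTMLParser routes self-closing tags such as <input ... /> through
    handle_starttag as well, so both forms are covered.
    """

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() != "hidden":
            return
        value = a.get("value") or ""
        if EMAIL_RE.match(value):
            self.findings.append((a.get("name") or a.get("id") or "?", value))


def find_leaked_emails(html):
    """Return [(field name, value)] for every hidden input carrying an e-mail address."""
    parser = HiddenFieldAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# The form fragment quoted in the comment above.
LEAKY_FORM = '<input id="user_mail" name="user[mail]" type="hidden" value="jgc@jgc.org" />'

# Constructed fixed form: the server keeps the address in its session state and
# the page only carries an opaque claim token (placeholder value).
CLEAN_FORM = (
    '<form><input name="claim_token" type="hidden" value="CLAIM-TOKEN-PLACEHOLDER" />'
    '<input name="user[mail]" type="email" placeholder="you@example.org" /></form>'
)

if __name__ == "__main__":
    for label, html in (("leaky", LEAKY_FORM), ("clean", CLEAN_FORM)):
        print(label, find_leaked_emails(html))
```

Run as part of a page-rendering test: any non-empty result is a field that should be looked up server-side instead of echoed into the HTML.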
We have looked into this issue and have confirmed this is not a security hole. No personal information is revealed to users other than through obscure links that are only available to the true site owner.
This URL is only available:
1. In the emails we send to users to claim their site, so only the true owner receives these.
2. On the Posterous site itself, but only when we know it's the site owner (based on cookies and other tests).
That Google search does include a bunch of unclaimed sites. However, none of those sites will include the secret hash, and therefore none will expose the email address.
The fact that we include the email address in the form is definitely odd, and we're removing that now. But nonetheless, it's only visible to the person who created that site, behind obscure URLs.
We're very confident in the system we have built. While making things super simple for the common user, we never forget that our users care a lot about keeping their information secure.
Thanks for bringing this to our attention. We always need to be one step ahead of the hackers/spoofers, and we thank the Hacker News community for keeping us on our toes!
I'll leave my original post intact as an example of what happens when you get 3 hours sleep and then shoot your mouth off.
As an EDUCATED user YOU accept it; I'm not sure most of the Posterous users understand, and would make the same decision to use Posterous if they did.
This is like saying car companies could sell shitty locks on their cars because they mostly won't be tested anyway, and the driver will have an easier time getting into the car. It's VERY unlikely my mother's car will be broken into, just statistically speaking, but hey, even if it happens it's just one person. Not a big deal.
I'm pretty sure if Posterous made it clear how easy this is, many users would stay away, just like many people would not buy Toyotas if they came with shitty locks, no matter how little they expected to be broken into.
If some random idiot posts a link to a Nigerian scam on your blog, you just delete it and get on with your life.
Edit — More extensive list here: http://posterous.com/explore/moreblogs
That's the problem with minimizing security: you're making it so that there can't (or shouldn't) be trust between users because there's no reliable way to know who is making the post.
"Hey, just a quick note to let you know I tried <apple app link> and I love it! Grab it now!"
Or, more dangerously, someone could post a phishing link and because the context is different, people's trained safeguards ("BE WARY OF E-MAIL!") aren't as wary to blog links.
So yes, there are sometimes tradeoffs between security and ease of use. But I think trust is more important to posterous than you credit.
And what happens when the idiot who posts the Nigerian scam on your blog scams your mother, who is reading your blog and assumes it's from you? No big deal? Move on with your life? Try and be a little imaginative with the things that could be done here...
If it's not a big deal, Posterous should make it clear to users what they give up for convenience. Again, I really don't think users would make the same choice they are making to use Posterous if they understood the implication, whether or not it matters to you.
And more importantly, there are a ton of people suggesting pretty viable alternatives that wouldn't make it harder to post and would still allow a lot more security.
Further, I think if you made the downsides of everything abundantly clear to people then they would just be really scared. Everything, including posting to hackernews, has horrific potential consequences. But generally as long as bad things don't happen, people don't pay much attention to them. Where there's no smoke, there's no fire.
It's the typical false assumption non-technical users have about security: who would be interested in hacking me anyway? Automated scripts, that is who.
Also, how are the email posts interpreted by Posterous - is it possible to post custom HTML snippets and JavaScript via email? This would be scammers' heaven, as they could probably even hide that a blog has been spammed.
I can imagine quite a lot of spammers who would love to have a blog-post on an otherwise reputable blog. If spammers manage to abuse this system they could get their blogposts, filled with links and instructions to buy medication, all over all posterous blogs.
Posterous does a good job of keeping them out, I think, because I've never seen a spam post.
If spammers already have a list of "valid" email addresses, how long before they start randomly hitting post@posterous.com with spoofed headers on a regular basis?
So, you'd need some 12 million blog posts that look real enough to fool a user's reader to get one conversion.
And it's not like Posterous isn't aware of the insecure nature of email. As some have suggested, they can just turn on pre-approval of submissions and this whole thing would be moot.
Put it another way: if you were to compete against them, would you create a blog-by-email service that focuses on being secure? Or ease of use? I imagine the latter has a lot more value to users. As Schneier always says, security is all about trade-offs, and choosing to handle "what-if" scenarios tends to be less nice than handling "this-is-what-is-going-on-for-real" scenarios.
E-mail spammers might need to send out millions of messages to get a conversion, but a more carefully crafted scam on a popular blog might be profitable with significantly less views.
Edit: Seen in other comments -- cool thing would be for Posterous to support SPF. Definitely techie oriented and not for general folks, but in a system like Posterous, it should be baked in from day one. It would protect quite a few folks, with the majority of them not even realizing or knowing what SPF is.
If you want to keep security simple enough that it doesn't strangle the service then hand out a unique email like post-45h231sxax23s1@posterous.com and have the user add that to their address book - voilà, you've managed to add a layer of obscurity to Posterous' posting mechanism at least, even though it's still not really a strong one.
On the surface, what you say makes sense, but the real life data doesn't back it up.
Compare to: http://www.schneier.com/blog/archives/2010/05/why_arent_ther...
2) I don't understand the need to post by e-mail. What does that gain me? Is there any use in that other than gimmick? Wouldn't a nice site offer me more chances for formatting, etc? What is the difference between typing info into a site and into an e-mail? What is the benefit? Can't a site be easier to use than e-mail?
3) Security is not a concern? I hope you are happy with the size of your company since it can not grow, because once you become any kind of force in the market, you will have to deal with things that you may not have to deal with now.
If you can't think of any scenarios in which this is a problem, let me enlighten you:
- Lawsuits because an angry ex/employee/anyone posts items on a blog. (Yes, this can happen with other systems, but a lack of security is different from being hacked/people stealing passwords, etc.)
- Competitors who want to cause you problems.
- Unhappy customers who find their site "hacked", including support time and money.
Now that the "hack" is discovered, expect more. Security through ignorance is gone once the ignorance is gone.
When you ignore warning signs because nothing bad has happened YET, get ready. Look at BP. Over 700 violations they shrugged off because it didn't affect them. Now it does and their stock, company name, and the well-being of many they affected is in the toilet.
This is your wake up call. Listen to it: don't ignore it. Security matters.
If the email doesn't include the passkey, the user would receive a "click link to publish" email.
Simple.
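The passkey-or-confirmation workflow in this comment needs one piece of machinery to be safe: a "click link to publish" URL that cannot be guessed or altered to approve a different post. The following is an added example, not Posterous code, using an HMAC over the held post's id and an expiry; the signing key, post ids and the `https://blog.example/publish` endpoint are constructed placeholders:

```python
import base64
import hashlib
import hmac
import time

# Per-deployment signing key; a real service loads this from its secret store.
# Constructed here so the example runs offline.
SERVER_SECRET = b"constructed-example-key-do-not-reuse"
TOKEN_TTL_SECONDS = 24 * 3600


def _mac(secret, post_id, expires):
    """URL-safe HMAC-SHA256 tag over 'post_id:expires'."""
    msg = f"{post_id}:{expires}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def make_publish_token(secret, post_id, now=None, ttl=TOKEN_TTL_SECONDS):
    """Bind the held post's id and an expiry to an HMAC tag. The link only needs
    to be unforgeable and short-lived; it carries no user data."""
    expires = int(now if now is not None else time.time()) + ttl
    return f"{post_id}:{expires}:{_mac(secret, post_id, expires)}"


def verify_publish_token(secret, token, now=None):
    """Return the post id if the token is intact and unexpired, else None."""
    try:
        post_id, expires_s, mac = token.rsplit(":", 2)
        expires = int(expires_s)
    except ValueError:
        return None  # wrong shape: not something we issued
    if int(now if now is not None else time.time()) > expires:
        return None  # expired link
    # Constant-time comparison so a forged tag cannot be narrowed down byte by byte.
    expected = _mac(secret, post_id, expires)
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return None
    return post_id


def route_inbound_post(body_passkey, blog_passkey):
    """The workflow from the comment: a post carrying the blog's passkey is
    published directly; anything else is held and the owner gets a confirmation
    link by e-mail. The passkey is compared in constant time."""
    if body_passkey is None or blog_passkey is None:
        return "hold"
    if hmac.compare_digest(body_passkey.encode(), blog_passkey.encode()):
        return "publish"
    return "hold"


def confirmation_link(secret, post_id, now=None):
    """Hypothetical endpoint on an RFC 2606 reserved example domain."""
    return f"https://blog.example/publish?t={make_publish_token(secret, post_id, now)}"


if __name__ == "__main__":
    print(route_inbound_post(None, "owner-passkey"))            # hold
    link = confirmation_link(SERVER_SECRET, "post-42")
    print(link)
    token = link.split("t=", 1)[1]
    print(verify_publish_token(SERVER_SECRET, token))            # post-42
```

Because the token is bound to the post id, a confirmation link for one held post cannot be reused to release another, and because it expires, a link that leaks from an old mailbox stops working on its own.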
I think Posterous hasn't grown to a point where they have to worry about it yet, but look at the exploits on Wordpress. They're much more advanced and hackers continually attempt to break in for fun or for abusive reasons. It's naive to assume that you can simply keep this convenience as a security trade off as the product gains the attention of the world.
I disagree that it's not possible to stay ahead of them. That's our job.
If something offensive appears on your posterous under your name, will anyone believe you when you claim it's a hack?
On the other hand, maybe it provides a convenient excuse if you post something dumb and want to disown it . . .
The compromise I suggested here addresses both concerns (ease of use and security)
That solves the issue for me, but not for most (less tech-savvy) people. I think what Posterous needs is the ability to require confirmation by email when a post is made by email. I get that you can do this by setting your blog to 'anyone can post', but that seems counterintuitive, and most people don't understand how easy it is to spoof emails. As long as the confirmation can be done by email, I don't think it'd be much of an inconvenience.
There's nothing stopping Posterous keeping it working exactly the same way, but providing an additional layer of protection for users who want to lock down their blog.
1.) Don't publish emails unless they passed DKIM
2.) Don't publish emails unless they passed SPF
3.) Don't publish emails unless they contain a secret password
4.) Don't publish emails unless they're signed with my PGP key.
Any of the above would be enough. It's all about choice.
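Options 1 to 3 above can all be enforced at the point where the inbound message is turned into a post, once the MTA has recorded its SPF and DKIM verdicts in an Authentication-Results header (RFC 8601). The following is an added example, not Posterous code, of that per-blog policy check; the authserv-id `mx.blog.example`, the sample messages and the "first body line is the secret" convention are all constructed assumptions, and option 4 (PGP) is left out because it needs a signature verifier:

```python
import email
import hmac
import re
from email import policy

# The authserv-id our own MTA writes into Authentication-Results (constructed value).
OUR_AUTHSERV_ID = "mx.blog.example"


def parse_authentication_results(value):
    """Parse one Authentication-Results header into (authserv_id, {method: result}).

    Only the method=result tokens are kept; property/value pairs such as
    smtp.mailfrom=... are ignored here.
    """
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return None, {}
    authserv_id = parts[0].split()[0].lower()
    results = {}
    for part in parts[1:]:
        m = re.match(r"([a-z0-9-]+)=([a-z]+)", part, re.I)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return authserv_id, results


def trusted_auth_results(msg):
    """Merge results only from headers carrying our own authserv-id. A copy of
    the header can arrive with the message itself, so anything with another id
    is ignored (RFC 8601, section 5)."""
    merged = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_authentication_results(str(value))
        if authserv_id == OUR_AUTHSERV_ID:
            merged.update(results)
    return merged


def body_has_secret(msg, secret):
    """Option 3: the first non-empty line of the text body must equal the
    blog's posting secret (constant-time comparison)."""
    body = msg.get_body(preferencelist=("plain",))
    if body is None or secret is None:
        return False
    for line in body.get_content().splitlines():
        if line.strip():
            return hmac.compare_digest(line.strip().encode(), secret.encode())
    return False


def decide(raw_message, blog_policy, blog_secret=None):
    """Return 'publish' or 'hold' for one inbound post under the blog's chosen
    policy ('dkim', 'spf' or 'secret'). Anything short of an explicit pass holds."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    if blog_policy in ("dkim", "spf"):
        ok = trusted_auth_results(msg).get(blog_policy) == "pass"
    elif blog_policy == "secret":
        ok = body_has_secret(msg, blog_secret)
    else:
        ok = False  # unknown policy: fail closed
    return "publish" if ok else "hold"


# Constructed sample messages.
SAMPLE_AUTH_PASS = """\
Authentication-Results: mx.blog.example; spf=pass smtp.mailfrom=alice@example.org; dkim=pass header.d=example.org
From: alice@example.org
To: post@blog.example
Subject: Hello

First post
"""

# A forged header arrives with the mail; our MTA's own header says the checks failed.
SAMPLE_FORGED = """\
Authentication-Results: mx.attacker.example; spf=pass; dkim=pass
Authentication-Results: mx.blog.example; spf=fail smtp.mailfrom=alice@example.org; dkim=none
From: alice@example.org
To: post@blog.example
Subject: Hello

First post
"""

SAMPLE_SECRET = """\
From: alice@example.org
To: post@blog.example
Subject: Hello

correct horse
Body of the post follows the secret line.
"""

if __name__ == "__main__":
    print(decide(SAMPLE_AUTH_PASS, "dkim"), decide(SAMPLE_FORGED, "dkim"),
          decide(SAMPLE_SECRET, "secret", blog_secret="correct horse"))
```

The `trusted_auth_results` filter is the part that is easy to forget: without it, a sender can simply include a favourable Authentication-Results header in the mail they send, and the policy check would believe it.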
That would be the ideal scenario for me personally...
edit:
It looks like this is already standard functionality (if turned on, and even if not there is still an email sent with a delete link).
I don't think Dustin does a good job explaining why "It is OK" in this blog post, but I think I agree with his conclusion; this doesn't seem like a big deal if a user has opted for the more optimistic workflow rather than the more precautionary one.
And this happens absolutely everywhere. And it's true. But this problem won't go away until we start FORCING people to adapt, by adopting stricter measures everywhere.