undefined | Better HN

0 pointsdpifke1y ago0 comments

Yes, I clear cookies every time I close my browser, as a layered approach to privacy on top of uBlock Origin and NoScript. There isn't a great way to exclude certain sites from this, other than setting up a dedicated web browser in a container just for Mercury.

I wasn't aware that WebAuthn didn't have this requirement. I prefer TOTP because I actually like having a second factor in addition to a credential stored on my computer's hard drive (whether a password or a private key in my password manager), but I might be willing to reduce my security posture to get rid of this annoyance.

One suggestion: the link would be half as annoying if it was easily cut-and-pasteable rather than a long email-open-tracking link spanning multiple lines. This is what it looks like when I copy it out of my email:

  https://email.mg.mercury.com/c/eJxMzs1u4jAUBeCncXZB9vVfvPACZshoWIwYoiasdgkra2KV_JCGqPTpK-imq7xxx40vlO9IKia6ggL6zUlQHObdF6\
  JI0alRHBWQvWKRuD4loLZxsJSRXZAwfNBQeQWozasdgeWsMyFZozE4RKZ4d151NOFtuq9w6IqLb-d5fGdyzaBmUIdx_NkzqBeacrqXkZaMxGSNQyQmf7_9GW7\
  Hf1cJ8zW9TshAwwba3ccLuN3u_r_PR9j_GkxxxmadDu32c59jMfkYFmKKP0baIT0vzP4ynHN_-yyhZOTy9jmPPQn6gL-VLMfvvIA_XxbywRYhUbZUp0RpVCUC\
  qDsbasJHeObFMZ4YrFw1cAAAD__4XPZXw

I have to manually remove the backslashes and re-combine the lines before pasting into my web browser.

Edit to add: looks like email.mg.mercury.com is hosted by Mailgun. Are you intentionally sharing these authentication tokens with a third party by serving them through this redirect? Do your security auditors know about this?

0 comments

incompatible1y ago

I set Firefox to delete cookies at shutdown, and also an add-on called Cookie AutoDelete, but they both have an option to whitelist a site.

packtreefly1y ago

> I wasn't aware that WebAuthn didn't have this requirement. I prefer TOTP because I actually like having a second factor in addition to a credential stored on my computer's hard drive (whether a password or a private key in my password manager), but I might be willing to reduce my security posture to get rid of this annoyance.

I've seen passkeys support something like what you're after. The browser will produce a QR code you scan with your phone, and then you authenticate with the passkey via the phone, which then authorizes the original browser.

I'm not absolutely certain that this is part of the spec or how it actually works. I'd like to know. It solves a couple different usability issues.

You could always use something like a Yubikey.

dpifkeOP1y ago

> You could always use something like a Yubikey.

This is the option I prefer, but only on sites that allow me to enroll more than one device (primary, and backup for if the primary gets lost or damaged). AFAICT, Mercury only allows a single security key.

I have an encrypted offline backup of my TOTP codes, so if I drop my phone on the ground, I don't get locked out of all my accounts. I keep this separate from the encrypted offline backup of the password manager on my computer, and as far as I know, neither has ever been uploaded to anyone else's "cloud." Malware would have to compromise two completely separate platforms to get into my accounts, rather than just iCloud or whatever credentials.

I understand the desire for phish-proof credentials, but—given that I don't click links in emails—my personal threat model ranks a compromised device (via attack against a cloud service provider, or software supply chain attack against a vendor with permission to "auto-update," or whatever) much higher likelihood than me personally falling victim to phishing. I readily admit that's not true for everyone.

packtreefly1y ago

> my personal threat model ranks a compromised device ... much higher likelihood than me personally falling victim to phishing

I completely understand that. I'd actually be interested in reading anything practical you might have on that topic if you don't mind. I asked some experts who gave a talk on supply chain security last year ... they didn't have a lot of positive things to say. Developing software feels like playing with fire.

1 more reply

MaxGabriel1y ago

> AFAICT, Mercury only allows a single security key.

We allow multiple security keys. You can add more here: https://app.mercury.com/settings/security

1 more reply

watermelon01y ago

Is there a reason that TOTP cannot be used as a second factor when using Passkeys?

Not sure why we suddenly went from 2 factors (password + TOTP) to 1 factor (passkey), even if passkeys themselves are better.

TOTP should at least be an option for the users.

jeremyjh1y ago

You have to send emails through third parties or people won't get them, because you are also always sending them to third parties who host the recipients email and manage their spam. It might be a good reason not to send magic links but here we are talking about a tertiary confirmation, so its useless on its own right?

dpifkeOP1y ago

The link in the email could be a direct link to Mercury's website, rather than one that passes through a third-party HTTP redirect service.

Authentication tokens (even tertiary ones) usually are supposed to have pretty strong secrecy guarantees. I've done multiple security audits for SOC, PCI, HIPAA, etc., and in every case the auditors would have balked if I told them signin tokens were being unnecessarily logged by a third-party service.

(Also: I strongly disagree that the only way to get reliable delivery is via a third-party email service, especially at Mercury's scale, but that's a digression from the topic at hand.)

MaxGabriel1y ago

Oh good find, the link going through Mailgun as a redirect is a recent regression. We have a PR to fix that going live soon.

That said, our security team and I agree there is no security issue here. Mailgun already can see the text of the emails we send.

1 more reply

mbreese1y ago

> passes through a third-party HTTP redirect service

The vendor might not be the only party to use an HTTP redirect service too! My email goes through a security screen by $EMPLOYER, which also rewrites links to get processed through their redirect service. Sure, it's for company-approved reasons, but it's still another party that has access to the login token.

mhitza1y ago

At the very least, you can be creative with workarounds for such issues. A bookmarklet can be convenient.

    javascript:void(window.location.href = window.prompt().replace(/\\\n\s*/g, ''));

thefreeman1y ago

So you are intentionally crippling your browser and ability to access email (you need to ssh to another computer and access via terminal). You also aren’t able to handle emacs wrapping of long lines. And you are complaining that the security in place to prevent stolen credentials is “inconveniencing you”.

adastra221y ago

Pretty sure that is eMacs formatting, not the email itself? Can you kill-copy the URL?

lyime1y ago

What would be a more secure (yet reliable) method for email delivery for such emails?

dpifkeOP1y ago

Make the link in the email https://mercury.com/something instead of https://mailgun.com/something (which then redirects to https://mercury.com/something). Or (in addition to, or instead of, a hyperlink) provide a 6-10 digit numeric or alphanumeric code that could be copied out of the email message into a form field on the signin screen.

MaxGabriel1y ago

> 6-10 digit numeric or alphanumeric code that could be copied out of the email message into a form field on the signin screen.

To be clear this is what we're trying to avoid. An easily typeable code like that can be typed into a phisher's website.

1 more reply

sebastiennight1y ago

My understanding (as CEO of a startup using Mailgun for magic links) is that you're seeing mailgun in the URL because they have click tracking enabled — which, to be fair, is not super useful in the case of verification emails.

They could use a custom subdomain for this click tracking and "hide" the mailgun url from you, but we're finding that for some reason Mailgun doesn't just use a let's encrypt certificate, so some users will complain that the tracking links are "http" (and trigger a browser warning when clicked).

Anyway, even with click tracking disabled and links going straight to mercury.com, the security issue would remain the exact same (since Mailgun logs all outgoing email anyway).

But my understanding is that the contents of that email and its link do not provide "login" capability but "verification" capability. As such, a Mailgun employee accessing your data, or an attacker accessing your Mailgun logs, would only be able to "verify" a login that they had already initiated with your password AND your OTP —which means that's effectively a third hurdle for an attacker to breach, not a one-step jump into your account.

j / k navigate · click thread line to collapse

0 comments

incompatible1y ago

I set Firefox to delete cookies at shutdown, and also an add-on called Cookie AutoDelete, but they both have an option to whitelist a site.

packtreefly1y ago

I'm not absolutely certain that this is part of the spec or how it actually works. I'd like to know. It solves a couple different usability issues.

You could always use something like a Yubikey.

dpifkeOP1y ago

> You could always use something like a Yubikey.

packtreefly1y ago

> my personal threat model ranks a compromised device ... much higher likelihood than me personally falling victim to phishing

1 more reply

MaxGabriel1y ago

> AFAICT, Mercury only allows a single security key.

We allow multiple security keys. You can add more here: https://app.mercury.com/settings/security

1 more reply

watermelon01y ago

Is there a reason that TOTP cannot be used as a second factor when using Passkeys?

Not sure why we suddenly went from 2 factors (password + TOTP) to 1 factor (passkey), even if passkeys themselves are better.

TOTP should at least be an option for the users.

jeremyjh1y ago

dpifkeOP1y ago

The link in the email could be a direct link to Mercury's website, rather than one that passes through a third-party HTTP redirect service.

(Also: I strongly disagree that the only way to get reliable delivery is via a third-party email service, especially at Mercury's scale, but that's a digression from the topic at hand.)

MaxGabriel1y ago

Oh good find, the link going through Mailgun as a redirect is a recent regression. We have a PR to fix that going live soon.

That said, our security team and I agree there is no security issue here. Mailgun already can see the text of the emails we send.

1 more reply

mbreese1y ago

> passes through a third-party HTTP redirect service

mhitza1y ago

At the very least, you can be creative with workarounds for such issues. A bookmarklet can be convenient.

    javascript:void(window.location.href = window.prompt().replace(/\\\n\s*/g, ''));

thefreeman1y ago

adastra221y ago

Pretty sure that is eMacs formatting, not the email itself? Can you kill-copy the URL?

lyime1y ago

What would be a more secure (yet reliable) method for email delivery for such emails?

dpifkeOP1y ago

MaxGabriel1y ago

> 6-10 digit numeric or alphanumeric code that could be copied out of the email message into a form field on the signin screen.

To be clear this is what we're trying to avoid. An easily typeable code like that can be typed into a phisher's website.

1 more reply

sebastiennight1y ago

Anyway, even with click tracking disabled and links going straight to mercury.com, the security issue would remain the exact same (since Mailgun logs all outgoing email anyway).

j / k navigate · click thread line to collapse