Security risk found in RiseUp's email technology

Tacosarabes asked a question...
I use various different servers for various different projects, and one of the more secure servers has a policy built in to its email system that logs out any user if his/her IP address changes. This is a highly secure feature, which prevents an interested party from intercepting packets because if the session ID and IP address do not match (in other words, if it's not a uniquely secure session made from one device) then the server doesn't allow any emails to be read or sent.

I noticed that this feature is NOT present with RiseUp's webmail interface.

Does RiseUp have any plans on implementing this higher security policy/configuration?
Vote | 0
Owen replied...
NB I'm not a riseup admin, just commenting as another user.

I can see at least 2 problems with this suggestion:

1. It would require riseup to log IP addresses, which I imagine they would prefer not to do (and which many of us would prefer them not to do).

2. It would not work well with Tor, which changes to a different exit node every 10 minutes or so. Anyone trying to use a system like this through Tor would have to deal with the frustration of constantly being logged out (since from the server's point of view it looks like you change IP address every 10 minutes).

As an aside, I can't see how the system you outline actually offers any extra protection against 'intercepting packets' beyond what https or onion encryption already provide. It DOES make session hijacking more difficult, but reduces anonymity in the process.

So I would actually advise against such a system.
Vote | 0
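
The trade-off discussed in this thread, as an added example that is not part of the thread and not RiseUp's code. It models the IP-bound session policy from the question with a hypothetical `IPBoundSessions` store and constructed traffic, and assumes, as the reply does, that a Tor user's exit address changes about every 10 minutes.

```python
import secrets

class IPBoundSessions:
    """Hypothetical session store enforcing the policy from the question:
    a session is only valid from the IP address that created it."""

    def __init__(self):
        # The server must retain each client's IP in order to compare it later.
        self._bound_ip = {}

    def login(self, client_ip):
        sid = secrets.token_urlsafe(32)
        self._bound_ip[sid] = client_ip
        return sid

    def check(self, sid, client_ip):
        """Accept the request only from the bound IP; destroy the session otherwise."""
        bound = self._bound_ip.get(sid)
        if bound is None:
            return False
        if bound != client_ip:
            del self._bound_ip[sid]  # IP changed: forced logout
            return False
        return True

    def retained_ips(self):
        """Addresses the server is holding as a side effect of the policy."""
        return set(self._bound_ip.values())


def simulate(requests):
    """requests: list of (minute, source_ip). Logs in from the first address,
    logs in again after every forced logout, and returns the logout count."""
    store = IPBoundSessions()
    sid = store.login(requests[0][1])
    logouts = 0
    for _minute, ip in requests[1:]:
        if not store.check(sid, ip):
            logouts += 1
            sid = store.login(ip)
    return logouts

# Constructed traffic (documentation-range addresses): one request every
# 5 minutes for an hour.
DIRECT = [(m, "203.0.113.7") for m in range(0, 60, 5)]
# Assumption from the reply: the exit address changes every 10 minutes.
TOR = [(m, f"198.51.100.{m // 10 + 1}") for m in range(0, 60, 5)]
```

Over the simulated hour the direct client is never logged out, while the client whose address rotates is forced to log in again at every rotation.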
Wxl replied...
This ticket has been open for a long time with no reply. Therefore, we will assume that your issue is resolved or no longer relevant. That said, we will now close this ticket.

If there is still a need, please reply back with the relevant information we need to further diagnose and/or troubleshoot this and we'll do everything we can to help.

in solidarity,
riseup collective
Vote | 0