New JQM Smartphone & Tablet Portal - Available Now

[Nathan @ BodyMods]

Hi there. Is there a way to add an icon on my BlackBerry for access to EYEZ-ON, vs. having to use the link in my email?

Thanks guys!

[smyers119]

On most phones you can bookmark the link then make a shortcut to that bookmark on your phone.

[Nathan @ BodyMods]

Fantastic lead, I got it sorted, thanks!

[telecomgeek]

The mobile site does NOT ask you to login. If someone can guess the URL string or write a script to guess the URL ... they will be able to monitor my alarm system and see if anybody is home and if the system is armed!!!! Heck the script kiddy next door that sniffs the cable modem line or any proxy server you go through or any smart kid that is wi-fi sniffing at the local Starbucks can drop out your URL. At that point they have full access to monitor my alarm. Not good!!!

When will the site require logging in before people can access this sensitive data?

Failure to Restrict URL Access
https://www.owasp.org/index.php/Top_10_ ... URL_Access

[smyers119]

I do partially agree with you. It is a security risk but I do not agree with a user and password. There is ways where you can enable a particular device such as a phone or computer and only that device has access. If you ever lose this device you would have the ability to disable that particular device. I believe in order for them to accomplish this they would need to make a application as oppose to just having a mobile link though.

[bwalter]

Is there a way to get the hash without having it sent via email, perhaps instead displaying it somewhere in the main portal?

Email is not encrypted during transport and may be stored along the way. As a result, the hash can be intercepted or even remain stored somewhere after you delete the email, so the concerns about not requiring a username/password for the mobile portal are valid.

HTTPS encrypts the URL so there's no concern when actually accessing the site using the hash, it's obtaining the hash securely that's the issue.

[smyers119]

Most email servers do use encryption...it would be up to eyez on to send it encrypted then it would be up to you to connect to your imap or pop account encrypted

[bwalter]

Every mail server along the way would need to use valid certificates and verify them so even if eyez on uses encryption to connect to their mail server, there's no guarantee that any and all intermediate mail servers also use encryption. It's still common for email to be passed between servers as plain text without additional security.

When sending email, one should assume it is insecure and if security is required the contents should be encrypted. This is different from using a secure connection to the mail server, the purpose of which is to protect your password, not the email contents.

[smyers119]

"Transport Layer Security (TLS). It is coupled with Simple Authentication and Security Layer (SASL), which confirms the target router's identity. This ensures that unintended servers don't end up with a copy of the email, which happens frequently in the course of normal correspondence. This method is the only method that is completely transparent to end-users and does not require the creation of individual certificates for each user. Gmail adopted TLS on outgoing mail in October 2011. Other major webmail providers such as Yahoo! and Hotmail have yet to announce any plan to adopt TLS on outgoing mail."

^^^^^^^^^^^^^^^^^^^^^^^^^

So you were saying?

[bwalter]

"Transport Layer Security (TLS). It is coupled with Simple Authentication and Security Layer (SASL), which confirms the target router's identity. This ensures that unintended servers don't end up with a copy of the email, which happens frequently in the course of normal correspondence. This method is the only method that is completely transparent to end-users and does not require the creation of individual certificates for each user. Gmail adopted TLS on outgoing mail in October 2011. Other major webmail providers such as Yahoo! and Hotmail have yet to announce any plan to adopt TLS on outgoing mail."

^^^^^^^^^^^^^^^^^^^^^^^^^

So you were saying?

I'm saying TLS isn't widely enough adopted to consider email secure. There is also no way to ensure TLS is used along the entire route. If some node along the way doesn't support it, your email will not be rejected, instead it will be transmitted in clear text. That is to say, even if I knew eyez on used TLS to send the message to their outgoing mail server, and I knew I used a secure way of connecting to my email server, I have no idea what may have happened along the route.

http://security.stackexchange.com/quest ... -providers

The important part is:

Any time you are sending/receiving e-mail which is not protected by S/MIME, PGP, or a similar end-to-end encryption solution, you must assume that the message has been transmitted or stored in the clear, or in another form readable by a third-party, somewhere.