Elgg Email Integration, Mike Jett #ecsf

Post on 22-Feb-2017

Approved for Public Release: 12-1298

Elgg Email Integration

Michael Jett <mjett@mitre.org>

Thursday, April 12, 2012

Handshake

What is Handshake?

Business networking prototype built on top of the Elgg platform

Created to support relationships between current employees, industry, vendors, academia, sponsors, former employees, and other FFRDCs

Email Integration?

A feature which allows users to communicate directly with the elgg platform from their email client

Why?

Increased accessibility (mobile, box-top)

Familiar ground for veteran users

List-serv transition

Convenience

Not a new concept

Facebook

Moodle

WordPress

Blogger

Basic Flow

System issues a user a special email address

User sends an email to this special address

System receives email and performs an action

my.special.email@domain.com

Concerns

Security

Server resource consumption

Maintenance

Storage

Security Threats

Email address spoofing

Unintentional forwarding of email secrets

Maliciously flooding server with email traffic

Security Specifics?

Tokens, Keys, Specials

Where do we Embed, Issue, or Store them?

Do they expire?

Security Approaches

User Expired

User is issued a special email address to perform an action

User may regenerate a new email address if they feel it has been compromised

e.g. (my.silly.email@elggbook.com)

User Expired

Advantages:

Manageable

Usable

Disadvantages:

Requires IP Monitoring

Requires Extensive logging

silly.email.address@elggbook.com

System Expired

System automatically expires email address within a specific time frame.

valid.for.30.days@elggbook.com

System Expired

Advantages:

Security is more centralized

Disadvantages:

Requires extra system resources to validate expired emails

Our Approach

System Expired

Signature embedding to thwart spoofing attempts

Action embedding

Huh? Example Please!?

create.comment.123+8vFBxhiU@elggbook.com

Do?

What?

Where?

Security!
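The slides do not say how the part after `+` is built. As an added example (not code from the presentation or from Handshake), one way to issue and check such an address is a truncated HMAC over the action, the target id, the recipient's registered address and an expiry time. The key, the token layout and the function names are assumptions.

```python
import base64, hashlib, hmac, struct

SECRET = b"constructed-demo-key"  # assumption: per-site secret kept server-side
DOMAIN = "elggbook.com"           # domain from the slide's example address
TTL = 30 * 24 * 3600              # assumption: 30 days, as in valid.for.30.days@

def _tag(action, guid, user_email, expires):
    # MAC binds what to do, where, for whom, and until when.
    msg = f"{action}|{guid}|{user_email.lower()}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:10]

def issue_address(action, guid, user_email, now):
    """Build action.guid+token@domain for one user's notification email."""
    expires = int(now) + TTL
    raw = struct.pack(">I", expires) + _tag(action, guid, user_email, expires)
    token = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{action}.{guid}+{token}@{DOMAIN}"

def verify_address(rcpt, from_email, now):
    """Return (action, guid) if authentic, unexpired and bound to the sender."""
    try:
        local, domain = rcpt.rsplit("@", 1)
        head, token = local.split("+", 1)
        action, guid = head.rsplit(".", 1)
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        (expires,) = struct.unpack(">I", raw[:4])
    except (ValueError, struct.error):
        return None  # malformed address or token
    if domain.lower() != DOMAIN or not guid.isdigit():
        return None
    # Constant-time compare; fails if action, guid, sender or expiry was altered.
    if not hmac.compare_digest(raw[4:], _tag(action, guid, from_email, expires)):
        return None
    if now > expires:
        return None  # system-expired address
    return action, int(guid)
```

Base64 tokens are case-sensitive, so this layout assumes the mail path preserves the case of the local part. A From header can itself be forged, so the sender binding only helps alongside the secret token.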

Acquisition

How does a user obtain one of these “special” email addresses?

Automatically embedded in notifications

To: billy@bob.com
From: no.reply@elggbook.com

Someone commented on your discussion topic

Email a reply href=”mailto:create...

Conclusion
