'Elgg email integration' Mike Jett #ECSF

Published in: Technology, Business

  1. Elgg Email Integration. Michael Jett <mjett@mitre.org>. Approved for Public Release: 12-1298. Thursday, April 12, 2012
  2. Handshake
  3. What is Handshake? A business networking prototype built on top of the Elgg platform, created to support relationships between current employees, industry, vendors, academia, sponsors, former employees, and other FFRDCs.
  4. Email Integration? A feature which allows users to communicate directly with the Elgg platform from their email client.
  5. Why? Increased accessibility (mobile, box-top); familiar ground for veteran users; list-serv transition; convenience.
  6. Not a new concept: Facebook, Moodle, WordPress, Blogger.
  7. Basic Flow: System issues a user a special email address (my.special.email@domain.com). User sends an email to this special address. System receives email and performs an action.
  8. Concerns: Security; server resource consumption; maintenance; storage.
  9. Security Threats: Email address spoofing; unintentional forwarding of email secrets; maliciously flooding server with email traffic.
  10. Security Specifics? Tokens, Keys, Specials: Where do we embed, issue, or store them? Do they expire?
  11. Security Approaches
  12. User Expired: User is issued a special email address to perform an action. User may regenerate a new email address if they feel it has been compromised, e.g. my.silly.email@elggbook.com.
  13. User Expired (silly.email.address@elggbook.com). Advantages: manageable; usable. Disadvantages: requires IP monitoring; requires extensive logging.
  14. System Expired: System automatically expires email address within a specific time frame, e.g. valid.for.30.days@elggbook.com.
  15. System Expired. Advantages: security is more centralized. Disadvantages: requires extra system resources to validate expired emails.
  16. Our Approach
  17. Our Approach: System expired; signature embedding to thwart spoofing attempts; action embedding.
  18. Huh? Example Please!? create.comment.123+8vFBxhiU@elggbook.com (callouts on the parts of the address: Do? Where? Security! What?)
  19. Acquisition: How does a user obtain one of these "special" email addresses? Automatically embedded in notifications. Sample notification: To: billy@bob.com. From: no.reply@elggbook.com. "Someone commented on your discussion topic." Email a reply (href="mailto:create...
  20. Conclusion
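
One way the three parts of "Our Approach" (system expiry, signature embedding, action embedding) could fit into a single address, as an added example that is not code from the talk or from Handshake. Only the address shape and the 30-day window come from the slides; the HMAC-SHA256 construction, the 16-character base32 token layout, binding the token to the recipient's user GUID, and the names `mint` and `verify` are assumptions.

```python
import base64, hashlib, hmac, re, struct

DOMAIN = "elggbook.com"           # domain shown on the slides
TTL_DAYS = 30                     # system expiry window, as in valid.for.30.days@...
SECRET = b"constructed-demo-key"  # constructed; load a real key from a secret store
ADDR = re.compile(r"([a-z]+)\.([a-z]+)\.([0-9]{1,12})\+([a-z2-7]{16})@" + re.escape(DOMAIN))

def _token(action, subtype, guid, user_guid, expiry_day, secret):
    # The MAC covers everything the address asserts, plus who it was issued to
    # and when it stops working, so none of those can be edited independently.
    msg = f"{action}.{subtype}.{guid}|{user_guid}|{expiry_day}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()[:8]  # truncated to fit a local part
    # Base32 is case-insensitive, so the token survives mail systems that fold case.
    return base64.b32encode(struct.pack(">H", expiry_day) + mac).decode().lower()

def mint(action, subtype, guid, user_guid, now, secret=SECRET):
    """Build the reply-to address embedded in a notification sent to user_guid."""
    expiry_day = now // 86400 + TTL_DAYS
    token = _token(action, subtype, guid, user_guid, expiry_day, secret)
    return f"{action}.{subtype}.{guid}+{token}@{DOMAIN}"

def verify(address, user_guid, now, secret=SECRET):
    """Return (action, subtype, guid) for an authentic, unexpired address, else None."""
    m = ADDR.fullmatch(address.strip().lower())
    if not m:
        return None
    action, subtype, guid, token = m.group(1), m.group(2), int(m.group(3)), m.group(4)
    # Expiry travels inside the token (first two bytes), so no per-address row is stored.
    expiry_day = struct.unpack(">H", base64.b32decode(token.upper())[:2])[0]
    expected = _token(action, subtype, guid, user_guid, expiry_day, secret)
    if not hmac.compare_digest(expected, token):
        return None   # forged, edited, or issued to a different user
    if now // 86400 > expiry_day:
        return None   # authentic but past its expiry day
    return action, subtype, guid
```

Here `user_guid` is the account the receiving side resolved from the incoming message's sender, and `now` is a Unix timestamp in seconds.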