
Poorly worded e-mail instruction from mozilla to change passwords, if it is genuine : Fwd: Second notice: LDAP password expiring.


ISHIKAWA,chiaki

Apr 8, 2016, 12:12:01 PM
to dev-pl...@lists.mozilla.org
Hi,

I have no idea where to report this,
but I have a feeling that dev-planning is where I can point out that the
current e-mail request sent by mozilla.org for LDAP password change leaves room
for improvement, so that the improvement can be planned for future
e-mails.

Here is what happened:
I have received an e-mail that requests an LDAP password change from
mozilla.org, if I were to believe that it comes from mozilla.org by
looking at the From: line.
If it is genuine, the mail is not worded clearly enough
to avoid misunderstanding. Many people may take it as a phishing e-mail.
(Possibly that is why I can't find the first notice?)

The e-mail quoted below came in today and requested me to
change my password in the mozilla LDAP database. Initially, I had no idea
whether this request e-mail was genuine or not. Why?

Issue 1:

It would be great if mozilla.org had an easy-to-access web page on its
website, in its own .mozilla.org domain, to make sure that the recipient
can check the authenticity of the e-mail: that mozilla.org does send out
such e-mails periodically to request the change of password, with such
wording, etc.
A single web page would at least assure us that such requests do come in.
As it stands, it is no different from a phishing e-mail from bad guys
asking me to log in to my banking account, etc. to change the password immediately
due to a breach incident, etc.
(Also, I don't think I received the first request in the last few weeks?
Maybe I overlooked it somehow. Or it could have gone into the spam folder?)

Issue 2:

If every URL involved in the process or in the accompanying text is
within .mozilla.org, the recipient has more assurance that the e-mail is genuine.

What compounded my uncertainty is this: naturally I wanted to check the
"further instructions" at the mentioned URL

https://mana.mozilla.org/wiki/display/SD/LDAP+Password+Reset+Instructions.

But when I accessed it, although it is supposed to be a wiki page for
MERE BROWSING of the instructions, it requested that I log in using
the said mozilla LDAP account (!) via an EXTERNAL authentication site.
If this is a phishing attempt, it is a perfect method to obtain the password
of an account holder.
The authentication URL is
https://mozilla.okta.com/login/login.htm?fromURI=%2Fapp%2Fmozillacorp_mana_1%2Fexk17bvb7gwCMzi161d8%2Fsso%2Fsaml%3FSAMLRequest%3DhZJbSwMxEIX%252FypL3NhvdbpfQFuouhUIVqZcHX0qMow3NzUy2Xn692S2V6oM%252BBU7mMOc7zASF0Z7P27i1a3htAWP2brRF3n9MSRssdwIVcisMII%252BS38wvV%252FxsmHMfXHTSaXJi%252BdshECFE5SzJls2UbOr8gtWL82JclixvRmNWVsVFvSiKipVNUVcku4eAaX5Kkj2ZEFtYWozCxiTlrBzkxSCvbtmIn1U8Lx5I1iQGZUXsXdsYPXJKjftUWouh20UxlM5Q4f1RlC74jRFWbBiF9x0bP%252B4fxy9v9eWnYiV7qiiiox0byWpnEbrVf0HKwxCXbQjpHSjjtZIqkmzhgoS%252B6yl5FhqhI7pOpag9fCvzY0fdstZAuIGwVxLu1qsTnhR3%252BA0VXqgBrZ2l3mFcA%252FouAplNutS8Ly3Mflsm9PR3cjiEq0SzbK5dCvzRxTXiH9hOUU%252BD536UxyAsqgSdMFKetzqAiAkthhYInR1W%252Fjy32Rc%253D%26RelayState%3Dhttps%253A%252F%252Fmana.mozilla.org%252Fwiki%252Fdisplay%252FSD%252FLDAP%252BPassword%252BReset%252BInstructions%26SigAlg%3Dhttp%253A%252F%252Fwww.w3.org%252F2000%252F09%252Fxmldsig%2523rsa-sha1%26Signature%3Dd7OenOqyYW7ymUhf2mMArzLMSGdKwmXew4pQVXwh80ZDoekQxBG5soNEP94ZdML358zJj9zdXCcPuINI%252BRQcaoNPriTyXmjdxPVsHK5OgnIuUCXajUwI%252F0lNBytcYs4Sttd67dxsgvtVXFHnZTZme1s%252B8MQnN2meAE72otBrupgIl2smnOot5vLDLMWb7%252F0ZSBhDcU3j9o7TpskGIODsLw%252F%252B8zS1y0GKSNNdTu7%252Ft0u0feJe%252FsVePRHIx8OUMdl0FdzfK5LptiZ1lMH5Tol5QZcy3wJAQsIqUkPdzUDHHp%252FjWHrbGcZ2AJCHyIrPR0OwUcCiZ%252B1bdVzg6pm8DzBguA%253D%253D

(OK, some of you working on single-sign-on type applications will
immediately notice the okta.com name and think that this is a non-issue.
But communication-wise, the current scheme sucks.)

The easy-to-reach web page which I mentioned in Issue 1 should state
very clearly that this okta.com site is used for mozilla log-in to access
(WHAT?) a simple instruction to change our LDAP passwords.

I wonder, though, if https://passwordreset.mozilla.org/ can do the
password resetting, why can't a similar site INSIDE mozilla's domain
let us log into the wiki page (?).
It is a little difficult to fathom the logic of the workflow, especially
the requirement to log in before one can read the change procedure.

Maybe okta.com usage and such is widely shared knowledge WITHIN core
mozilla employees, but for volunteer patch submitters, it is not. Well,
at least this volunteer does not know it. Thus the announcement web page
discussed in Issue 1 above.

Anyway, unless a permanent web page that can be accessed without needing
to log in explains clearly the flow of LDAP password change in a few
sentences, and that we need to access a certain EXTERNAL authentication
service to read the instructions (!?), a receiver of the request is not
quite sure whether he/she should follow this almost phishing-like e-mail.
The web page discussed in Issue 1 should mention the name of the
external service and its URL clearly.

Such additional information that allows one to cross-check the authenticity
goes a long way toward trusting such an e-mail request from mozilla.org.

WELL, if the following is NOT a genuine request from mozilla.org, I bet
someone is trying to collect the passwords for mozilla account holders :-)
(Just kidding, but are you sure?)

Of course, I checked that okta.com seems to have been in business since 2010,
but I have never met anyone who uses this service myself. Most of the
cloud services I use engage other authentication services, AND MORE TO
THE POINT, such services EXPLAIN THE USE OF THE EXTERNAL AUTHENTICATION
GATEWAY IN ADVANCE and in publicly accessible web pages(!).

BTW, I noticed that the first URL, as far as my careful checking goes,
DOES come from the mozilla.org domain, and so I should be OK (?).

In any case, requiring a login to access the instructions to change
a password is a bad design IMHO.

I hope this comment can help someone to re-word the e-mail text and let
someone provide a single web page for paranoid account holders
like me to cross-check the authenticity of the request e-mail to a better
degree.

TIA and thank you for offering the great software products and
infrastructure to work together.

PS: the use of PGP mail text with the PGP public key on a prominent web
page inside the mozilla.org domain might also add to the trust.

------- Forwarded Message --------
Subject: Second notice: LDAP password expiring.
Date: Fri, 8 Apr 2016 09:30:17 +0000 (UTC)
From: no-r...@mozilla.org
To: ishi...@yk.rim.or.jp



Hi,

Please change your LDAP password as soon as possible. The password
change form is available at https://passwordreset.mozilla.org/.
Further instructions on changing your password are at
https://mana.mozilla.org/wiki/display/SD/LDAP+Password+Reset+Instructions. Please remember
to log-out of all your current applications, before you reset your
password. Your current password is set to expire on Thu Apr 14 19:00:00 2016 in 6 days.

Please note that you will be locked out of LDAP based services if you
do not change your password before this period.

Thank you,
Mozilla SysAdmins

p.s: This add-on can help you with changing all of your ldap passwords in
Firefox - https://addons.mozilla.org/en-US/firefox/addon/9652/
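One concrete way to apply the domain check described under Issue 2 is to audit every link in a notice before it is sent (or, on the receiving side, before any link is followed). The script below is an added example and not Mozilla's own tooling: it extracts the URLs from the forwarded notice above, parses each hostname and classifies it as first-party (mozilla.org or a subdomain of it), third-party, or not served over HTTPS. The allowlist, the mozilla.okta.com login page URL without its query string, and the lookalike host `passwordreset.mozilla.org.example.net` are assumptions constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist: domains whose subdomains a recipient of a mozilla.org
# notice could treat as first-party. The thread asks for ".mozilla.org";
# Mozilla publishes no such list on this page.
TRUSTED_DOMAINS = ("mozilla.org",)

# Constructed sample input: the body of the forwarded notice quoted above.
NOTICE = """\
Please change your LDAP password as soon as possible. The password
change form is available at https://passwordreset.mozilla.org/.
Further instructions on changing your password are at
https://mana.mozilla.org/wiki/display/SD/LDAP+Password+Reset+Instructions. Please remember
to log-out of all your current applications, before you reset your
password.

p.s: This add-on can help you with changing all of your ldap passwords in
Firefox - https://addons.mozilla.org/en-US/firefox/addon/9652/
"""

# Absolute http(s) URLs up to the next whitespace or angle bracket/quote.
# Sentence punctuation glued to the end (the "." after the wiki link) is
# stripped afterwards.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _is_under(host, domain):
    """True only if host is domain itself or a real subdomain of it.

    Comparing suffixes with the leading dot rejects lookalikes such as
    passwordreset.mozilla.org.example.net, which merely *contain* the name.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def extract_urls(text):
    """Return every absolute URL found in text, trailing punctuation removed."""
    return [m.group(0).rstrip(".,;:)]") for m in URL_RE.finditer(text)]


def classify_url(url, trusted=TRUSTED_DOMAINS):
    """Classify one URL as 'trusted', 'untrusted' or 'insecure'."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        return "insecure"          # plaintext link: never acceptable in a reset notice
    if any(_is_under(host, d) for d in trusted):
        return "trusted"
    return "untrusted"             # third-party host: must be explained to recipients


def audit_links(text, trusted=TRUSTED_DOMAINS):
    """Map each URL in text to its classification."""
    return {u: classify_url(u, trusted) for u in extract_urls(text)}


def untrusted_links(text, trusted=TRUSTED_DOMAINS):
    """URLs a recipient could not verify as first-party from the hostname alone."""
    return [u for u, verdict in audit_links(text, trusted).items() if verdict != "trusted"]


if __name__ == "__main__":
    for url, verdict in audit_links(NOTICE).items():
        print(f"{verdict:10} {url}")
    # The wiki link passes the hostname check, yet the page behind it sends
    # the visitor to a third-party login. Auditing the observed destination
    # (constructed here from the thread, query string omitted) catches that.
    print(classify_url("https://mozilla.okta.com/login/login.htm"))
    print(classify_url("https://passwordreset.mozilla.org.example.net/"))
```

Every link in the notice itself is first-party by hostname, which is exactly why the thread's complaint is about what happens *after* the click: a template audit of this kind has to cover the final destination of each link, not only the text of the e-mail.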





Daniel Holbert

Apr 8, 2016, 2:35:55 PM
to ISHIKAWA,chiaki, dev-pl...@lists.mozilla.org, mpo...@mozilla.com
Thanks for bringing this up!

I think the bottom line here is the following: in emails that go out to
non-MoCo/MoFo employees, we should *never* be linking to Mana (MoCo's
HR/internal-ops wiki).

MoCo employees are familiar with Mana and the Okta authentication site.
But volunteers will not be familiar with them (and don't have access to
them, I believe). So, directing volunteers to Mana for "further
instructions" on a password-reset will make them feel like outsiders &
potentially cause worry about whether they're being phished.

Seems like some or all of this Mana page should move somewhere public
(though probably *not* to a *publicly-editable* wiki, from a security
perspective). That way, non-MoCo employees with LDAP accounts can have
access to it for instructions when they're resetting their LDAP
accounts. And just as important, the template for the LDAP-reset email
needs to be fixed to point to that public resource rather than the
MoCo-internal mana link.

I'm CC'ing mpoessy, who I think can get the right people's attention to
look into this. Thanks again for calling attention to this!

~Daniel

ISHIKAWA,chiaki

Apr 8, 2016, 8:07:04 PM
to Daniel Holbert, dev-pl...@lists.mozilla.org, mpo...@mozilla.com
Dear Daniel,

Thank you for the comment and clarification.

On 2016/04/09 3:35, Daniel Holbert wrote:
> Thanks for bringing this up!
>
> I think the bottom line here is the following: in emails that go out to
> non-MoCo/MoFo employees, we should *never* be linking to Mana (MoCo's
> HR/internal-ops wiki).
>
> MoCo employees are familiar with Mana and the Okta authentication site.
> But volunteers will not be familiar with them (and don't have access to
> them, I believe).

Right, I don't think I have access to MoCo.
Believe it or not, I could get past the login window using the
newly reset LDAP account, but instead of seeing an ordinary
wiki, I was greeted with a request to create a MoCo account, and when I followed the
instructions, I was kicked out; basically the system says I am not
authorised to use the application, etc. Very confusing.

> So, directing volunteers to Mana for "further
> instructions" on a password-reset will make them feel like outsiders &
> potentially cause worry about whether they're being phished.
Being outsiders is OK because we are outsiders :-), but
the doubt whether we are being phished or not is a serious matter.

> Seems like some or all of this Mana page should move somewhere public
> (though probably *not* to a *publicly-editable* wiki, from a security
> perspective). That way, non-MoCo employees with LDAP accounts can have
> access to it for instructions when they're resetting their LDAP
> accounts. And just as important, the template for the LDAP-reset email
> needs to be fixed to point to that public resource rather than the
> MoCo-internal mana link.

This will be much appreciated by those who get confused when, a few years
after the LDAP account was created, they are notified by e-mail to change
their LDAP password.

> I'm CC'ing mpoessy, who I think can get the right people's attention to
> look into this. Thanks again for calling attention to this!
>
> ~Daniel

Thank you again for taking notice.
Until I verified, by looking at the URL bar, etc., that the first password
reset URL seems to be genuine, I was very worried.

Chiaki