I'm building a system that allows people to submit text and photos via email in addition to standard access on the website. I'm trying to weigh the security advantages of two strategies in particular for verifying submissions from a user. Here they are as follows:

  • To-based auth: Create a secret email address per user and present this to the user for submission. This strategy has the advantage that people can send from multiple devices that might be set up with different mail accounts.
  • From-based auth: Only accept emails from addresses that are registered in the user database. The idea being that it is impractical/difficult to impersonate registered users based on the sending address.

Can you think of other possible solutions? Which strategy of the ones proposed makes the most sense to you?

+5  A: 

I would suggest that you not use From-based authentication, at least not without some additional credentials (a passphrase, etc.).

It's way too easy to forge, and certainly not difficult if you know someone's email address.

If you echo the email back to the user for confirmation, you can make things a little more difficult, but realize that your service can end up being used as a sort of spamming relay. (I could send 100 upload requests to you, with a forged FROM address, and you'd go ahead and spam the real person with 100 confirmation requests)

Daniel LeCheminant
So it looks like the To-based auth is the best solution. The secret (passphrase-like) email address serves as a key and lookup. It's set and forget and works across a number of devices.
Travell Perkins
A: 

The better option is to check the registered email address but add the need for a code within the email subject known to the user. This way, if they forge the email's From address, they would still need a key to authenticate the incoming email.

Richard
A: 

I would go with "from" + confirmation, to avoid forging.

I.e. receive the email, but send a response with an auth token in the subject line (or in the body) back to the "from" address. The user will either need to reply, or click a link to confirm the submission.

And you post the content only after confirmation.

Sunny
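An added example, not code from any of the posters above, showing how an inbound handler could apply the two checks discussed in this thread: the asker's secret per-user To address, and Richard's registered From address plus a code in the subject. The user table, addresses, codes and sample messages are all constructed placeholders.

```python
import hmac
import secrets
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed user table (placeholder values): each user has a registered From
# address, a secret submission address (To-based auth) and a subject code
# (From + code auth). In a real deployment these would come from the user database.
USERS = {
    "alice": {
        "from_addr": "alice@example.com",
        "submit_addr": "post-9f3c1e7a@inbound.example.net",
        "subject_code": "K7Q2-XY",
    },
}
# Reverse index so a secret To address is both the key and the lookup.
SUBMIT_INDEX = {u["submit_addr"]: uid for uid, u in USERS.items()}

def mint_submit_address(domain):
    """Generate a fresh, unguessable per-user submission address (hypothetical helper)."""
    return f"post-{secrets.token_hex(8)}@{domain}"

def _bare_addr(header_value):
    """Reduce 'Alice <alice@example.com>' to 'alice@example.com', lower-cased."""
    return parseaddr(str(header_value or ""))[1].lower()

def verify_submission(raw_bytes):
    """Return the user id that the message is authenticated for, or None.

    Strategy 1 (To-based): the message was sent to that user's secret address.
    Strategy 2 (From + code): From is a registered address AND a word in the
    subject equals that user's code. A registered From alone is never enough,
    since the From header is trivially forged.
    """
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    to_addr = _bare_addr(msg["To"])
    from_addr = _bare_addr(msg["From"])
    subject_words = str(msg["Subject"] or "").split()

    uid = SUBMIT_INDEX.get(to_addr)
    if uid is not None:
        return uid

    for uid, user in USERS.items():
        if from_addr != user["from_addr"]:
            continue
        # Constant-time comparison so the code cannot be guessed via timing.
        if any(hmac.compare_digest(w, user["subject_code"]) for w in subject_words):
            return uid
    return None
```

A message with a forged From but no subject code falls through to None, which is exactly the case the first answer warns about.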