
[Note: This is not a duplicate of Are documents truly "signed" by DocuSign?. That page does not have an answer to the specific question I am asking in the final paragraph, below. This page, however, does. Hence, not a duplicate.]

HelloTech has a series of documents they want potential technicians to sign. These are delivered by an email containing a link to their documents in the HelloSign document-signing service. Clicking this link sends the potential technician to a document they can sign, but there is no authentication step to verify that the person that's signing the document is who they say they are.

Since anyone could intercept the unauthenticated email link in transit and impersonate the signer, how could the document-signing service verify that someone who signed a particular document really did so?

Bill_Stewart
  • This answer about a similar service, Docusign, may hold some answers for you. https://security.stackexchange.com/questions/116896/are-documents-truly-signed-by-docusign – John Nov 29 '16 at 21:48
  • This is effectively a duplicate of the DocuSign question. Ultimately, the risk of an email being intercepted by someone who wants to fraudulently sign a document on behalf of the intended recipient, and then that leading into a situation requiring litigation is so remote as to be negligible, and not worth worrying about. *Technically* email is insecure. *Practically*, it's used to transmit massive amounts of data of varying sensitivity on a daily basis, and the overwhelming majority of that data is not illicitly captured or abused. – Xander Nov 29 '16 at 23:03
  • The other question about DocuSign does not actually address the specific question I am asking here (unless I am missing something). I already read that question before posting this one. The last paragraph is the real "meat" of the question. – Bill_Stewart Nov 30 '16 at 00:16
  • @Bill_Stewart Unless I am missing something it is basically asking the same question but in a different way. Even if the scenario is different you and the Docusign question are still asking how they can validate an unauthenticated, unidentified, or forged signature. – Bacon Brad Nov 30 '16 at 01:46
  • This question has the specific answer being asked here; the other question does not have an answer to this specific question. – Bill_Stewart Nov 30 '16 at 13:49
  • One example: Suppose a bad actor sends an unauthenticated signing request to a victim, intercepts the link in transit, then signs as the victim. How can the victim prove he or she did not sign? That potential risk is not one I'm willing to take. – Bill_Stewart Nov 30 '16 at 19:53
  • @Bill_Stewart your last comment is a very different question from your post. Your comments on the other answers about 'what you're really asking about' are also different. For your *stated question*, it is a duplicate of the Docusign one (point #2 and the 2nd point in the accepted answer). If you are asking something different, then you need to edit your question to be more clear about what your concern is (which is unclear to me right now). – schroeder Dec 05 '16 at 07:47
  • I must not be communicating very clearly. The question is similar, yes, but the other question page does not have an answer to the specific question I am asking (see last paragraph of my question). The answer to that specific question is marked as an answer here. My previous comment was a response to another user's comment (which seems to have been deleted) as to how this could be exploited. – Bill_Stewart Dec 05 '16 at 14:54
  • So what I am trying to say is that while the _question itself_ is asked as a part of the question on the other page, the other page _does not have an answer to the specific question being asked here_ (I believe I've said this already). – Bill_Stewart Dec 05 '16 at 15:24
  • Bill - in reviewing your comments on the answers here, especially on Alex's answer, it seems the question you want to ask is entirely different, and biased by your view that email is insecure for every purpose (which is patently untrue). Either we keep it closed as a dupe, or it will get closed as Unclear What You Are Asking. Either way, I think you have answers that cover this question comprehensively. – Rory Alsop Dec 06 '16 at 17:26
  • Re: Email insecure for every purpose--Not sure I said that? I did say that for a signature, I'm not willing to sign through an unauthenticated email (seems very risky, and IMO people should be informed about it). Re: Unclear what I am asking--Please clarify. I read it again and it seems pretty clear? Re: Duplicate--the other Q&A page does not have the answer to the specific question here. This page does (it is marked as an answer). Therefore: not a duplicate. – Bill_Stewart Dec 06 '16 at 18:56
  • This problem is no longer theoretical, by the way. I recently received an email containing a link to signed documents I didn't sign. I stand by my assessment that an emailed link is not secure without some other form of authentication. – Bill_Stewart Aug 01 '17 at 00:28
  • @Bill_Stewart - I'm having the same question as you did 3 years ago so I'd love to draw from your experience :). I received an email to sign my contract and while I know it's all valid and I will not get into trouble signing it, it bothers me. 1. If my no-logging VPN is true to its word, they have no way of tracing that signature back to me. 2. Anyone intercepting that mail could have signed the contract. I don't get how these services don't see that as a serious problem. – Lieven Keersmaekers Dec 16 '20 at 18:00
  • @LievenKeersmaekers - right - I still don't understand how this is considered in any way "secure". – Bill_Stewart Dec 16 '20 at 18:46

3 Answers


how could the document-signing service verify that someone who signed a particular document really did so?

They don't. They do create a log showing the IP address of the remote computer that issued the "signature"; but they can't identify the legal entity that caused the signature to be made. If the identity of the signer turns out to be in dispute, the parties to the dispute can assemble evidence about that later on.

This sort of functionality is provided in the meat world by a notary public or the medallion signature guarantee system.

gbroiles
  • Very strange that they say that they comply with [eIDAS laws](https://www.cryptomathic.com/news-events/blog/what-is-a-qualified-certificate-for-electronic-signatures-in-eidas). I don't think that is in any way possible, just look at the requirements. But then I doubt they would dare to blatantly lie on their webpage, because that obviously would sooner or later result in lawsuits. That's confusing. – Josef Nov 30 '16 at 08:58
  • An e-mailed link that requires no authentication is a bit like a notary that does not check your ID. I would recommend using a more reputable witness. – Bill_Stewart Nov 30 '16 at 11:10
  • This problem is no longer theoretical, by the way. I recently received an email containing a link to signed documents I didn't sign. I stand by my assessment that an emailed link is not secure without some other form of authentication. – Bill_Stewart Aug 01 '17 at 00:34

My name is Alex M. and I work in API Support at HelloSign.com. Regarding the legality of HelloSign signatures, there's an explanation on why we believe our esignatures are legal on our website.

HelloSign authenticates document signers so you know who is signing your documents. Any person signing a document via HelloSign must either have login information for HelloSign, or have received in their email account a request for signature.

To protect HelloSign user accounts, all user information transferred is 256-bit SSL encrypted, including usernames and passwords. We also seek to prevent others from accessing or using your account by imposing automated session time-outs, and emailing you every time a contract is sent to, received by, or signed under your account.

You’re right though, one would need access to the email to get the link, and by default there’s no second step - it’s typical SSO. There is also an audit trail provided that lists more details on the signer, like time and date signed as well as IP address used to sign.

Also, API customers could use a kind of two factor authentication by way of a signer pin. This is an alpha-numeric pin that should be sent to the signer in some other fashion (via text or over a phone call or in person - something other than being sent to the same email address as the signature request email).

The usage is in our documentation, and how you include the signer pin depends on a number of factors. For instance though, in the name of answering as much as possible here instead of just including links, in cURL when hitting POST /signature_request/send, you’d include a parameter like this: -F 'signer[1][pin]=1234'

Then when a signer clicks the link in their email, they first see a page asking for the PIN to access the document.

If anyone has any additional questions, please reach out to us at apisupport@hellosign.com.

Xiong Chiamiov
Alex M
  • The question here is not about document storage or SSL. We all understand that is secure. The problem is that email is not secure. Anyone can read one of these links in transit (email is clear-text!) and sign as someone else. So I don't see how it's possible that "HelloSign authenticates document signers so you know who is signing your documents" without some form of authentication. – Bill_Stewart Nov 29 '16 at 22:37
  • @Bill_Stewart I actually think this addresses your question: SSO, pin before signing. Someone would have to have the email link, the SSO credentials, and the pin. – schroeder Nov 29 '16 at 22:53
  • It is good that this is an option, but the vulnerability we're talking about here is that HelloSign allows you to send links that don't require authentication. In an age of identity theft, it is frankly surprising to me that they allow this. It puts anyone who signs something like this at risk. I would never electronically sign something sent to me that does not have some form of authentication. – Bill_Stewart Nov 29 '16 at 22:59
  • @Bill_Stewart So, you know how it works then...What is your question? What you personally would or would not be willing to do is irrelevant, and discussions about whether this is in general terms is "secure enough" or not is ultimately opinion based and therefore off-topic. – Xander Nov 29 '16 at 23:10
  • "discussions about whether this is in general terms is 'secure enough' or not is ultimately opinion based" - I guess I disagree (?). I don't see how a link emailed over the Internet in a clear-text email can in any way be considered secure (let alone "secure enough"). – Bill_Stewart Nov 30 '16 at 00:13
  • This problem is no longer theoretical, by the way. I recently received an email containing a link to signed documents I didn't sign. I stand by my assessment that an emailed link is not secure without some other form of authentication. – Bill_Stewart Aug 01 '17 at 00:26
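As an added illustration (not HelloSign's code and not part of the answer above), a toy Python model of the two flows Alex M describes: a request that any holder of the emailed link can sign, and one protected by a signer PIN delivered over a separate channel. The request object, the attempt limit and the audit entries are assumptions; only the idea of an emailed link plus an out-of-band PIN and an audit trail recording the signer's IP comes from the answer.

```python
# Added example (not HelloSign's code): a toy model of the two signing flows the
# answer describes. An emailed link alone is a bearer token: whoever holds it can
# sign, and the audit trail records only an IP address. A signer PIN that travels
# over a different channel (SMS, phone, in person) adds a second factor.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_PIN_ATTEMPTS = 5  # hypothetical lockout; the page does not state HelloSign's policy


@dataclass
class SignatureRequest:
    signer_email: str
    pin_hash: Optional[bytes] = None     # None => link-only flow, no second factor
    link_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    attempts: int = 0
    signed_by_ip: Optional[str] = None
    audit_log: List[Tuple[str, str]] = field(default_factory=list)


def _hash_pin(pin: str) -> bytes:
    return hashlib.sha256(pin.encode()).digest()


def create_request(signer_email: str, pin: Optional[str] = None) -> SignatureRequest:
    """Create a request; store only a hash of the PIN, never the PIN itself."""
    return SignatureRequest(signer_email, _hash_pin(pin) if pin else None)


def sign(req: SignatureRequest, token: str, client_ip: str,
         pin: Optional[str] = None) -> Tuple[bool, str]:
    """Attempt to sign. Returns (ok, reason) and appends an audit entry."""
    if req.signed_by_ip is not None:
        return False, "already signed"
    if not hmac.compare_digest(token.encode(), req.link_token.encode()):
        req.audit_log.append((client_ip, "bad link"))
        return False, "bad link"
    if req.pin_hash is not None:                 # hardened flow: second factor required
        if req.attempts >= MAX_PIN_ATTEMPTS:
            req.audit_log.append((client_ip, "pin locked"))
            return False, "pin locked"
        req.attempts += 1
        if pin is None or not hmac.compare_digest(_hash_pin(pin), req.pin_hash):
            req.audit_log.append((client_ip, "pin rejected"))
            return False, "pin required"
    req.signed_by_ip = client_ip
    req.audit_log.append((client_ip, "signed with pin" if req.pin_hash else "signed, link only"))
    return True, "signed"
```

In the link-only flow the audit entry is the only evidence, and it names an IP address rather than a person, which is the gap gbroiles' answer points out.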

Is it simply a click? Is there any other sign on or entry of a key that isn't sent in the email?

With a simple email, there is no way to differentiate the legitimate technician from someone who has intercepted his or her email. They may consider this acceptable, however, considering this repudiability worth living with for the simplicity.

It may be, however, there's an extra protection here. If the technician has logged in before this email is sent, there may be data in a site cookie that can be checked on the server, so that they at least can demonstrate that that computer has logged into the technician's account.

crovers
  • No, it is just a link. I tested this by creating a free HelloSign account, uploading a document, and sending to a dummy email address that does not have a HelloSign account. I sent the document to the dummy account requesting a signature, and I copied the link from the email and opened it. I could sign as that person without any account or authentication. I am puzzling over how a company would accept this kind of risk. – Bill_Stewart Nov 29 '16 at 21:20
  • From an anonymous browser session? Ie, no cookies for that account? If not, I'm not sure what their thought process is there. – crovers Nov 29 '16 at 22:10
  • Correct; anonymous. Cleared cache and cookies and was able to sign without any authentication whatsoever. – Bill_Stewart Nov 29 '16 at 22:25
  • Then I guess they are just living with the uncertainty. Seems weird. I guess you could ask them? – crovers Nov 30 '16 at 13:44
  • See answer from 'Alex M' and following comments. – Bill_Stewart Nov 30 '16 at 13:46