Linode Community Forums
PostPosted: Wed Apr 11, 2012 2:13 pm 
Senior Newbie

Joined: Mon Mar 05, 2012 12:18 pm
Posts: 14
It appears that attempts to log in to my Linode manager from a non-whitelisted IP do not trigger the IP alert. This means that an individual knows that they have the right password if they get the "IP not whitelisted" screen, which is troubling.

The only reason that this is troubling is because you appear to be able to trigger the whitelisting using the link from the alert e-mail from outside the whitelisted IPs. So, for example, if IP a.a.a.a is whitelisted, and I attempt access from b.b.b.b, I can from b.b.b.b whitelist b.b.b.b. This means that if I intercept the e-mail at any point in transmission, I can whitelist myself, because the link is just a link.

Assuming that the user and Linode are intelligent, their client-server communications are encrypted. But I'm more worried about people snooping server-server communications and just waiting for whitelist notices.

I realize that the new security measures taken with the manager reduce the brute force risk of any given account, but I'm a bit nervous about these links sent in the e-mails, and the complete lack of user verification necessary in order to use them. At the very least I think it bears discussion.


PostPosted: Wed Apr 11, 2012 2:17 pm 
Junior Member

Joined: Thu Nov 25, 2010 7:41 pm
Posts: 27
I believe this is not the case.

If you trigger the whitelist email from a.a.a.a, then access it via b.b.b.b, it will only whitelist a.a.a.a. b.b.b.b will never be given access.


Edit: Also if you're worried about someone sniffing traffic between Linode and your email provider's servers, you have a much bigger problem than whitelist emails.


PostPosted: Wed Apr 11, 2012 2:31 pm 
Senior Newbie

Joined: Mon Mar 05, 2012 12:18 pm
Posts: 14
GLaDOSDan wrote:
I believe this is not the case.

If you trigger the whitelist email from a.a.a.a, then access it via b.b.b.b, it will only whitelist a.a.a.a. b.b.b.b will never be given access.


Edit: Also if you're worried about someone sniffing traffic between Linode and your email provider's servers, you have a much bigger problem than whitelist emails.


Firstly, I just did it, so it is the case at least here. I admit I have not done extensive testing, but I am confident about the process for this instance. I attempted to log in from a new location, got the "not whitelisted" notice, grabbed the link from my e-mail (from the new location), and whitelisted my account from that new location. I will try this again this evening from a third IP to verify.

Secondly, maybe you should explain why you're so dismissive of packet sniffing network traffic to get the URL out of an e-mail? It's a well-known technique, available to the public, and I can't think of any reason it wouldn't be applicable here. Just because only a specific portion of the network topology would be able to sniff the packets at a certain point in transmission doesn't make it good security to ignore the hole.

EDIT: I think maybe you misunderstood the process I highlighted above, but I concur that your assertion is correct in the first part of your message. It is, however, unrelated to the problem I'm highlighting. If a.a.a.a triggers the whitelist notice, a.a.a.a can whitelist itself using the link from the e-mail. That is the problem with which I am concerned.


PostPosted: Wed Apr 11, 2012 3:30 pm 
Senior Member

Joined: Sat Feb 14, 2009 1:32 am
Posts: 123
If a.a.a.a is not allowed to click the link to whitelist a.a.a.a then there is potential that you would be locked out from the Linode Manager. An example being cable or DSL access that changes IPs periodically.


PostPosted: Wed Apr 11, 2012 4:37 pm 
Senior Newbie

Joined: Mon Mar 05, 2012 12:18 pm
Posts: 14
carmp3fan wrote:
If a.a.a.a is not allowed to click the link to whitelist a.a.a.a then there is potential that you would be locked out from the Linode Manager. An example being cable or DSL access that changes IPs periodically.


Fair. I really don't think it's a complete justification, but then again I'm an absolutist when it comes to security.

But there have to be some possible workarounds. Some kind of security question before you are allowed to whitelist or something.

Or here's an idea. Instead of two options (enable whitelisting/send alerts, disable whitelisting/do not send alerts) there could be a third option, enable whitelisting/do not send alerts (or send alerts without links), for those of us with static IPs with a hankering for security.


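As an added example (not code from this thread or from Linode), here is one way the "user verification" asked for in the first post and the "security question before you are allowed to whitelist" suggestion above could look: the link carries a token bound to the requesting IP with an expiry, and redeeming it requires the account password again, so an intercepted link on its own whitelists nothing, while a.a.a.a can still whitelist a.a.a.a as the DSL case needs. The signing key, salt, account record and addresses are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed values: a per-deployment signing key, a fixed salt for the
# demo password hash, and a single account with one whitelisted IP.
SERVER_KEY = secrets.token_bytes(32)
SALT = b"constructed-salt"

def hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

ACCOUNTS = {
    "alice": {"pw_hash": hash_password("correct horse"),
              "whitelist": {"203.0.113.10"}},
}

def issue_whitelist_token(user, ip, now, ttl=900):
    """Token placed in the alert e-mail after a correct password arrives
    from a non-whitelisted IP. It names the requesting IP and expires."""
    exp = int(now) + ttl
    msg = f"{user}|{ip}|{exp}".encode()
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{user}|{ip}|{exp}|{mac}"

def redeem_whitelist_token(token, client_ip, password, now):
    """Add client_ip to the whitelist only if the token is intact, unexpired,
    presented from the IP it was issued for, and the password is supplied
    again. Holding the link alone is not enough."""
    try:
        user, ip, exp, mac = token.split("|")
    except ValueError:
        return "malformed"
    msg = f"{user}|{ip}|{exp}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "bad-signature"
    if int(now) > int(exp):
        return "expired"
    if client_ip != ip:
        return "ip-mismatch"   # link opened from somewhere other than the requester
    acct = ACCOUNTS.get(user)
    if acct is None or not hmac.compare_digest(acct["pw_hash"], hash_password(password)):
        return "auth-required"  # the link by itself carries no proof of identity
    acct["whitelist"].add(ip)
    return "whitelisted"
```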
PostPosted: Wed Apr 11, 2012 7:03 pm 
Senior Member

Joined: Sun May 23, 2010 1:57 pm
Posts: 315
Website: http://www.jebblue.net
If you get locked out, use Lish.


PostPosted: Thu Apr 12, 2012 2:05 pm 
Senior Newbie

Joined: Mon Mar 05, 2012 12:18 pm
Posts: 14
jebblue wrote:
If you get locked out, use Lish.


Not a horrible workaround, although there are a few outstanding issues with Lish security as well. Also, I don't think everybody has sufficient "console comfort" for that (not that it's any excuse).


PostPosted: Thu Apr 12, 2012 6:26 pm 
Senior Member

Joined: Sat Feb 14, 2009 1:32 am
Posts: 123
jebblue wrote:
If you get locked out, use Lish.


Not everything that can be done in the Linode Manager can be performed in Lish.


PostPosted: Thu Apr 12, 2012 8:14 pm 
Senior Member

Joined: Sun May 23, 2010 1:57 pm
Posts: 315
Website: http://www.jebblue.net
carmp3fan wrote:
jebblue wrote:
If you get locked out, use Lish.


Not everything that can be done in the Linode Manager can be performed in Lish.


Yeah, I should have put more thought into that one.

