[dev] password security during the session -- what is it?

Chuck Hagenbuch chuck@horde.org
Wed, 20 Dec 2000 16:58:54 -0500


Quoting Michael Bull <mbull@uoguelph.ca>:

> I've had a question regarding "how secure" passwords are that are in use by
> the IMP server.   As in, after I login and type my password, how is made 
> use of / stored? during my session, and what are the security 
> implications.  I'm particularly interested in 2.3 -- I've been continuing 
> to work through the code to get a feeling of how IMP runs start to finish, 
> but any imput as to the best answer to that question from those more 
> familiar with the code would be greatly appreciated.

Action 1: You type your password on the login form and submit it.
Occurs: Once at login.
Security: Entirely dependant on SSL/network conditions. If you are using SSL, 
the password will be secure. If you're on a private network or behind a 
firewall, the password won't be cleartext on the net at large. If you're 
connecting across networks and without ssl, it's the same security as telnet.

Action 2: IMP stores/retrieves the password in your session.
Occurs: Store: Once at login. Retrieve: Every page load.
Security: IMP encrypts the password before putting it into the session store 
(file, database, shared memory), using a key which is either stored in a cookie 
(relatively secure, and very secure if you are using SSL) or based on some 
simple information if you have cookies disabled (guessable, but better than 
nothing). The password is unencrypted in memory, so someone with access to the 
box and the ability to snoop through process memory could potentially find 
plaintext passwords. But if they want you that badly, they can probably find 
easier ways.

Action 3: IMP connects to the IMAP server
Occurs: Every page load that uses IMAP functions.
Security: Entirely dependant on the link between the IMP server and the IMAP 
server. If they are the same machine, the password won't make it out onto the 
network at all and is safe. If you are using imap-ssl or an stunnel between the 
two machines, the password (and entire IMAP session) will be encrypted. 
Otherwise, the password is as secure as the network between the two machines - 
exactly as if the IMP server were a client connecting to the IMAP server.


I don't think I left anything out, but feel free to remind me if I did. Rich, 
if you think this would make a good FAQ entry, please use it (keeping in mind 
that it is entirely specific to IMP 2.3).

-chuck

--
Charles Hagenbuch, <chuck@horde.org>
"If you can't stand the heat, get out of the chicken!" - Baby Blues