[horde] Horde and WebVPN/SSLVPN Problem

Ben Klang ben at alkaloid.net
Tue Jul 4 07:37:27 PDT 2006


Hi Ulrich

On Jun 30, 2006, at 10:53 AM, horde at utheissen.dyndns.org wrote:

> problem with them. So specially for you I had a look why this works: the
> form uses action="compose.php?uniq=...
> so the relative path /horde/imp which was rewritten to
> /http/0/172.16.0.253/horde/imp was used to
> send the actual email.
>
> But as I wrote before I don't want to start a holy war about the
> different possibilities
> to implement certain functions. I don't mind what technique is used as
> long as it is portable
> flexible and open for new technologies as WebVPN/SSLVPN.
>
I have to agree with the sentiments of the other Horde developers so  
far.  This product, in my opinion, sets a very bad precedent.  While  
it might work for many cases (especially statically maintained pages)  
there are simply too many ways a Website can reference remote content  
that are beyond the reach of the URL rewriting routines.  You've so
far run into a problem with JavaScript.  But what about Java applets  
that dynamically load information from the server?  Flash interfaces  
that can do the same?  What about any of a myriad other proprietary  
browser plugins or ActiveX controls?



> I don't think that I am the only one who might want to improve the
> security using WEBVPN/SSLVPN
> as Cisco deploys it widely in its IOS-Routers 870 series and higher, ASA
> and VPN-Concentrators.
> Also openssl-based systems are available and as far as I know work quite
> similar.
>

If you want security there are plenty of SSL VPN products that handle  
this in a much more graceful way.  Juniper has a product that creates  
an SSL VPN from a Web browser Java applet or ActiveX control.  I  
happen to know of that one personally but there are most definitely  
other competitors with similar products.  I imagine Cisco has one as  
well.  If you want to stay with the Open Source world then give a  
look to OpenVPN.  Since all of these SSL VPN tools create network  
tunnels there is no need for strange voodoo like rewriting links in  
web pages.  You also have the option of getting improved security by  
"locking out" all routes except those into/out of the VPN.


> So my question again: Does anyone have a solution for my problem or do
> the developers know a
> workaround without a lot of patching?
>
Why not just implement HTTPS?  That seems to me to be the most direct  
route.   If your network architecture won't allow it I would  
recommend you consider a "real" VPN system like what I referenced  
above or any IPsec based product.

Regards,
/BAK/
-- 
Ben Klang
Alkaloid Networks
bklang at alkaloid.net
404.475.4850
http://projects.alkaloid.net
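
Added example, not part of the original post: a sketch of attribute-only URL rewriting as discussed in this thread, showing why the relative form action keeps working while a URL assembled in JavaScript falls outside the rewritten path. The gateway host vpn.example, the sample markup and the regex-based rewriter are assumptions; only the /http/0/172.16.0.253 prefix comes from the thread.

```python
import re
from urllib.parse import urljoin, urlsplit

# Prefix form quoted in the thread: /horde/imp -> /http/0/172.16.0.253/horde/imp
PREFIX = "/http/0/172.16.0.253"
# Hypothetical gateway URL of the page the browser is currently showing.
PAGE_URL = "https://vpn.example" + PREFIX + "/horde/imp/mailbox.php"

# Constructed sample markup (not Horde's real output).
PAGE = '''<a href="/horde/imp/mailbox.php">Inbox</a>
<form action="compose.php?uniq=123" method="post"></form>
<script>
var base = "/horde" + "/imp/";
function popup() { window.open(base + "compose.php"); }
</script>'''

# Only root-relative URLs in static href/src/action attributes are visible
# to this kind of rewriter (an assumed, simplified model of the gateway).
ATTR = re.compile(r'\b(href|src|action)="(/[^"]*)"')

def rewrite(html):
    """Prefix every root-relative URL found in an HTML attribute."""
    return ATTR.sub(lambda m: f'{m.group(1)}="{PREFIX}{m.group(2)}"', html)

def stays_behind_gateway(ref):
    """Resolve ref as the browser would and check it keeps the prefix."""
    path = urlsplit(urljoin(PAGE_URL, ref)).path
    return path.startswith(PREFIX + "/")

def audit():
    out = rewrite(PAGE)
    link = re.search(r'href="([^"]*)"', out).group(1)
    action = re.search(r'action="([^"]*)"', out).group(1)
    # What the script computes at run time; the rewriter never saw this
    # string because it only exists after concatenation in the browser.
    js_url = "/horde" + "/imp/" + "compose.php"
    return {
        "link": (link, stays_behind_gateway(link)),
        "form": (action, stays_behind_gateway(action)),
        "script": (js_url, stays_behind_gateway(js_url)),
    }

if __name__ == "__main__":
    for name, (url, ok) in audit().items():
        print(f"{name:6} {url:45} behind gateway: {ok}")
```

The form action is never touched by the rewriter; it survives only because the browser resolves it against the already-rewritten page URL, whereas the script-built path resolves against the gateway's root and loses the prefix.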

