[horde] Horde and WebVPN/SSLVPN Problem

horde@utheissen.dyndns.org horde at utheissen.dyndns.org
Tue Jul 4 12:18:52 PDT 2006


Hi Ben,

Ben Klang wrote:
> Hi Ulrich
>
> On Jun 30, 2006, at 10:53 AM, horde at utheissen.dyndns.org wrote:
>
>> problem with them. So specially for you I had a look why this works: the
>> form uses action="compose.php?uniq=...
>> so the relative path /horde/imp which was rewritten to
>> /http/0/172.16.0.253/horde/imp was used to
>> send the actual email.
>>
>> But as I wrote before I don't want to start a holy war about the
>> different possibilities
>> to implement certain functions. I don't mind what technique is used as
>> long as it is portable
>> flexible and open for new technologies as WebVPN/SSLVPN.
>>
> I have to agree with the sentiments of the other Horde developers so 
> far.  This product, in my opinion, sets a very bad precedent.  While 
> it might work for many cases (especially statically maintained pages) 
> there are simply too many ways a Website can reference remote content 
> that are beyond the reach of the URL rewriting routines.  You've so far 
> run into a problem with JavaScript.  But what about Java applets that 
> dynamically load information from the server?  Flash interfaces that 
> can do the same?  What about any of a myriad other proprietary browser 
> plugins or ActiveX controls?
>
Well in general you are right, but Java, Flash and ActiveX either do 
not work on every system
or are problematic for other (security) reasons.
>
>
>> I don't think that I am the only one who might want to improve the
>> security using WEBVPN/SSLVPN
>> as Cisco deploys it widely in its IOS-Routers 870series and higher, ASA
>> and VPN-Concentrators.
>> Also openssl-based systems are available and as far as I know work quite
>> similar.
>>
>
> If you want security there are plenty of SSL VPN products that handle 
> this in a much more graceful way.  Juniper has a product that creates 
> an SSL VPN from a Web browser Java applet or ActiveX control.  I 
> happen to know of that one personally but there are most definitely 
> other competitors with similar products.  I imagine Cisco has one as 
> well.  If you want to stay with the Open Source world then give a look 
> to OpenVPN.  Since all of these SSL VPN tools create network tunnels 
> there is no need for strange voodoo like rewriting links in web 
> pages.  You also have the option of getting improved security by 
> "locking out" all routes except those into/out of the VPN.
Also Cisco provides such a solution with a Java-based SSLVPN-Client which 
has two disadvantages:
1. It only works on Windows
2. It needs Administrator privilege to work (no way in Internet cafes or 
business systems).
I think other products have the same disadvantage.
>
>
>> So my question again: Does anyone have a solution for my problem or do
>> the developers know a
>> workaround without a lot of patching?
>>
> Why not just implement HTTPS?  That seems to me to be the most direct 
> route.   If your network architecture won't allow it I would recommend 
> you consider a "real" VPN system like what I referenced above or any 
> IPsec based product.
Yes, but I don't want to have my apache directly exposed to the 
Internet. As my IOS router
is already exposed and my confidence in Cisco is slightly higher than in 
my own skill to
secure an apache.

As already said, I want a simple mail frontend and perhaps Horde is too 
advanced for my needs.

Any further suggestions?
>
> Regards,
> /BAK/
> -- 
> Ben Klang
> Alkaloid Networks
> bklang at alkaloid.net
> 404.475.4850
> http://projects.alkaloid.net
>
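
The rewriting behaviour discussed in this thread, as an added example that is not part of the original message and is not Cisco's or Horde's code: a toy model of a clientless gateway that prefixes root-relative URLs in HTML attributes. It shows why the relative form action keeps working while a path assembled in JavaScript leaves the rewritten namespace. The host `vpn.example`, the sample page and all function names are constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

PREFIX = "/http/0/172.16.0.253"  # rewrite prefix quoted in the thread
# Constructed: URL of the compose page as the browser sees it via the gateway.
PAGE_URL = "https://vpn.example" + PREFIX + "/horde/imp/compose.php"

# Constructed sample page: relative form action, root-relative link,
# and a URL assembled at run time by script.
SAMPLE = '''<form action="compose.php?uniq=abc123" method="post"></form>
<a href="/horde/imp/mailbox.php">Inbox</a>
<script>var base = "/horde" + "/imp/"; window.location.assign(base + "message.php");</script>'''

ATTR = re.compile(r'''(\b(?:href|src|action)\s*=\s*)(["'])(.*?)\2''', re.I)

def rewrite_html(html):
    """Toy gateway rewriter: prefix root-relative URLs found in HTML attributes."""
    def fix(m):
        url = m.group(3)
        if url.startswith("/") and not url.startswith("//"):
            url = PREFIX + url
        return f"{m.group(1)}{m.group(2)}{url}{m.group(2)}"
    return ATTR.sub(fix, html)

def final_path(ref, page_url=PAGE_URL):
    """Path the browser requests from the gateway for a reference on the page."""
    return urlsplit(urljoin(page_url, ref)).path

def stays_in_tunnel(ref):
    """True if the request still carries the gateway's rewrite prefix."""
    return final_path(ref).startswith(PREFIX + "/")

if __name__ == "__main__":
    print(rewrite_html(SAMPLE))
    for ref in ("compose.php?uniq=abc123",          # relative, left untouched
                PREFIX + "/horde/imp/mailbox.php",  # attribute after rewriting
                "/horde/imp/message.php"):          # built by script, never rewritten
        print(f"{ref!r:48} -> {final_path(ref)}  tunnel={stays_in_tunnel(ref)}")
```
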


