[horde] State of security with Horde and Imp

Jens Wahnes wahnes at uni-koeln.de
Tue Apr 12 22:01:24 UTC 2016


On Tue, Apr 12 2016, at 17:07:14 -0400, Louis-Philippe Allard wrote:

> I have a simple question regarding security with Horde and Imp.   
> Currently, Horde is configured to use Imp as its auth backend.  Imp's  
> backends.php is configured to use my Gmail account with SSL and the  
> recommended port from Google.
>
> That being said, I had an incident last week that required me to have a 
> look at which devices were accessing my account, and I noticed Google is 
> classifying Horde (and imp I assume) as a "device that does not support 
> modern security standards".  Rather insulting but is it true?
>
> How behind is horde/imp in terms of security when compared to let's say
> other commercial solutions?  Other question is:  will horde eventually  
> support double authentication, or is there anything else to implement to 
> reinforce the simple SSL protocol used by Imp to connect to Gmail?

I don't know what exactly Google is referring to when talking about
"modern security standards", but a solution could be as simple as using
a newer version of TLS to connect to Google's IMAP servers.  For
instance, if you were currently using a TLS 1.0 connection (or SSL 3.0
even) from your server to Google's IMAP server, then using a connection
with TLS 1.2 including Forward Secrecy (e.g. ECDHE based) would be
considered more modern.  So that would mostly concern the configuration
of the host running your Horde installation.  If it's a typical Linux
box, TLS 1.2 would require at least a recent 1.0.1 version of OpenSSL
(or such) to be used, or better still 1.0.2.  But even with these
prerequisites, the connection may not be using TLS 1.2 right away; you
might have to configure which protocol versions and ciphers are to be
preferred.  In fact, it could turn out to be quite tedious to find the
right place and the right way to make that config change.

If by double authentication you mean two factor authentication, then
that's rather difficult, at least with an IMAP authentication backend,
because the IMAP protocol was not designed with two factor
authentication in mind.  It might be possible to build something that
is in essence a two factor authentication using SASL and authenticate
via IMAP that way, but that's certainly not very easy to accomplish.


Jens
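As an added illustration of the protocol/cipher point above (this is example code written for this archive page, not code from Jens, Horde or IMP): the check below builds a client-side TLS context that refuses anything older than TLS 1.2 and only offers ECDHE (forward-secret) cipher suites, then classifies a negotiated protocol/cipher pair against that policy. The cipher-list string, the function names and the default target imap.gmail.com:993 are my assumptions, not settings taken from the thread; the live probe needs network access and is only there to show where the negotiated values come from.

```python
import imaplib
import ssl
from typing import Tuple

# Hypothetical policy values (assumptions for this example, not Horde/IMP config).
MODERN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# OpenSSL cipher-list syntax: ECDHE key exchange with AES-GCM or ChaCha20,
# excluding anonymous, NULL, MD5 and RC4 suites.
ECDHE_ONLY_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4"


def make_modern_context() -> ssl.SSLContext:
    """Client context: certificate + hostname verification, TLS >= 1.2, ECDHE only."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(ECDHE_ONLY_CIPHERS)  # governs TLS 1.2 suites; TLS 1.3 suites are all (EC)DHE
    return ctx


def is_forward_secret(cipher_name: str) -> bool:
    """ECDHE-/DHE- suites and every TLS 1.3 suite (TLS_...) use ephemeral key exchange."""
    return cipher_name.startswith(("ECDHE-", "DHE-", "TLS_"))


def classify(protocol: str, cipher_name: str) -> Tuple[bool, str]:
    """Return (meets_policy, reason) for a negotiated protocol/cipher pair."""
    if protocol not in MODERN_PROTOCOLS:
        return False, f"legacy protocol {protocol}; upgrade to TLS 1.2 or newer"
    if not is_forward_secret(cipher_name):
        return False, f"cipher {cipher_name} lacks forward secrecy; prefer ECDHE suites"
    return True, f"{protocol} with {cipher_name} meets the policy"


def probe_imap_server(host: str = "imap.gmail.com", port: int = 993) -> Tuple[str, str]:
    """Open one IMAPS connection with the hardened context and return
    (protocol, cipher) as negotiated. Requires network access; no login is done."""
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=make_modern_context())
    try:
        cipher_name, protocol, _bits = conn.socket().cipher()
        return protocol, cipher_name
    finally:
        conn.logout()


if __name__ == "__main__":
    # Constructed sample pairs, as a server might negotiate them with an old client.
    for proto, cipher in [("TLSv1", "AES128-SHA"),
                          ("TLSv1.2", "AES256-GCM-SHA384"),
                          ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256")]:
        print(proto, cipher, "->", classify(proto, cipher)[1])
```

If a connection made with this context fails to negotiate at all, that is itself the finding: the OpenSSL build behind the PHP/Horde host cannot offer TLS 1.2 with ECDHE, which matches the OpenSSL 1.0.1/1.0.2 prerequisite mentioned above. Running the probe against the real server (not done in the offline check) tells you which protocol and cipher the host actually ends up using.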