[horde] State of security with Horde and Imp

Louis-Philippe Allard lp.allard.1 at gmail.com
Sat Apr 16 16:51:17 UTC 2016


  Quoting Jens Wahnes <wahnes at uni-koeln.de>:

> On Tue, Apr 12 2016, at 17:07:14 -0400, Louis-Philippe Allard wrote:
>
>> I have a simple question regarding security with Horde and Imp. 
>> Currently, Horde is configured to use Imp as its auth backend.  Imp's
>> backends.php is configured to use my Gmail account with SSL and the
>> recommended port from Google.
>>
>> That being said, I had an incident last week that required me to have a
>> look at which devices were accessing my account, and I noticed Google is
>> classifying Horde (and imp I assume) as a "device that does not support
>> modern security standards".  Rather insulting but is it true?
>>
>> How behind is horde/imp in terms of security when compared to let's say
>> other commercial solutions?  Other question is:  will horde eventually
>> support double authentication, or is there anything else to implement to
>> reinforce the simple SSL protocol used by Imp to connect to Gmail?
>
> I don't know what exactly Google is referring to when talking about
> "modern security standards", but a solution could be as simple as using
> a newer version of TLS to connect to Google's IMAP servers.  For
> instance, if you were currently using a TLS 1.0 connection (or SSL 3.0
> even) from your server to Google's IMAP server, then using a connection
> with TLS 1.2 including Forward Secrecy (e.g. ECDHE based) would be
> considered more modern.  So that would mostly concern the configuration
> of the host running your Horde installation.  If it's a typical Linux
> box, TLS 1.2 would require at least a recent 1.0.1 version of OpenSSL
> (or such) to be used, or better still 1.0.2.  But even with these
> prerequisites, the connection may not be using TLS 1.2 right away; you
> might have to configure which protocol versions and ciphers are to be
> preferred.  In fact, it could turn out to be quite tedious to find the
> right place and the right way to make that config change.
>
> If by double authentication you mean two factor authentication, then
> that's rather difficult, at least with an IMAP authentication backend,
> because the IMAP protocol was not designed with two factor
> authentication in mind.  It might be possible to build something that
> is in essence a two factor authentication using SASL and authenticate
> via IMAP that way, but that's certainly not very easy to accomplish.
>
> Jens

Hello Jens, thanks for the details. That helps me understand how it
works, and that the security protocol mostly remains within my hands
since I run the server where horde is installed.

For the two factor auth, I read at several places that it got defeated
rather easily by mobile clients? It may not be worthwhile to
implement this in Horde, but the devs may decide otherwise.

Thanks, for now I will read a bit more on the security standards to
get my head clear if I need to do something more than what CentOS
provides out of the box.
  Louis-Philippe Allard
lp.allard.1 at gmail.com
Sent from Horde Groupware - GNU/Linux
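Added example (Python, not Horde or IMP code) of the host-side check Jens describes: it reports whether the local OpenSSL is new enough for TLS 1.2, builds a client policy that requires TLS 1.2 with ECDHE forward secrecy and certificate verification, and probes what the IMAP server actually negotiates under that policy. The Gmail host and port are assumptions taken from Google's published IMAP settings, not values from this thread.

```python
import re
import socket
import ssl

# Constructed endpoint for the probe: Google's published IMAPS host/port
# (an assumption of this example, not a value from the thread).
IMAP_HOST = "imap.gmail.com"
IMAP_PORT = 993

# OpenSSL cipher string: ECDHE (forward-secret) suites only, legacy ones excluded.
FS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:ECDHE+AES:!aNULL:!MD5:!RC4:!3DES"


def openssl_supports_tls12():
    """OpenSSL 1.0.1 introduced TLS 1.2, as the reply notes (1.0.2 preferred)."""
    return ssl.OPENSSL_VERSION_INFO[:3] >= (1, 0, 1)


def strict_client_context():
    """Client context that verifies certificate and hostname, refuses anything
    below TLS 1.2 and offers only ECDHE suites, so a legacy negotiation fails
    loudly instead of silently downgrading."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(FS_CIPHERS)
    return ctx


def forward_secret_only(ctx):
    """True if every suite the context can offer uses an ephemeral key exchange.
    OpenSSL's description reads 'Kx=ECDH' for ECDHE suites and 'Kx=any' for
    TLS 1.3 suites, which are always forward secret."""
    for cipher in ctx.get_ciphers():
        kx = re.search(r"Kx=(\S+)", cipher["description"])
        if kx is None or kx.group(1) not in ("ECDH", "any"):
            return False
    return True


def probe_imap_server(host=IMAP_HOST, port=IMAP_PORT, timeout=10):
    """Connect the way IMP's backend would and report what was negotiated.
    Raises ssl.SSLError if the server cannot meet the policy (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with strict_client_context().wrap_socket(raw, server_hostname=host) as tls:
            greeting = tls.recv(256).decode("ascii", "replace").strip()
            return {"version": tls.version(), "cipher": tls.cipher()[0],
                    "greeting": greeting}
```

Run `probe_imap_server()` from the Horde host itself: a result showing `TLSv1.2` or `TLSv1.3` with an `ECDHE-` or `TLS_` cipher name is what a "modern" classification expects, while an `ssl.SSLError` means the server or the local OpenSSL could not agree on anything that meets the policy.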

