[imp] https for login
Dustin Mitchell
dustin@ywlcs.org
Fri, 15 Mar 2002 15:51:27 -0600
On Fri, Mar 15, 2002 at 10:22:25AM -0500, Chuck Hagenbuch wrote:
> > your password will be sniffed after logging in!
>
> On what information do you pass this assertion?
>
> Once you log in, your password is stored in your session - which is on the
> server - and is never sent in between the webserver and browser. It of
> course is sent to the IMAP server, but SSL on the browser/webserver leg
> won't help that in any case.
This is all true, but the session identifier (in the cookies) is just as good
as a password. It allows you access to the user's mail without even
requiring you to log in. So if you SSL the login/password, then run the rest
in HTTP, and someone sniffs the session identifier, you're still sunk.
Either do SSL or don't -- there is no middle ground.
Dustin
--
Dustin Mitchell
dustin@ywlcs.org
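To make the point above concrete, here is a small model of how a browser treats a session cookie that was issued during an SSL login and then replayed on later requests. This is an added example, not code from the thread or from IMP/Horde; the cookie name and session id are constructed placeholders.

```python
"""Model browser handling of a session cookie after an SSL-only login.
Added example (not from the thread or from IMP); cookie values are constructed."""
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False      # 'Secure' attribute present
    http_only: bool = False   # 'HttpOnly' attribute present


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value such as 'session=abc; path=/; Secure'."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return Cookie(name.strip(), value.strip(), "secure" in attrs, "httponly" in attrs)


def cookie_sent_in_clear(cookie: Cookie, request_scheme: str) -> bool:
    """True if a browser would send this cookie over plaintext HTTP.
    A cookie with the Secure attribute is only sent on https:// requests."""
    if request_scheme == "https":
        return False
    return not cookie.secure


def session_exposed(set_cookie: str, later_request_schemes: list[str]) -> bool:
    """Given the Set-Cookie returned by the login and the schemes of the
    following requests, report whether the session id ever crosses the wire
    unencrypted (i.e. is sniffable just like the password would have been)."""
    cookie = parse_set_cookie(set_cookie)
    return any(cookie_sent_in_clear(cookie, s) for s in later_request_schemes)


# Constructed samples: an SSL login followed by mailbox browsing over HTTP.
LOGIN_COOKIE_WEAK = "session=CONSTRUCTED_SESSION_ID; path=/"
LOGIN_COOKIE_SECURE = "session=CONSTRUCTED_SESSION_ID; path=/; Secure"
MIXED_SESSION = ["https", "http", "http"]   # SSL login, rest in plain HTTP
ALL_SSL = ["https", "https", "https"]       # everything over SSL

if __name__ == "__main__":
    print("SSL login, HTTP after, no Secure flag:", session_exposed(LOGIN_COOKIE_WEAK, MIXED_SESSION))
    print("Secure flag set, HTTP after:", session_exposed(LOGIN_COOKIE_SECURE, MIXED_SESSION))
    print("Everything over SSL:", session_exposed(LOGIN_COOKIE_WEAK, ALL_SSL))
```

With the Secure attribute set, the browser withholds the cookie from the HTTP requests, so the session id is not sniffable but those requests are no longer authenticated either; in practice that leaves the all-SSL configuration as the only working one.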