[imp] https for login

Chris shai-hulud@chello.at
Mon, 18 Mar 2002 01:30:27 +0100


Additionally, it won't save your content otherwise

On Friday, 15 March 2002 22:51 you wrote:
-=> On Fri, Mar 15, 2002 at 10:22:25AM -0500, Chuck Hagenbuch wrote:
-=> > > your password will be sniffed after the login!
-=> > 
-=> > On what information do you base this assertion?
-=> > 
-=> > Once you log in, your password is stored in your session - which is on the 
-=> > server - and is never sent in between the webserver and browser. It of 
-=> > course is sent to the IMAP server, but SSL on the browser/webserver leg 
-=> > won't help that in any case.
-=> 
-=> This is all true, but the session identifier (in the cookies) is just as good
-=> as a password.  It allows you access to the user's mail without even
-=> requiring you to log in.  So if you SSL the login/password, then run the rest
-=> in HTTP, and someone sniffs the session identifier, you're still sunk.
-=> Either do SSL or don't -- there is no middle ground.
-=> 
-=> Dustin
-=> 
-=> -- 
-=> 
-=>   Dustin Mitchell
-=>   dustin@ywlcs.org
-=> 
-=>
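
An added example, not part of the original thread or of IMP/Horde code: a small audit over a recorded browsing trace that flags the two conditions Dustin describes, a session cookie issued without the Secure attribute and a session identifier sent over plain HTTP after an HTTPS login. The cookie name PHPSESSID (PHP's default), the host mail.example.org and the trace contents are assumptions constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

SESSION_COOKIE = "PHPSESSID"  # assumption: PHP's default session cookie name

# Constructed trace: (request URL, Cookie request header, Set-Cookie response headers)
MIXED = [
    ("https://mail.example.org/login.php", "", ["PHPSESSID=abc123; path=/"]),
    ("http://mail.example.org/mailbox.php", "PHPSESSID=abc123", []),
    ("https://mail.example.org/compose.php", "PHPSESSID=abc123", []),
]
# Constructed trace for a site that runs everything over HTTPS.
ALL_HTTPS = [
    ("https://mail.example.org/login.php", "",
     ["PHPSESSID=abc123; path=/; Secure; HttpOnly"]),
    ("https://mail.example.org/mailbox.php", "PHPSESSID=abc123", []),
]

def audit(trace, name=SESSION_COOKIE):
    """Return (url, problem) pairs where the session id can be read off the wire."""
    findings = []
    for url, cookie_hdr, set_cookies in trace:
        # Response side: without Secure the browser will also attach the
        # cookie to any later http:// request to the same host.
        for raw in set_cookies:
            issued = SimpleCookie()
            issued.load(raw)
            if name in issued and not issued[name]["secure"]:
                findings.append((url, "session cookie set without Secure"))
        # Request side: the session id actually travelled unencrypted.
        sent = SimpleCookie()
        sent.load(cookie_hdr)
        if urlsplit(url).scheme == "http" and name in sent:
            findings.append((url, "session id sent in cleartext"))
    return findings

if __name__ == "__main__":
    for label, trace in (("mixed", MIXED), ("all-https", ALL_HTTPS)):
        print(label, audit(trace))
```
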