[imp] Windows XP caches login credentials.

Alexander Skwar ASkwar@email-server.info
Mon, 22 Jul 2002 08:59:45 +0200


Thus spoke Eric Rostetter on 2002-07-21 at 19:42:54 -0500:
> If not, then I would really question the bank's commitment to security.
> I would expect that my bank, stock broker, etc. would have turned this
> off.  But then, I've seen how bad the security is on many stock broker sites
> so I guess I wouldn't be surprised there...

You may question their commitment, but only one of the 5 major banks
here in Germany has this setting turned off.  The banks which have not
turned it off include Deutsche Bank, Postbank, Sparkasse and
Commerzbank.  I doubt that they are all not security aware.  I'd rather
think that they don't see it as a security risk - but of course I don't
know why they do or don't do things.

> don't exist in IMP.  Should we implement these security flaws just because 2
> major web mail sites have them?

No, of course not.

> I agree with that, but I seriously doubt most of those users will receive

Well, then that's bad.  If you use any other complicated tool (and a
computer is a seriously complicated tool) you WILL get training or at
least you WILL read the documentation.  If you don't and then break
things - well, too bad.

But I see your point.  And that's why I agree that there might/should
be a warning that saving passwords might be a security risk.

> That's a valid opinion.  I take the opposite.

Agreed ;)

> security was better than most, and sometimes specifically to replace other
> existing web mail systems which had less security.

The reason I take the opposite, is that I don't see it as security risk
where Horde/IMP should take action.  I mean, after all it's just a
"silly" web mail application.  Compared to banking sites, nothing
important.

And further - do you also want to force usage of https?  After all, if the
password is transmitted in the clear via http, it's also a security
risk.  And that's one risk that can only be "cured" on the server side -
whereas this risk that we're now talking about can only be (safely)
cured on the client side, by either not saving the password or by using
a browser which doesn't support this (like Opera, Konqueror, Netscape 4,
links).

Alexander Skwar
-- 
How to quote:	http://learn.to/quote (german) http://quote.6x.to (english)
Homepage:	http://www.iso-top.biz     |    Jabber: askwar@a-message.de
   iso-top.biz - The inexpensive way to get Linux distributions
                       Uptime: 5 days 12 hours 12 minutes
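The two server-side measures argued over in this message, forcing https and asking the browser not to save the password, shown side by side as an added example. This is not Horde/IMP code and not part of the original post; the page name `login.php`, the field names `imapuser` and `pass`, and the function names are assumptions made for illustration.

```php
<?php
// Added example, not Horde/IMP code. Assumes a hypothetical login page
// "login.php" with fields "imapuser" and "pass".

// 1. Force HTTPS. If the request arrived over plain HTTP, redirect to the
//    same URL over HTTPS before the login form (and thus the password) is
//    ever sent. This is the risk that only the server can remove.
function httpsRedirectTarget(array $server): ?string
{
    $isHttps = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    if ($isHttps) {
        return null;   // already encrypted, nothing to do
    }
    return 'https://' . $server['HTTP_HOST'] . $server['REQUEST_URI'];
}

// 2. Ask the browser not to offer to remember the password, and warn the
//    user. autocomplete="off" is only a hint to the client; a browser may
//    ignore it, which is why the risk can only be "cured" on the client side.
function loginForm(bool $discourageSaving): string
{
    $attr = $discourageSaving ? ' autocomplete="off"' : '';
    $warning = $discourageSaving
        ? '  <p>Do not let your browser save this password on a shared machine.</p>' . "\n"
        : '';
    return '<form method="post" action="login.php"' . $attr . '>' . "\n"
         . $warning
         . '  <input type="text" name="imapuser">' . "\n"
         . '  <input type="password" name="pass"' . $attr . '>' . "\n"
         . '  <input type="submit" value="Log in">' . "\n"
         . '</form>';
}

// Weak setting: $discourageSaving = false emits the form without the hint.
// Corrected setting: $discourageSaving = true adds the hint and the warning.
$target = httpsRedirectTarget($_SERVER);
if ($target !== null) {
    header('Location: ' . $target, true, 302);
    exit;
}
echo loginForm(true);
```

Two caveats a practitioner would want. `HTTP_HOST` comes from the client's Host header, so a production redirect should use the server's configured host name rather than echoing that value back. And modern browsers largely ignore `autocomplete="off"` on login and password fields, which bears out the point made in the message: whether a password is saved is decided on the client, not by the web mail application.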