[imp] Windows XP caches login credentials.
Alexander Skwar
ASkwar@email-server.info
Mon, 22 Jul 2002 08:59:45 +0200
Thus spoke Eric Rostetter on 2002-07-21 at 19:42:54 -0500:
> If not, then I would really question the bank's commitment to security.
> I would expect that my bank, stock broker, etc. would have turned this
> off. But then, I've seen how bad the security is on many stock broker sites
> so I guess I wouldn't be surprised there...
You may question their commitment, but only one of the 5 major banks
here in Germany has this setting turned off. The banks which have not
turned it off include Deutsche Bank, Postbank, Sparkasse and
Commerzbank. I doubt that they are all not security aware. I'd rather
think that they don't see it as a security risk - but of course I don't
know why they do or don't do things.
> don't exist in IMP. Should we implement these security flaws just because 2
> major web mail sites have them?
No, of course not.
> I agree with that, but I seriously doubt most of those users will receive
Well, then that's bad. If you use any other complicated tool (and a
computer is a seriously complicated tool) you WILL get training or at
least you WILL read the documentation. If you don't and then break
things - well, too bad.
But I see your point. And that's why I agree that there might/should
be a warning that saving passwords might be a security risk.
> That's a valid opinion. I take the opposite.
Agreed ;)
> security was better than most, and sometimes specifically to replace other
> existing web mail systems which had less security.
The reason I take the opposite is that I don't see it as a security risk
where Horde/IMP should take action. I mean, after all it's just a
"silly" web mail application. Compared to banking sites, nothing
important.
And further - do you also want to force usage of https? After all, if the
password is transmitted in the clear via http, it's also a security
risk. And that's one risk that can only be "cured" on the server side -
whereas this risk that we're now talking about can only be (safely)
cured on the client side, by either not saving the password or by using
a browser which doesn't support this (like Opera, Konqueror, Netscape 4,
links).
Alexander Skwar
--
How to quote: http://learn.to/quote (German) http://quote.6x.to (English)
Homepage: http://www.iso-top.biz | Jabber: askwar@a-message.de
iso-top.biz - The inexpensive way to get Linux distributions
Uptime: 5 days 12 hours 12 minutes