[imp] Windows XP caches login credentials.

Jan Schneider jan@horde.org
Mon, 22 Jul 2002 10:00:40 +0200


Quoting Alexander Skwar <ASkwar@email-server.info>:

> Thus spoke Eric Rostetter on 2002-07-21 at 19:42:54 -0500:
> > If not, then I would really question the bank's commitment to security.
> > I would expect that my bank, stock broker, etc. would have turned this
> > off.  But then, I've seen how bad the security is on many stock broker
> > sites so I guess I wouldn't be surprised there...
> 
> You may question their commitment, but only one of the 5 major banks
> here in Germany has this setting turned off.  The banks which have not
> turned it off include Deutsche Bank, Postbank, Sparkasse and
> Commerzbank.  I doubt that they are all not security aware.  I'd rather
> think that they don't see it as a security risk - but of course I don't
> know why they do or don't do things.

I hope they use changing passwords, for example three randomly selected
digits out of a six-digit PIN, like Advance Bank does?!
 
> > I agree with that, but I seriously doubt most of those users will receive
> 
> Well, then that's bad.  If you use any other complicated tool (and a
> computer is a seriously complicated tool) you WILL get training or at
> least you WILL read the documentation.  If you don't and then break
> things - well, too bad.

But unfortunately we don't live in an ideal world.
 
> > security was better than most, and sometimes specifically to replace other
> > existing web mail systems which had less security.
> 
> The reason I take the opposite, is that I don't see it as security risk
> where Horde/IMP should take action.  I mean, after all it's just a
> "silly" web mail application.  Compared to banking sites, nothing
> important.

Considering that you might use IMP for business purposes while you're
traveling, it is.
 
> And further - do you also want to force usage of https?  After all, if the
> password is transmitted in the clear via http, it's also a security
> risk.  And that's one risk that can only be "cured" on the server side -
> whereas this risk that we're now talking about can only be (safely)
> cured on the client side, by either not saving the password or by using
> a browser which doesn't support this (like Opera, Konqueror, Netscape 4,
> links).

Of course we don't force the use of https. It's the administrator's choice.
And it should be the administrator's choice if we implemented this
configuration option. Of course we can't cure the (browser) world of security
risks, but we can help admins to make their site more secure. They have to
deal with their customers whose mail accounts have been napped, and they
should decide between security and comfort, just as they now can take away
certain preferences or other nice-to-haves for their site's policies.

Jan.

--
http://www.horde.org - The Horde Project
http://www.ammma.de - discover your knowledge
http://www.tip4all.de - Your private tipping community
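The partial-PIN scheme Jan mentions above (three randomly chosen digits out of a six-digit PIN) is worth seeing as code, because it shows why a browser-cached answer is of limited use: the cached value only matches the positions the server happened to ask for that time. The following is an added example written for this page, not Horde/IMP code and not Advance Bank's actual procedure, whose details the thread does not give. It assumes a six-digit numeric PIN held by the server in recoverable form, 1-based positions reported to the user in ascending order, and a constructed sample PIN.

```python
"""Partial-PIN challenge/response: the server asks for k of n PIN digits.

Constructed example, not Horde/IMP code.  Assumed: the PIN is a 6-digit
string the server can read back, positions are 1-based and ascending.
"""
import hmac
import secrets
from itertools import combinations

PIN_LENGTH = 6          # assumed: six-digit PIN
CHALLENGE_SIZE = 3      # assumed: three digits asked per login


def make_challenge(pin_length=PIN_LENGTH, k=CHALLENGE_SIZE):
    """Pick k distinct PIN positions (1-based) with a CSPRNG, ascending."""
    rng = secrets.SystemRandom()
    return sorted(rng.sample(range(1, pin_length + 1), k))


def expected_response(pin, positions):
    """Digits of `pin` at the 1-based `positions`, concatenated in order."""
    return "".join(pin[p - 1] for p in positions)


def verify_response(stored_pin, positions, response):
    """Check a user's answer to `positions` against the stored PIN.

    Rejects malformed challenges/answers before comparing, so that
    compare_digest only ever sees two ASCII digit strings of equal length;
    the digit comparison itself is constant-time.
    """
    if not (response.isascii() and response.isdigit()):
        return False
    if len(response) != len(positions):
        return False
    if len(set(positions)) != len(positions):          # no repeated position
        return False
    if any(not 1 <= p <= len(stored_pin) for p in positions):
        return False
    return hmac.compare_digest(expected_response(stored_pin, positions), response)


def challenges_accepting(pin, response, k=CHALLENGE_SIZE):
    """All position sets for which a cached or replayed `response` passes.

    This is what a browser-cached answer buys an attacker: the fresh
    challenge must be one of these sets for the old answer to work.
    """
    hits = []
    for positions in combinations(range(1, len(pin) + 1), k):
        if verify_response(pin, list(positions), response):
            hits.append(list(positions))
    return hits


def replay_success_rate(pin, response, k=CHALLENGE_SIZE):
    """Fraction of all possible challenges that a fixed replayed answer satisfies."""
    total = sum(1 for _ in combinations(range(1, len(pin) + 1), k))
    return len(challenges_accepting(pin, response, k)) / total


if __name__ == "__main__":
    pin = "493817"                               # constructed sample PIN
    challenge = [1, 3, 5]
    answer = expected_response(pin, challenge)   # "431"
    print(challenge, answer, verify_response(pin, challenge, answer))
    print(verify_response(pin, [2, 4, 6], answer))   # cached answer, new challenge
    print(replay_success_rate(pin, answer))          # 1 of 20 challenges
```

Two caveats a practitioner would add: the server has to keep the PIN in recoverable form (or a hash per position subset) rather than as a single salted hash, and a three-digit answer leaves only 1000 guesses per challenge, so the scheme does nothing without rate limiting. It also degrades with repeated digits; `challenges_accepting` on a PIN like "111111" returns every subset.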