[imp] Windows XP caches login credentials.

Stephen Samuel samuel@bcgreen.com
Mon, 22 Jul 2002 08:22:44 -0700


Jan Schneider wrote:
> Quoting Alexander Skwar <ASkwar@email-server.info>:

> Of course we don't force the use of https. It's the administrator's choice.
> And it should be the administrator's choice if we'd implement this
> configuration. Of course we can't cure the (browser) world from security

That having been said, do the IMP installation docs STRONGLY suggest
to the installer that they put things onto an HTTPS site? (A pointer
to docs on how to enable HTTPS on Apache might be a good idea too.)

I'm guessing that some people just don't stop to think about it
long enough to realize that sending email passwords (which sometimes
are also login passwords) over clear channels might be an unacceptable
security risk.

It's sometimes easy to try and justify it by saying that "If the
email's not encrypted, then the same people who can read your
passwords have had access to your email on the way in". That is,
however, not always true. Internal emails are often (usually?)
composed entirely within a company's intranet, and sometimes
even done directly on the email server. This means that
transmission to the final recipient might actually be the
only time that data sees hostile fibre.

It should also be considered that sometimes people
read remote email in fully or semi-hostile environments
that the 'enemy' may fully control. Incoming email
often goes over relatively random paths. The closer it
gets to your email server, the more control you're likely
to have over the security of the data (unless the instant
'enemy' is also your ISP, or their provider).

It's relatively common that someone uses a 'guest' connection
to grab/send email while at the site of a customer, partner
or even competitor. It's not that hard to configure a
Cisco switch to put one port in 'diagnostic' mode -- or add
a hub (as opposed to a switch) at an opportune location.

These are not the kinds of things that users (or even administrators)
generally think about when they use webmail. It is, however,
a threat that people should be aware of when setting up
and administering a mail server and *especially* a webmail server.
-- 
Stephen Samuel +1(604)736-2266                samuel@bcgreen.com
		   http://www.bcgreen.com/~samuel/
Powerful committed communication, reaching through fear, uncertainty and
doubt to touch the jewel within each person and bring it to life.
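As an added illustration of the HTTPS-only deployment the post argues for (not part of the original message, and not IMP's or Horde's own documentation), here is an Apache configuration that serves the webmail login only over TLS. The hostname, the `/var/www/horde` document root and the certificate paths are assumed; mod_ssl and mod_headers must be loaded and `Listen 443` present in the server's ssl module config.

```apache
# Weak setting: the webmail application is reachable over plain HTTP,
# so the login form and the POSTed mail password cross the wire in
# cleartext. Kept here, commented out, only to show what the corrected
# blocks below replace.
#
# <VirtualHost *:80>
#     ServerName   webmail.example.com
#     DocumentRoot /var/www/horde
# </VirtualHost>

# Corrected: port 80 only redirects; no application content is served
# from it, so a user who types the plain http:// URL never sees a form.
<VirtualHost *:80>
    ServerName webmail.example.com
    # 301 to the TLS site; Redirect appends the requested path.
    Redirect permanent / https://webmail.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName   webmail.example.com
    DocumentRoot /var/www/horde
    SSLEngine on
    # Assumed certificate and key locations.
    SSLCertificateFile    /etc/ssl/certs/webmail.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/webmail.example.com.key
    # Ask browsers to use HTTPS for this host on later visits as well,
    # so a captive-portal or hostile-LAN downgrade to http:// is refused.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

To check the result from a client, `curl -sI http://webmail.example.com/` should return a 301 whose `Location:` header points at the https:// URL, and the login form itself should only ever load from port 443.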