[imp] Windows XP caches login credentials.
Oliver Schulze L.
oliver at samera.com.py
Mon Feb 17 13:48:35 PST 2003
Hi all,

sorry about being too late on the subject, but these are my points:

- Horde should force (yes, force) a security policy on its users. This
  statement refers only to this issue. Keep reading ...
- Autocomplete is interpreted by IE 5+ and Mozilla 1+
- IE has in most cases 95% market share, in worst cases 60%
- IE and Mozilla default behavior is to save *all* user/password
  when visiting Horde. And both browsers make it easy for another user
  to log in as another user using the same computer. IE shows you a
  dropdown list of users, Mozilla shows you a pop-up window. You just
  have to choose which user you want to log in as.
- Yahoo Mail and other sensitive sites (like banks) have security as a
  top priority and they use the autocomplete feature. Hotmail does not use
  the autocomplete feature but has a radio button to select if you are
  using a public computer.
- Of all the users that replied to this topic, more than 50% want the
  autocomplete option enabled or at least as a configurable option.
- Having the autocomplete feature enabled (or as an option) makes Horde
  more secure out of the box. If you are a plain user, Horde takes care
  of the security for you. If you are a power user, you can make an XHTML
  compliant page and disable the autocomplete feature.
- Horde can still include this option in IMP 3.2 and make more than 50% of
  its users happy. :-)

I don't want to start another long discussion. But I think this issue is
crucial, because Horde is meant to be a Public Mail Client (as I see it),
but is not secure enough at the login page. (Maybe the most sensitive page
regarding security.)

So, I vote for the autocomplete option to be enabled by default and to
be a configurable option. If that cannot happen, I vote to make it a
configurable option.

I posted a 2 line patch for resolving this issue in IMP as an example of
how easy it is to configure it.

Regards
Oliver

Jon Parise wrote:
>On Fri, Jul 19, 2002 at 08:13:46AM -0400, Joseph Brennan wrote:
>
>>>>Alright - anyone have any problems adding this to the various Horde login
>>>>forms?
>>
>>That should definitely be the default. Autocomplete is very bad. Many
>>PCs are not single-user and autocompletion could be a nasty surprise to
>>some people.
>
>I disagree on the grounds that this is a client-side issue. If the
>behavior was not configurable then I could see an argument for us
>doing something to help the situation, but this is trivial to disable
>in the browser. Users should handle this one on their own.
>
>Besides, some users may want to use this feature. We have no place in
>dictating its use.
>
>>Possibly configurable per imp installation, but with a warning.
>
>I think this would add unnecessary configuration overhead.

--
Oliver Schulze L.
<oliver at samera.com.py>
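
As an added example (not part of the thread and not Horde/IMP code), a small audit for the control discussed above: it parses login-page HTML and reports, for each password field, whether autocomplete is switched off on the field or on its form. The sample markup and all form and field names are constructed.

```python
from html.parser import HTMLParser

# Constructed sample: hypothetical login forms (all names are made up).
SAMPLE = """
<form name="login_default" action="/login" method="post">
  <input type="password" name="pass">
</form>
<form name="login_form_off" action="/login" method="post" autocomplete="off">
  <input type="password" name="pass">
</form>
<form name="login_field_off" action="/login" method="post">
  <input type="PASSWORD" name="pass" AUTOCOMPLETE="Off" />
</form>
<form name="login_field_on" action="/login" method="post" autocomplete="off">
  <input type="password" name="pass" autocomplete="on">
</form>
"""

class LoginFormAudit(HTMLParser):
    """Record each password input and whether autocomplete is off for it."""
    def __init__(self):
        super().__init__()
        self.form = None      # attributes of the enclosing <form>, if any
        self.findings = []    # (form name, field name, autocomplete_off)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form = attrs
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            form = self.form or {}
            # Field attribute overrides the form's; unset = browser default.
            value = attrs.get("autocomplete") or form.get("autocomplete") or ""
            self.findings.append((form.get("name") or "(no form)",
                                  attrs.get("name") or "(unnamed)",
                                  value.strip().lower() == "off"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form = None

def audit_login_forms(html):
    parser = LoginFormAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    print(*audit_login_forms(SAMPLE), sep="\n")
```

Current browsers' password managers commonly ignore autocomplete="off" on password fields, so a passing result shows that the attribute is present, not that credentials cannot be saved.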