[imp] HTTPS login -> HTTP
Issac Goldstand
margol at beamartyr.net
Wed Jan 14 14:42:35 PST 2004
> Anyway, ALL the mail, sent and received, can be read if you're not using SSL for
> all of Horde and its modules. Not to mention contact information, schedules,
> etc, etc. Anyway, it is in your best interest to Secure All of your users'
> data, and NOT just their username and password. The uname/pass encrypted
> protects you, sure; but encrypting the whole thing protects THEM as well, and
> that's your job as an admin. The CPU cycles you burn doing crypto are
> negligible for a session and if they're not, well, you should be upgrading.

I respectfully beg to differ. My job as a SysAdmin is to provide my client
with what he wants, while protecting my networks. Generally the sysadmin is
not the decision-maker. If the client (or other decision-maker) wants
webmail.hisdomain.com, and he does NOT want to pay $150/yr or more to get an
SSL cert rolled, and he does NOT want to get security popups from my
home-rolled certs, then I have no choice but to give him what he wants:
unsecured webmail. The least I can do is protect myself by securing his
login!

As for wireless networks and packet sniffing - either encrypt your wireless
network or suffer the consequences - not every program is built to work over
SSL.

Furthermore, I think the question is very on-topic, unless you have a way to
provide a single secure login solution for Horde. I've seen 2 requests for
it in the past month, and more previously, and I've yet to see a good
solution.

Issac