[imp] HTTPS login -> HTTP

Dag Nygren dag at newtech.fi
Wed Jan 14 22:50:49 PST 2004


> > Anyway, ALL the mail, sent and received, can be read if you're not using
> > SSL for all of Horde and its modules.  Not to mention contact information,
> > schedules, etc, etc.  Anyway, it is in your best interest to Secure All of
> > your user's data, and NOT just their username and password.  The uname/pass
> > encrypted protects you, sure ; but encrypting the whole thing protects THEM
> > as well, and that's your job as an admin.  The CPU cycles you burn doing
> > crypto is negligible for a session and if it's not, well, you should be
> > upgrading.
> 
> I respectfully beg to differ.  My job as a SysAdmin is to provide my client
> with what he wants, while protecting my networks.  Generally the sysadmin is
> not the decision-maker.  If the client (or other decision-maker) wants
> webmail.hisdomain.com, and he does NOT want to pay $150/yr or more to get an
> SSL cert rolled, and he does NOT want to get security popups from my
> home-rolled certs, then I have no choice but to give him what he wants:
> unsecured webmail.  The least I can do is protect myself by securing his
> login!

As long as he realizes what he gets....

> As for wireless networks and packet sniffing - either encrypt your wireless
> network or suffer the consequences - not every program is built to work over
> SSL.

I think the only decent way to do this is to use https all the way. Remember
that the web mail can be contacted from everywhere, not just through a 
wireless network. On the way it will pass numerous routers where it can be 
sniffed.

I have solved the IMP-problem with some rewrite-rules in Apache. Like this:

RewriteEngine On
# Only redirect requests that arrived over plain HTTP. Without this
# condition the same rule, if it were also active in the SSL virtual
# host, would send https clients round in a redirect loop.
RewriteCond %{HTTPS} off
# A RewriteRule pattern is matched against the URL path only, never
# against a full "http://host/..." URL, so one path-based rule covers
# every request for /webmail and everything below it.
RewriteRule ^/webmail(.*)$ https://www.newtech.fi/webmail$1 [R,L]

This will force the forgetful user onto an https connection and keep it like
this.

We don't have an SSL certificate, but are using a self-certified version.
The pop-ups are a small problem here.

BRGDS

-- 
Dag Nygren                               email: dag at newtech.fi
Oy Espoon NewTech Ab                     phone: +358 9 8024910
Träsktorpet 3                              fax: +358 9 8024916
02360 ESBO                              Mobile: +358 400 426312
FINLAND
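The mail above relies on a rewrite that sends every /webmail request to https and on the session then staying there. The following Python script is an added example, not part of the original mail or of Horde/IMP: it models the decision a "RewriteCond %{HTTPS} off" plus "RewriteRule ^/webmail(.*)$ ..." pair makes (including the loop that a missing condition would cause), checks captured redirect responses for the mistakes that leave the session on plain HTTP (no scheme upgrade, dropped path or query), and checks whether a session cookie carries the Secure attribute so it never goes back out unencrypted. The host name, responses and cookie values are constructed sample data.

```python
"""Validate that an HTTP -> HTTPS redirect for a webmail path is complete.

Added example, not taken from the mailing-list post or from Horde. The host
name, HTTP responses and cookie strings below are constructed test data.
"""
from urllib.parse import urlsplit

WEBMAIL_PREFIX = "/webmail"
REDIRECT_CODES = {301, 302, 303, 307, 308}
HOST = "www.example.invalid"  # constructed stand-in for the poster's host


def rewrite_target(scheme, host, path, query=""):
    """Return the Location a correct rule set sends, or None for no redirect.

    The scheme test is what keeps the rule from looping: a path-only rule
    that also ran in the SSL virtual host would redirect https to https
    forever. mod_rewrite re-appends the original query string on an [R]
    redirect, so it is preserved here as well.
    """
    if scheme == "https" or not path.startswith(WEBMAIL_PREFIX):
        return None
    target = f"https://{host}{path}"
    return f"{target}?{query}" if query else target


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, {lower-case name: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def redirect_problems(raw, host, path, query=""):
    """List what is wrong with a redirect response; an empty list means OK."""
    status, headers = parse_response(raw)
    problems = []
    if status not in REDIRECT_CODES:
        problems.append(f"status {status} is not a redirect")
        return problems
    location = headers.get("location")
    if not location:
        problems.append("redirect without Location header")
        return problems
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append("Location does not upgrade to https")
    if target.netloc != host:
        problems.append(f"Location points at {target.netloc!r}, not {host!r}")
    if target.path != path:
        problems.append(f"path {path!r} not preserved (got {target.path!r})")
    if target.query != query:
        problems.append("query string not preserved")
    return problems


def session_cookie_stays_on_https(set_cookie):
    """True if a Set-Cookie value carries the Secure attribute.

    Without it the browser would send the session cookie over plain HTTP
    the next time the user types the http:// address, before the redirect
    has a chance to run.
    """
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return "secure" in attrs


# Constructed sample responses: one correct redirect and two faulty ones.
GOOD = (b"HTTP/1.1 302 Found\r\n"
        b"Location: https://www.example.invalid/webmail/login.php?new_lang=en\r\n"
        b"Content-Length: 0\r\n\r\n")
NO_UPGRADE = (b"HTTP/1.1 302 Found\r\n"
              b"Location: http://www.example.invalid/webmail/login.php\r\n\r\n")
DROPS_PATH = (b"HTTP/1.1 301 Moved Permanently\r\n"
              b"Location: https://www.example.invalid/\r\n\r\n")

if __name__ == "__main__":
    print(rewrite_target("http", HOST, "/webmail/login.php"))
    for name, raw in (("good", GOOD), ("no_upgrade", NO_UPGRADE),
                      ("drops_path", DROPS_PATH)):
        print(name, redirect_problems(raw, HOST, "/webmail/login.php",
                                      "new_lang=en" if name == "good" else ""))
    print(session_cookie_stays_on_https("Horde=abc; path=/; secure; HttpOnly"))
```

Run against real traffic by pasting a captured response into `redirect_problems`; the three constructed responses show the cases that matter: a correct upgrade, a redirect that stays on http, and one that sends the user to the site root and loses the page they asked for.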




More information about the imp mailing list