Jim Pingle lists at pingle.org
Fri Dec 29 23:41:35 CET 2006

Paul Waring wrote:
> Michael Phillips wrote:
>> I would like to add some functionality to roundcube.
>> 1. The ability to check a box to automatically sign in next time or to
>> just save the login.  The information would be stored in a cookie that
>> expired in like 30 years, if people on the development team think it's
>> ok to store the password it would be done in a hash obviously but
>> everyone's imap/pop client would have to support the hash then.
> I think that this would be a useful option to have as well - Thunderbird
> can remember my IMAP username/password if I want it to and I would like
> to see the same functionality in Roundcube at some point. Plenty of
> sites already have this sort of feature, so I don't think it's too
> difficult to implement, though it may be necessary to save the IMAP
> username/password as plaintext in the database (or using two-way
> encryption) to support this.

I suppose you could generate a fairly random string and encrypt the password
stored in the database against it, and store the string itself in a cookie
on their PC. Not perfect, but better than plaintext or two-way encryption
with a static key.

>> 3. GnuPG support, I would like to add the ability to sign or encrypt
>> messages.  A user could paste their private key into a form that then
>> saved it on the server in sql.  There is probably a huge security
>> issue with saving private keys on a server.  I don't know of a php
>> API, I would most likely use exec();
> I don't bother encrypting email myself, but I can see this being a
> useful feature to have for people who do use GPG. I'm not sure how you'd
> handle the security implications of storing private keys in the database
> though.

If the key was encrypted with a sufficiently secure passphrase, it wouldn't
be as much of a security risk as storing the key unencrypted. Of course if
people have a weak passphrase, there's not much you can do to help them.

Even if you don't encrypt messages, gnupg can be useful for checking
signatures to be sure that messages are authentic.
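An added illustration of the cookie-key scheme Jim sketches above (example code, not Roundcube's own): the random string lives only in the browser cookie, while the database keeps a ciphertext plus a tag that are useless without it. HMAC-SHA256 in counter mode stands in for a production AEAD such as AES-GCM; the function names and the sample password are assumptions.

```python
import hmac
import hashlib
import secrets

# Constructed example, not Roundcube code. The server row holds only
# salt + ciphertext + tag; the 32-byte token goes to the browser cookie
# and is never written to the database, so a DB dump alone recovers nothing.


def _derive(token: bytes, salt: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys, both bound to the per-row salt.
    return hmac.new(token, salt + label, hashlib.sha256).digest()


def _keystream(key: bytes, n: int) -> bytes:
    # HMAC in counter mode as a PRF-based stream; stand-in for AES-GCM.
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def issue_cookie_token() -> bytes:
    # Fresh random key material for the long-lived "remember me" cookie.
    return secrets.token_bytes(32)


def seal_password(token: bytes, password: str) -> dict:
    """Build the record stored server-side: salt, ciphertext and MAC tag."""
    salt = secrets.token_bytes(16)
    pt = password.encode()
    ks = _keystream(_derive(token, salt, b"enc"), len(pt))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    tag = hmac.new(_derive(token, salt, b"mac"), salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}


def open_password(token: bytes, rec: dict):
    """Recover the IMAP password for login, or None if token/record mismatch."""
    tag = hmac.new(_derive(token, rec["salt"], b"mac"),
                   rec["salt"] + rec["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, rec["tag"]):
        return None  # wrong cookie, or a tampered database row
    ks = _keystream(_derive(token, rec["salt"], b"enc"), len(rec["ct"]))
    return bytes(a ^ b for a, b in zip(rec["ct"], ks)).decode()


if __name__ == "__main__":
    cookie = issue_cookie_token()          # set as a cookie on the client
    row = seal_password(cookie, "s3cret-imap")  # stored in the DB
    print(open_password(cookie, row))      # later visit: cookie + row -> password
```

Anyone holding both the cookie and the database row can still recover the password, which is the "not perfect" Jim acknowledges; the scheme only removes the single static server-side key.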
