[RCU] Login process encryption
Hugo van der Kooij
hvdkooij at vanderkooij.org
Wed Dec 8 16:17:10 CET 2010
On Wed, 8 Dec 2010 21:20:06 +0700, Minh Nguyen wrote:

> My RC uses the PLAIN mechanism for IMAP authentication, and it uses the
> default (non-SSL) IMAP port 143. While logging in, I captured the
> information with Wireshark and could see the username and password,
> wrapped in an HTTP POST.
>
> If I change to use SSL with IMAP,
>
>     $rcmail_config['default_host'] = 'ssl://mail.mysite.com';
>     $rcmail_config['default_port'] = 993;
>
> I still can capture my username/password. So I think the SSL
> authentication is just from RC to the IMAP server, not from my PC to
> the RC server.
>
> I know that if I'm using HTTPS, the information sent from my PC to the
> HTTP server will be encrypted. Is there any way to encrypt the login
> session from my PC to the RC server, except using HTTPS? I mean
> encryption supported inside the RC login page.
This is exactly why you should enforce HTTPS on your webserver for
roundcubemail and enforce IMAPS on your mailserver.

This is how things are designed, and why your webserver with
roundcubemail should be considered a critical component as far as
security is concerned.
Hugo.
--
hvdkooij at vanderkooij.org
http://hugo.vanderkooij.org/
PGP/GPG? Use:
http://hugo.vanderkooij.org/0x58F19981.asc
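The reply above separates two transport legs: browser to Roundcube (only
HTTPS protects it) and Roundcube to IMAP (ssl:// or tls:// in
default_host). As an added example, not code from Roundcube or from the
thread, the following Python script parses a 2010-era main.inc.php-style
config and reports which leg is still cleartext. default_host,
default_port and force_https are real Roundcube option names; the three
sample configs are constructed for this example, and the second one
reproduces the poster's change, which encrypts only the IMAP leg.

```python
"""Audit a Roundcube main.inc.php-style config for cleartext login legs.

Added example for this thread, not Roundcube's own code. The option names
(default_host, default_port, force_https) are real Roundcube options; the
sample configs at the bottom are constructed for illustration.
"""
import re

# One assignment per line, e.g.  $rcmail_config['default_port'] = 993;
_ASSIGN = re.compile(
    r"""\$rcmail_config\[\s*['"](?P<key>\w+)['"]\s*\]\s*=\s*(?P<val>.+?)\s*;\s*(//.*)?$"""
)


def _php_value(raw):
    """Convert the few PHP literal forms a Roundcube config uses."""
    raw = raw.strip()
    if raw.lower() in ('true', 'false'):
        return raw.lower() == 'true'
    if re.fullmatch(r'-?\d+', raw):
        return int(raw)
    m = re.fullmatch(r"""(['"])(.*)\1""", raw)
    if m:
        return m.group(2)
    m = re.fullmatch(r'array\((.*)\)', raw, re.S)
    if m:
        # Plain list of quoted strings; associative arrays are not modelled here.
        return [s[1:-1] for s in re.findall(r"""(['"][^'"]*['"])""", m.group(1))]
    return raw


def parse_rcmail_config(text):
    """Return a dict of option name -> value for the assignments found."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(('//', '#', '/*', '*')):
            continue  # comment or blank line
        m = _ASSIGN.match(line)
        if m:
            cfg[m.group('key')] = _php_value(m.group('val'))
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means both legs are encrypted."""
    findings = []
    hosts = cfg.get('default_host', 'localhost')
    if isinstance(hosts, str):
        hosts = [hosts]
    port = cfg.get('default_port', 143)
    for host in hosts:
        host = host or 'localhost'
        if host.startswith('ssl://'):
            # Implicit TLS (IMAPS) is normally served on 993, not on 143.
            if port != 993:
                findings.append(f"{host}: ssl:// (IMAPS) normally needs default_port 993, not {port}")
        elif host.startswith('tls://'):
            pass  # STARTTLS on port 143 is also an encrypted IMAP leg
        else:
            findings.append(f"{host}: Roundcube -> IMAP leg is cleartext; "
                            "use ssl:// (port 993) or tls:// (STARTTLS)")
    # force_https may be true or a port number in Roundcube; anything falsy means off.
    if not cfg.get('force_https', False):
        findings.append("force_https is off: the browser -> Roundcube login POST travels "
                        "in cleartext unless the webserver itself redirects to HTTPS")
    return findings


# Constructed sample configs (main.inc.php style), not from any real site.
WEAK_CONFIG = """
// both legs cleartext
$rcmail_config['default_host'] = 'mail.mysite.com';
$rcmail_config['default_port'] = 143;
$rcmail_config['force_https'] = false;
"""

HALF_CONFIG = """
// the poster's change: only the Roundcube -> IMAP leg is encrypted
$rcmail_config['default_host'] = 'ssl://mail.mysite.com';
$rcmail_config['default_port'] = 993;
$rcmail_config['force_https'] = false;
"""

FIXED_CONFIG = """
$rcmail_config['default_host'] = 'ssl://mail.mysite.com';
$rcmail_config['default_port'] = 993;
$rcmail_config['force_https'] = true;
"""

if __name__ == '__main__':
    for name, text in (('weak', WEAK_CONFIG), ('half', HALF_CONFIG), ('fixed', FIXED_CONFIG)):
        print(name, audit(parse_rcmail_config(text)) or ['OK'])
```

force_https only makes Roundcube redirect a plain-HTTP request to HTTPS;
treat it as a second line of defence behind the webserver redirect (or
simply not listening on port 80) that Hugo recommends. Either way the
PLAIN password is decrypted and re-sent by the Roundcube host itself,
which is exactly why that host is a critical component.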
List info: http://lists.roundcube.net/users/