Apparently a Firefox extension can do it somehow... Did someone reply with further info on that yet?
On Tue, 05 Dec 2006 00:42:23 +1100, Thomas -Balu- Walter list+roundcube-dev@b-a-l-u.de wrote:
On Sun, Dec 03, 2006 at 12:46:03AM +0100, Martin Schwartz wrote:
- The session is holding a onetime pad, which has exactly the length of the password. Sqmail gives a bit of an effort to yield an acceptable entropy for the onetime pad.
- The cookie is holding the password encrypted with the onetime pad.
This means, in order to yield the password one has to have access to the current session and the current cookie.
I like the idea, but what is wrong with storing the password in the session at all? An attacker would need to get access to the server to access it.
If he has this access he is also able to read the onetime pad and the cookie or am I missing something?
Balu
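
The split described in the quoted message (pad in the server-side session, padded password in the cookie), as an added example that is not part of this thread and is not Sqmail or RoundCube code. The function names `split_password` and `recover_password` are hypothetical, and drawing the pad from Python's `secrets` module is an assumption.

```python
import base64
import secrets


def split_password(password: str) -> tuple[bytes, str]:
    """Return (pad to keep in the server-side session, value to set as cookie)."""
    secret = password.encode("utf-8")
    # A fresh pad for every login, exactly as long as the password in bytes,
    # drawn from the OS CSPRNG. Reusing a pad for a second password would
    # expose the XOR of the two passwords to anyone holding both cookies.
    pad = secrets.token_bytes(len(secret))
    masked = bytes(s ^ p for s, p in zip(secret, pad))
    # Both halves have the password's length, so each one reveals that length.
    return pad, base64.urlsafe_b64encode(masked).decode("ascii")


def recover_password(pad: bytes, cookie_value: str) -> str:
    """Recombine session pad and cookie; ValueError if they do not fit together."""
    try:
        masked = base64.urlsafe_b64decode(cookie_value.encode("ascii"))
    except ValueError as exc:  # covers bad base64 and non-ASCII cookie text
        raise ValueError("malformed cookie") from exc
    if len(masked) != len(pad):
        raise ValueError("cookie does not belong to this session's pad")
    # An altered cookie of the right length decodes to garbage or fails here
    # with UnicodeDecodeError (a ValueError); XOR alone gives no integrity.
    return bytes(m ^ p for m, p in zip(masked, pad)).decode("utf-8")


if __name__ == "__main__":
    # Constructed sample value, not taken from the thread.
    session_pad, cookie = split_password("s3cr3t-pässword")
    print("session holds:", session_pad.hex())
    print("cookie holds: ", cookie)
    print("recombined:   ", recover_password(session_pad, cookie))
```

The session store alone or the cookie alone is uniformly random data of the password's length; only a party holding both halves for the same login recovers the password.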