Paul Waring wrote:
Michael Phillips wrote:
I would like to add some functionality to roundcube.
- The ability to check a box to automatically sign in next time or to just save the login. The information would be stored in a cookie that expired in like 30 years. If people on the development team think it's OK to store the password, it would be done in a hash obviously, but everyone's IMAP/POP client would have to support the hash then.
I think that this would be a useful option to have as well - Thunderbird can remember my IMAP username/password if I want it to and I would like to see the same functionality in Roundcube at some point. Plenty of sites already have this sort of feature, so I don't think it's too difficult to implement, though it may be necessary to save the IMAP username/password as plaintext in the database (or using two-way encryption) to support this.
I suppose you could generate a fairly random string and encrypt the password stored in the database against it, and store the string itself in a cookie on their PC. Not perfect, but better than plaintext or two-way encryption with a static key.
- GnuPG support: I would like to add the ability to sign or encrypt messages. A user could paste their private key into a form that then saved it on the server in SQL. There is probably a huge security issue with saving private keys on a server. I don't know of a PHP API; I would most likely use exec().
I don't bother encrypting email myself, but I can see this being a useful feature to have for people who do use GPG. I'm not sure how you'd handle the security implications of storing private keys in the database though.
If the key was encrypted with a sufficiently secure passphrase, it wouldn't be as much of a security risk as storing the key unencrypted. Of course if people have a weak passphrase, there's not much you can do to help them.
Even if you don't encrypt messages, GnuPG can be useful for checking signatures to be sure that messages are authentic.
Jim
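
The per-login random key suggested above for the saved IMAP password, sketched as an added example (not part of the original messages and not Roundcube code). The function names and the in-memory array standing in for the database are hypothetical, and libsodium's secretbox is the cipher chosen here; the thread does not name one.

```php
<?php
// Added example: stand-in for the database table (constructed, in-memory).
$db = [];

// Encrypt the IMAP password under a fresh random key. The server keeps only
// the ciphertext; the key leaves in the cookie value and is never stored.
function remember_login(array &$db, string $user, string $imapPassword): string
{
    $id    = bin2hex(random_bytes(16));                       // row selector
    $key   = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);  // the "random string"
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $db[$id] = [
        'user'  => $user,
        'nonce' => $nonce,
        'box'   => sodium_crypto_secretbox($imapPassword, $nonce, $key),
    ];
    // Cookie value; send it with the Secure and HttpOnly attributes set.
    return $id . ':' . base64_encode($key);
}

// Recover the credentials from a returning cookie, or null if the row is
// unknown, the key is malformed, or authentication of the ciphertext fails.
function restore_login(array $db, string $cookie): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($db[$parts[0]])) {
        return null;
    }
    $key = base64_decode($parts[1], true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        return null;
    }
    $row  = $db[$parts[0]];
    $pass = sodium_crypto_secretbox_open($row['box'], $row['nonce'], $key);
    return $pass === false ? null : ['user' => $row['user'], 'password' => $pass];
}

$cookie = remember_login($db, 'alice@example.org', 'constructed-imap-password');
// With the cookie, the password comes back for the IMAP login.
var_dump(restore_login($db, $cookie)['password'] === 'constructed-imap-password');
// A database dump alone holds no key: a guessed key fails authentication.
$id    = explode(':', $cookie)[0];
$guess = $id . ':' . base64_encode(random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES));
var_dump(restore_login($db, $guess));
```

Deleting the row on logout or password change invalidates the cookie, since the key in it then decrypts nothing.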