I would like to add some functionality to roundcube.
- The ability to check box to automatically sign in next time or to just save the login. The information would be stored in a cookie that expired in like 30 years, if people on the development team think it's ok to store the password it would be done in a hash obviously but everyone's imap/pop client would have to support the hash then.
- For visually impaired people, have a selector for font size that simply changes the css or a high contrast theme. I think it would also be neat to use flite (http://www.speech.cs.cmu.edu/flite/doc/index.html) for text to speech. There would be a link that could be enabled which when clicked would let them save the message as a wav file, then play it back in audio form. I already do this for captchas on my websites. I'm sure most visually impaired people already have software on their computer do this, but they are probably all Windows people. This could allow visually impaired people in Linux or other less supported OSs to get an audio version of their email. Some web applications sport a logo indicating compliance with http://www.section508.gov/.
- GnuPG support, I would like to add the ability to sign or encrypt messages. A user could paste their private key into a form that then saved it on the server in sql. There is probably a huge security issue with saving private keys on a server. I don't know of a PHP API, I would most likely use exec();
Please email me any comments, questions or concerns.
Michael Phillips
Item #3 sounds like a great idea! Not that the other ones aren't, just that 3 really sticks out to me.
On Fri, 29 Dec 2006 14:09:37 -0600, Michael Phillips mphill@mphill.org wrote:
I would like to add some functionality to roundcube.
- The ability to check box to automatically sign in next time or to just save the login. The information would be stored in a cookie that expired in like 30 years, if people on the development team think it's ok to store the password it would be done in a hash obviously but everyone's imap/pop client would have to support the hash then.
- For visually impaired people, have a selector for font size that simply changes the css or a high contrast theme. I think it would also be neat to use flite (http://www.speech.cs.cmu.edu/flite/doc/index.html) for text to speech. There would be a link that could be enabled which when clicked would let them save the message as a wav file, then play it back in audio form. I already do this for captchas on my websites. I'm sure most visually impaired people already have software on their computer do this, but they are probably all Windows people. This could allow visually impaired people in Linux or other less supported OSs to get an audio version of their email. Some web applications sport a logo indicating compliance with http://www.section508.gov/.
- GnuPG support, I would like to add the ability to sign or encrypt messages. A user could paste their private key into a form that then saved it on the server in sql. There is probably a huge security issue with saving private keys on a server. I don't know of a PHP API, I would most likely use exec();
Please email me any comments, questions or concerns.
Michael Phillips
Hi,
- GnuPG support, I would like to add the ability to sign or encrypt messages. A user could paste their private key into a form that then saved it on the server in sql. There is probably a huge security issue with saving private keys on a server. I don't know of a PHP API, I would most likely use exec();
Please email me any comments, questions or concerns.
I've looked at the PEAR PHP classes and did not find anything about GPG. But there's a webmail that is implementing this sort of thing: http://www.ilohamail.org/. They're using an exec()-like way to call the gpg binary. The problem is that on a lot of configurations, the PHP exec() call is disabled for security reasons.
Hi
There is an experimental extension for gnupg for PHP:
http://es2.php.net/manual/en/ref.gnupg.php http://pecl.php.net/package/gnupg
I don't know if it's a good idea to implement an experimental extension, but it would work on more installations instead of using exec()
On 12/29/06, Pierre Mauduit pierre.mauduit@gmail.com wrote:
Hi,
- GnuPG support, I would like to add the ability to sign or encrypt messages. A user could paste their private key into a form that then saved it on the server in sql. There is probably a huge security issue with saving private keys on a server. I don't know of a PHP API, I would most likely use exec();
Please email me any comments, questions or concerns.
I've looked at the PEAR PHP classes and did not find anything about GPG. But there's a webmail that is implementing this sort of thing: http://www.ilohamail.org/. They're using an exec()-like way to call the gpg binary. The problem is that on a lot of configurations, the PHP exec() call is disabled for security reasons.
Michael Phillips wrote:
I would like to add some functionality to roundcube.
- The ability to check box to automatically sign in next time or to just save the login. The information would be stored in a cookie that expired in like 30 years, if people on the development team think it's ok to store the password it would be done in a hash obviously but everyone's imap/pop client would have to support the hash then.
I think that this would be a useful option to have as well - Thunderbird can remember my IMAP username/password if I want it to and I would like to see the same functionality in Roundcube at some point. Plenty of sites already have this sort of feature, so I don't think it's too difficult to implement, though it may be necessary to save the IMAP username/password as plaintext in the database (or using two-way encryption) to support this.
- GnuPG support, I would like to add the ability to sign or encrypt messages. A user could paste their private key into a form that then saved it on the server in sql. There is probably a huge security issue with saving private keys on a server. I don't know of a PHP API, I would most likely use exec();
I don't bother encrypting email myself, but I can see this being a useful feature to have for people who do use GPG. I'm not sure how you'd handle the security implications of storing private keys in the database though.
Paul
Paul Waring wrote:
Michael Phillips wrote:
I would like to add some functionality to roundcube.
- The ability to check box to automatically sign in next time or to just save the login. The information would be stored in a cookie that expired in like 30 years, if people on the development team think it's ok to store the password it would be done in a hash obviously but everyone's imap/pop client would have to support the hash then.
I think that this would be a useful option to have as well - Thunderbird can remember my IMAP username/password if I want it to and I would like to see the same functionality in Roundcube at some point. Plenty of sites already have this sort of feature, so I don't think it's too difficult to implement, though it may be necessary to save the IMAP username/password as plaintext in the database (or using two-way encryption) to support this.
I suppose you could generate a fairly random string and encrypt the password stored in the database against it, and store the string itself in a cookie on their PC. Not perfect, but better than plaintext or two-way encryption with a static key.
- GnuPG support, I would like to add the ability to sign or encrypt messages. A user could paste their private key into a form that then saved it on the server in sql. There is probably a huge security issue with saving private keys on a server. I don't know of a PHP API, I would most likely use exec();
I don't bother encrypting email myself, but I can see this being a useful feature to have for people who do use GPG. I'm not sure how you'd handle the security implications of storing private keys in the database though.
If the key was encrypted with a sufficiently secure passphrase, it wouldn't be as much of a security risk as storing the key unencrypted. Of course if people have a weak passphrase, there's not much you can do to help them.
Even if you don't encrypt messages, gnupg can be useful for checking signatures to be sure that messages are authentic.
Jim
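Jim's suggestion above (a random string kept in the cookie, with the stored password encrypted against it), as an added example that is not part of the thread or of Roundcube's code. It assumes PHP with the sodium extension; the function names and the in-memory `$db` array are hypothetical.

```php
<?php
// Added example: the DB row holds only ciphertext, the cookie holds only the key.
// $db is an in-memory stand-in for a SQL table; all names are hypothetical.

function remember_login(array &$db, string $user, string $imapPass, int $ttl): string
{
    $selector = bin2hex(random_bytes(16));          // row id, not a secret
    $key      = sodium_crypto_secretbox_keygen();   // the "random string"; never stored
    $nonce    = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $db[$selector] = [
        'user'    => $user,
        'blob'    => $nonce . sodium_crypto_secretbox($imapPass, $nonce, $key),
        'expires' => time() + $ttl,
    ];
    // Send with setcookie(..., ['secure' => true, 'httponly' => true, ...]).
    return $selector . ':' . bin2hex($key);
}

function restore_login(array &$db, string $cookie): ?array
{
    if (!preg_match('/^([0-9a-f]{32}):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;                                // malformed cookie
    }
    $row = $db[$m[1]] ?? null;
    if ($row === null || $row['expires'] < time()) {
        unset($db[$m[1]]);                          // purge expired rows
        return null;
    }
    $nonce = substr($row['blob'], 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($row['blob'], SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, hex2bin($m[2]));
    if ($plain === false) {
        return null;                                // wrong key or modified row
    }
    return ['user' => $row['user'], 'password' => $plain];
}

// Constructed sample data.
$db = [];
$cookie = remember_login($db, 'alice@example.org', 'constructed-imap-pass', 14 * 86400);
var_dump(restore_login($db, $cookie));

// Same row, different key: authenticated decryption fails, so a copy of the
// database without the cookie does not yield the password.
$otherKey = substr($cookie, 0, 33) . bin2hex(sodium_crypto_secretbox_keygen());
var_dump(restore_login($db, $otherKey));
```

A stolen cookie still restores the login, so the cookie lifetime and the server-side expiry matter as much as the encryption.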
- GnuPG support, I would like to add the ability to sign or encrypt messages. A user could paste their private key into a form that then saved it on the server in sql. There is probably a huge security issue with saving private keys on a server. I don't know of a PHP API, I would most likely use exec();
Please email me any comments, questions or concerns.
Squirrelmail, another webmail client has a gpg plugin which provides encryption and signing. Maybe this could be used as a starting point?
http://www.squirrelmail.org/plugin_view.php?id=153
Regards, Roland
Michael Phillips wrote:
I would like to add some functionality to roundcube.
- The ability to check box to automatically sign in next time or to just save the login. The information would be stored in a cookie that expired in like 30 years, if people on the development team think it's ok to store the password it would be done in a hash obviously but everyone's imap/pop client would have to support the hash then.
There already was a discussion about it and it could be a nice feature. We already have a password encryption mechanism which could be used here.
- For visually impaired people, have a selector for font size that simply changes the css or a high contrast theme. I think it would also be neat to use flite (http://www.speech.cs.cmu.edu/flite/doc/index.html) for text to speech. There would be a link that could be enabled which when clicked would let them save the message as a wav file, then play it back in audio form. I already do this for captchas on my websites. I'm sure most visually impaired people already have software on their computer do this, but they are probably all Windows people. This could allow visually impaired people in Linux or other less supported OSs to get an audio version of their email. Some web applications sport a logo indicating compliance with http://www.section508.gov/.
It is very hard to create output for screen readers from within an AJAX application. To achieve this we have to make a non-js/non-ajax version of RoundCube first. After that we can start talking about this topic again. In general I suggest to use (or build) another web-based IMAP client that relies on simple and valid (X)HTML output. Same statement as for mobile clients.
- GnuPG support, I would like to add the ability to sign or encrypt messages. A user could paste their private key into a form that then saved it on the server in sql. There is probably a huge security issue with saving private keys on a server. I don't know of a PHP API, I would most likely use exec();
This is on the road map but not a recent task.
Please email me any comments, questions or concerns.
Michael Phillips
Regards, Thomas
Marco wrote:
Hi
There is an experimental extension for gnupg for PHP:
http://es2.php.net/manual/en/ref.gnupg.php http://pecl.php.net/package/gnupg
I don't know if it's a good idea to implement an experimental extension, but it would work on more installations instead of using exec()
There is also a JS only implementation of the GnuPG encryption scheme available at http://www.hanewin.net/encrypt/. I haven't played with it but if it really works it's a safe solution. The problems are performance and that attachments will not be encrypted.
ivan
Thomas Bruederli wrote:
- For visually impaired people, have a selector for font size that simply changes the css or a high contrast theme. I think it would also be neat to use flite (http://www.speech.cs.cmu.edu/flite/doc/index.html) for text to speech. There would be a link that could be enabled which when clicked would let them save the message as a wav file, then play it back in audio form. I already do this for captchas on my websites. I'm sure most visually impaired people already have software on their computer do this, but they are probably all Windows people. This could allow visually impaired people in Linux or other less supported OSs to get an audio version of their email. Some web applications sport a logo indicating compliance with http://www.section508.gov/.
It is very hard to create output for screen readers from within an AJAX application. To achieve this we have to make a non-js/non-ajax version of RoundCube first. After that we can start talking about this topic again. In general I suggest to use (or build) another web-based IMAP client that relies on simple and valid (X)HTML output. Same statement as for mobile clients.
I'm just a lurker on this list, but I think I can offer a valuable bit of advice on this topic.
I agree with your sentiment and your instinct on the technical approach. However, keep in mind that many universities (and corporations) are strictly bound by section 508, and that providing an alternate client is not a legal option (I think it has something to do with segregation and classes of service as a pathway to discrimination...) So, it's in your best interest to consider accessibility in your development if you want to get a large segment of universities to deploy RoundCube.
We (University of Wisconsin-Madison) are currently using Sun's Messenger Express webmail, which is one of the original AJAX applications (created years before the buzzword came about). It consists entirely of javascript talking to back-end C which communicate data back and forth in javascript data structures. The code violates most w3c standards and it's buggy with many browsers, but somehow Sun has maintained compliance with section 508 (as most screen readers, e.g. JAWS, today are compatible with javascript.)
I wouldn't be surprised if RoundCube already works with most screen readers. It could just be a matter of making a few tweaks here and there to make it fully compliant with section 508.
Jesse Thompson Division of Information Technology University of Wisconsin-Madison