On 12/27/2012 09:58 PM, Reindl Harald wrote:
how do you sell this to the average end user? especially in days where all f**ing browsers suppress protocol prefixes
It started out with 'smart' admins configuring their DNS zones so that foo.com was a cname for www.foo.com. It made it soo much easier... But it caused other problems so it got 'fixed' in the browsers.
We spent so much effort to create things like SRV RR. Whatever for, the browsers will solve all of our problems.
as said: prevent sending cookies unencrypted and redirect at the first connect to https and you are done
And I thank you for this information on how to do better than just a redirect.
On 28.12.2012 03:38, Benny Pedersen wrote:
Don't use http to a webmail host that also has the same hostname on https. Remove the http host in apache. Now the question is ? :-)
-------- Original message --------
From: Robert Moskowitz rgm@htt-consult.com
Date:
To: Roundcube Users mailing list users@lists.roundcube.net
Subject: Re: [RCU] invalid auth cookie
On 12/27/2012 06:40 PM, Reindl Harald wrote:
On 28.12.2012 00:24, Jan M. Dziewulski wrote:
On 27/12/2012 23:17, Robert Moskowitz wrote:
hmmm. Thinking (really!) I should change it back and try https:/.../webmail and see if it works. If it does, I need to add a force redirect to the roundcube.conf. Thinking more, this is reasonable as this is how my current squirrelmail works.
But shouldn't people be accessing it via https anyway? I mean without the need for a redirection? Adding a redirection increases security issues (for your site) so I personally would not be keen to do that
My little bit of testing gives the user a bad experience if they use http://fqdn/webmail. The ajax error is so cryptic. I suppose with some digging I can find a way to get it to say, "use https:// like you were instructed!" instead. Until I do, I tend toward a forced redirect to https.
As for security issues for my site? What, yet another DoS attack with TLS costs to any robot that hits on my webmail URL?
My expertise is in designing security protocols, not impact of force using them. ;)
it does not if it is done right
<Directory "roundcube-dir">
    php_admin_flag session.cookie_secure "1"
</Directory>
this makes sure that a client will NEVER send the session cookie unencrypted; if you get an external security audit and do not use this setting for https sites you will get warned by the auditor, and if not he did not do his job!
Perhaps I am implementing this wrong on my server. My roundcubemail.conf has
<Directory /usr/share/roundcubemail/>
    Order Deny,Allow
    Allow from all
</Directory>
Am I supposed to put your <Directory "roundcube-dir"> ... after this entry, or the php_admin_flag in the one I have?
What do you use for force_https and use_https?
Roundcube Users mailing list users@lists.roundcube.net http://lists.roundcube.net/mailman/listinfo/users
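The pieces discussed in this thread (Reindl's php_admin_flag for the session cookie, the http-to-https redirect Robert wants, and Benny's point that the http side should serve no Roundcube pages at all) fit together in one Apache 2.2-style vhost pair like the following. This is an added example written by the editor, not a config posted by anyone in the thread or shipped by Roundcube. It assumes the Fedora/EL layout from Robert's roundcubemail.conf (Roundcube in /usr/share/roundcubemail, published as /webmail), the hostname mail.example.com and the certificate paths under /etc/pki/tls; all three are placeholders to adjust.

```apache
# Added example, not from the thread. Hostname and paths are assumptions.

# Port 80: no Alias for /webmail here, so plain http never serves a
# Roundcube page (Benny's "remove the http host" in its mildest form),
# and every request is sent permanently to https at the first connect.
<VirtualHost *:80>
    ServerName mail.example.com
    Redirect permanent / https://mail.example.com/
</VirtualHost>

# Port 443: the only place Roundcube is reachable.
<VirtualHost *:443>
    ServerName mail.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/mail.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/mail.example.com.key

    Alias /webmail /usr/share/roundcubemail

    <Directory /usr/share/roundcubemail/>
        Order Deny,Allow
        Allow from all
        # Reindl's setting goes inside the <Directory> block that already
        # grants access, not in a second block: PHP marks the session
        # cookie Secure, so the browser never sends it over http even if
        # a user types http://mail.example.com/webmail by hand.
        php_admin_flag session.cookie_secure "1"
    </Directory>
</VirtualHost>
```

To check it, `curl -sI http://mail.example.com/webmail/` should return a 301 whose Location header starts with `https://`, and on an https response that sets the session cookie the `Set-Cookie:` header should end with a `secure` attribute. Roundcube's own `force_https` option, which Robert asks about, does a similar redirect from inside the application; the Apache redirect above fires before any PHP runs, which is why it also covers the cryptic ajax error Robert saw on the http URL.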