On 12/27/2012 09:58 PM, Reindl Harald wrote:
how do you sell this to the average enduser?
especially in days where all f**ing browsers suppress protocol-prefixes

It started out with 'smart' admins configuring their DNS zones so that foo.com was a cname for www.foo.com.  It made it soo much easier...  But it caused other problems so it got 'fixed' in the browsers.

We spent so much effort to create things like SRV RR.   Whatever for, the browsers will solve all of our problems.

as said: prevent sending cookies unencrypted and redirect on
the first connect to https and you are done

And I thank you for this information on how to do better than just a redirect.



On 28.12.2012 03:38, Benny Pedersen wrote:
Don't use http to a webmail host that also has the same hostname on https
Remove the http host in apache
Now the question is? :-)


-------- Original message --------
From: Robert Moskowitz <rgm@htt-consult.com>
Date:
To: Roundcube Users mailing list <users@lists.roundcube.net>
Subject: Re: [RCU] invalid auth cookie



On 12/27/2012 06:40 PM, Reindl Harald wrote:
On 28.12.2012 00:24, Jan M. Dziewulski wrote:
On 27/12/2012 23:17, Robert Moskowitz wrote:

hmmm. Thinking (really!) I should change it back and try
https:/.../webmail and see if it works. If it does, I need to add a
force redirect to the roundcube.conf. Thinking more, this is reasonable
as this is how my current squirrelmail works.
But shouldn't people be accessing it via https anyway? I mean without the need for a redirection? Adding a
redirection increases security issues (for your site) so I personally would not be keen to do that.
My little bit of testing gives the user a bad experience if they use
http://fqdn/webmail.  The ajax error is so cryptic.  I suppose with some
digging I can find a way to get it to say, "use https:// like you were
instructed!" instead.  Until I do, I tend toward a forced redirect to https.

As for security issues for my site?  What, yet another DoS attack with
TLS costs to any robo that hits on my webmail url?

My expertise is in designing security protocols, not impact of force
using them.  ;)

it does not if it is done right

<Directory "roundcube-dir">
  php_admin_flag session.cookie_secure "1"
</Directory>

this makes sure that a client will NEVER send the
session cookie unencrypted. If you get an external security
audit and do not use this setting for https sites you
will get warned by the auditor, and if not he did not do
his job!
Perhaps I am implementing this wrong on my server.  My
roundcubemail.conf has

<Directory /usr/share/roundcubemail/>
     Order Deny,Allow
     Allow from all
</Directory>

Am I supposed to put your <Directory "roundcube-dir"> ...
after this entry, or the php_admin_flag in the one I have?

What do you use for force_https and use_https?



_______________________________________________
Roundcube Users mailing list
users@lists.roundcube.net
http://lists.roundcube.net/mailman/listinfo/users
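An added check, not from this thread or from Roundcube, that audits the two controls Reindl describes: the http entry point must only answer with a redirect to https, and every Set-Cookie must carry the Secure flag, which is what session.cookie_secure=1 produces. The responses below are constructed samples; PHPSESSID is simply PHP's default session cookie name and mail.example.net a placeholder host.

```python
"""Audit raw HTTP responses from a webmail host for:
 1. http:// entry point answers only with a redirect to https://
 2. every Set-Cookie carries the Secure flag (session.cookie_secure=1)
All sample responses are constructed, not captured from a real server."""

REDIRECT_CODES = {301, 302, 307, 308}


def parse_response(raw):
    """Split a raw HTTP response into (status_code, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit(scheme, raw):
    """Return a list of findings for one response; an empty list passes."""
    status, headers = parse_response(raw)
    findings = []
    if scheme == "http":
        location = next((v for n, v in headers if n == "location"), "")
        if status not in REDIRECT_CODES or not location.lower().startswith("https://"):
            findings.append("http entry point does not redirect to https")
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = value.split(";")[0].split("=")[0]
        # attributes after the first ';' are flags such as path=/, Secure, HttpOnly
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie} lacks Secure flag")
    return findings


# Constructed sample: http vhost still serves the app and sets a non-Secure cookie
BAD_HTTP = ("HTTP/1.1 200 OK\r\n"
            "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly\r\n"
            "Content-Type: text/html\r\n\r\n<html>...")
# Constructed sample: http vhost only redirects; https vhost sets a Secure cookie
GOOD_HTTP = ("HTTP/1.1 301 Moved Permanently\r\n"
             "Location: https://mail.example.net/webmail\r\n\r\n")
GOOD_HTTPS = ("HTTP/1.1 200 OK\r\n"
              "Set-Cookie: PHPSESSID=abc123; path=/; secure; HttpOnly\r\n\r\n")

if __name__ == "__main__":
    for label, scheme, raw in [("bad http", "http", BAD_HTTP),
                               ("good http", "http", GOOD_HTTP),
                               ("good https", "https", GOOD_HTTPS)]:
        print(label, audit(scheme, raw) or "OK")
```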