Robert Moskowitz wrote on 28-12-2012 21:30:
It is an interesting question, should this behaviour be default? It seems that Roundcube works from a default non-secured scenario and expects those that want to secure it to know what to do.
it should be coded with security in mind no matter how stupid webmasters are :)
please note that I did not say idiots, oops I did now :)
I suspect you can open as many tickets as you choose, the developers will most likely NOT take a secure by default posture.
hmm, okay with me if both http and https are secure with the same php code, I don't think it should be a concern for end users to make sure it's safe to use, if this is insecure by default I ask users to use their apple hardware :)
We (the security area in the IETF) have worked on this for years to get basic default security into protocol and application design. It is tilting at windmills.
there are so many problems in security that all users drop it and run unsecure to get it simple, now tcpdump kids can use their logins in stolen passwords / logins, we could start using non ssl imap/pop3/submission as well to make it even better for all parts