On Wed, 8 Dec 2010 21:20:06 +0700, Minh Nguyen <minh281182@gmail.com> wrote:

My RC uses the PLAIN mechanism for IMAP authentication. And it uses the default (non-SSL) IMAP port 143.

While logging in, I captured the information with Wireshark, then I could see the username and password, wrapped in an HTTP POST.

If I change to use SSL with IMAP,

$rcmail_config['default_host'] = 'ssl://mail.mysite.com';
$rcmail_config['default_port'] = 993;

I can still capture my username/password. So I think the SSL authentication is just from RC to the IMAP server. Not from my PC to the RC server.

I know if I'm using HTTPS, the information sent from my PC to the HTTP server will be encrypted.

Is there any way to encrypt the login session from my PC to the RC server, except using HTTPS? I mean encryption supported inside the RC login page.

This is exactly why you should enforce HTTPS on your webserver for roundcubemail and enforce IMAPS on your mailserver.

This is how things are designed and why your webserver with roundcubemail should be considered a critical component as far as security is concerned.

Hugo.

-- 
hvdkooij@vanderkooij.org   http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
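A small config audit for the two separate legs Hugo points at (browser to Roundcube, Roundcube to IMAP), added here as an example and not code from the thread or from Roundcube itself. It assumes the standard $rcmail_config keys default_host, default_port and force_https from main.inc.php, and the sample config below is constructed from the settings quoted in the question.

```python
import re

# Constructed sample: the poster's IMAPS settings, with browser-side HTTPS enforcement left off.
SAMPLE_CONFIG = """
$rcmail_config['default_host'] = 'ssl://mail.mysite.com';
$rcmail_config['default_port'] = 993;
$rcmail_config['force_https'] = false;
"""

_ASSIGN = re.compile(r"\$rcmail_config\['(\w+)'\]\s*=\s*(.+?);")


def parse_config(text):
    """Pull scalar $rcmail_config[...] assignments out of a main.inc.php fragment."""
    cfg = {}
    for key, raw in _ASSIGN.findall(text):
        raw = raw.strip()
        if raw.lower() in ("true", "false"):
            cfg[key] = raw.lower() == "true"
        elif raw.isdigit():
            cfg[key] = int(raw)
        else:
            cfg[key] = raw.strip("'\"")
    return cfg


def audit(cfg):
    """Report whether each hop of the login path is encrypted, plus any mismatches."""
    notes = []
    host = str(cfg.get("default_host", ""))
    port = int(cfg.get("default_port", 143))
    scheme = host.split("://", 1)[0].lower() if "://" in host else ""
    # ssl:// = implicit TLS (normally 993), tls:// = STARTTLS on the plain port (normally 143)
    imap_ok = scheme in ("ssl", "tls")
    if not imap_ok:
        notes.append("RC->IMAP leg is plaintext: no ssl:// or tls:// prefix on default_host")
    elif scheme == "ssl" and port != 993:
        notes.append("ssl:// (implicit TLS) is normally paired with port 993, not %d" % port)
    elif scheme == "tls" and port != 143:
        notes.append("tls:// (STARTTLS) is normally paired with port 143, not %d" % port)
    # force_https may be a boolean or a port number; any non-false/non-zero value enforces HTTPS
    web_ok = bool(cfg.get("force_https", False))
    if not web_ok:
        notes.append("browser->RC leg is plaintext: force_https is off, so the login POST "
                     "carrying the username and password travels over HTTP unless the "
                     "webserver itself redirects to HTTPS")
    return {"browser_to_rc": web_ok, "rc_to_imap": imap_ok, "notes": notes}


if __name__ == "__main__":
    for note in audit(parse_config(SAMPLE_CONFIG))["notes"]:
        print("WARN:", note)
```

Run against the poster's settings it confirms the IMAP hop is protected and flags only the browser hop, which is the leg the Wireshark capture exposed.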