Dear all,
My RC uses the PLAIN mechanism for IMAP authentication, and it uses the default (non-SSL) IMAP port 143.
While logging in, I captured the traffic with Wireshark and could see the username and password, wrapped in an HTTP POST.
If I change to use SSL with IMAP,
$rcmail_config['default_host'] = 'ssl://mail.mysite.com'; $rcmail_config['default_port'] = 993;
I can still capture my username/password. So I think the SSL protection is just from RC to the IMAP server, not from my PC to the RC server.
I know that if I use HTTPS, the information sent from my PC to the HTTP server will be encrypted.
Is there any way to encrypt the login session from my PC to the RC server, other than using HTTPS? I mean encryption supported inside the RC login page.
Many thanks/ Minh.
List info: http://lists.roundcube.net/users/ BT/9b404e9e
On 08.12.2010 15:20, Minh Nguyen wrote:
Is there any way to encrypt the login session from my PC to the RC server, other than using HTTPS? I mean encryption supported inside the RC login page.
I don't know a secure way of doing this. If you find one, you can write a plugin.
On Wed, 8 Dec 2010 21:20:06 +0700, Minh Nguyen wrote:
My RC uses the PLAIN mechanism for IMAP authentication, and it uses the default (non-SSL) IMAP port 143.
While logging in, I captured the traffic with Wireshark and could see the username and password, wrapped in an HTTP POST.
If I change to use SSL with IMAP,
$rcmail_config['default_host'] = 'ssl://mail.mysite.com'; $rcmail_config['default_port'] = 993;
I can still capture my username/password. So I think the SSL protection is just from RC to the IMAP server, not from my PC to the RC server.
I know that if I use HTTPS, the information sent from my PC to the HTTP server will be encrypted.
Is there any way to encrypt the login session from my PC to the RC server, other than using HTTPS? I mean encryption supported inside the RC login page.
This is exactly why you should enforce HTTPS on your web server for roundcubemail and enforce IMAPS on your mail server.
This is how things are designed, and why your web server running roundcubemail should be considered a critical component as far as security is concerned.
Hugo.
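The two hops Hugo describes, as an added example that is not code from this thread or from the Roundcube project: it parses the $rcmail_config assignments quoted above and reports on which hop a login password would still travel in the clear. It assumes Roundcube's force_https option is available in the deployed version; the config fragments are constructed from the settings quoted in the thread.

```python
import re

# Constructed config fragments, taken from the two settings quoted in the thread
CONFIG_BEFORE = """
$rcmail_config['default_host'] = 'mail.mysite.com';
$rcmail_config['default_port'] = 143;
"""
CONFIG_AFTER = """
$rcmail_config['default_host'] = 'ssl://mail.mysite.com';
$rcmail_config['default_port'] = 993;
$rcmail_config['force_https'] = true;
"""


def parse_rcmail_config(text):
    """Extract $rcmail_config['key'] = value; assignments from PHP config text."""
    cfg = {}
    for key, raw in re.findall(r"\$rcmail_config\['(\w+)'\]\s*=\s*([^;]+);", text):
        raw = raw.strip()
        if raw in ("true", "false"):
            cfg[key] = raw == "true"
        elif raw.isdigit():
            cfg[key] = int(raw)
        else:
            cfg[key] = raw.strip("'\"")
    return cfg


def login_hops(cfg, login_url):
    """Classify both hops a Roundcube login crosses.

    login_url is the address the user types into the browser. Returns the
    protection of each hop plus the hops on which the password is sent in
    the clear (what the Wireshark capture in the thread observed).
    """
    host = str(cfg.get("default_host", ""))
    port = int(cfg.get("default_port", 993 if host.startswith("ssl://") else 143))
    if host.startswith("ssl://"):      # implicit TLS, normally port 993
        imap = "tls (imaps)"
    elif host.startswith("tls://"):    # STARTTLS upgrade on port 143
        imap = "starttls"
    else:
        imap = "plaintext"
    # force_https (assumed available) redirects http:// to https:// before the
    # login form is submitted, so the POST with the password goes over TLS.
    secure_web = login_url.startswith("https://") or bool(cfg.get("force_https"))
    browser = "https" if secure_web else "plaintext"
    hops = (("browser->roundcube", browser), ("roundcube->imap", imap))
    exposed = [name for name, state in hops if state == "plaintext"]
    return {"browser_to_roundcube": browser, "roundcube_to_imap": imap,
            "imap_port": port, "password_in_clear_on": exposed}
```

Running login_hops on the ssl:// setting alone, with the site served over plain http://, reports the browser hop as the remaining plaintext leg, which is exactly what the capture in the thread showed.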
Many thanks. I will consider setting up HTTPS for my server.