So I like the ability to have multiple identities, but right now it's a huge security risk to have enabled, the way I see it. Since there is no indication in the header of the original username, and also no check to authorize the user for the address they are adding, I just can't allow my users to have that option. It won't even be a day before people start sending emails out as me and as the officers. Does anybody else share this sentiment? If so, I propose that there needs to be 1) a simple way to disable it and 2) a way to force RC to put the original identity into the headers of the outgoing message. Thanks.
Jim Lester ACM Staff Manager notroot@acm.cs.umn.edu
On 8 Jan 2007, at 23:02, Jim Lester wrote:
> So I like the ability to have multiple identities, but right now it's
> a huge security risk to have enabled, the way I see it. Since there
> is no indication in the header of the original username, and also
> no check to authorize the user for the address they are adding, I
> just can't allow my users to have that option. It won't even be a
> day before people start sending emails out as me and as the
> officers. Does anybody else share this sentiment? If so, I propose
> that there needs to be 1) a simple way to disable it and 2) a way
> to force RC to put the original identity into the headers of the
> outgoing message. Thanks.
It's pretty trivial to forge a from address if you are allowed to
send email. Any desktop mail client will let you claim to be anyone
you want. You should block this behaviour at the mail server and not
in the client to be sure that it doesn't happen.
Cheers, Craig -- Craig Webster | Lead Developer | e: craig@xeriom.net Xeriom Networks | skype: craigwebster | w: http://xeriom.net/
Chat with us now: http://xeriomnetworks.campfirenow.com/ef706
On Jan 8, 2007, at 6:02 PM, Jim Lester wrote:
> So I like the ability to have multiple identities, but right now it's
> a huge security risk to have enabled, the way I see it. Since there
> is no indication in the header of the original username, and also
> no check to authorize the user for the address they are adding, I
> just can't allow my users to have that option. It won't even be a
> day before people start sending emails out as me and as the
> officers. Does anybody else share this sentiment? If so, I propose
> that there needs to be 1) a simple way to disable it and 2) a way
> to force RC to put the original identity into the headers of the
> outgoing message. Thanks.
So you're saying you want to change how email works?
The 'problem' you're describing applies to just about any mail client
that an end user has to configure. Desktop or otherwise.
Of course, we could always come up with a way to embed a digital
signature on emails so we could verify identities. That way we could
ensure that messages are indeed from who they claim to be and that
content has been unmodified. Actually, if both parties exchanged keys
prior to the email, then we could encrypt the entire message. Of
course this would rely on some fairly advanced cryptography, but the
resulting privacy and identity verification would be pretty good.
Oh... wait...
J.
I understand that the identities issue is an issue with every desktop client, and that RoundCube is supposed to be a desktop-esque client in a browser. Still, that being said, I would maintain that Identities is a feature and it would be nice if admins had the ability to turn that feature off. If I am alone on this then so be it, I will just turn it off myself, o be the glory of open source. But I still thought the point was valid to raise.
Btw, Jason, I like your satire, good work.
Jim Lester ACM Staff Manager notroot@acm.cs.umn.edu
On Mon, 8 Jan 2007 18:58:52 -0500, Jason Stelzer cynic@elitistbastard.com wrote:
> On Jan 8, 2007, at 6:02 PM, Jim Lester wrote:
>> So I like the ability to have multiple identities, but right now it's a huge security risk to have enabled, the way I see it. Since there is no indication in the header of the original username, and also no check to authorize the user for the address they are adding, I just can't allow my users to have that option. It won't even be a day before people start sending emails out as me and as the officers. Does anybody else share this sentiment? If so, I propose that there needs to be 1) a simple way to disable it and 2) a way to force RC to put the original identity into the headers of the outgoing message. Thanks.
> So you're saying you want to change how email works?
> The 'problem' you're describing applies to just about any mail client that an end user has to configure. Desktop or otherwise.
> Of course, we could always come up with a way to embed a digital signature on emails so we could verify identities. That way we could ensure that messages are indeed from who they claim to be and that content has been unmodified. Actually, if both parties exchanged keys prior to the email, then we could encrypt the entire message. Of course this would rely on some fairly advanced cryptography, but the resulting privacy and identity verification would be pretty good.
> Oh... wait...
> J.
On Jan 8, 2007, at 8:17 PM, Jim Lester wrote:
> I understand that the identities issue is an issue with every
> desktop client, and that RoundCube is supposed to be a desktop-esque
> client in a browser. Still, that being said, I would maintain that
> Identities is a feature and it would be nice if admins had the
> ability to turn that feature off. If I am alone on this then so be
> it, I will just turn it off myself, o be the glory of open source.
> But I still thought the point was valid to raise.
> Btw, Jason, I like your satire, good work.
I'm glad it came across as such. After I sent it I was hoping it
wouldn't come across completely snarky.
Honestly, it shouldn't be that hard to write a hook for a validation
plugin. In fact, if you did something like that in a generic enough
manner, then it could be tractable to implement whatever restrictions
you want. The down side to that is that you'd probably really need to
write your own module to do the validation for your site. Or maybe if
this were taken up by the developers it could be implemented as a
series of plugins à la PAM.
Your best path forward today is to disable the feature if it's a
concern. However, that doesn't eliminate the possibility of them
doing the same spoof with any other client, so really, it's a stop gap
at best and futile at worst.
J.
On 9-jan-2007, at 2:17, Jim Lester wrote:
> I understand that the identities issue is an issue with every
> desktop client, and that RoundCube is supposed to be a desktop-esque
> client in a browser. Still, that being said, I would maintain that
> Identities is a feature and it would be nice if admins had the
> ability to turn that feature off. If I am alone on this then so be
> it, I will just turn it off myself, o be the glory of open source.
> But I still thought the point was valid to raise.
Adding something like a 'X-Original-Sender' is easy to do, but most
people do not want internal information like usernames exposed.
Besides, RoundCube logs outgoing mail; most other webmail applications
don't.
Robin
I think the X-Original-Sender would be nice to have as an option, enable it if you want. It is nice that RoundCube logs outgoing mail, but it doesn't give you enough detail to go back and figure out what user sent out what email as who. The log only says "User: 1 on [IP]" which isn't quite enough. If the logs said "User: notroot on [IP]" that would be cool.
See, my email server only accepts outgoing emails from the webmail system, so our users can't use something like Thunderbird unless they use a different SMTP server.
I still stand by my original suggestion, that Identities should be optional, and that you should have an option to include an X-Original-Sender header.
Jim Lester ACM Staff Manager notroot@acm.cs.umn.edu
On Tue, 9 Jan 2007 06:20:56 +0100, Robin Elfrink elfrink@introweb.nl wrote:
> On 9-jan-2007, at 2:17, Jim Lester wrote:
>> I understand that the identities issue is an issue with every desktop client, and that RoundCube is supposed to be a desktop-esque client in a browser. Still, that being said, I would maintain that Identities is a feature and it would be nice if admins had the ability to turn that feature off. If I am alone on this then so be it, I will just turn it off myself, o be the glory of open source. But I still thought the point was valid to raise.
> Adding something like a 'X-Original-Sender' is easy to do, but most people do not want internal information like usernames exposed.
> Besides, RoundCube logs outgoing mail; most other webmail applications don't.
> Robin
Jim Lester wrote:
> I still stand by my original suggestion, that Identities should be optional, and that you should have an option to include an X-Original-Sender header.
I find the claim completely valid and for one stand by the proposal of implementing it as a toggle feature.
Soeren
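
One way to express the identity validation hook and the optional X-Original-Sender header proposed in this thread, as an added example that is not RoundCube code or code from any poster. The `ALLOWED` map, the function names and the example.org addresses are hypothetical.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Hypothetical site policy (constructed): login -> addresses it may send as.
ALLOWED = {
    "notroot": {"notroot@example.org", "staff@example.org"},
    "alice": {"alice@example.org"},
}


class IdentityRejected(Exception):
    """Raised when the From identity is not authorized for the login."""


def enforce_identity(msg, login, allowed=ALLOWED, stamp_sender=True):
    """Check msg's From against the authenticated login before relaying."""
    # Require exactly one From address so an extra mailbox cannot ride along.
    addrs = [a.lower() for _, a in getaddresses(msg.get_all("From", [])) if a]
    if len(addrs) != 1:
        raise IdentityRejected("expected exactly one From address")
    # Only the address is compared; the display name is free text.
    if addrs[0] not in allowed.get(login, set()):
        raise IdentityRejected(f"{login} may not send as {addrs[0]}")
    # Remove any client-supplied copy so only the server can set the header.
    del msg["X-Original-Sender"]
    if stamp_sender:  # opt-in, since it exposes the internal username
        msg["X-Original-Sender"] = login
    return msg


def compose(from_value, **extra_headers):
    """Build a constructed sample message as the webmail client would."""
    msg = EmailMessage()
    msg["From"] = from_value
    msg["To"] = "members@example.org"
    msg["Subject"] = "Meeting"
    for name, value in extra_headers.items():
        msg[name.replace("_", "-")] = value
    msg.set_content("See you there.")
    return msg


if __name__ == "__main__":
    ok = enforce_identity(compose("ACM Staff <staff@example.org>"), "notroot")
    print(ok["From"], "| X-Original-Sender:", ok["X-Original-Sender"])
    try:
        enforce_identity(compose("Jim <notroot@example.org>"), "alice")
    except IdentityRejected as err:
        print("rejected:", err)
```

Passing `stamp_sender=False` keeps the validation but leaves the username out of the headers, which matches the concern raised about exposing internal usernames.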