Hi folks
First of all I want to say, RoundCube is a nice thing!
But I have one problem:
I log into RoundCube with an available account and leave the computer. The next day, I'm still logged in. So if I log in from a public computer and forget to log out, my account is predestinated to get compromised.
If I don't clear the browser's cache and history, RoundCube is opened without a login request. => Logs in with the last logged in account.
I also run Squirrelmail, and there, even if I just reload the URL, I'm asked for user and pw. I think this behavior should also be possible for RoundCube. I have to explicitly log out with the logout button to get logged out effectively. Although it is the task of the user to log out, an automatic log out functionality wouldn't be bad.
What am I doing wrong? Or haven't I understood everything?
Thanks for help
List info: http://lists.roundcube.net/users/
I log into RoundCube with an available account and leave the computer. The next day, I'm still logged in. So if I log in from a public computer and forget to log out, my account is predestinated to get compromised.
IMHO, some things are about good habits.
If I leave my house without locking it, my house is predestinated to get compromised.
If I leave my car without locking it, my car is predestinated to get compromised.
Which isn't to say that RoundCube isn't doing something inappropriate, or couldn't do something better.
For example screen savers can be set to lock the screen after a period of time, but are not set that way by default.
However the main part of this issue is good habits, and that software can't do _everything_ for you.
Charles Dostale System Admin - Silver Oaks Communications http://www.silveroaks.com/ 824 17th Street, Moline IL 61265
Quoting Farhan Fayyaz fafa@ten.ch:
I log into RoundCube with an available account and leave the computer. The next day, I'm still logged in. So if I log in from a public computer and forget to log out, my account is predestinated to get compromised.
If you use a public computer and don't clear the temporary files and reboot before you leave you're asking for trouble. It is a habit *you* should get into and not depend on *someone else* to protect your account.
Earnie -- http://for-my-kids.com/ -- http://give-me-an-offer.com/
chasd wrote:
I log into RoundCube with an available account and leave the computer. The next day, I'm still logged in. So if I log in from a public computer and forget to log out, my account is predestinated to get compromised.
IMHO, some things are about good habits.
If I leave my house without locking it, my house is predestinated to get compromised. If I leave my car without locking it, my car is predestinated to get compromised.
Which isn't to say that RoundCube isn't doing something inappropriate, or couldn't do something better. For example screen savers can be set to lock the screen after a period of time, but are not set that way by default.
However the main part of this issue is good habits, and that software can't do _everything_ for you.
Charles Dostale System Admin - Silver Oaks Communications http://www.silveroaks.com/ 824 17th Street, Moline IL 61265
Hmm, not sure I agree there. While things like locking your car is common sense, logging out, unfortunately, is not, for most people. Of course, in a world where everybody fully (or even just a little) understands on-line security, this is not a big deal. Right now, though, this is not how it is. By locking out this user group you are effectively removing access to your system from a lot of users.
Might I add that it is not unheard of for people to actually forget to lock their car? I think it would actually be quite nice if my car locked itself after a while of "inactivity" (provided I use some key-system like passwords where I can't leave them inside and lock myself out).
greetings,
Hraban Luyat
P.S.: According to most Canadians, an unlocked house is actually not "predestined to get compromised" ;)
On Dec 15, 2007, at 8:14 PM, Hraban Luyat wrote:
While things like locking your car is common sense, logging out, unfortunately, is not, for most people.
Just because many people don't do it doesn't make it not common sense; it makes it an education issue.
I always take any opportunity to educate people, such as this mail list.
Of course, in a world where everybody fully (or even just a little) understands on-line security, this is not a big deal.
That is something everyone needs to strive for to make the world a better place.
Might I add that it is not unheard of for people to actually forget to lock their car?
True, and people have locked their car when they didn't want to. Neither makes a case for ignoring the general rule of locking your car.
P.S.: According to most Canadians, an unlocked house is actually not "predestined to get compromised" ;)
There are other places other than Canada where that is true, and I have lived in a few.
There are some places where one lock is not considered enough, and/or you pay someone to guard the door (NYC).
Charles Dostale System Admin - Silver Oaks Communications http://www.silveroaks.com/ 824 17th Street, Moline IL 61265
Err—this time to the entire list:
chasd wrote:
On Dec 15, 2007, at 8:14 PM, Hraban Luyat wrote:
While things like locking your car is common sense, logging out, unfortunately, is not, for most people.
Just because many people don't do it doesn't make it not common sense; it makes it an education issue. I always take any opportunity to educate people, such as this mail list.
Of course, in a world where everybody fully (or even just a little) understands on-line security, this is not a big deal.
That is something everyone needs to strive for to make the world a better place.
Might I add that it is not unheard of for people to actually forget to lock their car?
True, and people have locked their car when they didn't want to. Neither makes a case for ignoring the general rule of locking your car.
P.S.: According to most Canadians, an unlocked house is actually not "predestined to get compromised" ;)
There are other places other than Canada where that is true, and I have lived in a few. There are some places where one lock is not considered enough, and/or you pay someone to guard the door (NYC).
Charles Dostale System Admin - Silver Oaks Communications http://www.silveroaks.com/ 824 17th Street, Moline IL 61265
Changing the world by re-educating everybody on no matter which topic is a very noble thing and I applaud you for doing it. There is, however, a time and a place for everything, and this webmail client is not the place, as far as I can see. Teaching people about the importance of security is good but building a good and secure webmail client is more important here. Providing the tools is not enough; how they will be used is just as important.
If you make a car that has a special knob somewhere below the driver's seat that you need to push to make the lock actually work and people do not know this, the car is not safe. No matter how tough it is to open it when the button is pushed; if people are not aware of it and thus not doing it, it's worth just as much as an unlocked car. While the car manufacturer can claim "but a car is only /really/ safe when this is done", and while car experts may all know and do this, the majority of the population knows little more about car security than just getting out and turning the lock.
Now, there are two options; take the opportunity to tell everybody how this system should actually be used, or fix it so it works like everybody expects it to. Pros and cons of the first solution: it's safer than the other solution but it's more tedious to do, thus fewer people will buy your car (which means less profit). Second solution: no hassle for the customers but it's not as safe.
Back to roundcube; if you want to use roundcube to educate people about clicking "log out" instead of just closing the browser, that is a subject up for debate. While I personally support the practice of mentioning this to the user, I believe it is too harsh a method to just leave their session out in the open if they do not log out. I predict that in the end this will do nothing more than scare people into not using roundcube (and I would probably remove roundcube from the systems I administer to prevent my users from this if it is decided not to be fixed). My opinion, though, is just one amongst many. I would like to hear what others have to say.
Cheers,
Hraban Luyat
PS: While the car metaphor referred to a car being "less safe" when locked regularly, making session cookies time out when you close the browser is actually exactly the same as making people log out.
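The two mitigations the thread circles around, an idle/absolute timeout enforced on the server and a session cookie the browser drops when it is closed, shown as an added Python model (not RoundCube's own code, which is PHP); the timeout values, the `SessionStore` and `session_cookie` names and the injected clock are assumptions made for the example.

```python
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 10 * 60        # assumed policy: 10 minutes without a request ends the session
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed policy: hard cap even for a busy user


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side session state. The cookie only carries an opaque id, so a
    cookie left behind on a public computer cannot revive an expired session."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so the example can simulate "the next day"
        self._sessions = {}

    def login(self, sid, user):
        now = self._clock()
        self._sessions[sid] = Session(user, now, now)

    def touch(self, sid):
        """Return the user for a live session and refresh its idle timer;
        return None (and purge the entry) once idle or absolute limit is hit."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]  # server-side logout, whatever the browser still holds
            return None
        s.last_seen = now
        return s.user

    def logout(self, sid):
        self._sessions.pop(sid, None)


def session_cookie(sid):
    """Set-Cookie value with no Expires/Max-Age, so the browser discards it on
    close (the effect the P.S. describes); HttpOnly/Secure limit exposure."""
    return f"sessid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def demo():
    """Constructed scenario from the first post: log in, return the next day."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    store.login("sid-1", "farhan")
    now[0] += 5 * 60
    alive = store.touch("sid-1")     # still inside the idle window
    now[0] += 24 * 3600              # the next day: idle limit exceeded
    stale = store.touch("sid-1")     # None, session was purged
    return alive, stale
```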