Don't use http for a webmail host that also has the same hostname on https
Remove the http host in apache
Now the question is ? :-)
Sent from Samsung Mobile
-------- Original message --------
From: Robert Moskowitz rgm@htt-consult.com
Date:
To: Roundcube Users mailing list users@lists.roundcube.net
Subject: Re: [RCU] invalid auth cookie
On 12/27/2012 06:40 PM, Reindl Harald wrote:
Am 28.12.2012 00:24, schrieb Jan M. Dziewulski:
On 27/12/2012 23:17, Robert Moskowitz wrote:
hmmm. Thinking (really!) I should change it back and try https:/.../webmail and see if it works. If it does, I need to add a force redirect to the roundcube.conf. Thinking more, this is reasonable as this is how my current squirrelmail works.
But shouldn't people be accessing it via https anyway? I mean without the need for a redirection? Adding a redirection increases security issues (for your site) so I personally would not be keen to do that
My little bit of testing gives the user a bad experience if they use http://fqdn/webmail. The ajax error is so cryptic. I suppose with some digging I can find a way to get it to say, "use https:// like you were instructed!" instead. Until I do, I tend toward a forced redirect to https.
As for security issues for my site? What, yet another DOS attack with TLS costs to any robo that hits on my webmail url?
My expertise is in designing security protocols, not impact of force using them. ;)
it does not if it is done right
<Directory "roundcube-dir">
    php_admin_flag session.cookie_secure "1"
</Directory>
this makes sure that a client will NEVER send the session cookie unencrypted; if you get an external security audit and do not use this setting for https sites you will get warned by the auditor, and if not, he did not do his job!
Perhaps I am implementing this wrong on my server. My roundcubemail.conf has
<Directory /usr/share/roundcubemail/>
    Order Deny,Allow
    Allow from all
</Directory>
Am I supposed to put your <Directory "roundcube-dir"> ...
after this entry, or the php_admin_flag in the one I have?
What do you use for force_https and use_https?
Roundcube Users mailing list users@lists.roundcube.net http://lists.roundcube.net/mailman/listinfo/users
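One way to combine the two pieces of advice in the quoted thread (redirect the first plain-http connect, and let the application never set the session cookie without Secure) in a single Apache 2.2 configuration. This is an added example, not a config posted by anyone in the thread; the hostname mail.example.com, the certificate paths and the /webmail alias are assumptions, and the HttpOnly flag is set alongside Secure although the thread does not mention it.

```apache
# Plain-HTTP vhost (assumed hostname): the only thing it ever serves is the
# redirect, so no Roundcube cookie can be set or sent over http at all.
<VirtualHost *:80>
    ServerName mail.example.com
    Redirect permanent / https://mail.example.com/
</VirtualHost>

# TLS vhost: Roundcube is reachable only here. The php_admin_flag lines go
# inside the Directory block the distro config already has, not in a second one.
<VirtualHost *:443>
    ServerName mail.example.com
    SSLEngine on
    # Assumed certificate/key locations; use your own.
    SSLCertificateFile    /etc/pki/tls/certs/mail.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/mail.example.com.key

    # Assumed URL layout: https://mail.example.com/webmail
    Alias /webmail /usr/share/roundcubemail

    <Directory /usr/share/roundcubemail/>
        Order Deny,Allow
        Allow from all
        # php_admin_flag is fixed at the server level: neither .htaccess nor
        # ini_set() in the application can turn it back off.
        # Secure: the browser only sends the session cookie over TLS.
        php_admin_flag session.cookie_secure on
        # HttpOnly: script in the page cannot read the cookie (not in the thread).
        php_admin_flag session.cookie_httponly on
    </Directory>
</VirtualHost>
```

After reloading, confirm the behaviour rather than trusting the config: a request to http://mail.example.com/webmail/ should answer 301 with an https Location and no Set-Cookie, and the login response on https should carry a Set-Cookie with the Secure attribute.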
how do you sell this to the average enduser? especially in days where all f**ing browsers suppress protocol-prefixes
as said: prevent to send cookies unencrypted and redirect at the first connect to https and you are done
Am 28.12.2012 03:38, schrieb Benny Pedersen:
On 12/27/2012 09:58 PM, Reindl Harald wrote:
how do you sell this to the average enduser? especially in days where all f**ing browsers suppress protocol-prefixes
It started out with 'smart' admins configuring their DNS zones so that foo.com was a cname for www.foo.com. It made it soo much easier... But it caused other problems so it got 'fixed' in the browsers.
We spent so much effort to create things like SRV RR. Whatever for, the browsers will solve all of our problems.
as said: prevent to send cookies unencrypted and redirect at the first connect to https and you are done
And I thank you for this information on how to do better than just a redirect.
Am 28.12.2012 03:38, schrieb Benny Pedersen:
Robert Moskowitz skrev den 2012-12-28 05:13:
It started out with 'smart' admins configuring their DNS zones so that foo.com was a cname for www.foo.com. It made it soo much easier... But it caused other problems so it got 'fixed' in the browsers.
this requires a wildcard ssl cert; if the server has only one hostname in ssl then it can't work with ssl on more than one domain or subdomain
a csr can be made with multiple domains and/or subdomains; in that case it works as you want above
We spent so much effort to create things like SRV RR. Whatever for, the browsers will solve all of our problems.
are there even srv-compliant web browsers that use this with ssl?
as said: prevent to send cookies unencrypted and redirect at the first connect to https and you are done
i don't like the word redirect; it will fail if the redirect is coming from one domain to another domain, so don't use it
And I thank you for this information on how to do better than just a redirect.
configure apache to not use http urls for webmail, so all users have to use https always
remember there is a reason that ssl is not just running starttls on port 80, like postfix can :)
on the postfix mailing list there were a number of users that told me to use smtps or submission for end users' email sending; i think i've gone to the next step of webhosting with that in mind
Reindl Harald skrev den 28-12-2012 03:58:
how do you sell this to the average enduser?
i don't sell anything
especially in days where all f**ing browsers suppress protocol-prefixes
stop using lame browsers
as said: prevent to send cookies unencrypted and redirect at the first connect to https and you are done
stop redirecting; if needed one could use gmail with smtpd auth to one's own mailserver if running roundcube is so hard to get right
On 12/28/2012 12:42 AM, Benny Pedersen wrote:
Reindl Harald skrev den 28-12-2012 03:58:
how do you sell this to the average enduser?
i don't sell anything
especially in days where all f**ing browsers suppress protocol-prefixes
stop using lame browsers
as said: prevent to send cookies unencrypted and redirect at the first connect to https and you are done
stop redirecting; if needed one could use gmail with smtpd auth to one's own mailserver if running roundcube is so hard to get right
And I am seriously thinking in this direction for one of my users. It really has an attraction, but there are times when all that is available is a friend's puter to take care of things. Or so I have been told.
What you do for family.
Robert Moskowitz skrev den 2012-12-28 06:55:
And I am seriously thinking in this direction for one of my users. It really has an attraction, but there are times when all that is available is a friend's puter to take care of things. Or so I have been told.
what errors do users make? it's a design choice of problems, not a problem's choice of solution; with that in mind one can make sure no user is using http links for their webmail content, with logins. why is this so hard?
for the admin it's a matter of setting up non-self-signed ssl keys and keeping them up to date; here i have not found more problems than that
What you do for family.
keep them on gmail :)
Am 28.12.2012 06:42, schrieb Benny Pedersen:
Reindl Harald skrev den 28-12-2012 03:58:
how do you sell this to the average enduser?
i don't sell anything
so better shut up
especially in days where all f**ing browsers suppress protocol-prefixes
stop using lame browsers
PLEASE shut up
i can not control what my customers are using; come on, tell me to use MSIE because FF hides the protocol in recent releases
as said: prevent to send cookies unencrypted and redirect at the first connect to https and you are done
stop redirecting
why should i? because YOU are too stupid to make it secure?
if needed one could use gmail with smtpd auth to one's own mailserver if running roundcube is so hard to get right
sorry i can not resist: idiot!
On 2012-12-27 11:51 PM, Benny Pedersen me@junc.eu wrote:
Robert Moskowitz skrev den 2012-12-28 05:13:
It started out with 'smart' admins configuring their DNS zones so that foo.com was a cname for www.foo.com. It made it soo much easier... But it caused other problems so it got 'fixed' in the browsers.
this requires a wildcard ssl cert; if the server has only one hostname in ssl then it can't work with ssl on more than one domain or subdomain
a csr can be made with multiple domains and/or subdomains; in that case it works as you want above
A very interesting way to accomplish multi-domain name based SSL hosting on a single IP with each host having its own domain name and cert:
I'd be interested in hearing opinions on how secure this is.
Charles