On Wed, Apr 15, 2009 at 2:56 PM, Drew Darrow drew@portlandfairy.com wrote:
why don't you want your users to view their mail in ssl?
Because of company rules, we need to transmit all passwords and sensitive data over a secure channel!! But the users have a slow satellite connection with high latency, and sending all data (photos and other ordinary documents) over SSL is very expensive for these connections.
isn't that kind of a normal practice now?
Yes. Our idea is to have two domains: one with all data encrypted (general users) and another with the login page encrypted (for satellite users).
thanks
I haven't delved into that part of the RC code myself; perhaps others have and can correct me if I'm wrong.
But RC uses PHP's sessions, and by default they don't cross over from https to http. I did some googling and it seems like others had done it before in their own code, so it's probably doable in RC too; it will just likely require some coding.
On 4/15/09 3:09 PM, Victor Hugo dos Santos wrote:
Yes. Our idea is have two domains: one with all data encrypted (general users) and other with login page encrypted (for satellite users)
I presume you mean "sub-domains". If your session authentication is cookie based, then be sure that the cookie domain is not specific to a sub-domain. Otherwise, authenticated sessions will not transfer from the SSL login to the non-SSL session. If they are indeed separate domains, then you will have to use something other than cookies to propagate your sessions.
Kevin
List info: http://lists.roundcube.net/users/
Victor Hugo dos Santos wrote:
On Wed, Apr 15, 2009 at 2:56 PM, Drew Darrow drew@portlandfairy.com wrote:
why don't you want your users to view their mail in ssl?
Because of company rules, we need to transmit all passwords and sensitive data over a secure channel!! But the users have a slow satellite connection with high latency, and sending all data (photos and other ordinary documents) over SSL is very expensive for these connections.
isn't that kind of a normal practice now?
Yes. Our idea is to have two domains: one with all data encrypted (general users) and another with the login page encrypted (for satellite users).
thanks
simply send password reminders that will be transmitted in plaintext. If that doesn't work, being able to spy on message contents makes social engineering attacks trivial.
to this might be if your users' browsers are configured not to cache encrypted pages, but that wouldn't apply here anyway, since you can't cache the contents of the inbox (for example).
I don't mean to be rude, but this is a bad idea, and it's *more* trouble than doing it correctly. Just encrypt all email traffic.
On Apr 15, 2009, at 6:11 PM, Michael Orlitzky wrote:
- The bandwidth overhead of SSL is negligible. Seriously.
A quote from an article about using SSL - <http://searchsoa.techtarget.com/news/interview/0,289202,sid26_gci995388,00.html>
"The increase in message size due to SSL is not very significant, and is rarely a concern."
It isn't a bandwidth issue, it is a data throughput issue at the server and at the client.
The server has to calculate the encryption, and that takes time, so the response from a server using SSL / TLS will lag compared to unencrypted traffic. Likewise the browser has to decrypt the data, so there is a lag while the local CPU does the calculations before it can parse the HTML / JavaScript.
The length of those lags is dependent on the processing power at each end, not dependent on bandwidth.
Here <http://www.webperformanceinc.com/web_stress_test/performancerealistic.html#CPU> you can see that a 2.4 GHz server can deliver better performance serving encrypted traffic than an 800 MHz server serving unencrypted traffic. Yeah, it's comparing a Fiat 500 to an Alfa-Romeo, but the numbers comparing encrypted vs. unencrypted for each CPU are interesting.
Although I am not that familiar with satellite links, I do know that one of the biggest problems using satellite is latency. The lag at the server while the encryption is being calculated is the pain point; it adds to the latency problem.
I don't mean to be rude, but this is a bad idea,
I think it isn't such a good idea either.
If you have e-mail messages that fall under an NDA, you'd want that connection encrypted at all times, not just to protect the authentication.
If you have the time and the skill to hack on the code, this might be doable, but what you are looking for isn't built in standard.
chasd wrote:
I think it isn't such a good idea either. If you have e-mail messages that fall under an NDA, you'd want that connection encrypted at all times, not just to protect the authentication. If you have the time and the skill to hack on the code, this might be doable, but what you are looking for isn't built in standard.
See http://trac.roundcube.net/ticket/1485461 and http://trac.roundcube.net/ticket/1485336 for hints. Again, partial HTTPS is no security at all. An attacker may hijack the cookie and use it to browse the mailbox. -- Dennis
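Kevin's point about the cookie Domain attribute and Dennis's point about cookie hijacking are two sides of the same trade-off: a session cookie scoped widely enough to carry from an HTTPS login host to an HTTP mail host, and not marked Secure, is by definition sent in cleartext. The following checker is an added example, not code from the thread or from Roundcube; the host names and Set-Cookie headers are constructed for illustration.

```python
"""Added example: does a PHP session cookie set by an HTTPS login host also get
sent, in cleartext, to an HTTP mail host?  Hosts and headers are constructed."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed samples of what a login page at https://login.example.com might set.
SET_COOKIE_SHARED = "PHPSESSID=abc123; Path=/; Domain=.example.com; HttpOnly"
SET_COOKIE_SECURE = "PHPSESSID=abc123; Path=/; Domain=.example.com; Secure; HttpOnly"
SET_COOKIE_HOSTONLY = "PHPSESSID=abc123; Path=/; HttpOnly"  # no Domain attribute


def domain_matches(host, cookie_domain, issuing_host):
    """RFC 6265 domain matching: a host-only cookie (no Domain attribute) goes
    back only to the issuing host; a Domain cookie goes to that domain and
    every subdomain of it."""
    if not cookie_domain:
        return host == issuing_host
    d = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == d or host.endswith("." + d)


def cookie_exposure(set_cookie, issuing_url, request_urls):
    """For each request URL report whether the cookie would be sent at all and
    whether that send happens over plaintext HTTP (i.e. is hijackable on the
    wire).  A cookie carrying the Secure flag is never sent over http://."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    _name, morsel = next(iter(jar.items()))
    issuing_host = urlsplit(issuing_url).hostname
    report = {}
    for url in request_urls:
        parts = urlsplit(url)
        sent = domain_matches(parts.hostname, morsel["domain"], issuing_host)
        if sent and parts.scheme != "https" and morsel["secure"]:
            sent = False
        report[url] = {"sent": sent, "cleartext": sent and parts.scheme != "https"}
    return report


if __name__ == "__main__":
    urls = ["https://login.example.com/", "http://mail.example.com/"]
    for label, header in [("shared", SET_COOKIE_SHARED), ("secure", SET_COOKIE_SECURE)]:
        print(label, cookie_exposure(header, "https://login.example.com/", urls))
```

The "shared" header is what the split-domain design needs to work, and the report shows it reaching the mail host in cleartext; adding Secure closes that exposure but also stops the session from transferring, which is Dennis's objection in one table.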