Hi guys,

  To add to this thread ... Using SSL would make this tremendously more
secure as the SSL connection negotiations between the client browser and the
Apache server (or any https server) are executed and authenticated prior to
any data passing between the server and the client - bottom line - the
username and password would be encrypted as well as any email information in
the SSL packets and not available for viewing by a sniffer...

  One caveat here - make sure you are running 128-bit encryption as there is
hardware available now that would allow brute-force decryption of 64-bit DES
in about 48 hours or so... (Ah - the wonders of technology) and does not cost
a great deal to implement (less than $2000 USD - Don't ask - If you do not
know I am not saying)....

Just my two cents...

gm...


> -----Original Message-----
> From: Yves B. Desharnais [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, November 29, 2001 2:02 PM
> To: .:[Travis]:.
> Cc: Johannes Verelst; Branko Ivanovic';
> [EMAIL PROTECTED]
> Subject: Re: Squirrel Mail - just how secure it is?
>
>
> Why not just use https (port 443) connections? Just look through the
> apache documentation to have it work for SSL and disable access to
> squirrelmail via http (port 80). Then there won't be clear text
> passwords. This should be independent of Squirrelmail. SSL is enabled
> here on a Redhat 7.2 apache standard installation. It seems to work
> flawlessly (just asks about an unrecognized certificate, but nothing more).
>
> Yves
>
> .:[Travis]:. wrote:
>
> >I consider IMAP insecure, however, I run Squirrel mail on the same
> >machine I have the mail server on and while I am running IMAP I simply
> >firewall its services so that no one may access it external to the server
> >and allow Squirrel mail to access IMAP internal (no further
> >configuration).  This allows you to run IMAP and Squirrel mail so that
> >IMAP isn't going to get exploited...  You are left with the plain text
> >username/password vulnerable combo - yes but this is a general norm
> >considering other mail protocols.
> >
> >     Yea, SSL for it would be great.  I heard about tests with Squirrel
> >mail and SSL but nothing concrete - this is probably one of the main
> >problems with its security.
> >
> >     Just my $0.02 centavos.
> >
> >Travis
> >
> >=-=[Travis
> Ogden]-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> >ICQ UIN: #30220771           "Courage is not defined by those who
> >AIM ID:  Gen2600              fought and did not fall, but by those
> >Email:                                who fought, fell, and rose again."
> > [EMAIL PROTECTED]
> >Website:
> > http://www.FreeBSDFoo.com/~traviso
> >=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> -=-=-=-=-=
> >
>
>
>
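
The setup discussed in this thread (SquirrelMail reachable only over HTTPS on port 443, nothing served to it on port 80, and a 128-bit minimum key size), sketched as an Apache mod_ssl configuration. This is an added example, not part of the original messages; the host name, certificate paths and the SquirrelMail directory are assumptions.

```apache
# Added example: host name and file paths are assumptions, not from the thread.

# Port 80: serve no webmail content, send every request to the HTTPS site.
<VirtualHost *:80>
    ServerName mail.example.org
    Redirect permanent / https://mail.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName mail.example.org
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

    Alias /webmail /usr/share/squirrelmail
    <Directory /usr/share/squirrelmail>
        # Refuse any request that did not arrive over SSL, so the login
        # form stays protected even if this directory is later exposed
        # through a plain-HTTP virtual host by mistake.
        SSLRequireSSL
        # Refuse connections whose negotiated cipher uses a key
        # shorter than 128 bits.
        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
    </Directory>
</VirtualHost>
```

On Apache 2.4, `SSLRequire` is deprecated in favour of `Require expr`, which accepts the same key-size test.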
