Brian Candler writes:

> As told to me off-list by matti, if you go to the demo page
>
> https://karhula.taivassalo.fi/cgi-bin/demo
>
> and login explicitly then you get the usual sqwebmail-in-frames.

If you tried it and it works then the thing is actually secure after all and the apparent insecurity is an artefact of the way he set up his demo. Which makes his demo a less-than-effective test because it does not reproduce actual working conditions in at least one respect. And that defect is a rather unusual one coming from somebody who claims to be concerned by usability issues. Either you make the demo work exactly like the real thing or you document the differences, *if you understand them*.

The fact that he did not immediately, upon first criticism, explain that it was merely an artefact of the test implies to me that he had no understanding of what people were complaining about or why people had an issue with it.

OK, it's probably safe to use as far as the URL hiding goes. Dunno about you, but for various reasons it just doesn't appeal to me. YMMV.

--
Paul Allen
Softflare Support
