Victor Hugo dos Santos wrote:
> On Wed, Apr 15, 2009 at 2:56 PM, Drew Darrow <[email protected]> wrote:
>> why don't you want your users to view their mail in ssl?
> 
> because of company rules, we need to transmit all passwords and
> sensitive data over a secure channel!!
> But the users have a slow satellite connection with high latency, and
> sending all data (photos and other ordinary documents) over SSL is
> very expensive for these connections.
> 
>> isn't that kind of
>> a normal practice now?
> 
> Yes. Our idea is to have two domains: one with all data encrypted
> (general users) and the other with the login page encrypted (for satellite
> users)
> 
> thanks
> 

1) If you do this and your connection is compromised, the attacker will 
simply send password reminders that will be transmitted in plaintext. If 
that doesn't work, being able to spy on message contents makes social 
engineering attacks trivial.

2) The bandwidth overhead of SSL is negligible. Seriously. An exception 
to this might be if your users' browsers are configured not to cache 
encrypted pages, but that wouldn't apply here anyway, since you can't 
cache the contents of the inbox (for example).

I don't mean to be rude, but this is a bad idea, and it's *more* trouble 
than doing it correctly. Just encrypt all email traffic.
_______________________________________________
List info: http://lists.roundcube.net/users/
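
A rough way to put numbers on the bandwidth point in (2), as an added example that is not part of the original message: it counts the bytes the TLS record layer adds to a payload. The cipher suites (AES-CBC with HMAC-SHA1 and AES-GCM under TLS 1.1/1.2), minimum-length padding and the sample payload sizes are assumptions chosen for illustration; handshake round trips and TCP/IP headers are outside its scope.

```python
MAX_FRAGMENT = 16384   # largest plaintext fragment per TLS record (2^14 bytes)
HEADER = 5             # content type (1) + version (2) + length (2)


def cbc_sha1_record_overhead(fragment_len, block=16, mac=20):
    """Assumed suite: AES-CBC + HMAC-SHA1 with explicit IV (TLS 1.1/1.2)."""
    # Padding (including its length byte) is 1..block bytes and rounds
    # fragment + MAC + padding up to a multiple of the cipher block size.
    # Minimum-length padding is assumed here.
    padding = block - ((fragment_len + mac) % block)
    return HEADER + block + mac + padding


def gcm_record_overhead(fragment_len):
    """Assumed suite: AES-GCM in TLS 1.2 (8-byte explicit nonce, 16-byte tag)."""
    return HEADER + 8 + 16


def stream_overhead(payload_len, per_record):
    """Total bytes added when payload_len bytes are split into records."""
    full, rest = divmod(payload_len, MAX_FRAGMENT)
    total = full * per_record(MAX_FRAGMENT)
    if rest:
        total += per_record(rest)
    return total


def overhead_percent(payload_len, per_record):
    """Record-layer overhead as a percentage of the payload size."""
    return 100.0 * stream_overhead(payload_len, per_record) / payload_len


if __name__ == "__main__":
    # Constructed sample sizes: a small page fragment and a photo attachment.
    samples = [("2 KiB page fragment", 2048), ("1 MiB photo", 1 << 20)]
    suites = [("AES-CBC/SHA1", cbc_sha1_record_overhead),
              ("AES-GCM", gcm_record_overhead)]
    for label, size in samples:
        for name, fn in suites:
            print(f"{label:20s} {name:13s} +{stream_overhead(size, fn):5d} B "
                  f"({overhead_percent(size, fn):.2f}%)")
```
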
