Many thanks. I will consider setting up HTTPS for my server.

On Wed, Dec 8, 2010 at 10:17 PM, Hugo van der Kooij <[email protected]> wrote:
> On Wed, 8 Dec 2010 21:20:06 +0700, Minh Nguyen <[email protected]> wrote:
> > My RC uses the PLAIN mechanism for IMAP authentication. And it uses the
> > default (non-SSL) IMAP port 143.
> >
> > While logging in, I captured the information with Wireshark and then I
> > could see the username and password, wrapped in an HTTP POST.
> >
> > If I change to use SSL with IMAP,
> >
> > $rcmail_config['default_host'] = 'ssl://mail.mysite.com';
> > $rcmail_config['default_port'] = 993;
> >
> > I can still capture my username/password. So I think the SSL
> > authentication is just from RC to the IMAP server, not from my PC to the
> > RC server.
> >
> > I know that if I'm using HTTPS, the information sent from my PC to the
> > HTTP server will be encrypted.
> >
> > Is there any way to encrypt the login session from my PC to the RC
> > server, except using HTTPS? I mean the encryption supported inside the
> > RC login page.
>
> This is exactly why you should enforce HTTPS on your webserver for
> roundcubemail and enforce IMAPS on your mailserver.
>
> This is how things are designed and why your webserver with roundcubemail
> should be considered a critical component as far as security is concerned.
>
> Hugo.
>
> --
> [email protected] http://hugo.vanderkooij.org/
> PGP/GPG <http://hugo.vanderkooij.org/PGP/GPG>? Use:
> http://hugo.vanderkooij.org/0x58F19981.asc
>
> _______________________________________________
> List info: http://lists.roundcube.net/users/
> BT/aa05301c
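The two hops discussed in this thread, as an added example that is not part of the original messages: a small Python check that reads a Roundcube config and reports, per hop, whether encryption is requested. `force_https` and the `tls://` prefix are Roundcube settings not mentioned in the thread, and the sample configs are constructed.

```python
import re

# Matches simple assignments such as: $rcmail_config['default_port'] = 993;
SETTING = re.compile(r"\$rcmail_config\['(\w+)'\]\s*=\s*(.+?);")


def parse_settings(php_text):
    """Return {key: value} for scalar $rcmail_config assignments."""
    settings = {}
    for line in php_text.splitlines():
        line = line.strip()
        if line.startswith(("//", "#")):  # skip commented-out settings
            continue
        m = SETTING.search(line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("'\"")
    return settings


def audit(php_text):
    """Report, for each network hop, whether the config asks for encryption."""
    s = parse_settings(php_text)
    host = s.get("default_host", "")
    return {
        # Hop 1: browser -> Roundcube web server (the login HTTP POST).
        # force_https only redirects to HTTPS; the web server itself must
        # still be configured with a certificate.
        "browser_to_roundcube": s.get("force_https", "false").lower() == "true",
        # Hop 2: Roundcube -> IMAP server (ssl:// or tls:// host prefix).
        "roundcube_to_imap": host.startswith(("ssl://", "tls://")),
    }


# Constructed sample: no encryption on either hop.
PLAINTEXT_CONFIG = """
$rcmail_config['default_host'] = 'mail.mysite.com';
$rcmail_config['default_port'] = 143;
"""

# The change described in the thread: IMAP over SSL, web login still over HTTP.
THREAD_CONFIG = """
$rcmail_config['default_host'] = 'ssl://mail.mysite.com';
$rcmail_config['default_port'] = 993;
"""

# Constructed sample: both hops covered.
HARDENED_CONFIG = THREAD_CONFIG + "$rcmail_config['force_https'] = true;\n"

if __name__ == "__main__":
    for name in ("PLAINTEXT_CONFIG", "THREAD_CONFIG", "HARDENED_CONFIG"):
        print(name, audit(globals()[name]))
```

The `THREAD_CONFIG` result shows the situation from the original question: the IMAP hop is encrypted while the browser hop is not.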
