how do you sell this to the average end user? especially in days where all f**ing browsers suppress protocol-prefixes
as said: prevent sending cookies unencrypted and redirect at the first connect to https and you are done

On 28.12.2012 03:38, Benny Pedersen wrote:
> Don't use http to webmail host that also have same hostname on https
> Remove the http host in apache
> Now the question is ? :-)
>
>
> -------- Original message --------
> From: Robert Moskowitz <[email protected]>
> Date:
> To: Roundcube Users mailing list <[email protected]>
> Subject: Re: [RCU] invalid auth cookie
>
>
>
> On 12/27/2012 06:40 PM, Reindl Harald wrote:
>>
>> On 28.12.2012 00:24, Jan M. Dziewulski wrote:
>>> On 27/12/2012 23:17, Robert Moskowitz wrote:
>>>
>>>> hmmm. Thinking (really!) I should change it back and try
>>>> https:/.../webmail and see if it works. If it does, I need to add a
>>>> force redirect to the roundcube.conf. Thinking more, this is reasonable
>>>> as this is how my current squirrelmail works.
>>> But shouldn't people be accessing it via https anyway? I mean without the
>>> need for a redirection? Adding a
>>> redirection increases security issues (for your site) so I personally would
>>> not be keen to do that
>
> My little bit of testing gives the user a bad experience if they use
> http://fqdn/webmail. The ajax error is so cryptic. I suppose with some
> digging I can find a way to get it to say, "use https:// like you were
> instructed!" instead. Until I do, I tend toward a forced redirect to https.
>
> As for security issues for my site? What, yet another DOS attack with
> TLS costs to any robo that hits on my webmail url?
>
> My expertise is in designing security protocols, not impact of force
> using them. ;)
>
>> it does not if it is done right
>>
>> <Directory "roundcube-dir">
>> php_admin_flag session.cookie_secure "1"
>> </Directory>
>>
>> this makes sure that there will NEVER a client send the
>> session cookie unencrypted, if you get an external security
>> audit and do not use this setting for https sites you
>> will get warned by the auditor and if not he did not make
>> his job!
>
> Perhaps I am implementing this wrong on my server. My
> roundcubemail.conf has
>
> <Directory /usr/share/roundcubemail/>
> Order Deny,Allow
> Allow from all
> </Directory>
>
> Am I supposed to put your <Directory "roundcube-dir"> ...
>
> after this entry or the php_admin_flag in the one I have?
>
> What do you use for force_https and use_https?
>
>
>
> _______________________________________________
> Roundcube Users mailing list
> [email protected]
> http://lists.roundcube.net/mailman/listinfo/users

-- 
Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / CISO / Software-Development
p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
icq: 154546673, http://www.thelounge.net/
http://www.thelounge.net/signature.asc.what.htm
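The setup the thread converges on (send the very first plain-http connect to https, and make sure the session cookie is never sent unencrypted) as one Apache configuration. This is an added example, not configuration from the thread, from Reindl Harald, or from the Roundcube project; the hostname webmail.example.com, the certificate paths and the Alias are placeholders, and the Strict-Transport-Security header is an addition beyond the two settings the thread discusses.

```apache
# Constructed example (not from the thread). webmail.example.com, the
# certificate file names and the Alias are placeholders.

# Plain-http vhost: serves nothing itself, every request is redirected.
# A permanent redirect keeps bare-hostname typing and old bookmarks working,
# which is what makes the setup sellable to end users.
<VirtualHost *:80>
    ServerName webmail.example.com
    Redirect permanent / https://webmail.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName webmail.example.com
    SSLEngine on
    # placeholder paths
    SSLCertificateFile    /etc/pki/tls/certs/webmail.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/webmail.example.com.key

    # Added beyond the thread (needs mod_headers): once a browser has seen
    # this header it rewrites http:// to https:// itself, so the plain-http
    # hop above is only ever taken on the very first visit.
    Header always set Strict-Transport-Security "max-age=31536000"

    # placeholder; matches the path Robert's roundcubemail.conf uses
    Alias /webmail /usr/share/roundcubemail

    <Directory /usr/share/roundcubemail/>
        # Apache 2.2 access control as in the thread; on 2.4 use
        # "Require all granted" instead of the two lines below.
        Order Deny,Allow
        Allow from all
        # php_admin_flag cannot be overridden by ini_set() or .htaccess,
        # so the PHP session cookie always carries the Secure attribute and
        # the browser never sends it over plain http.
        php_admin_flag session.cookie_secure "1"
    </Directory>
</VirtualHost>
```

After `apachectl configtest` and a reload, two checks confirm the intent: `curl -I http://webmail.example.com/webmail/` should answer with a 301 to the https URL and no `Set-Cookie` header at all, and `curl -I https://webmail.example.com/webmail/` should show the session cookie's `Set-Cookie` line ending in `; secure`. An auditor would flag either of those failing, which is the point made in the quoted reply.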
