Harald,

I am beginning to see what you are doing; through some foggy glasses. Still need to read more, and today was not a reading day. I am struggling to understand the attack space.

How can the user submit their cookie over a non-SSL connection when the server redirects everything to https? The only scenario I have come up with is: with the login screen in front of them, the user changes the method to http, enters their data and sends?

So I have been running SquirrelMail as a virtual host over https and here is the gist of what I have used:

<VirtualHost *:443>

    ServerName webmail
    ServerAlias webmail.foo.com
    SSLEngine On
    SSLCertificateFile ...crt
    SSLCertificateKeyFile ...key

    DocumentRoot /usr/share/squirrelmail

    <Directory "/usr/share/squirrelmail">
        ...
    </Directory>
</VirtualHost>

Any connection to http://webmail.foo.com gets returned as https://webmail.foo.com. It took a bit of reading to get to this setup.

I will probably have to check with Wireshark what is going on if I change the method to http for any screen, and what happens after login.

I do want to run Roundcube as a virtual host.

On 12/27/2012 06:40 PM, Reindl Harald wrote:

On 28.12.2012 00:24, Jan M. Dziewulski wrote:
On 27/12/2012 23:17, Robert Moskowitz wrote:

hmmm. Thinking (really!) I should change it back and try https:/.../webmail and see if it works. If it does, I need to add a force redirect to the roundcube.conf. Thinking more, this is reasonable as this is how my current squirrelmail works.

But shouldn't people be accessing it via https anyway? I mean without the need for a redirection? Adding a redirection increases security issues (for your site) so I personally would not be keen to do that
It does not if it is done right:

<Directory "roundcube-dir">
  php_admin_flag session.cookie_secure "1"
</Directory>

This makes sure that a client will NEVER send the session cookie unencrypted. If you get an external security audit and do not use this setting for https sites, you will get warned by the auditor, and if not, he did not do his job!
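The question above (how a cookie can go out over plain http when the server redirects everything to https) and the cookie_secure answer can both be shown with a short script. This is an added example, not code from the thread or from the Roundcube project. It uses the standard library's cookie jar as a stand-in for a browser's cookie store, and the host name webmail.foo.com from the thread; the session cookie name and value are constructed placeholders and no network connection is made.

```python
"""Why a cookie without the Secure attribute leaks despite an http->https redirect.

A browser decides which cookies to attach *before* it sends a request, so
when the user types http://webmail.foo.com (or follows an http link) the
session cookie is already on the wire in clear text by the time the
server's redirect to https comes back. The Secure attribute (PHP:
session.cookie_secure=1) tells the browser never to attach the cookie
to a non-https request in the first place.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

HOST = "webmail.foo.com"  # host name from the thread; nothing is actually contacted


class _SetCookieResponse:
    """Minimal stand-in for an HTTP response object: CookieJar.extract_cookies()
    only calls response.info() and reads the Set-Cookie headers from it."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def cookie_sent_over_http(set_cookie_value):
    """Store a cookie as if it came from an https:// login response, then
    return the Cookie header the jar would attach to a later plain http://
    request to the same host (None when the jar would send nothing)."""
    jar = CookieJar()
    login_request = Request(f"https://{HOST}/")
    jar.extract_cookies(_SetCookieResponse([set_cookie_value]), login_request)

    # Later plain-http request to the same host. The client builds it,
    # cookies included, before it can know the answer will be a redirect.
    plain_request = Request(f"http://{HOST}/")
    jar.add_cookie_header(plain_request)
    return plain_request.get_header("Cookie")


# Constructed sample Set-Cookie values; the session id is a placeholder.
WITHOUT_SECURE = "roundcube_sessid=abc123placeholder; path=/; HttpOnly"
WITH_SECURE = "roundcube_sessid=abc123placeholder; path=/; HttpOnly; secure"


def main():
    # Without Secure the session id is attached to the plaintext request;
    # with Secure (session.cookie_secure=1) the jar attaches nothing.
    print("cookie_secure=0 ->", cookie_sent_over_http(WITHOUT_SECURE))
    print("cookie_secure=1 ->", cookie_sent_over_http(WITH_SECURE))


if __name__ == "__main__":
    main()
```

The redirect still has its place (users who type the bare host name land on https), but it is the Secure attribute, not the redirect, that keeps the session id off the plaintext request; both together are what an audit expects for an https-only site.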


_______________________________________________
Roundcube Users mailing list
[email protected]
http://lists.roundcube.net/mailman/listinfo/users
