
HTTPS suggestion

supermagnum
Posts: 57
Joined: 19 Oct 2010, 05:27

HTTPS suggestion

Post by supermagnum »

All non local logins to B2/B3 and Horde should be enforced to https.
RandomUsername
Posts: 904
Joined: 09 Oct 2009, 18:49

Re: HTTPS suggestion

Post by RandomUsername »

+1. I've done this myself by modifying apache but it's broken the photo albums in the B3 :(
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: HTTPS suggestion

Post by Ubi »

Meh, why enforce it? If you have the choice to use it, and you think it is important, you'll use it. The problem is that forcing https is only useful if you have a *certified* certificate on your machine. If you do not, Internet Explorer will give a crazy warning and refuse to load. Yes, tech savvy people like you will know how to get around that, but the bubba is meant to be used by regular people too, who will whine to the helpdesk that their webmail is broken.

I'd like to be able to make my own choice whether to use SSL or not, so I vote -1
RandomUsername
Posts: 904
Joined: 09 Oct 2009, 18:49

Re: HTTPS suggestion

Post by RandomUsername »

But what about enforcing it for people who don't know any better? Especially for people accessing their email remotely? Don't we, as tech savvy people, have a duty of care to those who don't know their arse from their elbow when it comes to computers (read: my dad)?
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: HTTPS suggestion

Post by Ubi »

Wouldn't a notification with explanation on the front page suffice? That's what I do for my webmail service and it seems to work fine.
Eek
Posts: 372
Joined: 23 Dec 2007, 03:03
Location: the Netherlands

Re: HTTPS suggestion

Post by Eek »

Does that also explain that their session can be hijacked if they don't use SSL?
With plugins like Firesheep it has become trivial.

True, you need valid certified certificates. But those don't need to cost that much anymore.

And if you only have known users, why not create your own root CA certificate and let them import it into their browser. No more pesky warnings.

I vote +1 :D
cheers
Eek
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: HTTPS suggestion

Post by Ubi »

Because most people do not understand this.

Look, it's a bit like bulldozing down all McDonalds because fast food is bad for you and we should "educate" the people. If you want to educate, then educate. Don't force your opinion on me.
Eek
Posts: 372
Joined: 23 Dec 2007, 03:03
Location: the Netherlands

Re: HTTPS suggestion

Post by Eek »

Ubi, I was not talking to you personally nor do I try to force anything.
It is just an opinion and it happens to be mine,
that we try to provide the best security possible for all the non-tech savvy people,
as the web is badly broken and bad guys and script kiddies are roaming free.
I don't believe education is the solution, you don't need to understand a seatbelt in order to use it.
So I think it is a good idea to have the possibility of a HTTPS only bubba,
one that does not break the photo albums.

PS. Congratulations on becoming the top poster! You knocked Tor off his top spot :D
cheers
Eek
johannes
Posts: 1470
Joined: 31 Dec 2006, 07:12
Location: Sweden
Contact:

Re: HTTPS suggestion

Post by johannes »

Interesting discussion. My opinion is that we should not enforce this, since:

1) Many people are not paranoid and do not think having a hijacked account would be the end of the world to them. Private email addresses are not considered a big secret to many people and they don't worry about this stuff. Forcing https would create only annoyance.

2) Many non-tech-savvy users (who may or may not care about privacy) would never figure out how to connect using https due to the certificate issue. IE makes it quite difficult (and forcing them to leave IE is also difficult). Some might not be able to use the email service.

3) Most B3 users understand that they have the possibility to use https and can choose to do so if they wish.
/Johannes (Excito co-founder a long time ago, but now I'm just Johannes)
supermagnum
Posts: 57
Joined: 19 Oct 2010, 05:27

Re: HTTPS suggestion

Post by supermagnum »

It should be possible to choose it in the web/GUI config perhaps.
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: HTTPS suggestion

Post by Ubi »

You can https: into bubba already, there's no need for a GUI option.
Gordon
Posts: 1462
Joined: 10 Aug 2011, 03:18

Re: HTTPS suggestion

Post by Gordon »

Ubi wrote:
Because most people do not understand this.

Look, it's a bit like bulldozing down all McDonalds because fast food is bad for you and we should "educate" the people. If you want to educate, then educate. Don't force your opinion on me.

I've been thinking about this and I disagree.

Thing is that you'd be amazed to learn how many people share passwords between multiple accounts. Knowing someone's password for eBay may very well also get you into their PayPal account, or even the one they use for private banking, work, and of course their home Bubba or B3. People, specifically uneducated people, should not be tempted to enter such a password on a non-secure site. And actually it really isn't that big a deal to maintain personal self-signed certificates and to make Windows accept them is maybe just four guided clicks away.
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: HTTPS suggestion

Post by Ubi »

You can still do this. The point here is whether to make it compulsory. In reality the only way that SSL protects against snooping a password is with a MitM attack, which is quite difficult to do. Keyloggers are much simpler, and they are not stopped by HTTPS.

Your solution does not have a problem.
Gordon
Posts: 1462
Joined: 10 Aug 2011, 03:18

Re: HTTPS suggestion

Post by Gordon »

Well, yeah... The only way to make any computer meddle-free is to pour concrete on top of it and then drop it in the middle of the ocean. But that doesn't mean you should give up trying with computers that you actually intend to use.

In any case, the following quick and dirty fix will help those that like the idea but feel reluctant to go into the console and hack the webserver.

1. Access the web folder on your B3 ( on Windows \\your-B3\home\web )
2. Create a file in there named `index.php` and copy-paste the following text into it

<?php
  header("location: https://".$_SERVER["HTTP_HOST"]."/admin");
?>
3. Rename the file `index.html` that was already there to `index.html.dist`

Now this will not prevent you from accessing the B3 admin page through normal http, but anyone accessing the regular web index page will now be redirected to the SSL protected admin page (and as a bonus not see `Redirecting ...` printed on a page with title `Bubba|2`)

Rename index.html.dist back to index.html to revert to the original setup.
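The thread keeps circling back to "force HTTPS for remote logins, but leave the LAN alone". As an added example (mine, not Gordon's, Cheeseboy's or Excito's code), this variant of the `index.php` trick redirects only plaintext requests that come from outside loopback/RFC 1918 ranges, and checks the Host header before building the redirect so a crafted Host cannot bounce the user to a site of someone else's choosing. It assumes the admin UI lives under `/admin` and that `REMOTE_ADDR` is the real client address (no reverse proxy in front of the B3).

```php
<?php
// Added example, not Gordon's or Excito's code. Assumes the admin UI lives
// under /admin and that REMOTE_ADDR is the real client address (no proxy).
declare(strict_types=1);

/** True when this request already arrived over TLS. */
function is_https(array $server): bool
{
    $flag = $server['HTTPS'] ?? '';
    return ($flag !== '' && $flag !== 'off') || ($server['SERVER_PORT'] ?? '') === '443';
}

/** True for loopback and RFC 1918 (LAN) clients, which may keep using plain HTTP. */
function is_local_client(string $ip): bool
{
    if ($ip === '::1') {
        return true;                       // IPv6 loopback
    }
    $addr = ip2long($ip);
    if ($addr === false) {
        return false;                      // IPv6 or garbage: treat as remote
    }
    foreach (['127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'] as $cidr) {
        [$net, $bits] = explode('/', $cidr);
        $mask = -1 << (32 - (int) $bits);  // network mask as a signed int
        if ((ip2long($net) & $mask) === ($addr & $mask)) {
            return true;
        }
    }
    return false;
}

/** Returns the HTTPS URL to redirect to, or null when no redirect is needed. */
function redirect_target(array $server): ?string
{
    if (is_https($server) || is_local_client($server['REMOTE_ADDR'] ?? '')) {
        return null;
    }
    // Accept only a plain hostname[:port]; anything else is ignored and the
    // harmless index page is served, rather than redirecting to an unexpected host.
    $host = $server['HTTP_HOST'] ?? '';
    if (!preg_match('/^[A-Za-z0-9.-]+(:\d{1,5})?$/', $host)) {
        return null;
    }
    return 'https://' . $host . '/admin';
}

$target = redirect_target($_SERVER);
if ($target !== null) {
    header('Location: ' . $target, true, 302);
    exit;
}
```

As with Gordon's version, this only covers visitors who land on the web root; a bookmark straight to `http://your-B3/admin` is still served over plain HTTP unless the web server itself redirects, as in the Apache configuration posted later in the thread.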
Cheeseboy
Posts: 789
Joined: 08 Apr 2007, 12:16

Re: HTTPS suggestion

Post by Cheeseboy »

Neat.
I think I added this to my Bubba2 /etc/apache2/conf.d some years ago to achieve the same thing (to force the use of HTTPS):

<Location /admin>
        RewriteEngine on
        RewriteBase /admin
        # Front controller: anything that is not a real file or directory goes to index.php
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule ^(.*)$ index.php/$1 [L]
        # Force TLS for every plaintext request except those addressed to the box's local names
        RewriteCond %{HTTPS} off
        RewriteCond %{HTTP_HOST} !localhost
        RewriteCond %{HTTP_HOST} !bubba2
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</Location>
EDIT:
It was actually only 14 months ago according to the timestamp of the file, but it feels a lot longer :-)