
[OT] suitable webmail

  • Stan Hoeppner
    Message 1 of 42 , Feb 1, 2010
      Kay put forth on 2/1/2010 11:49 AM:

      > In my job (hosting company) I see boxes exploited via roundcube all the
      > time. Squirrelmail? Not one so far. Part of the reason is that
      > squirrelmail comes with RHEL, so it's kept up to date automatically,
      > while customers install their own roundcube and then don't maintain it.

      I think you're making some incorrect assumptions. Squirrelmail has had a pretty
      abysmal security track record of its own over the years. One reason for that is
      probably exactly what you're calling out Roundcube for here, which has nothing
      to do with the software, but the administration of the system. That said, you
      appear to think the world runs on Red Hat, and if Red Hat doesn't have a
      Roundcube package, admins will install from source or an external RPM that
      doesn't get updated by Red Hat's uptodate or whatever it's called. The world
      doesn't run on Red Hat, and many admins _do_ keep their Roundcube (and other)
      packages up to date. For instance, I do security updates on my Debian servers
      once a week. My Roundcube package is currently up to date, and it is a standard
      Debian package:

      [02:21:52][root@greer]/$ aptitude show roundcube
      Package: roundcube
      New: yes
      State: installed
      Automatically installed: no
      Version: 0.2.2-1~bpo50+1
      Priority: extra
      Section: web
      Maintainer: Debian Roundcube Maintainers
      <pkg-roundcube-maintainers@...>
      Uncompressed Size: 94.2k
      Depends: roundcube-core (= 0.2.2-1~bpo50+1)
      Description: skinnable AJAX based webmail solution for IMAP servers - metapackage

      > That said, it's not the only webmail client (or any other web app) that
      > gets the install&neglect treatment, it's just the one most frequently
      > exploited.

      Do you have any empirical data showing that Roundcube is exploited more often
      today than Squirrelmail? Claims like this really need to be backed up. Data
      for only your data center doesn't count, the sample size is way too small. This
      is called "anecdotal" evidence, not empirical evidence.

      --
      Stan
    • Stan Hoeppner
      Message 42 of 42 , Feb 12, 2010
        LuKreme put forth on 2/12/2010 10:08 AM:
        > On 12-Feb-2010, at 08:48, Stan Hoeppner wrote:
        >>
        >> Tell me about this "top-secure" aspect of Squirrelmail again. ;)
        >
        > The fact that some spammers are able to get into email accounts and send spam via squirrelmail has nothing to do with the security of squirrelmail itself. In nearly all, if not all, of these cases the account is being compromised due to having a password like "password1" or "12345678"

        If you'd have read past the first line you'd have noticed I said the same thing. ;)

        --
        Stan