
Thread: Security breach -Sniffer program!

  1. #1

    Question Security breach -Sniffer program!

    Security issue accessing Zimbra from the browser (port 80). The username & Password can be seen (text) by any Sniffer program.
    We use ZCS 5.0.9 N/W edition
    Can we encrypt the same with http(80) ?

  2. #2
    phoenix (Zimbra Consultant & Moderator)

    Originally posted by tiarra:
        Security issue accessing Zimbra from the browser (port 80). The username & Password can be seen (text) by any Sniffer program.

    That's not a security issue; it's poor practice to use that connection outside your LAN for passing passwords & login details.

    Originally posted by tiarra:
        We use ZCS 5.0.9 N/W edition
        Can we encrypt the same with http(80) ?

    Use zmtlsctl to set it to a secure mode.
    Regards


    Bill



  3. #3

    U suggest to go for https mode?

    What r the implications of having either mixed or redirect modes.

    We have other mail systems & edirectory without https mode & no breaches yet!

    Please can we still be with http & have more security?

  4. #4
    phoenix (Zimbra Consultant & Moderator)

    Originally posted by tiarra:
        U suggest to go for https mode?

        What r the implications of having either mixed or redirect modes.

        We have other mail systems & edirectory without https mode & no breaches yet!

    If you have external access to these services in HTTP mode then it's only a matter of time before you have a problem; this is poor security practice to expose your username & login information via an insecure connection.

    Originally posted by tiarra:
        Please can we still be with http & have more security?

    No, you can't and by definition port 80 is an insecure connection.

    I think you should give your security a serious review.
    Regards


    Bill



  5. #5

    Same goes for POP3 connection... it sends in plain text also.
    You may want to use pop3s.

    Raj

  6. #6

    If you can use a sniffer then you should understand how the protocols work as well.

  7. #7

    Better use https. In case more worried on security, use commercial certificates.

  8. #8

    Donno for what reason implementor & we all opted for http for user logins!!

    Any suggestions for opting mixed mode "http://wiki.zimbra.com/index.php?title=Zmtlsctl" as we have many users already LIVE with the system..
    Are there any implications or anything that needs to be looked into before going further with https?

    I am totally new to admin as well as Zimbra so plz bear with me.

  9. #9

    Just go HTTPS ... if security is your concern, which I hope it is, then once you explain to your users about privacy then I am sure they will not mind having to type an additional 's'

  10. #10

    Or the new 'redirect' mode. (Won't have to type that extra s in the url either - it's automatic.)

    What we're saying is besides just the logins there may be more important things in the body of your emails to protect.

    Also might upgrade that 5.0.9 > 5.0.16 (As some of the third-party products we bundle occasionally have fixes for their own flaws.)

    Now why have 'mixed' mode at all? Secure sessions do use a little more resources on both ends, and often browsers are configured to not cache data as long for https sessions. So some just want it for the auth part only.

    Make sure your self-signed certs are current (there's a section in the admin console), or you can add commercial certs so users aren't prompted for an extra security confirmation. It's more of an identity trust issue than an actual encryption difference.

    Unless you're talking thousands of users probably no need to tweak zimbraHttpSSLNumThreads (50) the counterpart to zimbraHttpNumThreads (250). (Examine your access logs and look at concurrent connections/sec at peak.)
    Last edited by mmorse; 06-09-2009 at 10:58 PM.
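
An added example, not part of the thread and not Zimbra's own code: a Python check that takes the raw response a server gives on port 80 and reports whether a login through it would cross the network in clear text, be posted to an https URL, or be redirected to https first. The host mail.example.com, the form field names, the result labels and the sample responses are constructed assumptions; how a given zmtlsctl mode maps onto these labels is an interpretation of the posts above and should be confirmed against your own server.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class LoginFormFinder(HTMLParser):
    """Collect the action of every <form> that contains a password input."""
    def __init__(self):
        super().__init__()
        self.action = None   # action of the form currently open, if any
        self.found = []      # actions of forms holding a password field

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.action = attrs.get("action") or ""
        elif tag == "input" and self.action is not None and (attrs.get("type") or "").lower() == "password":
            self.found.append(self.action)

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = None

def classify_port80(raw: bytes, base_url: str) -> str:
    """Say what a response received over plain HTTP means for the login."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {n.strip().lower(): v.strip() for n, _, v in (l.partition(":") for l in lines[1:])}
    if 300 <= status < 400:   # server sends the browser elsewhere before any login
        target = urljoin(base_url, headers.get("location", ""))
        return "redirect-to-https" if urlsplit(target).scheme == "https" else "redirect-to-http"
    finder = LoginFormFinder()
    finder.feed(body.decode("utf-8", "replace"))
    if not finder.found:
        return "no-login-form"
    # Resolve each form action against the page URL; all must be https.
    schemes = {urlsplit(urljoin(base_url, a)).scheme for a in finder.found}
    return "login-posted-over-tls" if schemes == {"https"} else "cleartext-login"

# Constructed sample responses (assumptions, not captured from a real server).
BASE = "http://mail.example.com/"
FORM = b'<form method="post" action="%s"><input name="username"><input type="password" name="password"></form>'
OK = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
PLAIN = OK + FORM % b"/login"
TLS_POST = OK + FORM % b"https://mail.example.com/login"
REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: https://mail.example.com/\r\n\r\n"

if __name__ == "__main__":
    print([classify_port80(r, BASE) for r in (PLAIN, TLS_POST, REDIRECT)])
```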
