Zimbra Forums > Zimbra Collaboration Suite > Administrators

Thread: Security breach - Sniffer program!

#1, 06-08-2009, 04:06 AM, Senior Member (Posts: 63):

Security issue accessing Zimbra from the browser (port 80). The username & password can be seen (as text) by any sniffer program.
We use ZCS 5.0.9 N/W edition.
Can we encrypt the same with http (80)?
#2, 06-08-2009, 04:13 AM, Zimbra Consultant & Moderator (Posts: 11,320):

Quote (Originally Posted by tiarra):
    Security issue accessing Zimbra from the browser (port 80). The username & password can be seen (as text) by any sniffer program.

That's not a security issue; it's poor practice to use that connection outside your LAN for passing passwords & login details.

Quote (Originally Posted by tiarra):
    We use ZCS 5.0.9 N/W edition.
    Can we encrypt the same with http (80)?

Use zmtlsctl to set it to a secure mode.
Regards
Bill

#3, 06-08-2009, 04:36 AM, Senior Member (Posts: 63):

You suggest to go for https mode?

What are the implications of having either mixed or redirect modes?

We have other mail systems & eDirectory without https mode & no breaches yet!

Please, can we still be with http & have more security?
#4, 06-08-2009, 05:09 AM, Zimbra Consultant & Moderator (Posts: 11,320):

Quote (Originally Posted by tiarra):
    You suggest to go for https mode?
    What are the implications of having either mixed or redirect modes?
    We have other mail systems & eDirectory without https mode & no breaches yet!

If you have external access to these services in HTTP mode then it's only a matter of time before you have a problem; it is poor security practice to expose your username & login information via an insecure connection.

Quote (Originally Posted by tiarra):
    Please, can we still be with http & have more security?

No, you can't, and by definition port 80 is an insecure connection.

I think you should give your security a serious review.
Regards
Bill

#5, 06-08-2009, 09:35 AM, raj, Moderator (Posts: 424):

Same goes for the POP3 connection... it sends in plain text also.
You may want to use pop3s.

Raj
i2k2 Networks
Dedicated & Shared Zimbra Hosting Provider

#6, 06-08-2009, 01:31 PM, Moderator (Posts: 5,800):

If you can use a sniffer then you should understand how the protocols work as well.
SplatNIX IT Services :: Innovation through Collaboration™
http://www.messagefortress.com

#7, 06-08-2009, 02:14 PM, Elite Member (Posts: 351):

Better use https. In case you're more worried about security, use commercial certificates.
#8, 06-09-2009, 12:32 AM, Senior Member (Posts: 63):

Don't know for what reason the implementor & we all opted for http for user logins!!

Any suggestions for opting for mixed mode (http://wiki.zimbra.com/index.php?title=Zmtlsctl), as we have many users already LIVE with the system?
Are there any implications or anything that needs to be looked into before going further with https?

I am totally new to admin as well as Zimbra, so please bear with me.
#9, 06-09-2009, 01:12 AM, Moderator (Posts: 5,800):

Just go HTTPS... if security is your concern, which I hope it is, then once you explain to your users about privacy I am sure they will not mind having to type an additional 's'.
SplatNIX IT Services

#10, 06-09-2009, 04:23 PM, Zimbra Consultant (Posts: 5,784):

Or the new 'redirect' mode. (You won't have to type that extra 's' in the URL either; it's automatic.)

What we're saying is besides just the logins there may be more important things in the body of your emails to protect.

Also, you might upgrade that 5.0.9 > 5.0.16 (as some of the third-party products we bundle occasionally have fixes for their own flaws).

Now why have 'mixed' mode at all? Secure sessions do use a little more resources on both ends, and often browsers are configured to not cache data as long for https sessions. So some just want it for the auth part only.

Make sure your self-signed certs are current (there's a section in the admin console), or you can add commercial certs so users aren't prompted for an extra security confirmation. It's more of an identity trust issue than an actual encryption difference.

Unless you're talking thousands of users, there's probably no need to tweak zimbraHttpSSLNumThreads (50), the counterpart to zimbraHttpNumThreads (250). (Examine your access logs and look at concurrent connections/sec at peak.)
-Mike Morse (MCode151)
ZCS-to-ZCS Migrations & Moves | Admin Tools & Tidbits » ZimbraBlog.com | ZimbraCommunity.com
Last edited by mmorse: 06-09-2009 at 10:58 PM.
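As an added example (not from this thread and not Zimbra's own code), a small Python checker that verifies from the outside what the posts above recommend: that port 80 is either closed (https mode) or redirects to https (redirect mode), and that the server certificate is still current. The hostname is a placeholder, and the mapping from HTTP answers to zmtlsctl modes is my own reading of the modes named in the thread.

```python
"""Added example (not Zimbra's code): check from outside what zmtlsctl left
you with.  Port 80 must either be closed (https mode) or redirect to https
(redirect mode), and the certificate must still be current."""
import http.client
import socket
import ssl
from datetime import datetime, timezone

def classify_port80(status, location):
    """Map the answer to GET http://host/ onto the zmtlsctl mode it matches.
    status: HTTP status code, or None if nothing accepted the connection.
    location: the Location header, or None."""
    if status is None:
        return "https"          # nothing listening on :80 at all, as in https mode
    if status in (301, 302, 303, 307, 308) and (location or "").lower().startswith("https://"):
        return "redirect"       # redirect mode: browser is sent to TLS before the login form
    return "http-or-mixed"      # login page served in clear: credentials visible on the wire

def probe_port80(host, timeout=5.0):
    """Return (status, Location) for GET http://host/, or (None, None) if refused."""
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    except (OSError, http.client.HTTPException):
        return None, None

def cert_days_remaining(not_after):
    """Days until expiry, given notAfter as ssl.getpeercert() formats it,
    e.g. 'Jun  9 00:00:00 2010 GMT'.  Negative means already expired."""
    expires = datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z")
    return (expires.replace(tzinfo=timezone.utc) - datetime.now(timezone.utc)).days

def fetch_not_after(host, timeout=5.0):
    """Read the server certificate's notAfter over a verified TLS handshake.
    A self-signed cert the client does not trust raises
    ssl.SSLCertVerificationError: the same trust failure users see as a prompt."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

if __name__ == "__main__":
    host = "mail.example.com"   # placeholder host, not a real deployment
    print("port 80 mode:", classify_port80(*probe_port80(host)))
    print("cert days left:", cert_days_remaining(fetch_not_after(host)))
```

Run it against the front end after switching modes; "http-or-mixed" means the login form is still reachable in clear, which is exactly what the sniffer in post #1 picks up.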