Popfile 1.0 IMAP - Problems

2007-12-21
2013-04-15
  • Morgenstern72

    Morgenstern72 - 2007-12-21

    1. The password is stored in clear text in the popfile.cfg. This is a real security problem.
    2. If you enter a wrong username the Popfile UI does not load anymore, even after shutdown. You have to manually edit popfile.cfg.

    I use the IMAP-Extension for Gmail without a client so its really great to have this extension. But please make it more stable and secure :)

    Thx for all the great work!

     
    • David Lang

      David Lang - 2007-12-24

      remember that popfile needs to give the password to the server to login, so it can't just store a hashed password.

      we could encrypt the password when writing the file and then decrypt it when reading it, but the problem then becomes where do you store the encryption key? remember that this is a perl program so the source can be viewed, meaning that wherever we try to hide the key any bad guys can just look there and run the same perl routine to get the decrypted key.

      for that matter, if the bad guy can access your config file they can tell the popfile to connect to a different server, and then when you try to use popfile (IMAP of POP mode) you will end up connecting to them and handing them your password (decrypted, because that's what the server needs anyway)

      the only way to be secure is to not store the password anywhere and force someone to type it in each time popfile starts, unfortunately (from a security point of view) that's not practical in real life.

      encrypting the password in the config file will only slow down the most casual of attackers, I don't think the benefit is worth the complexity, but others may disagree

       

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks