While it is easy enough to modify login.php to require a secure connection when logging in, SquirrelMail should have a configuration option to require the secure connection before displaying the login screen. Otherwise, userids and passwords are transmitted in clear text.
Ideally, a non-secure connection should display an error screen indicating the nature of the problem. Only a secure connection should display the login screen.
For those that don't wish to use secure login, there should be an option to disble the check in the config script. I'd suggest that the secure login should be the default, to prevent user error from compromising the system as a result of the SquirrelMail installation.
Log in to post a comment.