Mailing List CGatePro@mail.stalker.com Message #106329
From: Mark J Strawcutter <mjstraw@iup.edu>
Subject: Re: [Ext]Re: [CGP-Update] [*] CommuniGate Pro 6.2c1 is released
Date: Wed, 15 Feb 2017 12:15:49 -0500
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
Or spend your time developing a Shib-enabled webmail

Mark

On 2/15/2017 10:20 AM, Nicolas Hatier wrote:

Hello

To the developers: I know this is a preliminary version. But the current
implementation of the two-factor authentication for webmail has a
blatant flaw, since it relies on a field being sent by the client
browser. If all I have to do is to press F12 on my browser and remove
the x2auth value to bypass 2fa, well, that's not very secure. I
understand Mr Average Joe probably won't be able to do that, but that's
not the point here.

If CGP can get something directly from strings.data without relying on
the client browser to send it, that's where I would put the x2auth=1
value. If CGP can't get something from strings.data, you may want to put
an intermediate wssp step that contains a conditional server-side
redirect or something like that.

Nicolas Hatier, ing. <nicolas.hatier@niversoft.com>
Niversoft idées logicielles - http://www.niversoft.com
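The flaw Nicolas describes, and the server-side alternative he suggests, side by side as an added illustration. This is not CommuniGate Pro code and not code from anyone in the thread; the user table, the TOTP secrets, the session store and all function names are constructed for the example. The vulnerable function decides whether to run the second step from a form field the browser sends (the `x2auth` pattern), so a request that simply omits the field is granted; the hardened version records "second factor still pending" in a server-side session at the password step and only clears it after the server itself validates a code.

```python
"""Added example: client-trusted 2FA flag versus server-side enforcement.
Not CommuniGate Pro code; users, secrets and session store are constructed."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Constructed user records: whether a second factor is required and a
# hypothetical TOTP secret for accounts that use one.
USERS = {
    "alice": {"password": "correct-horse", "totp_secret": b"alice-secret-constructed", "2fa": True},
    "bob":   {"password": "battery-staple", "totp_secret": None, "2fa": False},
}


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 over the time counter); no base32 wrapper."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# --- Flawed pattern from the thread: the client says whether 2FA applies ---
def login_trusting_client_flag(form: dict, now: Optional[int] = None) -> bool:
    """Vulnerable on purpose: the second step only runs if the browser sent
    x2auth=1. A request without that field is granted on the password alone."""
    user = USERS.get(form.get("user", ""))
    if not user or not hmac.compare_digest(user["password"], form.get("password", "")):
        return False
    if form.get("x2auth") == "1":
        expected = totp(user["totp_secret"], now if now is not None else int(time.time()))
        return hmac.compare_digest(expected, form.get("code", ""))
    return True  # the client "said" no second factor was needed


# --- Server-side enforcement: the session, not the client, holds the state ---
SESSIONS: dict = {}


def password_step(form: dict) -> Optional[str]:
    """Step 1: verify the password and open a session that records whether a
    second factor is still outstanding, taken from the user's own policy."""
    user = USERS.get(form.get("user", ""))
    if not user or not hmac.compare_digest(user["password"], form.get("password", "")):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": form["user"], "2fa_pending": user["2fa"]}
    return sid


def second_factor_step(sid: str, code: str, now: Optional[int] = None) -> bool:
    """Step 2: only the server clears 2fa_pending, and only after a valid code."""
    sess = SESSIONS.get(sid)
    if not sess or not sess["2fa_pending"]:
        return False
    secret = USERS[sess["user"]]["totp_secret"]
    expected = totp(secret, now if now is not None else int(time.time()))
    if hmac.compare_digest(expected, code):
        sess["2fa_pending"] = False
        return True
    return False


def is_authenticated(sid: str) -> bool:
    """Every protected request consults the server record; nothing the
    browser sends can mark the second factor as done."""
    sess = SESSIONS.get(sid)
    return bool(sess) and not sess["2fa_pending"]
```

The point of the split into `password_step` and `second_factor_step` is that the decision "does this account need a second factor" is made from the user record on the server when the session is created, and the only transition out of the pending state is a successful server-side code check. A webmail front end built this way can render whatever intermediate page it likes; removing a field from the form changes nothing about what the session record says.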



On 2017-02-14 15:38, Technical Support wrote:
Major Release

* SESSION: two-factor authentication framework has been implemented.
* XIMSS: the protocol has been extended to support two-factor authentication and forced password change.
* WebUser: the interface has been extended to support two-factor authentication and forced password change.

