Mailing list message #106329 CGatePro@mail.stalker.com
From: Mark J Strawcutter <mjstraw@iup.edu>
Subject: Re: [Ext]Re: [CGP-Update] [*] CommuniGate Pro 6.2c1 is released
Date: Wed, 15 Feb 2017 12:15:49 -0500
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
Or spend your time developing a Shib-enabled webmail

Mark

On 2/15/2017 10:20 AM, Nicolas Hatier wrote:

Hello

To the developers: I know this is a preliminary version. But the current
implementation of the two-factor authentication for webmail has a
blatant flaw, since it relies on a field being sent by the client
browser. If all I have to do is to press F12 on my browser and remove
the x2auth value to bypass 2fa, well, that's not very secure. I
understand Mr Average Joe probably won't be able to do that, but that's
not the point here.

If CGP can get something directly from strings.data without relying on
the client browser to send it, that's where I would put the x2auth=1
value. If CGP can't get something from strings.data, you may want to put
an intermediate wssp step that contains a conditional server-side
redirect or something like that.

*Nicolas Hatier, ing.* <nicolas.hatier@niversoft.com>
Niversoft idées logicielles - http://www.niversoft.com



On 2017-02-14 15:38, Technical Support wrote:
Major Release

* SESSION: two-factor authentication framework has been implemented.
* XIMSS: the protocol has been extended to support two-factor authentication and forced password change.
* WebUser: the interface has been extended to support two-factor authentication and forced password change.
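The design point Nicolas raises above (a second-factor step that is only taken when the browser itself sends a flag) is a general web-authentication anti-pattern, so here is an added illustration of it beside the server-side alternative he suggests. This is example code written for this page, not CommuniGate Pro code, and it makes no claim about how CGP's WebUser, WSSP templates or strings.data actually behave. The user table, the session store, the request shape, the `x2auth` field name and the fixed second-factor codes (standing in for a real TOTP verifier) are all constructed for the example.

```python
"""Client-trusted vs server-enforced second-factor gating (constructed example)."""
import hmac
import secrets

# Constructed account records. "code" stands in for a real TOTP check.
USERS = {
    "alice": {"password": "correct horse", "second_factor": True,  "code": "123456"},
    "bob":   {"password": "battery staple", "second_factor": False, "code": None},
}

# Server-side session store: session id -> state. Only the server writes to it.
SESSIONS = {}


def _password_ok(user, password):
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["password"], password)


# --- Vulnerable pattern: the browser decides whether 2FA happens ----------------
def login_vulnerable(form):
    """Reads a hidden form field (`x2auth`) to decide whether to ask for a code.

    `form` is the POST body exactly as the browser submitted it. The body is
    under the client's control, so omitting the field skips the second step.
    """
    user, password = form.get("user", ""), form.get("password", "")
    if not _password_ok(user, password):
        return {"status": "denied"}
    if form.get("x2auth") == "1":            # attacker-controlled input
        return {"status": "need_second_factor", "user": user}
    return {"status": "logged_in", "user": user}


# --- Hardened pattern: the server decides from its own account data ------------
def login_hardened(form):
    """Looks up the account's 2FA enrolment server-side and records a
    half-authenticated session; the browser only receives an opaque session id."""
    user, password = form.get("user", ""), form.get("password", "")
    if not _password_ok(user, password):
        return {"status": "denied"}
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {
        "user": user,
        # Already complete only when no second factor is enrolled.
        "second_factor_done": not USERS[user]["second_factor"],
    }
    if SESSIONS[sid]["second_factor_done"]:
        return {"status": "logged_in", "sid": sid}
    return {"status": "need_second_factor", "sid": sid}


def verify_second_factor(sid, code):
    """Completes the session only when the submitted code matches the stored one.
    The flag that unlocks the mailbox is flipped here, server-side, never by the client."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return {"status": "denied"}
    expected = USERS[sess["user"]]["code"] or ""
    if expected and hmac.compare_digest(code, expected):
        sess["second_factor_done"] = True
        return {"status": "logged_in", "sid": sid}
    return {"status": "denied"}


def mailbox_allowed(sid):
    """Every protected page re-checks the server-side session state."""
    sess = SESSIONS.get(sid)
    return sess is not None and sess["second_factor_done"]


if __name__ == "__main__":
    # Same credentials, field omitted: the vulnerable flow lets alice straight in.
    print(login_vulnerable({"user": "alice", "password": "correct horse"})["status"])
    r = login_hardened({"user": "alice", "password": "correct horse"})
    print(r["status"], mailbox_allowed(r["sid"]))
    print(verify_second_factor(r["sid"], "123456")["status"], mailbox_allowed(r["sid"]))
```

The important property of the hardened version is that nothing the client sends after the password step can change `second_factor_done`; the only transition to `True` is inside `verify_second_factor`, after a successful code check, and every protected handler consults that server-side state. Whether the "is 2FA enrolled" fact comes from a database row, a config file or (as Nicolas suggests) something read from strings.data does not matter, as long as the decision is made from data the server holds rather than from the request.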

