Re: [bitfolk] webmail software recommendations

Author: Paul Stimpson
Date:  
To: users
Subject: Re: [bitfolk] webmail software recommendations
On 13/07/15 11:42, Michael Stevens wrote:
> On Mon, Jul 13, 2015 at 12:39:51PM +0200, Andreas Olsson wrote:
>> mån 2015-07-13 klockan 10:16 +0100 skrev Michael Stevens:
>>> Has anyone got any recommendations for webmail software? I've been using
>>> prayer (http://www-uxsup.csx.cam.ac.uk/~dpc22/prayer/) but it seems to
>>> be vulnerable to POODLE and unlikely to get patched,
>>> ...
>> Assuming weak TLS support is your only problem with prayer, why not
>> simply put a proxy in front, and let that proxy do the TLS termination?
> It's an option, but I'd also like to upgrade to something with a less
> 1990s UI. It's more of a last straw.
The problem with Prayer appears to be with the configuration of the web 
server on which it runs rather than the software itself. This is an MitM 
(Man-in-the-Middle) bug so it "only" enables eavesdropping when you are 
using the software, rather than enabling an unauthenticated attacker to 
breach the server. I would suggest one of the following immediate 
mitigations while you're deciding what to do:
     * Stop logging into it - Nobody can man-in-the-middle a 
communication you're not using.
     * Apply the config changes to Apache listed here 
https://poodle.io/servers.html - This will make Prayer safe to use.
     * Only log in from networks you reasonably trust (Ethernet, 
encrypted wifi where you know all the users or 3G/4G) - Don't use it in 
coffee shops, on the train or anywhere with open public wifi.

If you avoid unencrypted wifi and networks owned by people who don't
provide bandwidth for money, like Vodafone, then the only people who
would generally have the legal ability to be in the middle would be "the
man."

I use Roundcube which I really like and which has a slick, modern UI. It is,
however, also vulnerable to POODLE in its default config, but once you've
tweaked the Apache config using the link above, you'll be good to go.

Bests,
Paul.
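The Apache change the message above refers to (disabling SSLv3 in mod_ssl so a downgrade to SSLv3 is impossible) is shown here as an added example; it is not part of the original thread, nor the config shipped with Prayer, Roundcube or poodle.io. The hostname, certificate paths and the Debian-style config file location are placeholders.

```apache
# --- Weak setting (constructed example of the default) ---
# "all" still permits SSLv3 (and SSLv2 where OpenSSL still builds it),
# so an attacker in the middle can force the browser down to SSLv3 and
# then run POODLE against the webmail session cookie.
#
#   SSLProtocol all

# --- Corrected setting ---
# Everything except SSLv2 and SSLv3. Place this at the server level in
# the mod_ssl config (e.g. /etc/apache2/mods-available/ssl.conf on
# Debian/Ubuntu; placeholder path).
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on

<VirtualHost *:443>
    # placeholder hostname and certificate paths
    ServerName webmail.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/webmail.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/webmail.example.org.key

    # An SSLProtocol line inside a <VirtualHost> overrides the global one,
    # so any per-vhost setting must exclude SSLv3 as well. Check every
    # vhost that serves the webmail path, not just the default one.
    SSLProtocol all -SSLv2 -SSLv3

    DocumentRoot /var/www/webmail
</VirtualHost>
```

Run `apachectl configtest` before reloading. To confirm the fix, from a client whose OpenSSL build still supports SSLv3, `openssl s_client -connect webmail.example.org:443 -ssl3` should now fail with a handshake failure rather than printing a certificate chain; recent OpenSSL builds have dropped the `-ssl3` option altogether, in which case an external scanner or an older machine is needed for the check.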