28th March 2007, 14:44
vogelor
ISPConfig Developer
Big Security Problem

Just want to tell you.
Some days ago some of the developers told me that it is a big security hole to store the user's password in plaintext inside the DB.

I think we have another big security problem.
If you send (or get) emails, the "normal" way is sending the data in plaintext. This means that if a user is the admin of the web and has an email account, then he sends his password every time he gets (or sends) emails.

This means that if anybody can scan the "email protocol", he can read the pwd of the admin and so connect to the server and change the files on the server (for example a PHP script to get the account data of the database used).

It is NO problem for me to use SFTP because this is "FTP over SSH" and SSH has its own fingerprint. But I can't generate an SSL certificate for every customer I am hosting.

So isn't it better to separate the FTP user from the email user?
__________________
The new luxury is time, not money!

Company: http://www.muv.com, http://www.computerandservice.de
Private: http://www.vogelor.de
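
An added example, not part of the original post or of ISPConfig: a check an administrator can run over the capability lines a mail server sends before TLS, to see whether it accepts a mailbox password in cleartext, which is the exposure the post describes. The function name `audit_pre_tls` and all sample lines are constructed for illustration.

```python
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}  # SASL mechanisms that carry the password itself
UPGRADE_WORD = {"imap": "STARTTLS", "pop3": "STLS", "smtp": "STARTTLS"}

def audit_pre_tls(protocol, lines):
    """Return (cleartext_login_offered, tls_upgrade_offered) for capability
    lines a server sent BEFORE any TLS negotiation."""
    cleartext = tls = login_disabled = False
    for raw in lines:
        line = raw.strip().upper()
        if protocol == "smtp":
            # Drop the "250-"/"250 " reply code; accept the legacy "AUTH=" form.
            line = line[4:].replace("=", " ")
        tokens = line.split()
        if not tokens:
            continue
        if UPGRADE_WORD[protocol] in tokens:
            tls = True
        if protocol == "imap":
            login_disabled |= "LOGINDISABLED" in tokens
            mechs = {t[5:] for t in tokens if t.startswith("AUTH=")}
        elif tokens[0] in ("SASL", "AUTH"):
            mechs = set(tokens[1:])
        else:
            mechs = set()
            if protocol == "pop3" and tokens[0] == "USER":
                cleartext = True  # USER/PASS sends the password as-is
        if mechs & CLEARTEXT_MECHS:
            cleartext = True
    if protocol == "imap" and not login_disabled:
        cleartext = True  # IMAP LOGIN is permitted unless LOGINDISABLED is advertised
    return cleartext, tls

# Constructed sample responses (not captured from any real server).
IMAP_OPEN = ["* CAPABILITY IMAP4rev1 AUTH=PLAIN"]
IMAP_HARDENED = ["* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"]
POP3_OPEN = ["+OK", "USER", "SASL PLAIN LOGIN", "."]
POP3_HARDENED = ["+OK", "STLS", "TOP", "UIDL", "."]
SMTP_MIXED = ["250-mail.example.test", "250-STARTTLS", "250 AUTH PLAIN LOGIN"]

if __name__ == "__main__":
    samples = [("imap", IMAP_OPEN), ("imap", IMAP_HARDENED), ("pop3", POP3_OPEN),
               ("pop3", POP3_HARDENED), ("smtp", SMTP_MIXED)]
    for proto, sample in samples:
        print(proto, audit_pre_tls(proto, sample))
```

A result of `(True, True)` means the server offers TLS but still accepts the password without it, so a client that skips the upgrade exposes the credential.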