[svlug] PDA-friendly webmail?

Kevin Smathers kevin at ank.com
Mon Jan 29 22:19:08 PST 2007


It is false economy.  Sure you have http running, but that is like 
saying you have xinetd running.  Each application that you install under 
your http daemon has to be vetted independently, and IMAP has a much 
longer history of security updates than any of the webmail apps you 
could install.

The security rule of thumb is indeed to run no more services than you 
need, but if you need a service, then you need it.  Buffer overflows, 
etc., can just as easily be used against any CGI application as they can 
against IMAP.

Cheers,
-kls

Florin Andrei wrote:
> Bill Ward wrote:
>   
>> You could always install an IMAP client on your Palm.
>>     
>
> True, but that means one more service (IMAP) exposed to the Internet. 
> I'd rather not do that, since httpd is already accessible and I actually 
> tend to trust it more than the IMAP server. Sure, the webmail component 
> introduces its own issues (and needs to be trusted before exposing it to 
> the Internet) but...
>
> I don't know, IMAP (even SSL IMAP) accessible directly from the Internet 
> feels wrong from a security perspective.
>
> Sure, I can always add port knocking or something, but that just adds 
> one more layer of complexity and the client platform does not lend 
> itself easily to something like this.
>
> Another idea is to run some sort of VPN server that has clients 
> available on Palm OS. That would be either something based on PPTP or on 
> IPSec. But the thing is, I already have OpenVPN installed, there's no 
> OpenVPN client for Palm OS, and I'd rather not stack up VPN servers for 
> no good reason - same justification, don't want to expose more services 
> to the Internet.
>
>   




