Gossamer Forum
Security
What kind of security features have you built into Gossamer Mail?

Here are what I'm interested in:
Do you prevent all JavaScript embedded inside e-mails from executing? Also, do you disallow iframes, styles, and other workarounds that can lead to security risks? Hotmail has gone through lots of these bugs...

Also, when a user logs in and then logs out but forgets to close the browser: can someone else come in, press the back button until he's all the way to the page AFTER the login page, press refresh, and have the browser ask if he wants to re-POST his info? This basically lets an intruder re-post the password (even though he can't see it) and log in to the victim's account.



Re: Security
Hi Aqua,

We have a parser that filters a message before it is displayed to the user. It is quite easy to adjust/change this as needed. Currently it removes embed, applet, javascript, and some other scripting/activex features. We will definitely be able to easily tweak it as needed.

As for the login, no, we don't have anything to stop that. We have added it to our todo list as it is quite an easy fix. Basically when displaying the login page we will add a hidden timestamp field. That login form needs to be submitted within n minutes, otherwise it won't work, and the person will need to refresh the page.

Cheers,

Alex

--
Gossamer Threads Inc.
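The hidden-timestamp fix Alex describes, as an added illustration that is not Gossamer Mail's own code: the server signs the timestamp it puts in the hidden field so the client cannot edit it, and on submit it accepts the form only if the signature checks out and the field is at most n minutes old, so a replayed POST from the browser's cache is rejected. The secret key, the 5-minute window and the function names are assumptions for the example.

```python
import hashlib
import hmac
import time

# Constructed server-side secret for the example; a deployment would load
# its own value from configuration, never ship it in the page.
SERVER_SECRET = b"example-secret-for-demo-only"
MAX_AGE_SECONDS = 5 * 60  # the "n minutes" window from the reply (assumed 5)


def _sign(ts: str) -> str:
    return hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()


def issue_login_token(now=None) -> str:
    """Value to emit in the hidden form field when rendering the login page.

    Format is '<unix-timestamp>.<hmac-sha256>'. Signing the timestamp means
    a client cannot simply rewrite the field to extend the validity window.
    """
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_sign(ts)}"


def login_token_is_fresh(token, now=None) -> bool:
    """Check the hidden field on POST: well-formed, correctly signed, and
    issued within MAX_AGE_SECONDS of the current time.

    A re-POST triggered from the back button carries the original field
    value, so once the window has passed the replayed login is refused.
    """
    if not isinstance(token, str) or "." not in token:
        return False
    ts, mac = token.rsplit(".", 1)
    if not ts.isdigit():
        return False
    # Constant-time comparison avoids leaking the expected MAC by timing.
    if not hmac.compare_digest(mac, _sign(ts)):
        return False
    current = time.time() if now is None else now
    age = current - int(ts)
    # Reject stale fields, and "future" ones that could only come from tampering.
    return 0 <= age <= MAX_AGE_SECONDS
```

The check is a freshness bound, not a one-time nonce: within the window a cached POST would still be accepted, so a shorter window or a server-side record of used tokens tightens it further.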