Security Basics mailing list archives
Re: Securing webmail - changing a port necessary to ensure security?
From: Chris <choypoy () mpl com au>
Date: Thu, 12 Feb 2004 10:14:34 +0800
Webmail is supposed to be easy to access, and somewhat secure. Using HTTPS really just protects the traffic in transit - if an interceptor is sitting between you, they can see the traffic, and can then work out the port number anyway. HTTPS just means they have to sweat a bit to work out what's going on.

Security through obscurity (as in this case, "hiding" the default port) is only really going to protect against a script-kiddy like attack on that port (IMHO). If the application is well-designed, these attacks will probably be quite obvious, and probably pretty senseless anyway.

Thus, IMHO, obscuring the port is not really protecting against much, and if a typical userbase is involved then the support issues caused by having to explain to use "webmail.server.com:20000" will far outweigh any advantage you might have in hiding the application in this manner.

If the application is vulnerable to some kind of direct attack (ie one where an attacker does not need to "intercept" the traffic) then it might be a different case - but given the number of webmail servers available these days.. ;)

(possibly more likely that the attacks will be directed against the actual server-container, ie IIS or apache, itself, rather than the application. Again, they are in common enough use, and I don't think that changing ports is any real protection.. better to be able to fix the problem than just use a temporary fix).

my 2c.

//Chris Hoy Poy

On Thu, 2004-02-12 at 00:02, Jennifer Fountain wrote:
> I am going back and forth on this one with a consultant on this one and need an expert opinion. So, I turn to you :)
>
> When configuring webmail (such as owa) that is using https, is it better to change the default port (443) to an uncommon port (20000) for security reasons? Does it secure it further by doing this? Wouldn't it cause more issues than anything if you try to access that site from inside an org that only allows port 80/443 and 21 out?
>
> Thank you in advance for any opinions you may share.
>
> Kind Regards,
> Jennifer Fountain