Educause Security Discussion mailing list archives

Re: Requesting feedback on Roundcube Webmail


From: Mark Montague <markmont () UMICH EDU>
Date: Fri, 6 Mar 2009 17:43:42 -0500

On Fri, Mar 6, 2009 5:21 PM, Elizabeth Shannon <eshannon () pittstate edu>
wrote:
We currently use Squirrel Mail as our webmail interface for
faculty/staff; needless to say they would prefer a more modern and
user friendly interface.  We are considering replacing Squirrel Mail
with RoundCube Webmail.  From the research I have done, it seems
several schools have moved to RoundCube from Squirrel Mail.  I would
be interested in hearing from anyone who has implemented RoundCube or
did not implement the product due to security concerns.  Thanks.

The University of Michigan implemented RoundCube in October 2008; we
have paid a lot of attention to security.  Our team of developers has
made a fair number of modifications to RoundCube that we've contributed
back to the RoundCube open source project.  We only found one security
related problem, and the RoundCube developers were very responsive.

We have not done a comprehensive security review or audit of the
RoundCube code, but we have looked at it a lot, and are very familiar
with it as a result of the modifications we have contributed back.
We're always sensitive to the possibility of XSS, CSRF, injection, and
parameter related vulnerabilities (among others) and we keep our eyes
out for them.

RoundCube uses the WasHTML library ( http://ubixis.com/washtml/ ) for
sanitizing HTML that is displayed.  This library is used by numerous
other projects and is regularly updated.

To provide an additional "blanket of protection", we have configured
RoundCube to use HTTPS only, and we use the cosign web single-sign-on
system ( http://weblogin.org ) to restrict access to and help protect
all RoundCube pages.

On a typical day, around 34,000 University of Michigan students,
faculty, and staff use RoundCube to access their email.  (We also offer
Horde/IMP and Microsoft Outlook Web Access as choices).

We'd be glad to answer any other security questions you may have on-list
or privately at webmailgroup () umich edu.  And if you have non-security
related questions about RoundCube that are not appropriate for the list,
feel free to contact us at webmailgroup () umich edu.

               Mark Montague and Ziba Scott
               ITCS Web/Database Team
               The University of Michigan
               webmailgroup () umich edu
