Educause Security Discussion mailing list archives
Re: Requesting feedback on Roundcube Webmail
From: Mark Montague <markmont () UMICH EDU>
Date: Fri, 6 Mar 2009 17:43:42 -0500
On Fri, Mar 6, 2009 5:21 PM, Elizabeth Shannon <eshannon () pittstate edu> wrote:
> We currently use Squirrel Mail as our webmail interface for faculty/staff; needless to say they would prefer a more modern and user friendly interface. We are considering replacing Squirrel Mail with RoundCube Webmail. From the research I have done, it seems several schools have moved to RoundCube from Squirrel Mail. I would be interested in hearing from anyone who has implemented RoundCube or did not implement the product due to security concerns. Thanks.
The University of Michigan implemented RoundCube in October 2008; we have paid a lot of attention to security. Our team of developers has made a fair number of modifications to RoundCube that we've contributed back to the RoundCube open source project. We only found one security-related problem, and the RoundCube developers were very responsive.

We have not done a comprehensive security review or audit of the RoundCube code, but we have looked at it a lot, and are very familiar with it as a result of the modifications we have contributed back. We're always sensitive to the possibility of XSS, CSRF, injection, and parameter-related vulnerabilities (among others) and we keep our eyes out for them.

RoundCube uses the WasHTML library ( http://ubixis.com/washtml/ ) for sanitizing HTML that is displayed. This library is used by numerous other projects and is regularly updated.

To provide an additional "blanket of protection", we have configured RoundCube to use HTTPS only, and we use the cosign web single-sign-on system ( http://weblogin.org ) to restrict access to and help protect all RoundCube pages.

On a typical day, around 34,000 University of Michigan students, faculty, and staff use RoundCube to access their email. (We also offer Horde/IMP and Microsoft Outlook Web Access as choices.)

We'd be glad to answer any other security questions you may have on-list or privately at webmailgroup () umich edu. And if you have non-security-related questions about RoundCube that are not appropriate for the list, feel free to contact us at webmailgroup () umich edu.

Mark Montague and Ziba Scott
ITCS Web/Database Team
The University of Michigan
webmailgroup () umich edu