cancel
Showing results for 
Search instead for 
Did you mean: 

webmail username in header:

N/A

webmail username in header:

While we're on the subject I've mentioned this before but the new webmail also sticks your username in the header:

(SquirrelMail authenticated user yourusername)

which to me doesn't seem a very good idea *at all*, and surely also has security implications? I don't like using it for this reason.

(The old one didn't do this thankfully. There was SOMETHING about the old one that had security implications, but I can't quite recall what it was? Smiley).
4 REPLIES
Community Veteran
Posts: 4,729
Registered: 04-04-2007

webmail username in header:

Hi egality

I felt that this subject was worthy of its own thread, rather than tying it in with the CGI servers.

Chilly
N/A

webmail username in header:

Yea thanks.
I don't know. I'm not quite sure if whinging about these things here is the best route, or bombarding support with tickets Smiley
p_w_d_stone
Grafter
Posts: 315
Registered: 05-04-2007

webmail username in header:

I'm not sure I understand your concern here. If you're using the e-mail address provided by your ISP then it will include your username in the virtual domain address anyway.

I can see that the username will would not normally be disclosed if your e-mail address if you're using a domain name rather than your virtual domain - but the fact that you're using PlusNet as your ISP is immediately obvious to anyone who is capable of doing a RDNS on the IP address anyway. I fail to see what the security issue is with revealing your PN username - if anything this adds confidence to the mail receiver that the e-mail came from you, although of course only PGP signing can prove this.

If you want privacy then you use a throw-away account (yahoo, gmail, hotmail and so on).
N/A

webmail username in header:

Quote
I'm not sure I understand your concern here. If you're using the e-mail address provided by your ISP then it will include your username in the virtual domain address anyway.

Well a lot of people DON'T use the isp supplied email address, the user logon is normally not known. I don't use the ISP supplied address, and probably never will again unless its for a special reason.

Quote

I can see that the username will would not normally be disclosed if your e-mail address if you're using a domain name rather than your virtual domain - but the fact that you're using PlusNet as your ISP is immediately obvious to anyone who is capable of doing a RDNS on the IP address anyway.

I don't mind people knowing my ISP is plusnet. The issue here is you may have many addresses ending up in your plusnet mailbox. If for some reason you use the webmail now to send 'from' a domain 'john@somedomain.co.uk' to someone, they can now see your personal plusnet logon. They could then sniff around your personal website if you have one. Send email to your personal address. Spam it. Sniff around here to see what you've posted. Find any other uses for that logon. Etc. Etc.

The old version didn't have it. It doesn't seem to add anything, but has obviously implications if using the webmail for anything other than the plusnet address.

Quote

If you want privacy then you use a throw-away account (yahoo, gmail, hotmail and so on).

Not exactly helpful or constructive?!..