July 4th, 2005

dotat

Security

We've just taken the third step towards eliminating insecure access to our servers.

When I was an undergraduate, Hermes was too overloaded to be able to cope with crypto, so all access (except for the sysadmins) was via cleartext protocols with exposed passwords. This has not been a problem for many years now, but because of inertia we have continued to allow insecure logins and a very large proportion of users are still using them.

Last summer I introduced secure authenticated message submission, in order to provide better support for roaming users. Since that point we have had secure versions of all protocols. At the start of term a couple of months ago, we gave notice that insecure protocols would be gradually disabled. I added pre- and post-login banners on the Telnet and FTP services warning of this, which probably had little effect because users don't read banners. I also changed the webmail login: in the past insecure logins were accompanied by a small warning which was not effective; I changed it so that users were forced to click through to the insecure login form and I made the warning more prominent. This had an immediate effect, reducing insecure logins by 80%.

This morning we've disabled Telnet and FTP completely, so terminal logins and file transfers must be performed using ssh and sftp. I've also changed webmail so that the insecure front page is redirected to the secure version, and insecure logins are forbidden.

The final stage is going to be a very long slog to gradually get all IMAP and POP users switched to secure configurations, by disabling insecure access for groups of users in stages. We expect this to take at least a year...