I'm developing a web app. One of the required features is sending emails, in this case using mandrill or mailgun, which works pretty fine.
My question is about sensitive data such as passwords, password reset links and other possible stuff... Is it secure to do so through a third-party app? Are you used to doing so? Since I'm not a server admin and I don't want to set up a mail server for such things... is that a good and secure option? Or how do you handle that?
Best practice is to treat email as an insecure channel.
Passwords should never be sent via email, password reset links should be one-time use only, etc. Mandrill, Mailgun, and similar services make no promises on data security or compliance.
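The "one-time use only" point above, as an added example that is not part of the original answer: the e-mail carries only a random token, the server stores its SHA-256 hash with an expiry, and the record is burned on first redemption. `$store` is an in-memory stand-in for a database table and all sample data is constructed.

```php
<?php
// Added example: single-use, expiring password reset token.
// Storing only the token's hash means a leaked mail log or a DB dump
// on its own is not enough to reset an account.
declare(strict_types=1);

const RESET_TTL_SECONDS = 900; // 15 minutes

// Issue a token for $userId; returns the raw token to place in the link.
function issueResetToken(array &$store, string $userId, int $now): string
{
    $token = bin2hex(random_bytes(32));           // 256 bits from the CSPRNG
    $store[hash('sha256', $token)] = [            // keyed by hash, never raw token
        'user'    => $userId,
        'expires' => $now + RESET_TTL_SECONDS,
        'used'    => false,
    ];
    return $token;
}

// Redeem a token from the link. Returns the user id on success, null otherwise,
// and marks the record used so the same link cannot be replayed.
function redeemResetToken(array &$store, string $token, int $now): ?string
{
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;                              // unknown token
    }
    $rec = $store[$key];
    if ($rec['used'] || $now > $rec['expires']) {
        return null;                              // replayed or expired
    }
    $store[$key]['used'] = true;                  // burn it before acting on it
    return $rec['user'];
}

// Demonstration with constructed sample data (in-memory store).
$store = [];
$now   = time();
$token = issueResetToken($store, 'alice', $now);
$link  = 'https://example.com/reset?token=' . $token; // what the e-mail would carry

var_dump(redeemResetToken($store, $token, $now + 60));   // first use: succeeds
var_dump(redeemResetToken($store, $token, $now + 61));   // second use: rejected
$again = issueResetToken($store, 'alice', $now);
var_dump(redeemResetToken($store, $again, $now + 1000)); // past TTL: rejected
```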
I have a free hosting account at 000webhost. I have configured PHPMailer to send a message to me by mail as soon as someone fills out the feedback form. Messages do not come if the Gmail setting "Allow less secure apps" is disabled.
How do I accept Gmail emails without enabling "Allow less secure apps"? This is my main mail, and I would not like to disable protection on it. It's not there for beauty, is it? After searching the Internet, I could not find a similar solution. It seems disabling "Allow less secure apps" suits many. So maybe there is a way to make my hosting account trusted?
Ignore the naysayers, this is entirely possible, and it doesn't involve IMAP.
To be clear, the "allow less secure apps" option only applies to sending email from your gmail account. It has nothing to do with you receiving messages from other people, or how they receive messages sent from you.
Gmail (and others) offers an SMTP authentication mechanism called XOAUTH2, which is, as you might expect, based on OAuth 2.0. If you use this mechanism, you do not need to enable "less secure apps". PHPMailer supports this mechanism, and provides a code example showing you how to use it: https://github.com/PHPMailer/PHPMailer/blob/master/examples/gmail_xoauth.phps. However, that only shows how to use the auth credentials, not how to get them, which, being OAuth, is a confusing and unpleasant experience. Fortunately there is documentation (which should always be the first place you look before asking questions anyway) and an example script that helps you get the tokens you need. I'm not going to reproduce them here because it just makes more work for me as a maintainer.
The approach is broadly:
Define an OAuth app within your Google account
Use the supplied script to perform an authentication procedure (requires that you have a functioning HTTP server)
Take the credentials from that process and drop them into the PHPMailer sending example.
Send email as usual.
I am making a basic web app on Heroku and want to be able to send basic emails. I am coming from PHP but trying to write this one in Node.js. I am used to PHPMailer. I have a Gmail account that I want to send a certain email from every time a certain page is accessed. Nodemailer and Postmark all seem to have costs associated. Is there a 100% free option that I could use to send from Gmail? Else I may just do this in PHP.
Thank you
Add a POST endpoint to your Node router to submit the data to be used to create a message, and use a library with support for SMTP with TLS/SSL security, like emailjs, to send standard SMTP emails via accounts like Gmail (you will need to enable third-party apps in the security settings for the Gmail account). There is likely more than one library option, but I am recommending one that I've used for a few years myself:
emailjs Lib for Node
https://www.mailgun.com/ is a service similar to Postmark. They provide a simple REST API to send email and their free plan allows you to send 10,000 emails per month. Depending on the volume you want to send, this can be a viable solution for you.
I recently started to make some iPhone applications using PhoneGap. Due to my current knowledge of HTML, CSS and JS, it is an easy way for me to start learning and create concepts that developers can optimize later on. I stumbled across this blog post.
Here there is a description of a simple AJAX login form. I have previously asked about the security of using AJAX as a login method and was told that posting the password as an AJAX variable is risky compared to a normal page change. This is of course based on desktop web applications, and in this case it is about native phone applications. Is there also a security risk in using AJAX for PhoneGap apps?
In the post, the author also mentions a method to store the password and username as local variables to make an automatic login the next time they open the application. Is this safe? Storing the login details as plain text in local variables?
I took some time browsing around some websites to see how they handle AJAX-based login. To my big surprise, they don't do anything but just post the login details as an array to their login server. Websites such as iCloud and Squarespace do not do anything with the login details before posting them. Of course they have an SSL certificate on the site, but is that secure enough?
Storing the password is not a good solution.
I strongly recommend using security tokens using JWT (JSON Web Token) that can be disabled without putting your password at risk. OAuth 2.0 is also a good complete solution.
Communications should be secured at least with SSL encryption and the Basic Authentication protocol to send the token in every connection.
Well, the main problem of this approach is that login credentials can be sniffed.
You can prevent it with an SSL certificate, for sure.
Now for the encryption part, I have come to use bcrypt (instead of mcrypt, which was referred to), because it provides a mechanism to slow down brute force attacks and is generally a recommended encryption algorithm. PHP has the password_hash method (PHP 5 >= 5.5.0) and it is extremely easy to use it!
I'm building a website that will require registration and login.
Since I'm new to web development, I was thinking about whether sending unencrypted passwords to the server is an option.
Or, what would you recommend to me, since I know nothing about cryptography?
Edit: http://pastebin.com/nYcazcZq
If your website is just for testing or for use within the intranet, it's not that big of a deal.
If not, I highly suggest you use SSL.
If you can't afford the certificate, at least give your users the option to:
login with OpenID (as most OpenID providers offer SSL for authentication);
login using Digest Authentication (which doesn't send the passwords in the clear over the network).
If you mean sending from browser to your server, then you need to use https/ssl to encrypt the connection, not the password itself. If on the other hand you're talking about storing passwords plaintext, then yes, that's bad as well. You should hash it with a strong salt (per user is best) and a slow algorithm.
This answer goes into more detail about sending passwords over SSL: Sending passwords over the web
You can use PHP's crypt for hashing: http://php.net/manual/en/function.crypt.php
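The "strong per-user salt and a slow algorithm" advice above, as an added example that is not part of the original answer. It shows bcrypt two ways: through crypt() with a salt you generate yourself (the function linked above) and through password_hash(), which generates the salt for you; both produce the same hash format, so one verify routine serves both. The sample password is constructed, and the cost constant is an assumed setting.

```php
<?php
// Added example: hashing passwords server-side with a random per-user salt
// and a slow work factor. The plaintext still travels over HTTPS; the hash
// is what the database stores.
declare(strict_types=1);

const BCRYPT_COST = 12; // assumed setting; each +1 doubles the time per guess

// Manual route: bcrypt via crypt(). Salt must be 22 chars of [./A-Za-z0-9].
function hashWithCrypt(string $password): string
{
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$%s', BCRYPT_COST, $salt));
    if (strlen($hash) !== 60) {                   // crypt() returns a short string on failure
        throw new RuntimeException('bcrypt not available');
    }
    return $hash;
}

// Preferred route: password_hash() picks the salt and formats the string.
function hashWithPasswordHash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Works for both, since both produce a standard $2y$ hash;
// password_verify() compares in constant time.
function checkPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Run at login to upgrade stored hashes when the cost is later raised.
function hashIsStale(string $storedHash): bool
{
    return password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Self-check with a constructed sample password; returns true when all holds.
function selfCheck(): bool
{
    $pw = 'correct horse battery staple';
    $h1 = hashWithCrypt($pw);
    $h2 = hashWithPasswordHash($pw);
    return $h1 !== $h2                            // different salts, different hashes
        && checkPassword($pw, $h1) && checkPassword($pw, $h2)
        && !checkPassword('Correct horse battery staple', $h2)
        && !hashIsStale($h2);
}

var_dump(selfCheck());
```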
Keep in mind that even when your service doesn't have any kind of valuable payload, it is guaranteed that many of your users will use the same password with it that they use with something more valuable, which means a breach or an easily-intercepted password on your end is capable of causing harm. Even if this is bad practice on the user's part, it's an unavoidable fact of life, so there is really no circumstance under which it is responsible to be blasé about user credentials with a publicly-accessible service. Please use SSL/https or OpenID (or another externally-hosted login management scheme, even Facebook: how to use facebook for user login on my website?) and if you are the password holder, please don't save them in the db as plaintext.
It is never good to send passwords unencrypted. For a serious web site you should encrypt the traffic between the browser and server using HTTPS. You do that by purchasing a certificate that you install on the web server.
Never send raw critical data over the net. Using SSL is the best solution, I think. Also, you can use a JavaScript encryptor to encrypt the password on the client side and decrypt it on the server.
I don't know whether or not it's a good question :(
But my intention is to know if it is possible to build an email client application like Thunderbird or Outlook. And are we able to configure/create a web application in PHP?
Please let me know your thoughts!
Thanks in advance!!!
I am not sure that I understand the question, but here are a couple of notes:
if you want to create a web application, of course you can use PHP: it's been created for that task, and does it well
if you want to develop a webmail (i.e., a web application to send/receive mail), it'll mean lots of work...
maybe taking a look at some existing webmails might be wiser?
About that, you might be interested in my answer to the question How do you build a web based email client using PHP?
if you want to create a desktop application, this is possible too ;-)
take a look at PHP-GTK (GTK is the graphic toolkit used for Gnome and/or the Gimp, for instance) about that; here are a couple of links:
Desktop Application Development with PHP-GTK
Beginning PHP-GTK: Creating a Simple Interface
Beginning PHP-GTK: Signals
Uh, sure, but why would you do so? Thunderbird is free and open-source. You could just use that. Unless you've a compelling reason to develop an entirely new e-mail client, it's better not to reinvent the wheel.
Plenty of open-source webmail clients already exist, too. RoundCube is one of the prettiest.
PHP is usually used as a server-side scripting language to build web applications. It does have the functionality that you need to be able to send email messages from a properly configured server.
The mail should definitely be sent from the server, not the local machine, but it's perfectly OK to create a webmail system. Also you can retrieve incoming mails from your mail server. Actually there are webmail clients on the market that you can use. I personally like SquirrelMail.
I would recommend in your case that you look at using PHP as core backend and (x)html+javascript+ajax for frontend and front-to-backend communications.
Ajax is very good for dynamic pages where you do not want page reloads etc.
You could have a local SMTP server to send the email, but most internet providers would not allow this. If the latter is the case you need to use the internet provider's SMTP; alternatively, allow the configuration of SMTP within the user interface.
PHP has built-in classes to send mail, which makes this process easy in either case.
Receiving mails and parsing them correctly is just a matter of understanding the correct protocols (POP3 / Exchange and so on).
I know this wasn't a straightforward answer, but I hope it gave at least some insight.