We need to establish a way to securely share e.g. busy/free times without having to provide a login. Typically other calendaring servers do this by offering a tokenized URL which can then be shared.

I would never want any user to publicly share his busy/free times while anyone can guess the DAV URL…

On 21.08.2024 at 15:55, qhivert <users@sogo.nu> wrote:



Hello,

 

This option will not change the DAV links, only the URL of the website.

 

To see its effects, you should first empty Memcached and remove the current session with the command:

sogo-tool expire-sessions 0

 

But the DAV link will still have the username.

Concerning the public link, by default nothing will be shared. Indeed, if you click on the three dots next to your calendar -> sharing -> public access, all will be at None. Only the user can decide and set what to share publicly. If you don't want to have public access for all your users, you can also disable it in your sogo.conf -> SOGoEnablePublicAccess = NO;

Quentin

 

From: users-requ...@sogo.nu <users-requ...@sogo.nu> On Behalf Of Michael Krecek
Sent: Wednesday 21 August 2024 15:40
To: users@sogo.nu
Subject: Re: [SOGo] Public dav link is not secure

 

Hi Christian,

 

this is also critical for me but I could not get it running setting both 

  SOGoURLEncryptionEnabled = YES;

  SOGoURLEncryptionPassphrase = "mypassphrase";

 

 

The SOGo UI still shows the username-including URL in calendar > show links view.

Any idea?

 

Thanks

Michael
 



On 21.08.2024 at 13:58, Christian Mack (christian.m...@uni-konstanz.de) <users@sogo.nu> wrote:

 

Hello

Please check option SOGoURLEncryptionEnabled.


Kind regards,
Christian Mack

On 16.08.24 at 14:11, Denys Shcherbyna (denys.shcherb...@zone3000.net) wrote:

Hello.
The current public dav link has the format: https://hostname/SOGo/dav/public/user@domain/Calendar/personal/.
It is not secure because it can be guessed, leading to unauthorized access by unauthorized users.
Please consider adding a feature that makes a more secure and unique link for each user.
Thank you.


--
Christian Mack
Universität Konstanz
Kommunikations-, Informations-, Medienzentrum (KIM)
Abteilung IT-Dienste Forschung, Lehre, Infrastruktur
78457 Konstanz
+49 7531 88-4416

 
