#!/bin/cat
$Id: FAQ.OnlineUI.txt,v 1.20 2019/12/06 14:51:03 gilles Exp gilles $

This document is also available online at
https://imapsync.lamiral.info/FAQ.d/
https://imapsync.lamiral.info/FAQ.d/FAQ.OnlineUI.txt

=====================================================================
   Imapsync tips about the online visual user interfaces
   https://i005.lamiral.info/X/
   https://imapsync.lamiral.info/X/
=====================================================================

Questions answered in this FAQ are:

Q. How secure is the online visual user interface /X?

Q. Will I have any issues with browser timing out? What happens
   if the browser connection is closed for whatever reason?


Now the questions again with their answers.

=====================================================================
Q. How secure is the online visual user interface /X?

R0. Well, I don't know if asking the provider whether his online 
   service is secure or not would be of any interest. 
   Let's do it anyway, you'll be the judge.

R1. Some figures

Date of this report: 6 December 2019.

The online imapsync service /X started 9 January 2017 
(1061 days of service).

On average, /X has 50 users per day, each launching a mean of 6 
different migrations, from just one launch to many (hundreds).

The total volume /X transferred is around 101 TiB in more 
than 219 thousand email imap migrations, 
340 million email messages.

R2. Pros & Cons

The online imapsync service /X runs on https only, with a 
letsencrypt certificate, a certificate overall rated "A+" at
https://www.ssllabs.com/ssltest/analyze.html?d=i005.lamiral.info

Because of the https usage, what the users enter in their browser,
the imap logins and passwords, can't be eavesdropped on the network.

Imapsync itself takes care of encryption for the imap sessions, 
if possible: it tries SSL first on port 993, then TLS on port 143 
if the server announces TLS, then no encryption at all. 
Concerning encryption, what is done with the source imap server host1 
is independent of what is done with the destination imap server host2.

At the date of 6 December 2019, there is no security problem 
detected or reported to me (Gilles LAMIRAL), so far.
Feel free to attack the service and feel free to report any 
hole encountered. Keep in mind I can watch what you try 
from the server side and take measures if the service suffers from
your acts.

As the owner of the service, I could have collected 219 000 pairs of 
credentials and nearly 101 terabytes of email messages. 
I haven't kept them but I can't prove I haven't. It's just trust, 
like nearly every online service in the universe.

The imap server certificates are not checked for authenticity 
(by default) because too many imap servers are crappily configured 
regarding certified certificates.

This default behavior is chosen like this because users of /X 
want their emails transferred, instead of being not transferred 
because of an incompetent imap server sysadmin.

I admit that this part, checking imap ssl/tls certificates, 
could be improved from my side by including well known 
certificates directly in imapsync. 

If the imap servers honor neither ssl nor tls, then logins, passwords 
and everything will go in clear text during the imap transfers. 
That's not good at all but what "comforts" me is that if the 
imap servers do only clear text transfers, then it's also true 
for all imap sessions the accounts' owner encounters, 
imapsync is just one of them.

Last point, who could be sure that no cracker cracked the online 
hosts and that he isn't currently sniffing the credentials?

No one, I'm not sure myself, even if I do take care of that 
possibility. So changing the imap accounts passwords after 
a sync is a safe and recommended practice!
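
A pre-flight check of your own imap servers, following the order given
above (993 first, then TLS on 143 if announced, then nothing). This is an
added example, not imapsync code: the function names, the result labels and
the two sample greetings are constructed for illustration.

```python
import imaplib
import ssl

# Constructed sample greetings, as seen on port 143 before any login.
SAMPLE_TLS = "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] server ready\r\n"
SAMPLE_PLAIN = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] server ready\r\n"

def parse_capabilities(line):
    """Return the capability atoms (uppercased) found in a greeting or CAPABILITY reply."""
    text = line.upper()
    start = text.find("CAPABILITY")
    if start < 0:
        return set()
    return set(text[start + len("CAPABILITY"):].split("]")[0].split())

def expected_transport(tls993_ok, port143_caps):
    """Order described in the FAQ: 993 first, then TLS on 143 if announced, then none."""
    if tls993_ok:
        return "ssl-993"
    if port143_caps is None:
        return "unreachable"
    return "starttls-143" if "STARTTLS" in port143_caps else "cleartext-143"

def probe(host, timeout=10):
    """Live check of one server: (expected transport, does the 993 certificate verify?)."""
    tls993, cert_ok, caps = False, None, None
    try:
        ctx = ssl.create_default_context()  # verifies chain and host name
        imaplib.IMAP4_SSL(host, 993, ssl_context=ctx, timeout=timeout).logout()
        tls993, cert_ok = True, True
    except ssl.SSLCertVerificationError:
        tls993, cert_ok = True, False  # TLS is there, but the certificate fails checks
    except (OSError, imaplib.IMAP4.error):
        pass
    if not tls993:
        try:
            conn = imaplib.IMAP4(host, 143, timeout=timeout)
            caps = {c.upper() for c in conn.capabilities}
            conn.logout()
        except (OSError, imaplib.IMAP4.error):
            pass
    return expected_transport(tls993, caps), cert_ok

if __name__ == "__main__":
    for sample in (SAMPLE_TLS, SAMPLE_PLAIN):
        print(expected_transport(False, parse_capabilities(sample)))
```

A result of "cleartext-143" is the case where logins and passwords cross
the network unencrypted; a False certificate flag is the case the default
unchecked mode lets through.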

=====================================================================
Q. Will I have any issues with browser timing out? What happens
   if the browser connection is closed for whatever reason?

R. It stops the imapsync process, i.e., the sync is ended right away.

Further comments on this behavior.

When using the /X interface there are three connections. 
One connection is the Browser/WebServer connection, 
the two other connections are the WebServer/ImapServers 
connections (imapsync stuff).

If the Browser/WebServer connection times out or is ended, 
the imapsync sync is also ended immediately by the remote 
Apache https server. Technically, Apache sends a TERM signal
to the imapsync process, then waits some seconds before 
sending a KILL signal if it is still alive.

You can relaunch a sync with the "Sync!" button, at any time.
If the "Sync!" button is gray/inactive then just reload 
the page (F5 or similar), and reenter the credentials.

If the interface tells you that a sync is already going on,
it may be that a sync is running from another browser or place.
You can stop this sync with the "Abort!" button from any /X
tab/window, even from another browser or place. To be able
to abort successfully, you have to give the same account 
parameters, same credentials, or imapsync will ignore the request.

In other words, you can safely try to launch several parallel 
runs between the same mailboxes. Open a new tab/window with /X, 
and start the exact same sync. It's safe: /X will say, if that is the 
case, that a sync is already running on them and it will present
the logfile of the running sync like a "tail -f" command (isn't that magic?).


=====================================================================
=====================================================================
