In Virtualmin 5.0GPL on CentOS 7.2.1511, I went to Install scripts and selected Squirrelmail. The next screen gave me a choice of where to install it. The default was already filled in as “squirrelmail”. I wondered if there was a slash missing, because we all know from experience that in a URL, the local part always begins with a slash. Just to be on the safe side, I changed “squirrelmail” to “/squirrelmail”.
After installation completed, I saw this on the screen:
The installed SquirrelMail works just fine, but the second double-slash in the URL above might be disconcerting to end users in a commercial web-hosting environment. Knowledgeable users know that in UNIX or Linux environment, multiple consecutive slashes in pathnames are treated as single slashes (so “cd ////” is the same as “cd /”), but naive users might find it confusing.
I know presenting users with https URLs risks giving them an invalid SSL certificate warning (but see Note 1 below). But it’s far more risky to log into Squirrelmail http, because a passive eavesdropper (e.g., one who is hanging around an open Wi-Fi network, or somebody on the same segment of your cable internet) can easily collect your username and password. With an invalid SSL certificate, only an active intruder, who has the resources and the motivation to mount a man-in-the-middle attack, can get your login credentials.
Naive users have a hard enough time with computer security, so at the very least, let’s give them both http and https links, and recommend the more secure one. E.g.:
Note 1. Since Let’s Encrypt is now available within Virtualmin, SSL certificate warnings are a non-issue. There’s no good reason to not provide https links everywhere, in addition to http links if not in place of, especially for any type of administrative or email interface.