suppressing DIGEST-MD5
Cyrus Daboo
daboo at cyrusoft.com
Fri Jul 18 13:55:29 EDT 2003
Hi Gary,
--On Friday, July 18, 2003 11:51 AM -0500 Gary Mills
<mills at cc.UManitoba.CA> wrote:
| Using both shared secrets and plain-text passwords introduces a
| client/server interaction problem. Many IMAP clients will not fall
| back to plain-text authentication when the server advertises the
| shared secret mechanisms, but the specific user does not have a
| shared secret. The result is an impasse, since the user cannot
| authenticate and also cannot set the shared secret. My current
| workaround is to modify the c-client library so that it will fall
| back to plain-text passwords.
I did not implement fallback because my feeling is that if a user sets a
particular authentication mechanism then that is what they want. Certainly
fallback from a relatively secure mechanism like CRAM or DIGEST to one with
no security like plain is bad practice as man-in-the-middle attacks could
be used to trick clients into sending clear-text passwords, and the user
would be none the wiser.
--
Cyrus Daboo
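The downgrade the reply warns about, as an added worked example that is not part of the original thread and not code from the Cyrus project: a client with a preference list of SASL mechanisms, a server that advertises CRAM-MD5 and PLAIN, and an active attacker who strips CRAM-MD5 from the capability advertisement. The credentials, the challenge string and the simplified wire formats are constructed for illustration; the one real input is the CRAM-MD5 test vector from RFC 2195, used to check the HMAC-MD5 computation.

```python
import hmac
import hashlib

# Constructed user database (not from the original post). In the CRAM/DIGEST
# case the server needs the shared secret in a recoverable form; PLAIN only
# needs something it can compare against.
USERS = {"gary": "s3cret"}


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5 (RFC 2195). The password itself never crosses
    the wire; only HMAC-MD5(password, server challenge) does."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def server_verify_cram(response: str, challenge: bytes) -> bool:
    """Server side of CRAM-MD5: recompute the HMAC from the stored secret and
    compare in constant time."""
    username, _, digest = response.partition(" ")
    secret = USERS.get(username)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def choose_mechanism(advertised, preferences, allow_fallback):
    """Pick the first mechanism from the client's preference list that the
    server advertises. With fallback disabled the client accepts only its
    configured mechanism, preferences[0], and otherwise refuses to log in."""
    candidates = preferences if allow_fallback else preferences[:1]
    for mech in candidates:
        if mech in advertised:
            return mech
    return None


def run_login(server_mechs, client_prefs, allow_fallback, mitm=False):
    """Simulate the capability exchange and report what crossed the wire."""
    advertised = list(server_mechs)
    if mitm:
        # An active attacker between client and server rewrites the
        # capability advertisement so that only PLAIN is left.
        advertised = [m for m in advertised if m == "PLAIN"]

    mech = choose_mechanism(advertised, client_prefs, allow_fallback)
    username, password = "gary", USERS["gary"]
    if mech is None:
        return {"mechanism": None, "wire": None, "password_exposed": False,
                "server_accepted": False}
    if mech == "CRAM-MD5":
        challenge = b"<1896.697170952@postoffice.example>"  # constructed
        wire = cram_md5_response(username, password, challenge)
        accepted = server_verify_cram(wire, challenge)
        exposed = False
    else:  # PLAIN: authzid NUL authcid NUL password, sent in the clear
        wire = f"\0{username}\0{password}"
        accepted = USERS.get(username) == password
        exposed = True
    return {"mechanism": mech, "wire": wire, "password_exposed": exposed,
            "server_accepted": accepted}


if __name__ == "__main__":
    server = ["CRAM-MD5", "PLAIN"]
    prefs = ["CRAM-MD5", "PLAIN"]
    print("no attacker, fallback on :", run_login(server, prefs, True))
    print("attacker,    fallback on :", run_login(server, prefs, True, mitm=True))
    print("attacker,    fallback off:", run_login(server, prefs, False, mitm=True))
```

With fallback enabled the attacked session quietly completes over PLAIN and the password is visible on the wire; with fallback disabled the client gets no acceptable mechanism and fails loudly, which is the behaviour the reply argues for. Note that this only addresses the downgrade, not the impasse described in the quoted message: a user who has no shared secret still cannot authenticate with CRAM-MD5, so the secret has to be set out of band (or over PLAIN under TLS) before the client is pinned to it.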
More information about the Info-cyrus mailing list