suppressing DIGEST-MD5

Cyrus Daboo daboo at
Fri Jul 18 13:55:29 EDT 2003

Hi Gary,

--On Friday, July 18, 2003 11:51 AM -0500 Gary Mills 
<mills at cc.UManitoba.CA> wrote:

| Using both shared secrets and plain-text passwords introduces a
| client/server interaction problem.  Many IMAP clients will not fall
| back to plain-text authentication when the server advertizes the
| shared secret mechanisms, but the specific user does not have a
| shared secret.  The result is an impasse, since the user cannot
| authenticate and also cannot set the shared secret.  My current
| workaround is to modify the c-client library so that it will fall
| back to plain-text passwords.

I did not implement fallback because my feeling is that if a user sets a 
particular authentication mechanism then that is what they want. Certainly 
fallback from a relatively secure mechanism like CRAM or DIGEST to one with 
no security like plain is bad practice as man-in-the-middle attacks could 
be used to trick clients into sending clear-text passwords, and the user 
would be non the wiser.

Cyrus Daboo

More information about the Info-cyrus mailing list