Security risk of POP3 & IMAP protocols

Ian Batten ian.batten at uk.fujitsu.com
Fri Feb 13 04:23:10 EST 2009


On 13 Feb 09, at 0149, Joseph Brennan wrote:
>
> The protocol itself is no less secure than POP.

Security isn't about protocols, it's about systems, and I suspect POP3  
vs IMAP is metonymic for local vs remote mail storage.

I can see an argument that says that one problem with IMAP is that  
your entire mail store, which is much more interesting to an attacker  
than a message in flight or your current mail pending collection a la  
POP3, is under someone else's control.  So if, say, you use a whole  
disk encryption product, mail delivered via traditional POP3 will be  
wrapped in the arms of the encryption immediately after collection,  
while mail stored on a remote server and accessed via IMAP will have  
whatever security features the server has.

If you control the IMAP server (for some suitable value of `you') then  
a risk assessment is the same task in both scenarios.  However, if, as  
is common in many situations, the IMAP server isn't within the scope  
of a risk assessment, then I can imagine that your 27001 life is a  
little easier if you don't have a large pool of potentially sensitive  
data under someone else's (for some value of `someone else')  
control.   Data at rest is a different class of problem to data in  
motion, and IMAP implies a _lot_ of data at rest.

To make this more concrete, imagine you're an HR department within a  
large enterprise, handling job applications, CVs, disciplinary  
processes, dismissals, etc.  You need to demonstrate your compliance  
with your local data protection regulations.  The theft of a day's  
email would be severely embarrassing, but is analogous to the theft of  
a day's postal mail: a risk which most businesses would accept.  It  
would expose limited amounts of information about a small subset of  
your employees.

However, the theft of a year's or a decade's email would expose  
substantial information about a large percentage of your employees,  
and would be analogous to allowing a few filing cabinets to be stolen.

Your email system is run by your corporation's IT function in another  
jurisdiction which has laxer data protection laws --- say, an EU  
company whose head office is in the USA.

Do you (a) store all your long term records in the other jurisdiction  
or (b) store them locally?

Now I'm not defending the argument, and indeed here we have ~4TB of  
email on our Cyrus servers.  But I don't think the position is  
entirely without merit, and having gone through the simplifying and  
distorting mirror of sales droids I can see where it's come from...

ian
