Security risk of POP3 & IMAP protocols

Duncan Gibb Duncan.Gibb at SiriusIT.co.uk
Fri Feb 13 08:17:47 EST 2009


Jason Voorhees wrote:

JV> a sales person told my friend that IMAP protocol is
JV> less secure than POP3 protocol.

Other people have covered the IMAP vs POP3 issues - Ian Batten most
comprehensively - but one comment I would add is that if you make either
service available to the open internet, even under SSL encryption,
password-based authentication is still susceptible to dictionary attack.
So IMAP and/or POP3 (and/or SMTP AUTH) should be included in the list
of things you rate limit, monitor for bad password attempts, and lock
remote hosts out of if they do things that look suspicious.


Cheers


Duncan

-- 
Duncan Gibb, Technical Director
Sirius Corporation plc - The Open Source Experts
http://www.siriusit.co.uk/ || +44 870 608 0063
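
The monitoring step suggested in the message above, as an added example that is not part of the original post: it counts failed IMAP/POP3 logins per remote host in a sliding time window and returns the hosts that exceed a threshold, as candidates for lockout. The log lines are constructed, the "badlogin" layout is an assumption modelled on Cyrus syslog output, and the function name and thresholds are hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines; the "badlogin" layout is an assumption
# modelled on Cyrus imapd/pop3d output. Adjust the regex to your own logs.
SAMPLE_LOG = """\
Feb 13 08:00:01 mail imap[2101]: badlogin: [203.0.113.7] plaintext admin SASL(-13): authentication failure: checkpass failed
Feb 13 08:00:02 mail imap[2102]: badlogin: [203.0.113.7] plaintext alice SASL(-13): authentication failure: checkpass failed
Feb 13 08:00:03 mail imap[2103]: badlogin: [203.0.113.7] plaintext bob SASL(-13): authentication failure: checkpass failed
Feb 13 08:00:04 mail imap[2104]: badlogin: [203.0.113.7] plaintext info SASL(-13): authentication failure: checkpass failed
Feb 13 08:00:05 mail imap[2105]: badlogin: [203.0.113.7] plaintext root SASL(-13): authentication failure: checkpass failed
Feb 13 08:00:06 mail pop3[2106]: badlogin: [203.0.113.7] plaintext test SASL(-13): authentication failure: checkpass failed
Feb 13 08:01:10 mail imap[2107]: badlogin: gw.example.org [198.51.100.20] plaintext carol SASL(-13): authentication failure: checkpass failed
Feb 13 08:01:40 mail imap[2108]: badlogin: gw.example.org [198.51.100.20] plaintext carol SASL(-13): authentication failure: checkpass failed
Feb 13 08:02:00 mail imap[2109]: login: gw.example.org [198.51.100.20] carol plaintext User logged in
"""

# Timestamp, service name, optional reverse-DNS name, bracketed IP, mechanism, user.
BADLOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<svc>imaps?|pop3s?)\[\d+\]: "
    r"badlogin: (?:\S+ )?\[(?P<ip>[^\]]+)\] \S+ (?P<user>\S+)"
)

def hosts_to_block(log_text, max_failures=5, window=timedelta(minutes=1), year=2009):
    """Return {ip: sorted usernames tried} for hosts with more than
    max_failures failed logins inside any sliding window of the given length."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    users = defaultdict(set)      # ip -> every username the host has tried
    flagged = {}
    for line in log_text.splitlines():
        m = BADLOGIN.match(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, q = m["ip"], recent[m["ip"]]
        q.append(ts)
        users[ip].add(m["user"])
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) > max_failures:
            flagged[ip] = sorted(users[ip])
    return flagged

if __name__ == "__main__":
    for ip, tried in hosts_to_block(SAMPLE_LOG).items():
        print(f"lock out {ip}: failed logins for {', '.join(tried)}")
```

Counting IMAP and POP3 failures together per host matters because a guesser can spread attempts across services; SMTP AUTH failures would need their own pattern for whatever the MTA logs.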


More information about the Info-cyrus mailing list