Security risk of POP3 & IMAP protocols

Adam Tauno Williams awilliam at whitemice.org
Fri Feb 13 09:13:40 EST 2009


On Fri, 2009-02-13 at 13:17 +0000, Duncan Gibb wrote:
> Jason Voorhees wrote:
> JV> a sales person told my friend that IMAP protocol is
> JV> less secure than POP3 protocol.
> Other people have covered the IMAP vs POP3 issues - Ian Batten most
> comprehensively - but one comment I would add is that if you make either
> service available to the open internet, even under SSL encryption,
> password-based authentication is still susceptible to dictionary attack.
>  So IMAP and/or POP3 (and/or SMTP AUTH) should be included in the list
> of things you rate limit, monitor for bad password attempts, and lock
> remote hosts out of if it they do things that look suspicious.

True;  but really none of those good practices is specific to any
protocol.   The exact same charge could be leveled against HTTP, FTP,
SSH, etc...  and if you use certificate/PKI authentication you run the
risk that someone could steal the private keys (and it isn't hard to
make a setup where that is comically easy).  It is really far and away
more about end-to-end security practices than it is the OSI layer 7
protocol(s) involved.

I stand by my assertion that the IMAP vs. POP issue is 100% bogosity. 



More information about the Info-cyrus mailing list