Security risk of POP3 & IMAP protocols

Alain Williams addw at phcomp.co.uk
Fri Feb 13 09:35:43 EST 2009


On Fri, Feb 13, 2009 at 09:13:40AM -0500, Adam Tauno Williams wrote:
> On Fri, 2009-02-13 at 13:17 +0000, Duncan Gibb wrote:
> > Jason Voorhees wrote:
> > JV> a sales person told my friend that IMAP protocol is
> > JV> less secure than POP3 protocol.
> > Other people have covered the IMAP vs POP3 issues - Ian Batten most
> > comprehensively - but one comment I would add is that if you make either
> > service available to the open internet, even under SSL encryption,
> > password-based authentication is still susceptible to dictionary attack.
> >  So IMAP and/or POP3 (and/or SMTP AUTH) should be included in the list
> > of things you rate limit, monitor for bad password attempts, and lock
> > remote hosts out of if they do things that look suspicious.

That got me thinking ....
I rate limit ssh connections to try to prevent dictionary attacks (3 attempts/3 minutes/IP address).
If I were to do the same with IMAP would that cause problems with some clients,
i.e. are there some clients that do many connect/disconnects?

> True;  but really none of those good practices is specific to any
> protocol.   The exact same charge could be leveled against HTTP, FTP,
> SSH, etc...  and if you use certificate/PKI authentication you run the
> risk that someone could steal the private keys (and it isn't hard to
> make a setup where that is comically easy).  It is really far and away
> more about end-to-end security practices than it is the OSI layer 7
> protocol(s) involved.

-- 
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
Past chairman of UKUUG: http://www.ukuug.org/
#include <std_disclaimer.h>
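
An added illustration of the question raised in this message, not part of the original post and not code from Cyrus: the 3-per-3-minutes-per-IP limit applied once to new connections (the ssh-style rule) and once to failed logins only (the "bad password attempts" from the quoted advice). The event list is constructed sample data, and the assumption that a mail client opens five parallel connections is mine.

```python
from collections import defaultdict, deque

LIMIT = 3     # events allowed per window (3 attempts / 3 minutes, as in the post)
WINDOW = 180  # window length in seconds

# Constructed sample events as (seconds, source IP, event); not real log data.
EVENTS = (
    # Assumed mail client: five parallel connections, every login succeeds.
    [(t, "192.0.2.10", k) for t in (0, 1, 1, 2, 3) for k in ("connect", "login_ok")]
    # Password-guessing source: six connections, every login fails.
    + [(t, "198.51.100.7", k) for t in range(10, 70, 10)
       for k in ("connect", "login_fail")]
    # A user who mistypes the password once and then gets it right.
    + [(300, "203.0.113.5", "connect"), (300, "203.0.113.5", "login_fail"),
       (305, "203.0.113.5", "connect"), (305, "203.0.113.5", "login_ok")]
)


def blocked_ips(events, counted, limit=LIMIT, window=WINDOW):
    """Return the IPs with more than `limit` counted events inside any
    sliding window of `window` seconds."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    blocked = set()
    for ts, ip, kind in sorted(events):
        if kind not in counted:
            continue
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that have aged out of the window.
        while ts - q[0] >= window:
            q.popleft()
        if len(q) > limit:
            blocked.add(ip)
    return blocked


if __name__ == "__main__":
    # Counting connections locks out the legitimate multi-connection client too.
    print("limit on connections:  ", sorted(blocked_ips(EVENTS, {"connect"})))
    # Counting only failed logins locks out just the guessing source.
    print("limit on failed logins:", sorted(blocked_ips(EVENTS, {"login_fail"})))
```
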


More information about the Info-cyrus mailing list