Security risk of POP3 & IMAP protocols

David Lang david.lang at digitalinsight.com
Fri Feb 13 12:22:02 EST 2009


On Fri, 13 Feb 2009, Ian Batten wrote:

> On 13 Feb 09, at 0149, Joseph Brennan wrote:
>>
>> The protocol itself is no less secure than POP.
>
> Security isn't about protocols, it's about systems, and I suspect POP3
> vs IMAP is metonymic for local vs remote mail storage.
>
> I can see an argument that says that one problem with IMAP is that
> your entire mail store, which is much more interesting to an attacker
> than a message in flight or your current mail pending collection a la
> POP3, is under someone else's control.  So if, say, you use a whole
> disk encryption product, mail delivered via traditional POP3 will be
> wrapped in the arms of the encryption immediately after collection,
> while mail stored on a remote server and accessed via IMAP will have
> whatever security features the server has.
>
> If you control the IMAP server (for some suitable value of `you') then
> a risk assessment is the same task in both scenarios.  However, if, as
> is common in many situations, the IMAP server isn't within the scope
> of a risk assessment, then I can imagine that your 27001 life is a
> little easier if you don't have a large pool of potentially sensitive
> data under someone else's (for some value of `someone else')
> control.   Data at rest is a different class of problem to data in
> motion, and IMAP implies a _lot_ of data at rest.
>
> To make this more concrete, imagine you're an HR department within a
> large enterprise, handling job applications, CVs, disciplinary
> processes, dismissals, etc.  You need to demonstrate your compliance
> with your local data protection regulations.  The theft of a day's
> email would be severely embarrassing, but is analogous to the theft of
> a day's postal mail: a risk which most businesses would accept.  It
> would expose limited amounts of information about a small subset of
> your employees.
>
> However, the theft of a year's or a decade's email would expose
> substantial information about a large percentage of your employees,
> and would be analogous to allowing a few filing cabinets to be stolen.
>
> Your email system is run by your corporation's IT function in another
> jurisdiction which has laxer data protection laws --- say, an EU
> company whose head office is in the USA.
>
> Do you (a) store all your long term records in the other jurisdiction
> or (b) store them locally?
>
> Now I'm not defending the argument, and indeed here we have ~4TB of
> email on our Cyrus servers.  But I don't think the position is
> entirely without merit, and having gone through the simplifying and
> distorting mirror of sales droids I can see where it's come from...

The flip side of the compliance issue is that it's a LOT easier to control
retention policies (including backups) on a central server than on everybody's
individual desktops/laptops.

As for the concerns about laxer data security in other jurisdictions, that's
something that needs to be addressed when you outsource your mail (via contract
with whoever you are having host your mail for you).

David Lang
