Disallow cleartext on the wire
brong at fastmail.fm
Mon Jan 10 19:09:46 EST 2011
On Tue, Jan 11, 2011 at 08:56:01AM +1100, Bron Gondwana wrote:
> > Running IMAP over 143 should be safe from over the wire snooping, if the
> > server is properly configured.
> Yeah, that's what's known as "wishful thinking" I suspect. Has anyone
> actually done any testing on this?
And it's certainly not safe from a man-in-the-middle attack which strips
the LOGINDISABLED from the CAPABILITY response, while SSL with a client
that checks certificates is.
True - a client that refuses to use non-TLS sessions is similarly safe,
but in that case why not just use SSL and avoid the extra round-trip?
More information about the Info-cyrus