Disallow cleartext on the wire

Bron Gondwana brong at fastmail.fm
Mon Jan 10 19:09:46 EST 2011


On Tue, Jan 11, 2011 at 08:56:01AM +1100, Bron Gondwana wrote:
> > Running IMAP over 143 should be safe from over the wire snooping, if the
> > server is properly configured.
> 
> Yeah, that's what's known as "wishful thinking" I suspect.  Has anyone
> actually done any testing on this?

And it's certainly not safe from a man-in-the-middle attack which strips
the LOGINDISABLED from the CAPABILITY response, while SSL with a client
that checks certificates is.

True - a client that refuses to use non-TLS sessions is similarly safe,
but in that case why not just use SSL and avoid the extra round-trip?

Bron.


More information about the Info-cyrus mailing list