
Re: Bits from the uw-imap maintainer

On Wed, Oct 16, 2002 at 12:10:05AM -0400, Jaldhar H. Vyas wrote:
> > > Following the upstream practice which is based on an IESG recommendation,
> > > plaintext logins will be disabled on non-SSL/TLS connections.  If you
> > > absolutely don't want to use SSL or TLS for some reason, your only
> > > alternatives are to use CRAM-MD5 (See /usr/share/doc/libc-client2002/md5.txt)
> > > or Kerberos or to recompile the package.

> > Recommended or not, this is a substantial change that will break a lot
> > of clients of existing systems.  There *are* still POP clients in use
> > that support neither SASL nor SSL.  Likewise, a client that refused to
> > negotiate plaintext would fail with some servers.  Is it possible to
> > re-enable plaintext logins at runtime, or is this setting hard-coded
> > into the binaries?

> Upstream doesn't believe in runtime configuration!

One more reason for me to stop using their IMAP server, then.

> > Since most SSL-enabled POP servers don't have a certificate issued by a
> > recognized CA, tunneling plaintext passwords over SSL provides only
> > minimal protection against a dedicated attacker compared to sending
> > plaintext passwords in the clear.

> You know more about this than I do.  But I have to choose one or the other
> or maintain two sets of packages which I don't want to do.

> And minimal protection is better than none, right?

Not when it's associated with buzzwords that make people think they're
getting much more.  SASL provides real protection of your passwords; SSL
does not.

Steve Langasek
postmodern programmer
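As an added illustration (not from this thread, the Debian package or uw-imap) of why the CRAM-MD5 alternative mentioned above keeps the password off the wire even without SSL/TLS: a minimal RFC 2195 challenge/response exchange in Python. The username, password and hostname are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os
import time

def make_challenge(hostname):
    """Server side: fresh, unpredictable challenge. RFC 2195 uses a msg-id style
    string; the random nonce is what defeats replay of an old response."""
    nonce = os.urandom(8).hex()
    return "<{}.{}@{}>".format(nonce, int(time.time()), hostname).encode()

def client_response(username, password, challenge):
    """Client side: HMAC-MD5 keyed with the password over the challenge.
    Only the username and the hex digest are sent; the password never is."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return "{} {}".format(username, digest).encode()

def server_verify(response, challenge, stored):
    """Server side: recompute from the stored secret and compare in constant time.
    Caveat: the server needs the password (or an equivalent MD5 context) for this,
    so it cannot store only a salted one-way hash the way plaintext login allows."""
    try:
        username, digest = response.decode().split(" ", 1)
    except ValueError:
        return False
    password = stored.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def wire_exchange(username, password, stored, hostname="imap.example.test"):
    """Full exchange as it appears on the wire (both sides base64, per the SASL
    framing). Returns (accepted, server_line, client_line)."""
    challenge = make_challenge(hostname)
    server_line = b"+ " + base64.b64encode(challenge)
    client_line = base64.b64encode(client_response(username, password, challenge))
    accepted = server_verify(base64.b64decode(client_line), challenge, stored)
    return accepted, server_line, client_line

if __name__ == "__main__":
    # Constructed credentials for demonstration only (hostname above is also constructed).
    users = {"tim": "tanstaaftanstaaf"}
    ok, s_line, c_line = wire_exchange("tim", "tanstaaftanstaaf", users)
    print(s_line.decode()); print(c_line.decode()); print("accepted:", ok)
```

An eavesdropper on the non-TLS connection sees only the challenge and the digest, which is the property the thread contrasts with plaintext-over-unverified-SSL; an attacker who captures them can still run an offline guessing attack, which is why the mechanism is only a fallback.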
