[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bits from the uw-imap maintainer



On Tue, 15 Oct 2002 22:53:16 -0500
Steve Langasek <vorlon@netexpress.net> wrote:

> On Tue, Oct 15, 2002 at 11:12:29PM -0400, Jaldhar H. Vyas wrote:
> > Now we have crypto in main, these packages will have SSL/TLS
> > support. The -ssl versions of these packages are just going to be
> > dummies that will upgrade you to the packages listed above which
> > will ask you via debconf which protocols you want to enable.
> 
> > Following the upstream practice which is based on an IESG
> > recommendation, plaintext logins will be disabled on non-SSL/TLS
> > connections.  If you absolutely don't want to use SSL or TLS for
> > some reason, your only alternatives are to use CRAM-MD5 (See
> > /usr/share/doc/libc-client2002/md5.txt) or Kerberos or to recompile
> > the package.
> 
> Recommended or not, this is a substantial change that will break a lot
> of clients of existing systems.  There *are* still POP clients in use
> that support neither SASL nor SSL.  Likewise, a client that refused to
> negotiate plaintext would fail with some servers.  Is it possible to
> re-enable plaintext logins at runtime, or is this setting hard-coded
> into the binaries?

I'd like to second this. As a user of debian I *know* that POP3/IMAP
suck security wise...but if an attacker has root on a machine between my
users and the server, the game is probably already over. It will suck if
I have to hand compile uw-* software. I _can't_ use CRAM-MD5, because I
don't _know_ my users passwords (and keeping them syncronized would be a
nightmare.)

> Since most SSL-enabled POP servers don't have a certificate issued by
> a recognized CA, tunneling plaintext passwords over SSL provides only
> minimal protection against a dedicated attacker compared to sending
> plaintext passwords in the clear.

...and telling users that a self signed sig is safe--this time
only--sucks. I'd use SSL/SASL/START TLS when debian is a CA with root
sigs in _all_ major browsers and email clients. 

> > * I would like some people to document how to set up up TLS or SSL
> > in popular
> >   IMAP clients (in particular: Outlook, Outlook Express, KMail,
> >   Mozilla Mail, fetchmail, and Mutt.)  I will include this
> >   indormation in a FAQ.

Have fun documenting how to add support for self-signed certificates
too. If you think turning on TLS/SSL support is fun just wait...

Thomas

Attachment: pgpxZoxocp3aj.pgp
Description: PGP signature


Reply to: