On Tue, 15 Oct 2002 22:53:16 -0500 Steve Langasek <vorlon@netexpress.net> wrote:

> On Tue, Oct 15, 2002 at 11:12:29PM -0400, Jaldhar H. Vyas wrote:
> > Now we have crypto in main, these packages will have SSL/TLS
> > support. The -ssl versions of these packages are just going to be
> > dummies that will upgrade you to the packages listed above which
> > will ask you via debconf which protocols you want to enable.
>
> > Following the upstream practice which is based on an IESG
> > recommendation, plaintext logins will be disabled on non-SSL/TLS
> > connections. If you absolutely don't want to use SSL or TLS for
> > some reason, your only alternatives are to use CRAM-MD5 (See
> > /usr/share/doc/libc-client2002/md5.txt) or Kerberos or to recompile
> > the package.
>
> Recommended or not, this is a substantial change that will break a lot
> of clients of existing systems. There *are* still POP clients in use
> that support neither SASL nor SSL. Likewise, a client that refused to
> negotiate plaintext would fail with some servers. Is it possible to
> re-enable plaintext logins at runtime, or is this setting hard-coded
> into the binaries?

I'd like to second this. As a user of Debian I *know* that POP3/IMAP suck
security-wise... but if an attacker has root on a machine between my users
and the server, the game is probably already over. It will suck if I have
to hand-compile uw-* software. I _can't_ use CRAM-MD5, because I don't
_know_ my users' passwords (and keeping them synchronized would be a
nightmare.)

> Since most SSL-enabled POP servers don't have a certificate issued by
> a recognized CA, tunneling plaintext passwords over SSL provides only
> minimal protection against a dedicated attacker compared to sending
> plaintext passwords in the clear.

...and telling users that a self-signed sig is safe--this time only--sucks.
I'd use SSL/SASL/START TLS when Debian is a CA with root sigs in _all_ major
browsers and email clients.

> > * I would like some people to document how to set up TLS or SSL
> > in popular IMAP clients (in particular: Outlook, Outlook Express, KMail,
> > Mozilla Mail, fetchmail, and Mutt.) I will include this
> > information in a FAQ.

Have fun documenting how to add support for self-signed certificates too.
If you think turning on TLS/SSL support is fun just wait...

Thomas