[yam] [Imap-protocol] Re: draft-daboo-srv-email: POP3S/IMAPS?

Tony Finch dot at dotat.at
Mon Jan 18 07:04:00 PST 2010


On Mon, 18 Jan 2010, Arnt Gulbrandsen wrote:

>

> Timo's mail made me think of a different approach: Immediately expire a

> password if a server receives that password in clear text. Bang bang. (Let me

> guess: The words "support spike" entered your mind now.)



:-)


One advantage of POP's separate USER and PASS commands relative to IMAP's
unified LOGIN command or SASL PLAIN is that the server can reject the USER
command on unencrypted connections and with any luck the client will give
up without blurting out the password. At least in theory :-)

In practice I'm not too worried about idiot client software revealing
passwords because it'll only happen during the user's first attempts at
configuration, so the exposure is pretty small. I might revise that
opinion if a college decides to go all-wireless for network access in
student bedrooms, and if against all past experience students start using
MUAs en masse instead of webmail...

Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS.
MODERATE OR GOOD.



More information about the Imap-protocol mailing list