> From: Jeffrey Hutzelman [mailto:jhutz@xxxxxxx]
>
> On Thursday, September 07, 2006 08:12:44 PM -0700
> "Hallam-Baker, Phillip" <pbaker@xxxxxxxxxxxx> wrote:
>
> > The solution to this particular problem is to use SSL as the transport.
> > IMAP and POP both support this use. It is a trivial matter to discover
> > that IMAPS is supported using an SRV record.
>
> Of course, if you depend on this technique to determine whether TLS
> should be used, you are subject to a downgrade attack which not only
> exposes your password to a dictionary attack, but also makes it fairly
> simple for an attacker to gain access to the server as you _without_
> carrying out such an attack.

How so?

The attacker cannot downgrade the server security, particularly if the
server does not support unencrypted IMAP or POP.

If you deploy DNSSEC the downgrade attack can be eliminated.
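Added illustration, not part of the thread or either author's code: a client-side connection policy in Python that contrasts the downgrade Hutzelman describes (falling back to plaintext IMAP whenever the IMAPS SRV lookup comes back empty) with a fail-closed variant that only treats an empty answer as genuine when the resolver validated it with DNSSEC. The SRV contents, the `authenticated` flag standing in for the resolver's AD bit, and the host names are constructed; no DNS is queried.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str

@dataclass
class SrvAnswer:
    """Constructed stand-in for a resolver's reply to _imaps._tcp.<domain>."""
    records: List[SrvRecord] = field(default_factory=list)  # empty = NODATA/NXDOMAIN
    authenticated: bool = False  # True only if a validating resolver set the AD bit

Decision = Tuple[str, Optional[str], Optional[int]]

def best_target(records: List[SrvRecord]) -> SrvRecord:
    # Lowest priority first, then highest weight (RFC 2782 ordering, simplified).
    return min(records, key=lambda r: (r.priority, -r.weight))

def naive_policy(answer: SrvAnswer) -> Decision:
    """The behaviour Hutzelman objects to: no IMAPS SRV record => plain IMAP."""
    if answer.records:
        best = best_target(answer.records)
        return ("imaps", best.target, best.port)
    return ("imap", None, 143)  # silently downgrades to clear text

def strict_policy(answer: SrvAnswer, allow_plaintext: bool = False) -> Decision:
    """Fail-closed: plaintext is reachable only through a DNSSEC-validated
    absence of the record *and* an explicit local opt-in."""
    if answer.records:
        best = best_target(answer.records)
        return ("imaps", best.target, best.port)
    if not answer.authenticated:
        return ("refuse", None, None)  # absence may be forged: never connect in the clear
    if allow_plaintext:
        return ("imap", None, 143)     # genuine absence and operator opted in
    return ("refuse", None, None)

# Constructed scenarios (hypothetical host name, hypothetical answers)
GENUINE = SrvAnswer([SrvRecord(10, 50, 993, "imap.example.net")], authenticated=True)
SPOOFED_ABSENCE = SrvAnswer([], authenticated=False)   # forged NODATA, no DNSSEC
VALIDATED_ABSENCE = SrvAnswer([], authenticated=True)  # provably no IMAPS SRV record

if __name__ == "__main__":
    print("naive/spoofed  ->", naive_policy(SPOOFED_ABSENCE))    # ('imap', None, 143)
    print("strict/spoofed ->", strict_policy(SPOOFED_ABSENCE))   # ('refuse', None, None)
    print("strict/genuine ->", strict_policy(GENUINE))           # ('imaps', 'imap.example.net', 993)
```

The naive policy is what turns a spoofable DNS answer into a TLS-stripping opportunity; the strict one makes the DNSSEC point in the reply concrete, since only a validated answer can ever lead to a clear-text connection.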