On Fri, 8 Sep 2006, Ned Freed wrote:

> I don't think the lack of support for unencrypted IMAP or POP is quite
> sufficient. What's to stop an attacker acting as a MITM (by
> publishing a bogus SRV record or whatever) getting an unencrypted connection and
> turning around and connecting to the server using encryption?

That's exactly the scenario I was thinking of.

> However, just because this and other attacks are real doesn't mean that there's
> no security gain from a setup that's subject to downgrade attacks. Often as not
> it is far more difficult to mount a MITM attack than it is to perform
> passive eavesdropping.

True. However, spoofing a DNS response is often considerably easier than
mounting a MITM attack at the network layer.

Phill is correct that deploying DNSSEC helps with this. However, I don't see
wide deployment of DNSSEC today, and I'm not holding my breath. Please, feel
free to prove my pessimism unwarranted.

-- 
Jeff

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
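The downgrade scenario debated above, modelled from the client side as an added example (not code from the thread or from any IETF draft): a mail client chooses an IMAP service from DNS SRV answers, and a spoofed answer advertising a plaintext service at a better priority wins unless the client refuses plaintext outright. The record set, hostnames and the rule that the TLS certificate is checked against the user's own domain rather than the SRV target are assumptions of this example, not statements from the message.

```python
"""Simulation of SRV-driven service selection for a mail client.

naive_pick() follows priority alone and can be steered onto a cleartext
service by a bogus SRV answer; hardened_pick() drops plaintext services
and pins the name used for certificate validation to the user's domain.
All DNS answers below are constructed samples, not real lookups.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    service: str    # e.g. "_imaps._tcp" (TLS from the first byte) or "_imap._tcp"
    priority: int   # lower is preferred, as in RFC 2782
    weight: int     # tie-breaker among equal priorities (higher preferred here)
    port: int
    target: str     # host the client would connect to; attacker-chosen if spoofed


# Service types this client treats as encrypted for the whole session.
ENCRYPTED_SERVICES = {"_imaps._tcp", "_pop3s._tcp"}


def naive_pick(records):
    """Downgrade-prone: best priority wins regardless of service type."""
    return min(records, key=lambda r: (r.priority, -r.weight))


def hardened_pick(records, user_domain):
    """Ignore plaintext services entirely. Returns (record, name_to_verify)
    where name_to_verify is the domain the user configured, never the SRV
    target, so a spoofed answer cannot pick the name the certificate must
    match. Returns None when no encrypted service is advertised at all."""
    tls_only = [r for r in records if r.service in ENCRYPTED_SERVICES]
    if not tls_only:
        return None
    best = min(tls_only, key=lambda r: (r.priority, -r.weight))
    return best, user_domain


# Constructed answer set: the legitimate IMAPS record plus a spoofed
# cleartext IMAP record at a better priority pointing at a relay host.
SAMPLE_ANSWERS = [
    SrvRecord("_imaps._tcp", 10, 0, 993, "imap.example.net"),
    SrvRecord("_imap._tcp", 0, 0, 143, "relay.example.invalid"),
]

if __name__ == "__main__":
    print("naive choice:   ", naive_pick(SAMPLE_ANSWERS))
    print("hardened choice:", hardened_pick(SAMPLE_ANSWERS, "example.net"))
```

The naive client ends up on port 143 of the spoofed target, which is exactly the unencrypted hop the MITM needs; the hardened client either gets the IMAPS record verified against example.net or refuses to connect.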