Re: Security risk of POP3 & IMAP protocols

On Fri, 2009-02-13 at 13:17 +0000, Duncan Gibb wrote:
> Jason Voorhees wrote:
> JV> a sales person told my friend that IMAP protocol is
> JV> less secure than POP3 protocol.
> Other people have covered the IMAP vs POP3 issues - Ian Batten most
> comprehensively - but one comment I would add is that if you make either
> service available to the open internet, even under SSL encryption,
> password-based authentication is still susceptible to dictionary attack.
>  So IMAP and/or POP3 (and/or SMTP AUTH) should be included in the list
> of things you rate limit, monitor for bad password attempts, and lock
> remote hosts out of if they do things that look suspicious.

True;  but really none of those good practices is specific to any
protocol.   The exact same charge could be leveled against HTTP, FTP,
SSH, etc...  and if you use certificate/PKI authentication you run the
risk that someone could steal the private keys (and it isn't hard to
make a setup where that is comically easy).  It is really far and away
more about end-to-end security practices than it is the OSI layer 7
protocol(s) involved.

I stand by my assertion that the IMAP vs. POP issue is 100% bogosity. 

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
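
The monitoring and lockout practice discussed in this thread, as an added example that is not part of the original messages: failed logins are counted per remote host across IMAP, POP3 and SMTP AUTH together, since the practice is not protocol-specific. The log format, the function name `hosts_to_lock_out` and the thresholds are assumptions made for illustration, not output or settings of any real mail server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a simplified, hypothetical format (not real server output).
SAMPLE_LOG = """\
2009-02-13T13:00:01 imap FAIL user=admin rip=203.0.113.7
2009-02-13T13:00:03 imap FAIL user=admin rip=203.0.113.7
2009-02-13T13:00:05 pop3 FAIL user=admin rip=203.0.113.7
2009-02-13T13:00:09 smtp FAIL user=admin rip=203.0.113.7
2009-02-13T13:00:12 imap FAIL user=dave rip=192.0.2.50
2009-02-13T13:00:14 pop3 FAIL user=admin rip=203.0.113.7
2009-02-13T13:00:40 imap FAIL user=dave rip=192.0.2.50
2009-02-13T13:00:55 imap OK user=dave rip=192.0.2.50
2009-02-13T13:01:10 pop3 FAIL user=alice rip=198.51.100.20
2009-02-13T13:01:30 imap FAIL user=bob rip=198.51.100.20
2009-02-13T13:01:50 smtp FAIL user=carol rip=198.51.100.20
"""

LINE_RE = re.compile(r"^(\S+) (imap|pop3|smtp) (OK|FAIL) user=(\S+) rip=(\S+)$")

def hosts_to_lock_out(log_text, max_failures=5,
                      window=timedelta(minutes=10), max_users=3):
    """Return {remote_ip: reason} for hosts whose failed logins, counted
    across all services, exceed a threshold inside a sliding window."""
    recent = defaultdict(deque)  # ip -> (timestamp, user) failures still in window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not parse
        ts, _service, result, user, ip = m.groups()
        if result != "FAIL" or ip in flagged:
            continue
        now = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append((now, user))
        while now - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        users = {u for _, u in q}
        if len(q) >= max_failures:
            flagged[ip] = f"{len(q)} failures in window"
        elif len(users) >= max_users:  # few attempts, but spread over many accounts
            flagged[ip] = f"{len(users)} distinct users tried"
    return flagged

if __name__ == "__main__":
    for ip, reason in hosts_to_lock_out(SAMPLE_LOG).items():
        print(ip, reason)
```
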
