On Fri, 2009-02-13 at 13:17 +0000, Duncan Gibb wrote:
> Jason Voorhees wrote:
>
> JV> a sales person told my friend that IMAP protocol is
> JV> less secure than POP3 protocol.
>
> Other people have covered the IMAP vs POP3 issues - Ian Batten most
> comprehensively - but one comment I would add is that if you make either
> service available to the open internet, even under SSL encryption,
> password-based authentication is still susceptible to dictionary attack.
>
> So IMAP and/or POP3 (and/or SMTP AUTH) should be included in the list
> of things you rate limit, monitor for bad password attempts, and lock
> remote hosts out of if they do things that look suspicious.

True; but really none of those good practices is specific to any protocol. The exact same charge could be leveled against HTTP, FTP, SSH, etc... and if you use certificate/PKI authentication you run the risk that someone could steal the private keys (and it isn't hard to make a setup where that is comically easy). It is really far and away more about end-to-end security practices than it is the OSI layer 7 protocol(s) involved.

I stand by my assertion that the IMAP vs. POP issue is 100% bogosity.
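An added example, not part of the original thread: the monitoring and lockout discussed above, written as a sliding-window count of failed logins per remote host that treats IMAP, POP3 and SMTP AUTH failures alike. The log line format, the sample lines, the threshold and the window are all assumptions constructed for illustration, not the output of any real mail server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed, simplified format:
# "<ISO timestamp> <service> <ok|fail> <remote ip> <user>"
SAMPLE_LOG = """\
2009-02-13T13:00:01 imap fail 192.0.2.10 alice
2009-02-13T13:00:03 pop3 fail 192.0.2.10 bob
2009-02-13T13:00:05 smtp fail 192.0.2.10 carol
2009-02-13T13:00:06 imap fail 198.51.100.7 dave
2009-02-13T13:00:08 imap fail 192.0.2.10 admin
2009-02-13T13:00:09 imap ok 198.51.100.7 dave
2009-02-13T13:00:10 pop3 fail 192.0.2.10 root
2009-02-13T13:20:00 imap fail 203.0.113.5 erin
2009-02-13T13:40:00 imap fail 203.0.113.5 erin
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (ok|fail) (\S+) (\S+)$")


def hosts_to_lock_out(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: time the threshold was crossed} for every remote host
    with max_failures failed logins inside one window, on any service."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, _service, result, ip, _user = m.groups()
        if result != "fail":
            continue  # successes are not counted and do not reset the count
        when = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append(when)
        # Drop failures that have aged out of the window.
        while when - q[0] > window:
            q.popleft()
        if len(q) >= max_failures and ip not in flagged:
            flagged[ip] = when
    return flagged


if __name__ == "__main__":
    for ip, when in hosts_to_lock_out(SAMPLE_LOG).items():
        print(f"lock out {ip}: threshold reached at {when.isoformat()}")
```

Counting per remote host across services means a client that spreads its guesses over IMAP, POP3 and SMTP AUTH still reaches the threshold.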