On Thursday, September 07, 2006 08:12:44 PM -0700 "Hallam-Baker, Phillip"
<pbaker(_at_)verisign(_dot_)com> wrote:
> The solution to this particular problem is to use SSL as the transport.
> IMAP and POP both support this use. It is a trivial matter to discover
> that IMAPS is supported using an SRV record.
Of course, if you depend on this technique to determine whether TLS should
be used, you are subject to a downgrade attack which not only exposes your
password to a dictionary attack, but also makes it fairly simple for an
attacker to gain access to the server as you _without_ carrying out such an
attack.
If you're going to depend on TLS to protect CRAM-MD5 or HTTP Digest or
plaintext passwords, you need to know in advance that you're doing so, and
properly validate the server's certificate.
-- Jeff
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
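The two points in the reply above, as an added illustration that is not part of the thread and not code from either author: a client that lets an SRV lookup decide whether TLS is used can be downgraded to plaintext IMAP by anyone who controls the DNS answer; on that plaintext session CRAM-MD5 (RFC 2195, HMAC-MD5 of the password over the server challenge) leaks a challenge/response pair that can be guessed offline, and an in-path attacker can simply relay the pair to log in as the user without guessing anything. The SRV answers, challenge strings, usernames, passwords and wordlist are all constructed for the example; the `ImapServer` class is a toy verifier standing in for a real server.

```python
"""Added example: SRV-driven TLS discovery vs. a client that requires TLS up front.
Everything here is constructed test data; no network access is made."""
import hashlib
import hmac
import ssl
from typing import Dict, List, Optional


# --- CRAM-MD5 as specified in RFC 2195 -------------------------------------
def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side: "<user> <hex(HMAC-MD5(password, challenge))>"."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


class ImapServer:
    """Toy stand-in for the server's CRAM-MD5 verifier (constructed, not a real IMAP server)."""

    def __init__(self, users: Dict[str, str]) -> None:
        self.users = users          # username -> plaintext password (what CRAM-MD5 needs server-side)
        self.counter = 0

    def challenge(self) -> bytes:
        self.counter += 1
        return f"<{self.counter}.1157683964@mail.example.com>".encode()   # constructed challenge

    def verify(self, challenge: bytes, response: str) -> bool:
        username = response.split(" ", 1)[0]
        password = self.users.get(username)
        if password is None:
            return False
        expected = cram_md5_response(username, password, challenge)
        return hmac.compare_digest(expected, response)


# --- What an eavesdropper on plaintext IMAP can do with one captured exchange ---
def dictionary_attack(challenge: bytes, response: str, wordlist: List[str]) -> Optional[str]:
    """Offline guessing: every candidate is one HMAC-MD5; no further contact with the server."""
    username, digest = response.split(" ", 1)
    for guess in wordlist:
        candidate = cram_md5_response(username, guess, challenge).split(" ", 1)[1]
        if hmac.compare_digest(candidate, digest):
            return guess
    return None


def relay_attack(server: ImapServer, username: str, victim_password: str) -> bool:
    """In-path attacker on the downgraded session: fetch a challenge from the real server,
    hand it to the victim (who thinks it came from the server), forward the answer."""
    chal = server.challenge()
    victim_answer = cram_md5_response(username, victim_password, chal)   # victim answers honestly
    return server.verify(chal, victim_answer)                            # attacker is now logged in


# --- Transport selection ----------------------------------------------------
def choose_transport_from_srv(srv: Dict[str, List[str]]) -> str:
    """Naive client: if DNS says there is an _imaps._tcp record, use TLS, else plain IMAP.
    Whoever answers the DNS query (or strips records in transit) decides the outcome."""
    return "imaps" if srv.get("_imaps._tcp.example.com") else "imap"


def connect_with_policy(require_tls: bool, srv: Dict[str, List[str]]) -> str:
    """Client that knows in advance it depends on TLS: SRV may locate the host, but a
    missing IMAPS record is a failure, not permission to fall back to plaintext."""
    transport = choose_transport_from_srv(srv)
    if require_tls and transport != "imaps":
        raise ConnectionError("policy requires TLS; refusing plaintext IMAP")
    return transport


def tls_context_required() -> ssl.SSLContext:
    """Certificate validation is the other half: CERT_REQUIRED plus hostname checking,
    which ssl.create_default_context() enables for client use."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_validates_server(ctx: ssl.SSLContext) -> bool:
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


if __name__ == "__main__":
    honest_dns = {"_imaps._tcp.example.com": ["0 1 993 mail.example.com."]}
    stripped_dns: Dict[str, List[str]] = {}          # attacker removed the IMAPS record
    print("naive client, honest DNS  :", choose_transport_from_srv(honest_dns))
    print("naive client, stripped DNS:", choose_transport_from_srv(stripped_dns))
    server = ImapServer({"alice": "s3cret"})
    chal = server.challenge()
    resp = cram_md5_response("alice", "s3cret", chal)
    print("recovered password:", dictionary_attack(chal, resp, ["password", "letmein", "s3cret"]))
    print("relay logs in as alice:", relay_attack(server, "alice", "s3cret"))
```

The point of `connect_with_policy` is that the TLS decision never consults DNS: the account is configured as "IMAP over TLS, verify the certificate", so a stripped SRV record produces an error the user can see instead of a silent plaintext login.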