From: Jeffrey Hutzelman [mailto:jhutz(_at_)cmu(_dot_)edu]
> On Thursday, September 07, 2006 08:12:44 PM -0700
> "Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com> wrote:
>
>> The solution to this particular problem is to use SSL as the transport.
>> IMAP and POP both support this use. It is a trivial matter to discover
>> that IMAPS is supported using an SRV record.
>
> Of course, if you depend on this technique to determine whether TLS
> should be used, you are subject to a downgrade attack which not only
> exposes your password to a dictionary attack, but also makes it fairly
> simple for an attacker to gain access to the server as you _without_
> carrying out such an attack.

How so?

The attacker cannot downgrade the server security, particularly if the
server does not support unencrypted IMAP or POP.

If you deploy DNSSEC the downgrade attack can be eliminated.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
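The exchange above turns on one design question: does the client treat the presence of an `_imaps._tcp` SRV record as the thing that decides whether TLS is used, or only as a hint about host and port? The following is an added example written for this page, not code from either poster or from the IETF. It is a constructed Python simulation of both client policies: a "naive" client that uses TLS only when it sees an `_imaps` record (so whoever answers its DNS queries decides whether the password crosses the wire in the clear), and a DNSSEC-aware client that keeps TLS mandatory unless the negative `_imaps` answer arrived with the AD (Authenticated Data) bit from a validating resolver. The zone contents, the domain names, the resolvers and the `ad` flag are all assumptions of the simulation; no network is touched.

```python
# Added example (not from the thread): a constructed simulation of choosing an
# IMAP endpoint from SRV records, showing why "use TLS only if _imaps exists"
# is downgradeable and how a DNSSEC-validated answer changes that.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


@dataclass(frozen=True)
class DnsAnswer:
    records: List[SrvRecord]   # empty list models "no such record"
    ad: bool                   # AD bit: a validating resolver checked DNSSEC signatures


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int
    tls: bool                  # True: implicit TLS (IMAPS) or mandatory STARTTLS


# Constructed zone data; every name and host here is hypothetical.
ZONE: Dict[str, List[SrvRecord]] = {
    "_imaps._tcp.example.com": [SrvRecord(0, 1, 993, "mail.example.com")],
    "_imap._tcp.example.com":  [SrvRecord(0, 1, 143, "mail.example.com")],
    # legacy.example genuinely publishes cleartext IMAP only (no _imaps record).
    "_imap._tcp.legacy.example": [SrvRecord(0, 1, 143, "mx.legacy.example")],
}

Resolver = Callable[[str], DnsAnswer]


def make_resolver(signed: bool) -> Resolver:
    """An honest resolver. `signed` models a DNSSEC-signed zone behind a
    validating resolver, which sets AD on every answer (positive or negative)."""
    def resolve(name: str) -> DnsAnswer:
        return DnsAnswer(list(ZONE.get(name, [])), ad=signed)
    return resolve


def downgrading_resolver(name: str) -> DnsAnswer:
    """An on-path attacker answering the client's DNS: suppress every _imaps
    answer so the client falls back to cleartext. The attacker cannot forge
    valid DNSSEC signatures, so a validating stub never sees AD on its answers."""
    if name.startswith("_imaps._tcp."):
        return DnsAnswer([], ad=False)
    return DnsAnswer(list(ZONE.get(name, [])), ad=False)


def _best(records: List[SrvRecord]) -> SrvRecord:
    # Lowest priority wins; among equals prefer the higher weight. A real
    # client would do RFC 2782 weighted random selection instead.
    return min(records, key=lambda r: (r.priority, -r.weight))


def choose_endpoint_naive(domain: str, resolve: Resolver) -> Optional[Endpoint]:
    """TLS is used only if an _imaps SRV record is seen, so the client's
    security decision is made by whoever answers its DNS queries."""
    imaps = resolve(f"_imaps._tcp.{domain}")
    if imaps.records:
        r = _best(imaps.records)
        return Endpoint(r.target, r.port, tls=True)
    imap = resolve(f"_imap._tcp.{domain}")
    if imap.records:
        r = _best(imap.records)
        return Endpoint(r.target, r.port, tls=False)   # cleartext LOGIN follows
    return None


def choose_endpoint_dnssec_aware(domain: str, resolve: Resolver) -> Optional[Endpoint]:
    """SRV data chooses host and port only. A 'no _imaps' answer may relax
    the TLS requirement solely when it was DNSSEC-validated (AD set); an
    unauthenticated negative answer is treated as a possible downgrade and
    TLS (STARTTLS on the _imap port) stays mandatory."""
    imaps = resolve(f"_imaps._tcp.{domain}")
    if imaps.records:
        r = _best(imaps.records)
        return Endpoint(r.target, r.port, tls=True)
    imap = resolve(f"_imap._tcp.{domain}")
    if not imap.records:
        return None
    r = _best(imap.records)
    cleartext_ok = imaps.ad            # absence of IMAPS was proven, not merely claimed
    return Endpoint(r.target, r.port, tls=not cleartext_ok)


if __name__ == "__main__":
    for label, resolver in (("honest", make_resolver(signed=False)),
                            ("attacker", downgrading_resolver)):
        print(label, "naive:", choose_endpoint_naive("example.com", resolver))
        print(label, "dnssec-aware:", choose_endpoint_dnssec_aware("example.com", resolver))
```

With the attacker answering DNS, the naive client connects to port 143 with `tls=False` and sends its password in the clear, which is exactly the outcome Hutzelman describes: the attacker needs no dictionary attack, the credential is handed over and can be replayed against the real server. The DNSSEC-aware client reaches the same host and port but with TLS still required, so a stripped `_imaps` answer buys the attacker nothing; only a validated negative answer (the `legacy.example` case) lets it fall back to cleartext, which is the sense in which DNSSEC removes the downgrade. The AD bit is only meaningful if the stub resolver validates itself or reaches a validating resolver over a path the attacker cannot sit on.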