On Fri, 8 Sep 2006, Ned Freed wrote:
>> I don't think the lack of support for unencrypted IMAP or POP is quite
>> sufficient. What's to stop an attacker acting as a MITM (by publishing a
>> bogus SRV record or whatever) getting an unencrypted connection and
>> turning around and connecting to the server using encryption?
> That's exactly the scenario I was thinking of.
>
> However, just because this and other attacks are real doesn't mean that
> there's no security gain from a setup that's subject to downgrade attacks.
> Often as not it is far more difficult to mount a MITM attack than it is to
> perform passive eavesdropping.
True. However, spoofing a DNS response is often considerably easier than
mounting a MITM attack at the network layer. Phill is correct that
deploying DNSSEC helps with this. However, I don't see wide deployment of
DNSSEC today, and I'm not holding my breath. Please, feel free to prove
my pessimism unwarranted.
-- Jeff
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf