From: Ned Freed [mailto:ned(_dot_)freed(_at_)mrochek(_dot_)com]
The attacker cannot downgrade the server security, particularly if the
server does not support unencrypted IMAP or POP.
I don't think the lack of support for unencrypted IMAP or POP
is quite sufficient. What's to stop an attacker acting as a
MITM (by publishing a bogus SRV record or whatever) getting
an unencrypted connection and turning around and connecting to
the server using encryption?
Hopefully one would deploy DNSSEC.
Either a client key check on the server or the client
requiring encryption and checking the server cert will address
this, I believe.
If one has DNSSEC one could also use a DNS distributed key to secure the
server key. That avoids the need to have that particular cert issued by a
Trusted Third Party.
If you deploy DNSSEC the downgrade attack can be eliminated.
That prevents one MITM attack vector, but there may be others.
I have a somewhat larger proposal. I think that it is in fact possible to offer
a very robust level of security.
The discussion here is missing the point though. Most security schemes fail
because they are not used and they are not used because the administrative
configuration process is utterly abysmal. The reason that most WiFi access
points are not secured has nothing to do with the insecurity of WEP - which is
fixable.
Fixing security holes is easy. Fixing usability holes is very hard,
particularly because none of us are psychologists and few of us are likely to
want to learn about it.
Therefore the security strategy we should be pushing for is going to be one
that requires the minimum number of user interactions while providing the user
with the most direct information that allows them to be safe.
We currently have an abysmal security infrastructure in the Internet and this
is not going to be solved just by everyone deploying IPSEC.