On Sun, 5 Oct 2003, Chr. von Stuckrad wrote:
> IF ALL access to the mail goes over 'https:...' and is so
> encrypted, and the connection between 'webmail' and 'imap'
> is ABSOLUTELY ONLY on the 'localhost', you would not really
> need to encrypt the imap-protocol between apache and uw_imap
> on the localhost.

I have been informed that it is *not* safe to assume that localhost is a secure pipe; and that localhost *can* be sniffed.

I do not want imapd to be the center of attention of a security advisory because of an ill-considered decision to exempt localhost from the encryption rules. There are still flames about imapd being "insecure" because of problems that were fixed 5 years ago.

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.