On Sun, Dec 16, 2007 at 06:16:06PM -0500, erik quanstrom wrote: :i'm not a security expert. what case that i can't currently see :would tls solve for me that's worth the extra configuration. :what am i missing?
It will prevent the username:password pair from being easily snpooped. Minimally this would compromise email, which as you say is inherantly insecure, but howmany of your users have the same username password pair for other things too (like the plan9 passowrd you wish to protect). It this seconday case that is more dangerous, you can blame the users for overloading their credentials and mixing "secure" and "insecure" usages, but they will blame you if their email password is also their bank passowrd. Atleast those are the things I worry about with my users... -Jon
