On Sun, Feb 23, 2014 at 11:37:55PM +0100, Reindl Harald wrote:
>
> what headache?

The one I've described.

>
> how do you imagine a man-in-the-middle-attack on 127.0.0.1

You're confusing the different attacks. This has nothing to do with a man-in-the-middle. This is against a passive eavesdropper, e.g. someone watching people entering the password at a web interface, or a keylogger on an unreliable computer.

> > Please add a configuration variable to configure, whether %c
> > should become "secured" for unencrypted traffic on the loopback
> > device (localhost)
>
> to gain exactly what?

to gain different LDAP filter strings for IMAP requests coming from outside encrypted with SSL/TLS and unencrypted IMAP requests on localhost.

> frankly for practical usage epect debugging even a fallback to
> no encryption at all on loopback would be sane and for the
> sake of reduce useless overhead fine

It is never a good idea to lower security in favor of easy debugging. That's why I propose a switch to turn this behaviour on and off.

Hadmut