> From: Jeffrey Hutzelman [mailto:[EMAIL PROTECTED]
>
> On Thursday, September 07, 2006 08:12:44 PM -0700 "Hallam-Baker, Phillip" <[EMAIL PROTECTED]> wrote:
>
> > The solution to this particular problem is to use SSL as the transport.
> > IMAP and POP both support this use. It is a trivial matter to discover
> > that IMAPS is supported using an SRV record.
>
> Of course, if you depend on this technique to determine whether TLS should be used, you are subject to a downgrade attack which not only exposes your password to a dictionary attack, but also makes it fairly simple for an attacker to gain access to the server as you _without_ carrying out such an attack.

How so? The attacker cannot downgrade the server security, particularly if the server does not support unencrypted IMAP or POP.

If you deploy DNSSEC the downgrade attack can be eliminated.

_______________________________________________
Ietf mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/ietf
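The two positions above (SRV discovery of IMAPS is downgrade-prone; DNSSEC removes the downgrade) can be made concrete with a small model of the client-side transport decision. This is an added illustration, not code from either poster or from any IETF document; the DNS answers, the `example.com` hostnames and the `ad` field (standing in for the DNSSEC authenticated-data bit a validating resolver sets) are all constructed here.

```python
"""Transport selection from SRV discovery: downgrade-prone vs. downgrade-resistant.

Added illustration, not part of the original thread. DNS answers are constructed
in-line; `ad` models the DNSSEC "authenticated data" bit of a validating resolver.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class SrvAnswer:
    """One SRV lookup result.

    targets: (priority, weight, port, host) tuples; empty means NXDOMAIN/NODATA.
    ad:      True when the answer was DNSSEC-validated (hypothetical field).
    """
    targets: Tuple[Tuple[int, int, int, str], ...]
    ad: bool


@dataclass(frozen=True)
class Transport:
    host: str
    port: int
    tls: bool


class NoSecureTransport(Exception):
    """Raised when no DNSSEC-authenticated IMAPS SRV record is available."""


def _best(targets):
    # RFC 2782 order: lowest priority first, then prefer the higher weight.
    # (Deterministic simplification of the weighted random selection.)
    prio, weight, port, host = sorted(targets, key=lambda t: (t[0], -t[1]))[0]
    return host, port


def pick_naive(dns: Dict[str, SrvAnswer], domain: str) -> Transport:
    """Downgrade-prone policy: IMAPS if an _imaps._tcp SRV exists, else plain IMAP.

    Anyone who can make the IMAPS SRV answer disappear (or forge the reply)
    pushes the client to cleartext, so the password travels unprotected.
    """
    imaps = dns.get(f"_imaps._tcp.{domain}")
    if imaps and imaps.targets:
        host, port = _best(imaps.targets)
        return Transport(host, port, tls=True)
    imap = dns.get(f"_imap._tcp.{domain}")
    if imap and imap.targets:
        host, port = _best(imap.targets)
        return Transport(host, port, tls=False)
    return Transport(f"mail.{domain}", 143, tls=False)  # conventional last resort


def pick_hardened(dns: Dict[str, SrvAnswer], domain: str,
                  require_dnssec: bool = True) -> Transport:
    """Downgrade-resistant policy: TLS is mandatory and the SRV record is trusted
    only when DNSSEC-validated. Missing or unauthenticated data is an error,
    never a fallback to cleartext."""
    imaps = dns.get(f"_imaps._tcp.{domain}")
    if not imaps or not imaps.targets:
        raise NoSecureTransport(f"no _imaps._tcp SRV for {domain}; refusing cleartext")
    if require_dnssec and not imaps.ad:
        raise NoSecureTransport("SRV answer not DNSSEC-authenticated; possible spoof")
    host, port = _best(imaps.targets)
    return Transport(host, port, tls=True)


def hardened_rejects(dns: Dict[str, SrvAnswer], domain: str) -> bool:
    """True when the hardened policy refuses to connect at all."""
    try:
        pick_hardened(dns, domain)
        return False
    except NoSecureTransport:
        return True


# Constructed scenarios (hostnames and records are made up for this example).
IMAPS_RR = ((10, 5, 993, "imap.example.com"), (20, 1, 993, "imap2.example.com"))
IMAP_RR = ((10, 5, 143, "imap.example.com"),)

HONEST = {"_imaps._tcp.example.com": SrvAnswer(IMAPS_RR, ad=True),
          "_imap._tcp.example.com": SrvAnswer(IMAP_RR, ad=True)}
# On-path attacker suppresses the IMAPS answer; plain IMAP still "resolves".
STRIPPED = {"_imap._tcp.example.com": SrvAnswer(IMAP_RR, ad=False)}
# IMAPS answer present but not validated (unsigned zone or forged reply).
UNSIGNED = {"_imaps._tcp.example.com": SrvAnswer(IMAPS_RR, ad=False)}

if __name__ == "__main__":
    for name, dns in (("honest", HONEST), ("stripped", STRIPPED), ("unsigned", UNSIGNED)):
        naive = pick_naive(dns, "example.com")
        print(f"{name:9s} naive -> {naive}  hardened rejects: {hardened_rejects(dns, 'example.com')}")
```

The hardened policy still leaves certificate validation to the TLS layer: with SRV-based discovery the client must verify the server certificate against the expected name, otherwise a forged SRV target simply moves the TLS session to a host the attacker controls.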
