On Thu, 28 Nov 2002, Arnt Gulbrandsen wrote:
>Andreas Aardal Hanssen writes:
>> I'd rather turn the ball(?) around, and ask - why can't the localhost
>> client use TLS or SSL like everyone else? I guess the obvious
>> argument is that it wastes cycles and does not provide more security.
>The client on localhost may be something like "stunnel -r 143" or an ssh
>tunnel.
>--Arnt

One more thing: root can tcpdump -i lo, and get your password. This password would not necessarily be available for root if this was not so. Sure, root can also replace the imap server, or perhaps dump the memory of the imap process, but still - lo is not indefinitely secure. That password could suddenly come in handy for root, as many users use the same passwords for other services, etc. etc.

Andy

-- 
Andreas Aardal Hanssen
