Hi, Caskey :)

On Tue, 11 Mar 2003, Caskey Dickson wrote:
>On Tue, Mar 11, 2003 at 11:10:47AM +0100, Andreas Aardal Hanssen wrote:
>> LOGINDISABLED is a hint to the client that can't do a plain text
>> authentication. It saves a roundtrip.. if the server does not say
>Just to drive the nail home: it's more than just a hint, it's a
>critically important policy enforcement and security feature.
>
> This capability is useful to prevent clients compliant with this
> specification from sending an unencrypted password in an environment
> subject to passive attacks.
> ...
>
>And of course, any non-PtP IP network is an environment subject to
>passive attacks which pretty much covers nearly every situation in which
>a user is accessing an IMAP server.
>
>Unlike other protocols where the username and password are sent as two
>separate steps (e.g. POP3's USER/PASS), with IMAP password
>authentication (i.e. LOGIN), it is a single line so the server doesn't
>get an opportunity to stop the client from transmitting the secret with
>a "TLS REQUIRED" type message.
Good point. :P

Andy

-- 
Andreas Aardal Hanssen | http://www.andreas.hanssen.name/gpg
Author of Binc IMAP    | Nil desperandum
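The client-side check the thread is about, as an added example (not code from the thread or from Binc IMAP): because IMAP LOGIN carries the username and password on one line, the client has to look for LOGINDISABLED in the CAPABILITY response before it sends anything; the server replies below are constructed, and `login_policy` is an assumed helper name.

```python
"""Client-side enforcement of IMAP LOGINDISABLED (RFC 2595 / RFC 3501 semantics)."""


def parse_capabilities(line: str) -> set[str]:
    """Extract capability names from '* CAPABILITY ...' or 'OK [CAPABILITY ...]'."""
    line = line.strip()
    if line.startswith("* CAPABILITY "):
        return set(line[len("* CAPABILITY "):].upper().split())
    start = line.find("[CAPABILITY ")
    if start != -1:
        end = line.find("]", start)
        return set(line[start + len("[CAPABILITY "):end].upper().split())
    return set()


def login_policy(caps: set[str], tls_active: bool) -> str:
    """Decide the client's next step: "LOGIN", "STARTTLS" or "REFUSE".

    The decision is made from the capability list alone, before any LOGIN
    line is built, since a LOGIN line already contains the password.
    """
    if tls_active:
        # After STARTTLS the server re-advertises capabilities; if it still
        # says LOGINDISABLED, plaintext LOGIN is forbidden on this session too.
        return "REFUSE" if "LOGINDISABLED" in caps else "LOGIN"
    if "LOGINDISABLED" in caps:
        # Server policy forbids plaintext LOGIN; upgrade or give up.
        return "STARTTLS" if "STARTTLS" in caps else "REFUSE"
    # Server did not forbid LOGIN, but a cautious client still prefers TLS.
    return "STARTTLS" if "STARTTLS" in caps else "LOGIN"


# Constructed sample server replies (not captured from a real server).
PRE_TLS_GREETING = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"
POST_TLS_CAPABILITY = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"


def simulate_session() -> list[str]:
    """Walk the greeting -> STARTTLS -> LOGIN sequence and return the actions taken."""
    trace = []
    action = login_policy(parse_capabilities(PRE_TLS_GREETING), tls_active=False)
    trace.append(action)
    if action == "STARTTLS":
        # TLS handshake would happen here; then re-read capabilities.
        trace.append(login_policy(parse_capabilities(POST_TLS_CAPABILITY), tls_active=True))
    return trace


if __name__ == "__main__":
    print(simulate_session())  # ['STARTTLS', 'LOGIN']
```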

