Re: how to prevent clear text IMAP authorization?
- From: "mc2718@xxxxxxxxx" <mc2718@xxxxxxxxx>
- Date: Thu, 09 Aug 2007 19:48:26 -0000
> It does NOT "first try SSL". When you specify /ssl, it ONLY uses SSL and
> NEVER uses any other means of session encryption.

[...]

> In an SSL session, the ENTIRE session is encrypted, including the
> authentication.
> Authentication has the possibility of an ADDITIONAL layer of encryption,
> on top of the SSL encryption, so that you do not ever disclose your
> password to the server but instead prove that you know the password
> without disclosing it. These are mechanisms with names such as CRAM-MD5
> or Kerberos.

Thank you for clarifying this. Great, so I have little to worry about
then (unless the server gets compromised, or I do not fix the
certificate issue below). Wonder why they still use plain text in the
21st century (even if the traffic is encrypted) ... but googling will
help find some answers to that.

> By the way, your use of /novalidate-cert makes you vulnerable to a fake
> server spoofing your real server. You would be better off making sure
> that your server's certificate is installed on your system, so you can
> verify that it is really your server.

Thanks for pointing this out, will ask the local admins for the
certificate (they should have this general IMAP thingy even if they
are not pine experts).
----
Sorry for taking this much of your time,
mc
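
The difference discussed in this thread between a plain-text login and a mechanism such as CRAM-MD5, as an added example that is not part of the original message: it builds what each mechanism puts inside the SSL session and checks whether the party terminating that session can read the password. The user name, shared secret and challenge are the sample values from the RFC 2195 worked example; the function names are chosen here for illustration.

```python
import base64
import hashlib
import hmac

# Sample values from the RFC 2195 worked example (not from this thread).
USER = "tim"
SECRET = b"tanstaaftanstaaf"
CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"


def plain_wire(user: str, password: bytes) -> bytes:
    """What AUTHENTICATE PLAIN sends: base64 of NUL user NUL password."""
    return base64.b64encode(b"\0" + user.encode() + b"\0" + password)


def cram_md5_wire(user: str, password: bytes, challenge: bytes) -> bytes:
    """What AUTHENTICATE CRAM-MD5 sends: base64 of 'user hex(HMAC-MD5)'."""
    digest = hmac.new(password, challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())


def server_verify(wire: bytes, challenge: bytes, secrets: dict) -> bool:
    """Server side: recompute the HMAC over the challenge it issued."""
    user, _, digest = base64.b64decode(wire).rpartition(b" ")
    secret = secrets.get(user.decode(errors="replace"))
    if secret is None:
        return False
    expected = hmac.new(secret, challenge, hashlib.md5).hexdigest().encode()
    return hmac.compare_digest(expected, digest)


def password_recoverable(wire: bytes, password: bytes) -> bool:
    """True if whoever terminates the SSL session can read the password."""
    return password in base64.b64decode(wire)


if __name__ == "__main__":
    for name, wire in (("PLAIN", plain_wire(USER, SECRET)),
                       ("CRAM-MD5", cram_md5_wire(USER, SECRET, CHALLENGE))):
        print(name, wire.decode(), "password visible:",
              password_recoverable(wire, SECRET))
```

With PLAIN, whoever terminates the SSL session, including a spoofed server accepted because certificate validation was turned off, receives the password itself; with CRAM-MD5 it receives a digest that is only valid for the challenge that was issued.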