Re: POP vs IMAP vs MAPI - security through firewalls?

[Joseph S D Yao <jsdy () cospo osis gov>]

On Mon, Feb 26, 2001 at 08:02:11AM +0200, Chris Crozier wrote:
...
> Both POP3 and IMAP4 have stronger authentication mechanisms (APOP for POP3,
> CRAM-MD5 for IMAP4), but I have never seen them used - nearly everyone uses
> clear text passwords, which are blatantly lousy security.

In the 'qpopper' mailing list, a lot of people using the Qualcomm POP
daemon are asking about details of using APOP, which suggests that they
are using it.  This is just a data point to contrast against "never".
I don't have a similar one for IMAP4.

> Whichever way you slice it, I believe that no-one should use email for
> sensitive information without encrypting/signing at the client level since
> none of the mail access protocols have any inherent security worth
> considering, especially in the military context.

You'll be happy to know, then, that that's another part of the proposed
change.  ;-}

-- 
Joe Yao                         jsdy () cospo osis gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                                     EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards