RE: RFC 2195 (Was: what happened to newtrk?)

On Thursday, September 07, 2006 08:12:44 PM -0700 "Hallam-Baker, Phillip" <pbaker at verisign.com> wrote:

> The solution to this particular problem is to use SSL as the transport.
> IMAP and POP both support this use. It is a trivial matter to discover
> that IMAPS is supported using an SRV record.

Of course, if you depend on this technique to determine whether TLS should be used, you are subject to a downgrade attack which not only exposes your password to a dictionary attack, but also makes it fairly simple for an attacker to gain access to the server as you _without_ carrying out such an attack.


If you're going to depend on TLS to protect CRAM-MD5 or HTTP Digest or plaintext passwords, you need to know in advance that you're doing so, and properly validate the server's certificate.

-- Jeff
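An added example, not from the thread, modelling the decision Jeff describes: a client that lets run-time discovery (the SRV answer) decide whether TLS is used can be steered onto plaintext by anyone who can tamper with DNS or the connection, while a client configured in advance to require TLS and validate the certificate either gets a validated TLS session or refuses to authenticate. The class names, the scenario values and the policy table are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientPolicy:
    require_tls: bool      # decided by configuration, before any lookup
    validate_cert: bool    # check chain and host name before sending credentials


@dataclass(frozen=True)
class Observed:
    imaps_srv_seen: bool   # an _imaps._tcp SRV answer arrived (an attacker can drop it)
    cert_valid: bool       # presented cert chains to a trusted CA for the expected host


def plan(policy: ClientPolicy, obs: Observed) -> tuple[str, str]:
    """Return (transport, action): what the client does before AUTHENTICATE/LOGIN."""
    if policy.require_tls:
        use_tls = True                  # fixed in advance; discovery cannot change it
    else:
        use_tls = obs.imaps_srv_seen    # opportunistic: trusts whatever the lookup said
    if not use_tls:
        return ("plaintext", "send-credentials")
    if policy.validate_cert and not obs.cert_valid:
        return ("tls", "abort")         # refuse rather than talk to an impostor
    return ("tls", "send-credentials")


def exposed_to_on_path_attacker(policy: ClientPolicy, obs: Observed) -> bool:
    """True if, in this scenario, the CRAM-MD5 / Digest / plaintext exchange reaches
    someone on the path: it went in the clear, or TLS terminated at an endpoint whose
    certificate did not validate and the client sent credentials anyway."""
    transport, action = plan(policy, obs)
    if action == "abort":
        return False
    if transport == "plaintext":
        return True
    return not obs.cert_valid


if __name__ == "__main__":
    # Constructed scenario: the attacker suppresses the SRV answer and, if the
    # client still connects with TLS, presents a certificate of their own.
    attack = Observed(imaps_srv_seen=False, cert_valid=False)
    policies = {
        "opportunistic": ClientPolicy(require_tls=False, validate_cert=True),
        "tls-no-validation": ClientPolicy(require_tls=True, validate_cert=False),
        "tls-validated": ClientPolicy(require_tls=True, validate_cert=True),
    }
    for name, pol in policies.items():
        print(name, plan(pol, attack), exposed_to_on_path_attacker(pol, attack))
```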

_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.