Re: [suse-security] Plaintext passwords IMAP please!

On Wednesday 14 January 2004 17:27, David Fetter wrote:
> I think that disabling plain text password authentication by default is
> a good move for SuSE.  If you're still using plain text passwords then
> something is wrong.  There are very few email clients that don't support
> SSL these days.  Things like telnet and ftp are obsolete (or should be)
> due to SSH and SFTP.  Even Cisco ships their IOS with ssh authentication
> nowadays.  The fact of the matter is that over half of security breaches
> are from internal sources, so having a "firewall" isn't the end of
> security.  If you believe that the data you're securing isn't important
> enough to need secure password authentication then perhaps that's
> acceptable to your company.  To have decent security in place requires a
> layered security approach, meaning that you have more than one piece to
> secure everything.  Setting up SSL is really not that hard, and using it
> on the clients usually only requires you to check a box.  I would
> strongly suggest that you invest the time to use SSL for your email
> authentication, but obviously the end decision is based on the cost
> difference between doing that versus the risk of losing your data.  The
> paranoia that SuSE is displaying here is simply derived from basic
> modern security principles.

I would fully agree with you (I haven't talked to a telnet server in 7 years)
if it weren't for the fact that one often-used application of imapd is to
have it listening on localhost _only_ and have squirrelmail or another
webmail app talk to it. This latest change breaks that.

The same goes for telnet. Although it shouldn't be used to build a traditional
connection, it serves me often to check services ('telnet hostname 25') so
removing telnet "because it's insecure" would be a bad move.
I'm speaking hypothetically of course, but you get the point.
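As an added check that is not part of this thread: a small Python script that connects to an imapd, reads the capabilities it advertises, and reports whether a plaintext LOGIN would be accepted and whether the server was reached over loopback (the webmail-on-localhost case above) or a routable address. The sample capability tuples and the 192.0.2.x address in the comments are constructed; `probe()` assumes Python 3.9+ for imaplib's `timeout` argument.

```python
import imaplib
import ipaddress

# Constructed sample capability sets (not captured from any real server).
SAMPLE_LOCAL_CAPS = ("IMAP4REV1", "AUTH=PLAIN", "AUTH=LOGIN")
SAMPLE_PUBLIC_CAPS = ("IMAP4REV1", "STARTTLS", "LOGINDISABLED", "AUTH=PLAIN")
SAMPLE_BAD_CAPS = ("IMAP4REV1", "AUTH=PLAIN")


def is_loopback(addr):
    """True for 127.0.0.0/8, ::1 and the literal name 'localhost'."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr.lower() == "localhost"


def assess(caps, peer_addr):
    """Classify a server by its CAPABILITY list and the address it was reached on.

    RFC 3501: a server advertising LOGINDISABLED refuses LOGIN (and, by
    convention, plaintext SASL mechanisms) until TLS has been negotiated.
    """
    caps = {c.upper() for c in caps}
    if "LOGINDISABLED" in caps:
        return "ok: plaintext login disabled until TLS"
    if is_loopback(peer_addr):
        return "ok: plaintext login accepted, but reached over loopback (webmail-on-localhost case)"
    if "STARTTLS" in caps:
        return "warn: plaintext login accepted on a non-loopback address (STARTTLS offered, not required)"
    return "fail: plaintext login accepted on a non-loopback address with no TLS at all"


def probe(host, port=143, timeout=5):
    """Connect over plain IMAP, read the advertised capabilities, and assess them."""
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        caps = conn.capabilities            # filled by imaplib from the greeting/CAPABILITY
        peer = conn.sock.getpeername()[0]   # the address we actually reached
    finally:
        conn.logout()
    return assess(caps, peer)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```

Run it against the host your webmail uses: an imapd that only ever answers on 127.0.0.1 comes back "ok", while the same capability set on a routable address is flagged.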