fanf

Secure IMAP and POP

2nd Jan 2007 | 17:46

I've just rolled out some changes to our POP and IMAP servers, which have become possible because all our users are now logging in over TLS. For the last year, while we have been working towards getting all users' settings secured, there has been a small weakness in the way we enforced secure logins. The server had to receive the username before it could decide whether or not to allow an insecure login. This means that when a supposedly secure user accidentally uses insecure settings (e.g. because they are reconfiguring a new MUA), they are likely to expose their password, because the login conversation goes too far before it is aborted.

The changes are just a few pedantic tweaks to the way our servers speak IMAP and POP.

In POP, the client logs in by issuing a USER command, which states the username, followed by a PASS command with the password. The server now rejects insecure login attempts after the USER command, before the password is transmitted. There is a corresponding change to the server's capability list, which omits the USER command until TLS has been established.

IMAP is less helpful to us because its LOGIN command transmits the username and password all at once (although this saves a round trip, so it is faster). However, we can still put LOGINDISABLED in the server's capability list, which will help clients that use it. The other IMAP improvement is to include the capability list in the server banner, which saves another round trip: a noticeable improvement for GPRS users.

This should be invisible to users, but makes the service safer, especially for wireless access.
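
The following Python sketch is an added example, not code from this post or from the servers it describes. It models the pre-TLS behaviour described above for both protocols and records which lines a misconfigured client puts on the wire in cleartext; the class names, reply strings and capability sets are assumptions.

```python
# Added illustration, not the real servers' code. Names, reply texts and
# capability sets are assumptions; TLS itself is modelled as a boolean.
class Pop3Server:
    tls = False  # set to True once TLS has been established

    def capa(self):
        # USER is advertised only after TLS is up; STLS only before.
        return ["TOP", "UIDL", "USER" if self.tls else "STLS"]

    def handle(self, line):
        verb = line.split(" ", 1)[0].upper()
        if verb in ("USER", "PASS") and not self.tls:
            return "-ERR TLS required before login"
        return "+OK"

class ImapServer:
    tls = False

    def capabilities(self):
        if self.tls:
            return ["IMAP4rev1", "AUTH=PLAIN"]
        return ["IMAP4rev1", "STARTTLS", "LOGINDISABLED"]

    def greeting(self):
        # Capabilities ride in the banner, saving a CAPABILITY round trip.
        return "* OK [CAPABILITY %s] ready" % " ".join(self.capabilities())

    def handle(self, line):
        tag, verb = line.split(" ", 2)[:2]
        if verb.upper() == "LOGIN" and not self.tls:
            return tag + " NO LOGIN disabled until STARTTLS"
        return tag + " OK"

def pop3_cleartext_login(server, user, password):
    """Misconfigured client without TLS; returns the lines it sent."""
    wire = ["USER " + user]
    if server.handle(wire[-1]).startswith("+OK"):
        wire.append("PASS " + password)  # never reached before TLS
    return wire

def imap_cleartext_login(server, user, password, honours_caps):
    """Same for IMAP; honours_caps means the client checks the banner first."""
    banner_caps = server.greeting().split("]")[0].split()
    if honours_caps and "LOGINDISABLED" in banner_caps:
        return []
    wire = ["a1 LOGIN %s %s" % (user, password)]  # password already exposed
    server.handle(wire[-1])  # the NO reply arrives too late to help
    return wire
```

The POP client exposes only the username, while an IMAP client that ignores LOGINDISABLED has already sent the password by the time the server refuses.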


Comments {3}

Now these points of data make a beautiful line

from: mstevens
date: 2nd Jan 2007 22:39 (UTC)

Why choose TLS over SSL?


Tony Finch

from: fanf
date: 2nd Jan 2007 23:00 (UTC)

TLS == SSL modulo version numbers. The convention that IMAP+SSL=imaps and IMAP+TLS=STARTTLS is common but incorrect according to pedants like me, and isn't all that important.


Now these points of data make a beautiful line

from: mstevens
date: 3rd Jan 2007 21:25 (UTC)

I had a fuzzy mental image that TLS was generally set up after the connection had possibly been going for a while, whereas SSL was set up on connection startup.

My logic being that if you used SSL you'd then avoid the risk from misconfigured clients, because they wouldn't be able to set up a connection at all if they had SSL disabled.
