[Dev] IMAP and SMTP accounts defined in external parcel
Heikki Toivonen
heikki at osafoundation.org
Mon Apr 4 11:49:29 PDT 2005
RL 'Bob' Morgan wrote:
> With STARTTLS, a site like ours that wants to protect people's passwords
> can set our IMAP servers to advertise TLS and require that it be
> negotiated by a client in order to log in (or they can use
> SASL/GSS/Kerberos, but that's another story). A client that has been
> thoughtfully designed will be set to use TLS if it is offered by the
> server. This way the client will work just fine, securely, with our
> site *without the user having to configure it*. And it will still work
> fine with plain old sites that just use cleartext. So everybody wins.
> But note this means that the client has to ship with "use TLS if
> offered" as a default. It is sometimes argued that client providers
IMO the "Use TLS if available" option sucks. When a user has that set, they
won't know if the traffic is encrypted or not. From a usability point of view it
is great, of course. But from a security point of view it would be better
to try and force SSL/TLS and only if that did not work ask the user if
it would be ok to try unencrypted.
--
Heikki Toivonen
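The two client policies argued over above, "use TLS if offered" versus "require TLS and ask before falling back", as an added illustration that is not part of the original thread and not Chandler's code. It models only the decision a client makes after reading the server's untagged `* CAPABILITY` response; the CAPABILITY lines, the `Policy`/`Decision` names and the `decide()` function are all constructed here. The point it makes concrete is the one in the reply: under the opportunistic policy a response with no STARTTLS token leads straight to a cleartext login, and the client cannot tell whether the server never supported TLS or the advertisement simply never reached it, so the user is never informed. The required policy fails closed on the same input and hands the choice to the user.

```python
"""Client-side STARTTLS policy for IMAP: opportunistic vs. required.

Added example; the capability lines below are constructed, not captured
from any real server.
"""
from enum import Enum

# Constructed sample untagged CAPABILITY responses (RFC 3501 style).
CAPS_WITH_STARTTLS = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=PLAIN"
CAPS_PLAIN_ONLY = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"


class Policy(Enum):
    """Client-side TLS policy (names are this example's own)."""
    OPPORTUNISTIC = "use TLS if offered, otherwise log in anyway"
    REQUIRED = "require TLS; ask the user before any cleartext login"


class Decision(Enum):
    """What the client does next, before it sends any credentials."""
    STARTTLS = "negotiate TLS, then log in"
    PLAINTEXT = "log in over cleartext without telling the user"
    ASK_USER = "stop and ask the user whether cleartext is acceptable"


def parse_capabilities(line: str) -> set:
    """Split an untagged '* CAPABILITY ...' response into upper-cased tokens."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] != "*" or parts[1].upper() != "CAPABILITY":
        raise ValueError(f"not a CAPABILITY response: {line!r}")
    return {token.upper() for token in parts[2:]}


def decide(capability_line: str, policy: Policy) -> Decision:
    """Choose the next step from the advertised capabilities and the policy.

    Both policies take STARTTLS when it is advertised. They differ only when
    it is absent: opportunistic goes to cleartext silently, required asks.
    """
    caps = parse_capabilities(capability_line)
    if "STARTTLS" in caps:
        return Decision.STARTTLS
    if policy is Policy.OPPORTUNISTIC:
        return Decision.PLAINTEXT
    return Decision.ASK_USER


def compare_policies(capability_line: str) -> dict:
    """Return {policy: decision} for one response, for side-by-side display."""
    return {policy: decide(capability_line, policy) for policy in Policy}


if __name__ == "__main__":
    for label, line in (("server advertises STARTTLS", CAPS_WITH_STARTTLS),
                        ("no STARTTLS token seen", CAPS_PLAIN_ONLY)):
        print(f"{label}: {line}")
        for policy, decision in compare_policies(line).items():
            print(f"  {policy.name:13} -> {decision.value}")
```

Note that the second input is the same bytes whether the server is a "plain old site" or the STARTTLS token went missing between server and client; only the required policy surfaces that situation to the user, which is the property the reply is asking for.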