Niklas Gustavsson wrote:
> Dave Roberts wrote:
>> Niklas Gustavsson wrote:
>>> What would you all think of this, would it be useful?
>> Sounds useful to me. Sometimes it's the operator of the server that
>> wants to protect the data, and the client users don't care.
>> Enforcing this seems a good solution. Whilst there, it'd be useful
>> to enforce that SSL is running before the client sends the USER
>> command, to stop passwords being given away.
>
> Since the USER command is sent on the control socket, you can already
> enforce this using implicit SSL. Or, am I misunderstanding something?

That's true, I was thinking about ensuring both the USER/PASS and the data connections were secured. If a change is made to ensure that SSL is in place for the data channels only, then the user could end up doing a login in the clear, resulting in the credentials being revealed.
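
Added example, not part of the original thread or of the project's code: a small Python model of the two enforcement points discussed above, refusing USER/PASS until the control connection is secured and refusing data commands until the data channel is protected. The class, function and option names, the sample session and the reply codes are assumptions made for this sketch.

```python
# Added sketch: hypothetical names, constructed sample session.
DATA_CMDS = {"LIST", "NLST", "MLSD", "RETR", "STOR", "STOU", "APPE"}
LOGIN_CMDS = {"USER", "PASS"}


class ControlPolicy:
    """Tracks TLS state on one FTP control connection and vets each command."""

    def __init__(self, implicit_tls=False, require_tls_login=True,
                 require_private_data=True):
        self.control_secured = implicit_tls   # implicit SSL: TLS before any command
        self.data_private = False             # data channel is clear until PROT P
        self.require_tls_login = require_tls_login
        self.require_private_data = require_private_data

    def check(self, line):
        """Return None if the command may proceed, else (reply_code, text)."""
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip().upper()
        if verb == "AUTH" and arg in ("TLS", "SSL"):
            # Sketch assumes the TLS handshake that follows succeeds.
            self.control_secured, self.data_private = True, False
        elif verb == "PROT":
            if not self.control_secured:
                return 503, "PROT requires a secured control connection"
            if arg != "P" and self.require_private_data:
                return 534, "Only PROT P is accepted"
            self.data_private = arg == "P"
        elif verb in LOGIN_CMDS and self.require_tls_login and not self.control_secured:
            return 530, "Secure the control connection before logging in"
        elif verb in DATA_CMDS and self.require_private_data and not self.data_private:
            return 521, "Data connection must be protected (PROT P)"
        return None


def rejected(commands, **policy_options):
    """Run a command sequence through the policy; list (verb, code) refusals."""
    policy = ControlPolicy(**policy_options)
    out = []
    for line in commands:
        verdict = policy.check(line)
        if verdict:
            out.append((line.split()[0].upper(), verdict[0]))
    return out


# Constructed session: login in the clear, then TLS, then a protected transfer.
CLEAR_LOGIN = ["USER alice", "PASS example", "AUTH TLS", "PBSZ 0", "PROT P",
               "RETR report.txt"]

if __name__ == "__main__":
    print(rejected(CLEAR_LOGIN, require_tls_login=False))  # data-only enforcement
    print(rejected(CLEAR_LOGIN))                           # both enforced
```

With only the data-channel rule switched on, the constructed session passes without a single refusal even though USER and PASS crossed the wire in the clear, which is the gap the reply above describes.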