On Feb 12, 2009, at 2:49 PM, Jason Voorhees wrote:
Hi people: A friend of mine is asking me about security risks of using IMAP & POP3 protocols. Why? Because a sales person told my friend that IMAP protocol is less secure than POP3 protocol. This assumption is not related to Cyrus IMAP, instead is related only to the protocols. I'm searching at Google something about POP3 & IMAP security but I'm not pretty sure about comments I can found in forums or other sites. Does anybody here know anything about security risk of these protocols? Is it true that one of them is less secure than the other one?
I suppose that depends on one's definition of "security". There are secure authentication mechanisms available for both protocols, and you can use TLS. The more complex an application is the more opportunity there is for programmers to make mistakes or not properly validate inputs. Since IMAP is vastly more complicated that POP in it's operation, one could argue that an IMAP implementation is more likely to have exploitable bugs.
Peter
---- Cyrus Home Page: http://cyrusimap.web.cmu.edu/ Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
