Re: Security risk of POP3 IMAP protocols
On 13 Feb 09, at 0149, Joseph Brennan wrote:

> The protocol itself is no less secure than POP.

Security isn't about protocols, it's about systems, and I suspect POP3 vs IMAP is metonymic for local vs remote mail storage. I can see an argument that says that one problem with IMAP is that your entire mail store, which is much more interesting to an attacker than a message in flight or your current mail pending collection a la POP3, is under someone else's control. So if, say, you use a whole disk encryption product, mail delivered via traditional POP3 will be wrapped in the arms of the encryption immediately after collection, while mail stored on a remote server and accessed via IMAP will have whatever security features the server has.

If you control the IMAP server (for some suitable value of `you') then a risk assessment is the same task in both scenarios. However, if, as is common in many situations, the IMAP server isn't within the scope of a risk assessment, then I can imagine that your 27001 life is a little easier if you don't have a large pool of potentially sensitive data under someone else's (for some value of `someone else') control. Data at rest is a different class of problem to data in motion, and IMAP implies a _lot_ of data at rest.

To make this more concrete, imagine you're an HR department within a large enterprise, handling job applications, CVs, disciplinary processes, dismissals, etc. You need to demonstrate your compliance with your local data protection regulations. The theft of a day's email would be severely embarrassing, but is analogous to the theft of a day's postal mail: a risk which most businesses would accept. It would expose limited amounts of information about a small subset of your employees. However, the theft of a year's or a decade's email would expose substantial information about a large percentage of your employees, and would be analogous to allowing a few filing cabinets to be stolen.

Your email system is run by your corporation's IT function in another jurisdiction which has laxer data protection laws --- say, an EU company whose head office is in the USA. Do you (a) store all your long term records in the other jurisdiction or (b) store them locally?

Now I'm not defending the argument, and indeed here we have ~4TB of email on our Cyrus servers. But I don't think the position is entirely without merit, and having gone through the simplifying and distorting mirror of sales droids I can see where it's come from...

ian

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: Security risk of POP3 IMAP protocols
Jason Voorhees wrote:

JV> a sales person told my friend that IMAP protocol is
JV> less secure than POP3 protocol.

Other people have covered the IMAP vs POP3 issues - Ian Batten most comprehensively - but one comment I would add is that if you make either service available to the open internet, even under SSL encryption, password-based authentication is still susceptible to dictionary attack. So IMAP and/or POP3 (and/or SMTP AUTH) should be included in the list of things you rate limit, monitor for bad password attempts, and lock remote hosts out of if they do things that look suspicious.

Cheers

Duncan

--
Duncan Gibb, Technical Director
Sirius Corporation plc - The Open Source Experts
http://www.siriusit.co.uk/ || +44 870 608 0063
Re: Security risk of POP3 IMAP protocols
On Fri, 2009-02-13 at 13:17 +, Duncan Gibb wrote:
> Jason Voorhees wrote:
>
> JV> a sales person told my friend that IMAP protocol is
> JV> less secure than POP3 protocol.
>
> Other people have covered the IMAP vs POP3 issues - Ian Batten most comprehensively - but one comment I would add is that if you make either service available to the open internet, even under SSL encryption, password-based authentication is still susceptible to dictionary attack. So IMAP and/or POP3 (and/or SMTP AUTH) should be included in the list of things you rate limit, monitor for bad password attempts, and lock remote hosts out of if they do things that look suspicious.

True; but really none of those good practices is specific to any protocol. The exact same charge could be leveled against HTTP, FTP, SSH, etc... and if you use certificate/PKI authentication you run the risk that someone could steal the private keys (and it isn't hard to make a setup where that is comically easy). It is really far and away more about end-to-end security practices than it is the OSI layer 7 protocol(s) involved.

I stand by my assertion that the IMAP vs. POP issue is 100% bogosity.
[OT] Re: Security risk of POP3 IMAP protocols
Adam Tauno Williams wrote:

JV> a sales person told my friend that IMAP protocol is
JV> less secure than POP3 protocol.

ATW> It is really far and away more about end-to-end security
ATW> practices than it is the OSI layer 7 protocol(s) involved.

Indeed.

ATW> I stand by my assertion that the IMAP vs. POP issue is 100% bogosity.

Yep; I agree. Perhaps the sales person is pushing a mail system which doesn't speak IMAP (if such a thing exists).

Duncan

--
Duncan Gibb, Technical Director
Sirius Corporation plc - The Open Source Experts
http://www.siriusit.co.uk/ || +44 870 608 0063
Re: Security risk of POP3 IMAP protocols
On Fri, Feb 13, 2009 at 09:13:40AM -0500, Adam Tauno Williams wrote:
> On Fri, 2009-02-13 at 13:17 +, Duncan Gibb wrote:
> > Jason Voorhees wrote:
> >
> > JV> a sales person told my friend that IMAP protocol is
> > JV> less secure than POP3 protocol.
> >
> > Other people have covered the IMAP vs POP3 issues - Ian Batten most comprehensively - but one comment I would add is that if you make either service available to the open internet, even under SSL encryption, password-based authentication is still susceptible to dictionary attack. So IMAP and/or POP3 (and/or SMTP AUTH) should be included in the list of things you rate limit, monitor for bad password attempts, and lock remote hosts out of if they do things that look suspicious.

That got me thinking: I rate limit ssh connections to try to prevent dictionary attacks (3 attempts/3 minutes/IP address). If I were to do the same with IMAP, would that cause problems with some clients, i.e. are there some clients that do too many connects/disconnects?

> True; but really none of those good practices is specific to any protocol. The exact same charge could be leveled against HTTP, FTP, SSH, etc... and if you use certificate/PKI authentication you run the risk that someone could steal the private keys (and it isn't hard to make a setup where that is comically easy). It is really far and away more about end-to-end security practices than it is the OSI layer 7 protocol(s) involved.

--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
Past chairman of UKUUG: http://www.ukuug.org/
#include <std_disclaimer.h>
Re: Security risk of POP3 IMAP protocols
Alain Williams wrote:
> That got me thinking: I rate limit ssh connections to try to prevent dictionary attacks (3 attempts/3 minutes/IP address). If I were to do the same with IMAP, would that cause problems with some clients, i.e. are there some clients that do too many connects/disconnects?

Webmail is the first one that comes to mind.

Thanks,

Dave

--
Dave McMurtrie, SPE
Email Systems Team Leader
Carnegie Mellon University, Computing Services
Re: Security risk of POP3 IMAP protocols
--On 13 February 2009 14:35:43 + Alain Williams <a...@phcomp.co.uk> wrote:
> That got me thinking: I rate limit ssh connections to try to prevent dictionary attacks (3 attempts/3 minutes/IP address). If I were to do the same with IMAP, would that cause problems with some clients, i.e. are there some clients that do too many connects/disconnects?

Yes. Anything that opens a bunch of mailboxes at the same time might be doing way more than that. You should be measuring failed attempts, not attempts.

--
Ian Eiloart
IT Services, University of Sussex
x3148
Re: Security risk of POP3 IMAP protocols
On Thu, Feb 12, 2009 at 5:49 PM, Jason Voorhees <jvoorhe...@gmail.com> wrote:
> Hi people:
>
> A friend of mine is asking me about security risks of using IMAP POP3 protocols. Why? Because a sales person told my friend that IMAP protocol is less secure than POP3 protocol. This assumption is not related to Cyrus IMAP; instead it is related only to the protocols. I'm searching on Google for something about POP3 IMAP security, but I'm not pretty sure about comments I can find in forums or other sites.
>
> Does anybody here know anything about security risk of these protocols? Is it true that one of them is less secure than the other one?
>
> Thanks, bye

Thanks everyone for your replies, they were good answers with different points of view. Actually, I made a mistake writing my post: my friend told me that the sales person believes that POP3 has security problems and is vulnerable, so recommends IMAP as a replacement for use by final users. Anyway, it doesn't matter what the sales person really said, because I can see now that the argument for using one protocol instead of the other one depends much on the context.

The POP3/IMAP server (now running Zimbra) is running at my friend's office with all his users using POP3. I will migrate its mailserver to Cyrus + MTA + other components... and they plan to use IMAP now. I will explain to him every point of view that you shared with me.

Thanks again :)
Re: Security risk of POP3 IMAP protocols
On Fri, Feb 13, 2009 at 03:21:06PM +, Ian Eiloart wrote:
> --On 13 February 2009 14:35:43 + Alain Williams <a...@phcomp.co.uk> wrote:
> > That got me thinking: I rate limit ssh connections to try to prevent dictionary attacks (3 attempts/3 minutes/IP address). If I were to do the same with IMAP, would that cause problems with some clients, i.e. are there some clients that do too many connects/disconnects?
>
> Yes. Anything that opens a bunch of mailboxes at the same time might be doing way more than that. You should be measuring failed attempts, not attempts.

Yes, but I do the rate limiting with iptables (Linux firewall). I don't know how to feed back failed attempts to iptables.

--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
Past chairman of UKUUG: http://www.ukuug.org/
#include <std_disclaimer.h>
Re: Security risk of POP3 IMAP protocols
Alain Williams wrote, at 02/13/2009 10:30 AM:
> On Fri, Feb 13, 2009 at 03:21:06PM +, Ian Eiloart wrote:
> > --On 13 February 2009 14:35:43 + Alain Williams <a...@phcomp.co.uk> wrote:
> > > That got me thinking: I rate limit ssh connections to try to prevent dictionary attacks (3 attempts/3 minutes/IP address). If I were to do the same with IMAP, would that cause problems with some clients, i.e. are there some clients that do too many connects/disconnects?
> >
> > Yes. Anything that opens a bunch of mailboxes at the same time might be doing way more than that. You should be measuring failed attempts, not attempts.
>
> Yes, but I do the rate limiting with iptables (Linux firewall). I don't know how to feed back failed attempts to iptables.

I have yet to encounter an automated brute force attack that negotiates STARTTLS, SSL or any of the more secure SASL mechanisms. In time, this will probably change, but you will get more bang for your buck now if you enforce encrypted connections. You can still run an unencrypted port on localhost (or restrict access another way) if you need it for webmail.
Re: Security risk of POP3 IMAP protocols
--On 13 February 2009 15:30:46 + Alain Williams <a...@phcomp.co.uk> wrote:
> On Fri, Feb 13, 2009 at 03:21:06PM +, Ian Eiloart wrote:
> > --On 13 February 2009 14:35:43 + Alain Williams <a...@phcomp.co.uk> wrote:
> > > That got me thinking: I rate limit ssh connections to try to prevent dictionary attacks (3 attempts/3 minutes/IP address). If I were to do the same with IMAP, would that cause problems with some clients, i.e. are there some clients that do too many connects/disconnects?
> >
> > Yes. Anything that opens a bunch of mailboxes at the same time might be doing way more than that. You should be measuring failed attempts, not attempts.
>
> Yes, but I do the rate limiting with iptables (Linux firewall). I don't know how to feed back failed attempts to iptables.

Hmm, and for the webmail case, you'd want to do failed attempts per username per minute, not per IP address. Or, exempt your webmail server.

Apple Mail is a case in point: it checks for new mail in your INBOX or all of your mailboxes in parallel. I've seen it open dozens of connections from a single user, simultaneously.

--
Ian Eiloart
IT Services, University of Sussex
x3148
Re: Security risk of POP3 IMAP protocols
On Fri, 13 Feb 2009, Alain Williams wrote:

> From: Alain Williams <a...@phcomp.co.uk>
> To: Cyrus Mailing List <info-cyrus@lists.andrew.cmu.edu>
> Date: Fri, 13 Feb 2009 15:30:46 +
> Subject: Re: Security risk of POP3 IMAP protocols
>
> ...
>
> > Yes. Anything that opens a bunch of mailboxes at the same time might be doing way more than that. You should be measuring failed attempts, not attempts.
>
> Yes, but I do the rate limiting with iptables (Linux firewall). I don't know how to feed back failed attempts to iptables.

There are probably several ways to do this. But, as a suggestion, have a look at sshblack from:

http://www.pettingers.org/code/sshblack.html

It's intended for use against ssh brute-force attempts. However it's a perl script running tail on a log looking for suspicious activity. So it should be easily adaptable for other purposes, along with the iptables scripts included. I expect the only wrinkle with IMAP is that you'll want to block both port 143 and 993.

I fire up a small IMAP server with:

CYRUS_VERBOSE=1 ...

and keep the logs separate. Failed login attempts show up in the logs as lines of the form:

Feb 13 15:42:25 bahamontes imap[10596]: badlogin: hinault.bath.ac.uk [138.38.56.28] PLAIN [SASL(-13): authentication failure: Password verification failed]

so it should be easy for a perl script to pick out the badly-behaved client.

As others have pointed out, webmail servers are a particular pain. You'll probably need to whitelist your own webmail servers. Otherwise the external blackhats will be able to persuade your IMAP server to deny access to your webmail server(s). A neat DOS attack *and* lots of unhappy customers! You should also consider how you'd harden up your webmail servers against brute force attacks. Not sure how you'd do that, as many, if not all, webmail servers rely on the IMAP server to validate the connection.

Usual disclaimer: I've never tried doing this myself. This advice is worth what you paid for it.

--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
d.h.da...@bath.ac.uk Phone: +44 1225 386101
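As an added example (not code from this thread, from sshblack or from the Cyrus project), here is the "tail the log, count failures, feed iptables" loop that Duncan, Alain, Ian and Dennis have been circling, written in Python so it can be run offline against a handful of constructed log lines. It does three things the discussion asked for: it keys on the `badlogin:` line shape Dennis quoted rather than on connection counts, so a client that opens dozens of parallel sessions is never penalised; it keeps a sliding window per source IP (3 failures in 180 s, mirroring Alain's ssh policy, both values illustrative); and it whitelists your own webmail servers so an attacker cannot use them to get your webmail locked out. The year, the whitelist address, the sample hosts other than the one Dennis quoted, and the DROP rules on ports 143 and 993 are all assumptions; nothing here executes iptables, the functions only return the commands you would run.

```python
#!/usr/bin/env python3
"""Turn Cyrus 'badlogin' syslog lines into per-IP iptables block decisions.

Added example, not from the thread, sshblack or Cyrus. Assumed: log lines
look like 'badlogin: host [ip] MECH [reason]' as quoted above; the 3 / 180 s
policy, the whitelist and the DROP rule format are illustrative choices.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Feb 13 15:42:25 bahamontes imap[10596]: badlogin: hinault.bath.ac.uk [138.38.56.28] PLAIN [SASL(-13): ...]
BADLOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<svc>imaps?|pop3s?)\[\d+\]: "
    r"badlogin: (?P<host>\S+) \[(?P<ip>[0-9a-fA-F.:]+)\] (?P<mech>\S+) \[(?P<reason>[^\]]*)\]"
)


def parse_badlogin(line, year=2009):
    """Return (timestamp, ip, mech, reason) for a badlogin line, else None.

    syslog lines carry no year, so the caller supplies one (2009 assumed here).
    """
    m = BADLOGIN_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["mech"], m["reason"]


class FailureTracker:
    """Sliding-window count of *failed* logins per source IP (never of connections)."""

    def __init__(self, threshold=3, window_seconds=180, whitelist=()):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.whitelist = set(whitelist)          # e.g. your own webmail servers
        self.failures = defaultdict(deque)        # ip -> failure timestamps still in window
        self.blocked = set()

    def observe(self, ts, ip):
        """Record one failure at `ts`; return True the moment `ip` should be blocked."""
        if ip in self.whitelist or ip in self.blocked:
            return False
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                      # forget failures older than the window
        if len(recent) >= self.threshold:
            self.blocked.add(ip)
            return True
        return False


def iptables_rules(ip, ports=(143, 993)):
    """Commands to drop `ip` from both IMAP and IMAPS (returned, not executed)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for port in ports]


def process_log(lines, tracker):
    """Run log lines through `tracker`; return {ip: [iptables commands]} for new blocks."""
    actions = {}
    for line in lines:
        parsed = parse_badlogin(line)
        if parsed is None:
            continue                              # not a badlogin line: ignore it
        ts, ip, _mech, _reason = parsed
        if tracker.observe(ts, ip):
            actions[ip] = iptables_rules(ip)
    return actions


# Constructed sample log: one brute-forcer, one whitelisted webmail host whose
# users mistype passwords, one slow source that never fills the window, one noise line.
_BAD = "badlogin: {host} [{ip}] PLAIN [SASL(-13): authentication failure: Password verification failed]"
SAMPLE_LOG = [
    "Feb 13 15:42:25 bahamontes imap[10596]: " + _BAD.format(host="hinault.bath.ac.uk", ip="138.38.56.28"),
    "Feb 13 15:42:31 bahamontes imap[10597]: " + _BAD.format(host="hinault.bath.ac.uk", ip="138.38.56.28"),
    "Feb 13 15:42:40 bahamontes imap[10598]: " + _BAD.format(host="hinault.bath.ac.uk", ip="138.38.56.28"),
    "Feb 13 15:43:02 bahamontes imap[10599]: " + _BAD.format(host="webmail.example.org", ip="192.0.2.10"),
    "Feb 13 15:43:05 bahamontes imap[10600]: " + _BAD.format(host="webmail.example.org", ip="192.0.2.10"),
    "Feb 13 15:43:09 bahamontes imap[10601]: " + _BAD.format(host="webmail.example.org", ip="192.0.2.10"),
    "Feb 13 15:50:00 bahamontes imap[10602]: " + _BAD.format(host="slow.example.net", ip="198.51.100.7"),
    "Feb 13 15:55:00 bahamontes imap[10603]: " + _BAD.format(host="slow.example.net", ip="198.51.100.7"),
    "Feb 13 16:00:00 bahamontes imap[10604]: " + _BAD.format(host="slow.example.net", ip="198.51.100.7"),
    "Feb 13 16:00:01 bahamontes master[1234]: constructed unrelated line the parser must ignore",
]


def main():
    tracker = FailureTracker(threshold=3, window_seconds=180, whitelist={"192.0.2.10"})
    for ip, commands in process_log(SAMPLE_LOG, tracker).items():
        print(f"# {ip}: {tracker.threshold} failed logins within {tracker.window.seconds}s")
        print("\n".join(commands))


if __name__ == "__main__":
    main()
```

Run as a script it prints the two DROP rules for 138.38.56.28 and nothing for the other two sources. Two caveats Ian raised remain: the quoted line carries no username, so this keys on IP and can only exempt webmail by address; per-username throttling for webmail users has to live in the webmail application itself, and whatever inserts the rules also needs to expire them, otherwise a DHCP pool or a NAT gateway stays blocked forever.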
Re: Security risk of POP3 IMAP protocols
On Fri, 13 Feb 2009, Ian Batten wrote:
> On 13 Feb 09, at 0149, Joseph Brennan wrote:
>
> > The protocol itself is no less secure than POP.
>
> Security isn't about protocols, it's about systems, and I suspect POP3 vs IMAP is metonymic for local vs remote mail storage. I can see an argument that says that one problem with IMAP is that your entire mail store, which is much more interesting to an attacker than a message in flight or your current mail pending collection a la POP3, is under someone else's control. So if, say, you use a whole disk encryption product, mail delivered via traditional POP3 will be wrapped in the arms of the encryption immediately after collection, while mail stored on a remote server and accessed via IMAP will have whatever security features the server has.
>
> If you control the IMAP server (for some suitable value of `you') then a risk assessment is the same task in both scenarios. However, if, as is common in many situations, the IMAP server isn't within the scope of a risk assessment, then I can imagine that your 27001 life is a little easier if you don't have a large pool of potentially sensitive data under someone else's (for some value of `someone else') control. Data at rest is a different class of problem to data in motion, and IMAP implies a _lot_ of data at rest.
>
> To make this more concrete, imagine you're an HR department within a large enterprise, handling job applications, CVs, disciplinary processes, dismissals, etc. You need to demonstrate your compliance with your local data protection regulations. The theft of a day's email would be severely embarrassing, but is analogous to the theft of a day's postal mail: a risk which most businesses would accept. It would expose limited amounts of information about a small subset of your employees. However, the theft of a year's or a decade's email would expose substantial information about a large percentage of your employees, and would be analogous to allowing a few filing cabinets to be stolen.
>
> Your email system is run by your corporation's IT function in another jurisdiction which has laxer data protection laws --- say, an EU company whose head office is in the USA. Do you (a) store all your long term records in the other jurisdiction or (b) store them locally?
>
> Now I'm not defending the argument, and indeed here we have ~4TB of email on our Cyrus servers. But I don't think the position is entirely without merit, and having gone through the simplifying and distorting mirror of sales droids I can see where it's come from...

The flip side of the compliance issue is that it's a LOT easier to control retention policies (including backups) on a central server than on everybody's individual desktops/laptops.

As for the concerns about laxer data security in other jurisdictions, that's something that needs to be addressed when you outsource your mail (via contract with whoever you are having host your mail for you).

David Lang
Re: Security risk of POP3 IMAP protocols
David Lang wrote:
> The flip side of the compliance issue is that it's a LOT easier to control retention policies (including backups) on a central server than on everybody's individual desktops/laptops.
>
> As for the concerns about laxer data security in other jurisdictions, that's something that needs to be addressed when you outsource your mail (via contract with whoever you are having host your mail for you).

I worked at one organization that supported ONLY POP3. No IMAP was offered. Each client was configured to download all messages and not leave a copy on the server. This was a policy that the University group I worked with at that time used for FOIA avoidance. Want to see somebody's email? Well, you'll have to go see that individual.
Re: Security risk of POP3 IMAP protocols
On 13 Feb 2009, at 04:23, Ian Batten wrote:
> Security isn't about protocols, it's about systems, and I suspect POP3 vs IMAP is metonymic for local vs remote mail storage.

Also keep in mind that IMAP can be used just like POP, i.e., you can use IMAP to download and remove all mail from the server.

:wes
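Two points in this thread fit in one added example (my code, not from the thread or the Cyrus project): Wes's observation that IMAP can be driven exactly like POP, and the earlier advice to enforce encrypted connections so that a password is never offered on a plaintext session. `drain_mailbox()` below checks the pre-login CAPABILITY response, negotiates STARTTLS (or trusts a connection you tell it is already TLS, as on port 993), then does SELECT, SEARCH ALL, FETCH, STORE +FLAGS \Deleted and EXPUNGE, which is the POP download-and-delete cycle in IMAP verbs. The one edge case it handles on purpose: a message whose FETCH does not return OK is left on the server rather than deleted. It talks to anything carrying the method names of Python's `imaplib.IMAP4`, so against a real server you would pass `imaplib.IMAP4(host)`; `FakeIMAP` is a constructed stand-in that lets the example run offline and records what the client sent. The policy of refusing to log in without TLS is an assumption of this example, not a Cyrus default.

```python
#!/usr/bin/env python3
"""IMAP used like POP: STARTTLS, LOGIN, fetch everything, delete what was fetched.

Added example (not from the thread or Cyrus). drain_mailbox() accepts any
object with imaplib.IMAP4's method names; FakeIMAP is a constructed offline
stand-in. Assumed policy: no password without TLS; expunge only fetched mail.
"""
import ssl


class InsecureTransport(Exception):
    """Raised instead of sending credentials on a connection that is not TLS."""


def secure_connection(conn, already_tls=False, ssl_context=None):
    """Negotiate STARTTLS unless the socket is already TLS (e.g. port 993)."""
    if already_tls:
        return
    _typ, data = conn.capability()                  # imaplib: ("OK", [b"IMAP4rev1 STARTTLS ..."])
    caps = data[0].decode().upper().split()
    if "STARTTLS" not in caps:
        raise InsecureTransport("no STARTTLS offered; refusing to send a password in the clear")
    conn.starttls(ssl_context or ssl.create_default_context())


def drain_mailbox(conn, user, password, mailbox="INBOX", already_tls=False):
    """Download every message in `mailbox`, delete the ones we got, return their raw bytes."""
    try:
        secure_connection(conn, already_tls=already_tls)
        conn.login(user, password)
        typ, _ = conn.select(mailbox)
        if typ != "OK":
            raise RuntimeError(f"cannot select {mailbox}")
        typ, data = conn.search(None, "ALL")         # sequence numbers, stable until EXPUNGE
        nums = data[0].decode().split() if typ == "OK" and data and data[0] else []
        fetched = []
        for num in nums:
            typ, data = conn.fetch(num, "(RFC822)")
            if typ != "OK" or not data or not isinstance(data[0], tuple):
                continue                             # leave it on the server for the next run
            fetched.append((num, data[0][1]))
        for num, _body in fetched:                   # only what we actually hold gets deleted
            conn.store(num, "+FLAGS", "\\Deleted")
        if fetched:
            conn.expunge()
        return [body for _num, body in fetched]
    finally:
        conn.logout()


class FakeIMAP:
    """Constructed stand-in for imaplib.IMAP4 that records what the client did."""

    def __init__(self, messages, offer_starttls=True, fail_fetch=()):
        self.messages = dict(enumerate(messages, start=1))   # sequence number -> raw bytes
        self.offer_starttls = offer_starttls
        self.fail_fetch = set(fail_fetch)
        self.tls = False
        self.deleted = set()
        self.log = []

    def capability(self):
        caps = b"IMAP4rev1 LOGINDISABLED" + (b" STARTTLS" if self.offer_starttls else b"")
        return "OK", [caps]

    def starttls(self, ssl_context=None):
        self.tls = True
        self.log.append("STARTTLS")

    def login(self, user, password):
        if not self.tls:
            raise AssertionError("client sent a password on a plaintext connection")
        self.log.append(f"LOGIN {user}")
        return "OK", [b"Logged in"]

    def select(self, mailbox):
        self.log.append(f"SELECT {mailbox}")
        return "OK", [str(len(self.messages)).encode()]

    def search(self, charset, *criteria):
        return "OK", [" ".join(str(n) for n in sorted(self.messages)).encode()]

    def fetch(self, num, parts):
        n = int(num)
        if n in self.fail_fetch:
            return "NO", [None]
        body = self.messages[n]
        return "OK", [(f"{n} (RFC822 {{{len(body)}}}".encode(), body), b")"]

    def store(self, num, op, flags):
        self.deleted.add(int(num))
        self.log.append(f"STORE {num} {op} {flags}")
        return "OK", [b""]

    def expunge(self):
        for n in self.deleted:
            self.messages.pop(n, None)
        self.log.append("EXPUNGE")
        return "OK", [b""]

    def logout(self):
        self.log.append("LOGOUT")
        return "BYE", [b""]


if __name__ == "__main__":
    server = FakeIMAP([b"Subject: one\r\n\r\n1", b"Subject: two\r\n\r\n2", b"Subject: three\r\n\r\n3"], fail_fetch={2})
    got = drain_mailbox(server, "alice", "hunter2")
    print(f"downloaded {len(got)} messages; still on server: {sorted(server.messages)}")
    print("client sent:", server.log)
```

Against the fake, message 2 (whose FETCH fails) stays on the server while 1 and 3 are downloaded and expunged, and a fake that does not advertise STARTTLS gets a LOGOUT and no LOGIN at all. Swapping `FakeIMAP` for `imaplib.IMAP4` keeps the same control flow; note that `imaplib.IMAP4.login` raises on a bad password, so the `finally` still logs out cleanly on the path a rate limiter would be watching.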
Re: Security risk of POP3 IMAP protocols
On Feb 12, 2009, at 2:49 PM, Jason Voorhees wrote:
> Hi people:
>
> A friend of mine is asking me about security risks of using IMAP POP3 protocols. Why? Because a sales person told my friend that IMAP protocol is less secure than POP3 protocol. This assumption is not related to Cyrus IMAP; instead it is related only to the protocols. I'm searching on Google for something about POP3 IMAP security, but I'm not pretty sure about comments I can find in forums or other sites.
>
> Does anybody here know anything about security risk of these protocols? Is it true that one of them is less secure than the other one?

I suppose that depends on one's definition of security. There are secure authentication mechanisms available for both protocols, and you can use TLS.

The more complex an application is, the more opportunity there is for programmers to make mistakes or not properly validate inputs. Since IMAP is vastly more complicated than POP in its operation, one could argue that an IMAP implementation is more likely to have exploitable bugs.

Peter
Re: Security risk of POP3 IMAP protocols
> A friend of mine is asking me about security risks of using IMAP POP3 protocols. Why? Because a sales person told my friend that IMAP protocol is less secure than POP3 protocol. This assumption is not related to Cyrus IMAP; instead it is related only to the protocols. I'm searching on Google for something about POP3 IMAP security, but I'm not pretty sure about comments I can find in forums or other sites.

I'd write this claim off as bogus; use GSSAPI authentication and TLS and either is extremely secure. Your more pressing security vulnerabilities will certainly be elsewhere (the client OS and configuration, most likely).
Re: Security risk of POP3 IMAP protocols
Adam Tauno Williams <awill...@whitemice.org> wrote:
> > A friend of mine is asking me about security risks of using IMAP POP3 protocols. Why? Because a sales person told my friend that IMAP protocol is less secure than POP3 protocol.

This reminds me of a concern that was raised about U Wash IMAP and storage of mail in unix home directories. In that setup IMAP access is based on unix file system permissions, and IMAP will open files that are not mail files if the user has unix file permissions to open them -- including various system files. This always struck me as a bogus concern since the user could also telnet in and see the same files!

The protocol itself is no less secure than POP. I don't understand why POP is still around.

Joseph Brennan
Columbia University Information Technology