Tony Finch writes:
> On Mon, 18 Jan 2010, Arnt Gulbrandsen wrote:
>> Yeah. But I can't remember talking to anyone who really cared about
>> allowing cleartext imap inside the firewall.
>
> I'm not sure exactly what you mean here, but I have counter examples
> for two possible interpretations.

I meant that I can't remember speaking to anyone who REALLY WANTED to
allow unencrypted IMAP inside the firewall. Sorry about the lack of
clarity.

> If you mean that no one in your experience is worried by unencrypted
> access from local IP addresses, then we certainly are, especially for
> wireless users.

Yes. I have also heard mutterings about ethernet jacks and ARP attacks,
although that may be more paranoia than realism.

> If you mean that no one in your experience enables unencrypted access
> from local IP addresses,

(On the contrary, people do, and I think it makes sense. A low-value
feature is worth using if it's also low-cost, right?)

> then I believe it's fairly common for universities to do so to avoid
> having to reconfigure thousands of desktop clients. It took us about
> a year to completely disable unencrypted access - we wanted to avoid
> huge spikes in support load.

Yes.

> With the right software it's fairly easy to restrict unencrypted
> logins to local wired networks.

Timo's mail made me think of a different approach: Immediately expire a
password if a server receives that password in clear text. Bang bang.
(Let me guess: The words "support spike" entered your mind now.)

Arnt
_______________________________________________
yam mailing list
https://www.ietf.org/mailman/listinfo/yam