Mailinglist Archive: opensuse-security (570 mails)

Re: [suse-security] Plaintext passwords IMAP please!
  • From: Maarten v d Berg <maarten@xxxxxxx>
  • Date: Wed, 14 Jan 2004 17:58:18 +0100
  • Message-id: <200401141758.18417.maarten@xxxxxxx>
On Wednesday 14 January 2004 17:27, David Fetter wrote:
> I think that disabling plain text password authentication by default is
> a good move for SuSE. If you're still using plain text passwords then
> something is wrong. There are very few email clients that don't support
> SSL these days. Things like telnet and ftp are obsolete (or should be)
> due to SSH and SFTP. Even Cisco ships their IOS with ssh authentication
> nowadays. The fact of the matter is that over half of security breaches
> are from internal sources, so having a "firewall" isn't the end of
> security. If you believe that the data you're securing isn't important
> enough to need secure password authentication then perhaps that's
> acceptable to your company. To have decent security in place requires a
> layered security approach, meaning that you have more than one piece to
> secure everything. Setting up SSL is really not that hard, and using it
> on the clients usually only requires you to check a box. I would
> strongly suggest that you invest the time to use SSL for your email
> authentication, but obviously the end decision is based on the cost
> difference between doing that versus the risk of losing your data. The
> paranoia that SuSE is displaying here is simply derived from basic
> modern security principles.

I would fully agree with you (I haven't talked to a telnet server in 7 years)
if it weren't for the fact that one often-used application of imapd is to
have it listening on localhost _only_ and have squirrelmail or another
webmail app talk to it. This latest change breaks that.

The same goes for telnet. Although it shouldn't be used to build a traditional
connection, it serves me often to check services ('telnet hostname 25') so
removing telnet "because it's insecure" would be a bad move.
I'm speaking hypothetically of course, but you get the point.

Maarten

> David M. Fetter - http://www.fetterconsulting.com/
>
> "The world is full of power and energy and a person can go far by just
> skimming off a tiny bit of it." Neal Stephenson - Snow Crash

