17 Nov 2021, 02:55 PM   #3
emoore
Essential Contributor
 
Join Date: Apr 2002
Posts: 280
Reading https://searchsecurity.techtarget.co...an-it-be-fixed and https://threatpost.com/imap-attacks-...counts/142824/ makes me wonder if anybody complaining a lot about the security of IMAP might have an agenda for pushing two-factor authentication (2FA) as a requirement in the protocol. It makes a convenient fall guy if you don't enforce strong unique passwords etc. and many of the accounts on your server are compromised.

All of my email providers use TLS for secure connections and I'm not convinced OAuth2-based authentication is significantly more secure than sending a normal password over a secure connection. It seems more of a marketing ploy if you're not worried about the physical security of your PC/laptop.

I only occasionally use a smartphone because I find the environment too insecure to do anything that has a financial risk, and a desktop meets my needs fine. So 2FA doesn't seem worth the hassle to me. It would also mean I'd probably have to give up using an email client because there seem to be plenty of webmail implementations that support U2F or YubiKey but very few email clients. The only U2F support in Thunderbird is for Gmail.

JMAP is being pushed as a modern replacement for IMAP. It's an IETF standard now, Fastmail is using it, and Thunderbird has plans to add support for it. Yet the arguments for why it's a better protocol seem to focus on performance, efficiency and simplicity. Browsing https://jmap.io and https://jmap.io/spec-core.html#trans...onfidentiality I get the impression they claim it's more secure than IMAP mainly because it's a more robust protocol in general than IMAP and TLS 1.2 or later is required. If there were serious security flaws in IMAP I'd expect them to be addressed in JMAP, and that to be used as yet another argument for why JMAP is better.

https://fastmail.blog/open-technolog...open-standard/