On Fri, 28 Dec 2001, ambarish pathak wrote:
I always thought IMAP was as insecure as POP3 is. Will you please elaborate? Thanks in advance.
IMAP allows authentication through either the LOGIN or AUTHENTICATE commands. The LOGIN command sends username and password as plaintext, while AUTHENTICATE provides a general mechanism for a variety of authentication techniques. (RFC2060)
Using AUTHENTICATE, I could for example use KERBEROS, GSSAPI or S/Key (RFC1731). S/Key does not provide protection, but the others do.
I guess it could be extended to add other authentication mechanisms too, since no additional commands need to be added to the protocol to support it.
Philip
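
An added example, not part of the original message: a small Python audit of the LOGIN/AUTHENTICATE distinction described above, run over a captured client command stream and a server CAPABILITY line. The sample lines are constructed, the function names are hypothetical, and LOGIN arguments sent as IMAP literals are not decoded.

```python
import re

# Constructed sample data (not from a real session).
SAMPLE_CAPABILITY = "* CAPABILITY IMAP4rev1 AUTH=KERBEROS_V4 AUTH=GSSAPI AUTH=SKEY"
SAMPLE_CLIENT = [
    "a001 CAPABILITY",
    "a002 LOGIN alice s3cret",
    "a003 AUTHENTICATE GSSAPI",
    "a004 AUTHENTICATE FOO",
    "a005 SELECT INBOX",
]

_CMD = re.compile(r"^(\S+)\s+(LOGIN|AUTHENTICATE)\b\s*(.*)$", re.IGNORECASE)


def advertised_mechanisms(capability_line):
    """Return the AUTH=<mechanism> names from an untagged CAPABILITY response."""
    if not capability_line.upper().startswith("* CAPABILITY"):
        raise ValueError("not a CAPABILITY response")
    return [tok[5:].upper() for tok in capability_line.split()
            if tok.upper().startswith("AUTH=")]


def audit(client_lines, capability_line):
    """Return (tag, finding, detail) for every authentication command seen.

    finding is one of:
      plaintext-login           LOGIN: user name and password sent as arguments
      authenticate              AUTHENTICATE with a mechanism the server advertised
      authenticate-unadvertised AUTHENTICATE with a mechanism it did not advertise
    The password is never copied into the result.
    """
    offered = set(advertised_mechanisms(capability_line))
    findings = []
    for line in client_lines:
        m = _CMD.match(line.strip())
        if not m:
            continue  # not an authentication command
        tag, cmd, args = m.group(1), m.group(2).upper(), m.group(3).split()
        first = args[0] if args else ""
        if cmd == "LOGIN":
            findings.append((tag, "plaintext-login", first.strip('"')))
        else:
            mech = first.upper()
            kind = "authenticate" if mech in offered else "authenticate-unadvertised"
            findings.append((tag, kind, mech))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CLIENT, SAMPLE_CAPABILITY):
        print(*finding)
```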