EmailDiscussions.com  

Go Back   EmailDiscussions.com > Discussions about Email Services > The Technical Zone...
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read
Stay in touch wirelessly

The Technical Zone... The Geeky forum... Use this forum to discuss technical aspects of email, from authentication protocols to encryption.

Reply
 
Thread Tools
Old 12 Nov 2021, 08:29 PM   #1
TenFour
Master of the @
 
Join Date: Feb 2017
Posts: 1,180
Security of IMAP?

So, frequently I see warnings about using IMAP due to some unstated security reasons, but I am unclear on what security vulnerabilities IMAP presents. OK, for most instances of IMAP I have encountered you can't require 2FA login but instead must utilize an app password to make IMAP work. But, as long as that app password is long and random it should be essentially uncrackable. And, unless I am mistaken that app password would only give access to the actual email and not allow attackers into your account management. Occasionally I try various things with a Gmail account that require the creation of an app password, and that is always flagged as a security concern by Google. Google reminds me frequently and asks if the app password is still needed. So what are the security concerns with IMAP?
TenFour is offline   Reply With Quote

Old 13 Nov 2021, 01:40 AM   #2
chrisretusn
Cornerstone of the Community
 
Join Date: Aug 2006
Location: Philippines
Posts: 767
I've never really heard a lot about security issues with IMAP. I do know that Yahoo, Gmail, Outlook are using OAuth2 for authentication. So far I've been able to avoid using that. My email client didn't have the capability to use that at one point. Now it does, but enabling it seem like a pain in the rear.

With Yahoo I have to use App Passwords for all of my accounts; two IMAP two POP3. Also the same with AOL, I have one account, connected via POP3 and IMAP (testing).

With Gmail I have to turn on "Less secure app access" in Account, Security. They remind me all to often that I have the enabled and recommend I turn it off. That's not going to happen. So far I have been hit with 2FV yet. I Have two gmail accounts. One setup for POP3, one for IMAP. I have never been asked to add an App password with Google.

Outlook I have four accounts, all are POP3 and all are working normally.

I am guessing eventually I will have to configure for OAuth2.
chrisretusn is offline   Reply With Quote
Old 17 Nov 2021, 03:55 PM   #3
emoore
Essential Contributor
 
Join Date: Apr 2002
Posts: 261
Reading https://searchsecurity.techtarget.co...an-it-be-fixed and https://threatpost.com/imap-attacks-...counts/142824/ makes me wonder if anybody complaining a lot about the security of IMAP might have a agenda for pushing two factor authentication (2FA) as a requirement in the protocol. It makes a convenient fall guy if you don't enforce strong unique passwords etc. and many of the accounts on your server are compromised.

All of my email providers use TLS for secure connections and I'm not convinced OAuth2 based authentication is significantly more secure than sending a normal password over a secure connection. It seems more of a marketing ploy if you're not worried about the physical security of your PC/laptop.

I only occasionally use a smartphone because I find the environment too insecure to do anything that has a financial risk, and a desktop meets my needs fine. So 2FA doesn't seem worth the hassle to me. It would also mean I'd probably have to give up using a email client because there seem to be plenty of webmail implementations that support U2F or YubiKey but very few email clients. The only U2F support in Thunderbird is for Gmail.

JMAP is being pushed as a modern replacement for IMAP. Its a IETF standard now, Fastmail is using it, and Thunderbird has plans to add support for it. Yet the arguments for why its a better protocol seem to focus on performance, efficiency and simplicity. Browsing https://jmap.io and https://jmap.io/spec-core.html#trans...onfidentiality I get the impression they claim its more secure than IMAP mainly because its a more robust protocol in general than IMAP and TLS 1.2 or later is required. If there were serious security flaws in IMAP I'd expect them to be addressed in JMAP, and it be used as yet another argument for why JMAP is better.

https://fastmail.blog/open-technolog...open-standard/
emoore is offline   Reply With Quote
Old 17 Nov 2021, 08:03 PM   #4
TenFour
Master of the @
 
Join Date: Feb 2017
Posts: 1,180
Quote:
So 2FA doesn't seem worth the hassle to me.
I'm not a huge fan of 2FA for everything, but I think the Achilles heel of many things you might log into is their own security. Theoretically, if you have 2FA a thief that steals the password database from your bank or email provider still won't be able to login to your account. Though in reality, the biggest danger for most of us is probably a phishing or smsishing attack that tricks us into giving up our login details. Again, 2FA might help prevent the final login even if we lose the password. In any case, I think the slight hassle of 2FA seems to be worth it for the most important accounts. Google reports it almost eliminated account compromises among their staff.
TenFour is offline   Reply With Quote
Reply


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Forum Jump


All times are GMT +9. The time now is 10:21 AM.

 

Copyright EmailDiscussions.com 1998-2013. All Rights Reserved. Privacy Policy