Doubts about IMAP SSL authentication


Author: chrycheng
Date: Sep 17, 2008 09:34

Gnus successfully opened an SSL connection with my IMAP server (GMail)
as evidenced by the ff. lines in *Messages*:

imap: Connecting to imap.gmail.com...
imap: Opening SSL connection with `openssl s_client -quiet -ssl3 -connect %%s:%%p'...done

However, further on, I see these lines:

imap: Authenticating to `imap.gmail.com' using `login'...
imap: Plaintext authentication...

Does this mean that Gnus ignored the SSL connection that was set up
and went with a less secure plaintext login method instead?
Re: Doubts about IMAP SSL authentication         


Author: Ross Patterson
Date: Sep 17, 2008 10:58

"chrycheng@gmail.com" writes:
> Gnus successfully opened an SSL connection with my IMAP server (GMail)
> as evidenced by the ff. lines in *Messages*:
>
> imap: Connecting to imap.gmail.com...
> imap: Opening SSL connection with `openssl s_client -quiet -ssl3 -connect %%s:%%p'...done
>
> However, further on, I see these lines:
>
> imap: Authenticating to `imap.gmail.com' using `login'...
> imap: Plaintext authentication...
>
> Does this mean that Gnus ignored the SSL connection that was set up
> and went with a less secure plaintext login method instead?
Re: Doubts about IMAP SSL authentication         


Author: Adam Sjøgren
Date: Sep 20, 2008 15:52

On Wed, 17 Sep 2008 10:58:20 -0700, Ross wrote:
> "chrycheng@gmail.com" writes:
>> imap: Authenticating to `imap.gmail.com' using `login'...
>> imap: Plaintext authentication...
>> Does this mean that Gnus ignored the SSL connection that was set up
>> and went with a less secure plaintext login method instead?
> Unless I'm misunderstanding, this is fine. Since the *connection* is
> fully encrypted with SSL, it is safe to *authenticate* using plain text
> over the *encrypted connection*. Most SSL setups I've seen work this
> way where plain text auth is used when the connection is encrypted.
> Course, I'm no SSL expert.

Nevertheless you are right.

A nice, easy way to reassure oneself that it is so, is to sniff the
actual packets going over the wire.

Run something like:

# ngrep -Wbyline host your.imap.server

And then connect with Gnus and check that your password is really sent
over the SSL-encrypted connection (i.e. you can't see it in the
encrypted "noise").
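
The packet check described above, as an added example that is not part of any post in this thread: it classifies captured TCP payloads as SSL3/TLS records or cleartext and searches them for the password, including the base64 forms that a plain grep for the password would miss. The function names and sample payloads are constructed for illustration, and each payload is assumed to start at a record boundary.

```python
import base64
import hashlib

def tls_record(payload: bytes):
    """Return (content_type, minor_version, length) if payload starts with an SSL3/TLS record header."""
    if len(payload) < 5:
        return None
    ctype, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    # Content types: 20 change_cipher_spec, 21 alert, 22 handshake, 23 application_data
    if ctype in (20, 21, 22, 23) and major == 3 and minor <= 4 and length <= 2**14 + 2048:
        return ctype, minor, length
    return None

def credential_needles(user: str, password: str):
    """Byte patterns that reveal the password: raw, and the base64 forms SASL LOGIN/PLAIN send."""
    pw = password.encode()
    plain = b"\0" + user.encode() + b"\0" + pw
    return {
        "raw password": pw,
        "base64 password (AUTHENTICATE LOGIN)": base64.b64encode(pw),
        "base64 SASL PLAIN blob": base64.b64encode(plain),
    }

def audit(payloads, user, password):
    """Classify each captured TCP payload and list any credential exposure."""
    needles = credential_needles(user, password)
    report = {"tls": 0, "cleartext": 0, "leaks": []}
    for i, data in enumerate(payloads):
        report["tls" if tls_record(data) else "cleartext"] += 1
        for label, needle in needles.items():
            if needle in data:
                report["leaks"].append((i, label))
    return report

# Constructed sample payloads (not taken from a real capture).
USER, PASSWORD = "alice@example.com", "correct-horse-42"
noise = hashlib.sha256(b"constructed ciphertext").digest()  # stands in for ciphertext
OVER_SSL = [b"\x16\x03\x00\x00\x20" + noise, b"\x17\x03\x00\x00\x20" + noise]
NO_SSL = [
    b"* OK IMAP4rev1 ready\r\n",
    b"a1 LOGIN " + USER.encode() + b" " + PASSWORD.encode() + b"\r\n",
    b"a2 AUTHENTICATE PLAIN " + credential_needles(USER, PASSWORD)["base64 SASL PLAIN blob"] + b"\r\n",
]

if __name__ == "__main__":
    print("over SSL:", audit(OVER_SSL, USER, PASSWORD))
    print("no SSL:  ", audit(NO_SSL, USER, PASSWORD))
```

In a real capture a TCP segment can begin in the middle of a record, so the stream has to be reassembled before the header check is meaningful.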