From mboxrd@z Thu Jan 1 00:00:00 1970 Date: Mon, 17 Dec 2007 11:54:31 -0500 From: "Jonathan D. Proulx" To: Fans of the OS Plan 9 from Bell Labs <9fans@cse.psu.edu> Subject: Re: [9fans] upas/smtpd password authentication Message-ID: <20071217165431.GG603@csail.mit.edu> References: <20071216180213.32FA61E8C5C@holo.morphisms.net> <1a579fc66314c00596b0b6f99acf5fc8@quanstro.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1a579fc66314c00596b0b6f99acf5fc8@quanstro.net> User-Agent: Mutt/1.5.13 (2006-08-11) Topicbox-Message-UUID: 1b45ff50-ead3-11e9-9d60-3106f5b1d025 On Sun, Dec 16, 2007 at 06:16:06PM -0500, erik quanstrom wrote: :i'm not a security expert. what case that i can't currently see :would tls solve for me that's worth the extra configuration. :what am i missing? It will prevent the username:password pair from being easily snpooped. Minimally this would compromise email, which as you say is inherantly insecure, but howmany of your users have the same username password pair for other things too (like the plan9 passowrd you wish to protect). It this seconday case that is more dangerous, you can blame the users for overloading their credentials and mixing "secure" and "insecure" usages, but they will blame you if their email password is also their bank passowrd. Atleast those are the things I worry about with my users... -Jon