On Sun, Feb 23, 2014 at 11:37:55PM +0100, Reindl Harald wrote:
> what headache?

The one I've described.

> how do you imagine a man-in-the-middle-attack on 127.0.0.1

You're confusing the different attacks. This has nothing to do with a man-in-the-middle. This is against a passive eavesdropper, e.g. someone watching people entering the password at a web interface, or a keylogger on an unreliable computer.

>> Please add a configuration variable to configure, whether %c should become "secured" for unencrypted traffic on the loopback device (localhost)
>
> to gain exactly what?

to gain different LDAP filter strings for IMAP requests coming from outside encrypted with SSL/TLS and unencrypted IMAP requests on localhost.

> frankly for practical usage except debugging even a fallback to no encryption at all on loopback would be sane and for the sake of reducing useless overhead fine

It is never a good idea to lower security in favor of easy debugging. That's why I propose a switch to turn this behaviour on and off.
Hadmut