Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RFC6331: Moving CRAM-MD5, DIGEST-MD5 and LOGIN to Historic #58

Open
Neustradamus opened this issue Nov 17, 2019 · 7 comments
Open

RFC6331: Moving CRAM-MD5, DIGEST-MD5 and LOGIN to Historic #58

Neustradamus opened this issue Nov 17, 2019 · 7 comments
Milestone
3.0.0

Comments

@Neustradamus
Copy link

Neustradamus commented Nov 17, 2019
edited
Loading

20 November 2008: CRAM-MD5 to Historic:

29 June 2017: CRAM-MD5 to Historic:

July 2011: RFC6331: Moving DIGEST-MD5 to Historic:

I add same about SCRAM-MD5.

There are now:

  • July 2010: RFC5802: Salted Challenge Response Authentication Mechanism (SCRAM): SASL and GSS-API Mechanisms: https://tools.ietf.org/html/rfc5802 (SCRAM-SHA-1 and SCRAM-SHA-1-PLUS)
  • July 2010: RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted: Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803
  • November 2015: RFC7677: SCRAM-SHA-256 and SCRAM-SHA-256-PLUS: Simple Authentication and Security Layer (SASL) Mechanisms: https://tools.ietf.org/html/rfc7677

Soon:
@jparise
Copy link
Member

jparise commented Nov 30, 2019

Is this a request to deprecate (or remove) CRAM-MD5 support?

@schengawegga
Copy link
Contributor

I think we´ve done this with PR #76.
@Neustradamus do you agree with this and we can close this issue successfully?

@schengawegga
Copy link
Contributor

After a little bit of research and a few mails with @Neustradamus, we both agree that the authentication methods CRAM-MD5, DIGEST-MD5, LOGIN and PLAIN are not secure enough to use it in the future. In PR #76, i´ve done a few changes to inform the users about the security issue using this authentication methods.

The question is, what are the next useful steps?

The suggestion of @Neustradamus was, to remove CRAM-MD5, DIGEST-MD5 and LOGIN. Only PLAIN should stay in the Class, because there are Mailservers out there wich only supports PLAIN as authentication method.

I am not sure about that, because i don´t want to make this library useless for some users wich Mailservers do not support more secure authentication methods.

My idea was, to make this authentications methods only useable if a TLS connection is established. Because the credentials were transfered through a more secure connection layer. Than the authentication method should not be a security issue. Or am I wrong in my assumption?

@till @jparise what do you think about that? do you know any security or encryption experts who can give a suggestion about that?

@jparise
Copy link
Member

jparise commented Aug 9, 2023

@till @jparise what do you think about that? do you know any security or encryption experts who can give a suggestion about that?

Because this is a client (not server) library, I think it's useful to continue offering support for these methods but also help end users make informed decisions about their security.

@schengawegga
Copy link
Contributor

@till @jparise what do you think about that? do you know any security or encryption experts who can give a suggestion about that?

Because this is a client (not server) library, I think it's useful to continue offering support for these methods but also help end users make informed decisions about their security.

@jparise i agree. What do you think about my suggestion to make them only available with TLS? Do you think this would remove the security gap, using this unsecure methods? I am not a deep security expert. Do you know an security encryption experts?

@jparise
Copy link
Member

jparise commented Aug 9, 2023
edited
Loading

@till @jparise what do you think about that? do you know any security or encryption experts who can give a suggestion about that?

Because this is a client (not server) library, I think it's useful to continue offering support for these methods but also help end users make informed decisions about their security.

@jparise i agree. What do you think about my suggestion to make them only available with TLS? Do you think this would remove the security gap, using this unsecure methods? I am not a deep security expert. Do you know an security encryption experts?

I think I'd apply the same reasoning: leave them available but caution users not to use them in insecure ways.

I would support removing them entirely in a new major version.

@schengawegga schengawegga added this to the 2.0.0 milestone Oct 23, 2023
@Neustradamus
Copy link
Author

The 1.11.0 release has done an important progress, DIGEST-MD5 is DEPRECATED:

And several SCRAM supports have been added (not -PLUS variants at this time):

@schengawegga schengawegga changed the title RFC6331: Moving DIGEST-MD5 to Historic RFC6331: Moving CRAM-MD5, DIGEST-MD5 and LOGIN to Historic Nov 1, 2023
@schengawegga schengawegga modified the milestones: 2.0.0, 3.0.0 Nov 1, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
3.0.0
Development

No branches or pull requests
3 participants
@jparise @Neustradamus @schengawegga