sms-backup-plus icon indicating copy to clipboard operation
sms-backup-plus copied to clipboard

Published 20 hours ago verified publisher icon jberkel

Request for information: "Plain text"

Open GregoryTravis opened this issue 5 years ago • 3 comments

The README says:

change Authentication to "Plain text" in "Advanced settings - Custom IMAP server"

Does "plain text" here mean that it is sending the app password unencrypted?

GregoryTravis avatar Jul 24 '20 16:07 GregoryTravis

I would also like a more in-depth explanation what happens to our "unencrypted" passwords.

Tecfan avatar Aug 22 '20 07:08 Tecfan

As I understand it, the IMAP protocol is conducted in plain text, including the password, but the whole thing is encapsulated by a TLS session which is encrypted. The email client need not encrypt data because the connection is secure, thanks to TLS.

I've often been known to misunderstand things!

ajhepple avatar Aug 22 '20 10:08 ajhepple

@ajhepple is correct. It's not especially vulnerable to interception as long as the IMAP server you're talking to supports and requires encryption. (GMail IMAP does.)

In this context "plain text" means that that the password itself is sent, rather than being used as part of a key-exchange. The is a requirement to support the IMAP protocol, which is 30+ years old at this point.

Together with the requirement to make the unencrypted password visible to any app that uses it, these are reasons why you should have a unique password for IMAP (or POP) access.

kurahaupo avatar Aug 23 '20 02:08 kurahaupo