[HN Gopher] So when did POP and IMAP become a "legacy protocol?"
___________________________________________________________________
So when did POP and IMAP become a "legacy protocol?"
Author : signa11
Score : 39 points
Date : 2022-09-25 06:27 UTC (16 hours ago)
(HTM) web link (boston.conman.org)
| jonathantf2 wrote:
| You can still enable these protocols per user - Microsoft are
| disabling these and Basic Authentication by default as most users
| don't use them and it's the primary vector for sending emails
| from compromised accounts. Any Microsoft tenant I set up or
| manage already has policies to block anything but the Outlook
| desktop or mobile clients with MFA on every account.
| Avamander wrote:
| I get the impression that the article's author didn't really read
| the linked help page. It's basic auth that's getting deprecated,
| due to being considered a legacy authentication protocol. For
| good reasons, as described.
|
| That aside, POP should really be considered legacy, it comes with
| many downsides that hinder people's e-mail usage. IMAP is
| definitely more functional, but has a successor - JMAP. So in
| some sense, it'd not even be entirely wrong to migrate.
|
| Lack of HTTPS on the author's site also adds a nice subtle
| flavour to the blogpost.
| mattgreenrocks wrote:
| Shaming people for not having HTTPS on their blog is not a
| great look. :/
| Dylan16807 wrote:
| Noting an amusing interaction with the context isn't shaming.
|
| Though if someone _can_ set it up in less than 15 minutes,
| and doesn't, I reserve the right to snark. It's not a bad
| look in cases like that.
| chowells wrote:
| I don't see the problem. HTTPS is basic internet hygiene.
| It's no worse than telling people they should mind their body
| odor when they're in a space with a lot of other people.
| Possibly indelicate, but undoubtedly true.
| hsbauauvhabzb wrote:
| Exactly what risk does it have being on a low profile blog?
| oddlama wrote:
| I for example just wouldn't like anyone to be able to see
| what data I exchange with any server, be it small profile
| blog or a login page.
| seanp2k2 wrote:
| What traffic between a blog without user auth for comments
| needs to be encrypted? Why? I understand that Let's Encrypt
| exists and it's "easy" to set up (for people with root access
| to the system hosting their site + a decent level of
| technical sysadmin proficiency)
| Angostura wrote:
| > That aside, POP should really be considered legacy, it comes
| with many downsides that hinder people's e-mail usage.
|
| And one big advantage - it actually allows you to retrieve and
| store e-mail locally - irrespective of any server allocation.
| loloquwowndueo wrote:
| Um what? Nothing in IMAP prevents you from doing the same.
| Just because most client implementations assume you want to
| keep your mail on the server by default, does not mean the
| protocol doesn't account for the other possibility.
|
| And to be fair, configuring most clients to retrieve and then
| delete, or keep a local copy in addition to the server one,
| is not difficult at all - these options are not hidden or
| anything.
| deaddodo wrote:
| So does IMAP? Most clients only cache headers because it's
| faster and most devices are always-connected; but you can
| certainly locally download the entirety of your IMAP
| contents.
|
| Considering you have to download the entirety of the mail
| contents to read it anyways, I have no idea what makes you
| think this is an impossibility.
| josephg wrote:
| JMAP works great for this too. It's a shame JMAP isn't widely
| implemented - it's a lovely standard.
| melony wrote:
| What about Macrosoft Exchange?
| afrcnc wrote:
| POP, not IMAP
| achillean wrote:
| The protocols are seeing a decline in deployments but they're
| still very popular. See the below for a trend of the protocol
| over the past 5 years:
|
| https://imgur.com/a/uIAiM9B
| a-dub wrote:
| you have to jump through hoops to do basic auth (even over SSL)
| for IMAP/pop with gmail as well. (this has been true for some
| years now)
|
| on one level, it's sad to see the open protocols go... on the
| other, google passwords are a big deal.
| belorn wrote:
| Some context: Microsoft has disabled the use of alternative email
| providers in Windows' built-in email app since Windows 11, and
| for 365 users, unless you got one of the more expensive accounts
| intended for large companies, then no custom domain names for
| your email unless you use GoDaddy as registrar. They have an
| exclusivity deal with Microsoft.
|
| So sure, one can look at this from an authentication perspective,
| or simply look at this as one in a line of steps in a specific
| direction.
| jonathantf2 wrote:
| This is completely false, I've just installed the Mail app on
| my Windows 11 machine, first thing it asks you is what e-mail
| provider you use [0] and there are options for iCloud, Yahoo
| and a generic IMAP setup along with the Microsoft offerings.
|
| [0] https://files.catbox.moe/ljil4h.png
| ljlds3da wrote:
| Their plan is to remove old text-only protocols, and force the use of
| XAUTH or similar protocols that require use of a web browser, so
| they can spy on you with cookies and more metadata. Both Google and
| Microsoft have announced this move.
| advisedwang wrote:
| They're removing plain text auth because:
|
| a) password doesn't support 2nd factor.
|
| b) Most configurations keep the password on disk somewhere,
| often in plaintext.
|
| c) User configurations break on password rotation.
|
| Your tracking theory doesn't really hold up: a) they know
| exactly who you are on your email client anyway as you log in
| and b) most users are logged in to their google/microsoft
| account anyway because of o365/workspace/youtube.
| pessimizer wrote:
| Standards are the enemy because they allow you to use alternate
| client implementations.
| saagarjha wrote:
| And enterprises _hate_ this.
| okasaki wrote:
| > I do have to wonder how long until Google decides that only
| certain clients can connect with Gmail?
|
| Already the case on mobile:
|
| > If you use the Play store or GitHub version of FairEmail, you
can use the quick setup wizard to easily set up a Gmail account
| and identity. The Gmail quick setup wizard is not available for
| third party builds, like the F-Droid build because Google
| approved the use of OAuth for official builds only. OAuth is also
| not available on devices without Google services, such as recent
| Huawei devices, in which case selecting an account will fail.
|
| https://github.com/M66B/FairEmail/blob/master/FAQ.md#user-co...
___________________________________________________________________
(page generated 2022-09-25 23:00 UTC)