CRAM-MD5 is obsolete and insecure. It is included for compatibility with existing servers. draft-ietf-sasl-crammd5-to-historic recommends using
PLAIN protected by TLS instead.
Additionally, RFC8314 discourages the use of cleartext and recommends that TLS version 1.2 or greater be used for all traffic. With TLS
CRAM-MD5 is okay, but so is
# File net-imap-0.3.1/lib/net/imap/authenticators/cram_md5.rb, line 24
def initialize(user, password, warn_deprecation: true, **_ignored)
  # Warn by default; pass warn_deprecation: false to silence the warning.
  if warn_deprecation
    warn "WARNING: CRAM-MD5 mechanism is deprecated." # TODO: recommend SCRAM
  end
  require "digest/md5"
  @user = user
  @password = password
end
# File net-imap-0.3.1/lib/net/imap/authenticators/cram_md5.rb, line 17
def process(challenge)
  # hmac_md5 is defined elsewhere in this file and is not shown on this page.
  digest = hmac_md5(challenge, @password)
  return @user + " " + digest
end
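The computation behind `process`, as an added example that is not net-imap's own code: it builds the response with Ruby's standard `OpenSSL::HMAC` and checks it against the sample exchange in RFC 2195, then shows the server-side check. The helper and constant names are hypothetical.

```ruby
require "openssl"

# Values from the sample exchange in RFC 2195 (already base64-decoded).
RFC2195_USER      = "tim"
RFC2195_PASSWORD  = "tanstaaftanstaaf"
RFC2195_CHALLENGE = "<1896.697170952@postoffice.reston.mci.net>"

# Hypothetical helper: hex HMAC-MD5 with the password as the key and the
# server's challenge as the message.
def cram_md5_mac(password, challenge)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("MD5"), password, challenge)
end

# Client side: the string sent back (before base64) is "<user> <hex mac>".
def cram_md5_response(user, password, challenge)
  "#{user} #{cram_md5_mac(password, challenge)}"
end

# Constant-time comparison so the check does not leak how many leading
# characters of the MAC matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: recompute the MAC for the challenge it issued and compare.
# To do this the server must hold the password or a password-equivalent
# secret; a salted one-way hash of the password is not enough.
def cram_md5_valid?(response, password, issued_challenge)
  user, _, mac = response.rpartition(" ")
  return false if user.empty?
  secure_equal?(mac, cram_md5_mac(password, issued_challenge))
end

# The response is bound to one challenge: it fails against a fresh one.
def replay_accepted?(response, password, fresh_challenge)
  cram_md5_valid?(response, password, fresh_challenge)
end
```

The mechanism authenticates the login only; it gives no confidentiality or integrity to the rest of the session, which is why the text above pairs any mechanism with TLS.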