In message <38A86A95.462F8468at_private>, Dan Stromberg writes:
> "Steven M. Bellovin" wrote:
> >
> > In message <387E245C.F279E367at_private>, Craig Ruefenacht writes:
> >
> > >It is well known throughout the Internet that the two most common
> > >protocols for reading email, POP3 (port 110) and IMAP (port 143), are
> > >sent in the clear over the network.
> >
> > It's worth noting that many POP3 servers and clients support APOP
> > authentication, which eliminates the problem of the plaintext password going
> > over the wire. As best I can tell, Netscape's mail client doesn't give you
> > that choice.
> >
> > --Steve Bellovin
>
> Sadly, it appears that APOP has the drastic downside that the server
> must store all passwords in cleartext - so if the server is broken into,
> attackers don't even need to run crack; they just get a list of
> passwords.

Right. Depending on the setup, that may or may not be a serious issue.
I would never do that on a general-purpose host; for an ISP -- which often
has plaintext passwords lying around anyway, and which should have
locked-down mail servers -- the answer may be different.

--Steve Bellovin
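The trade-off discussed in this thread, as an added example that is not part of the original messages: APOP (RFC 1939) sends an MD5 of the server's greeting timestamp followed by the shared secret, so the server can only check it if it holds the secret in recoverable form. The `CleartextStore` and `HashedStore` classes are hypothetical names for illustration; the banner, user and secret are the sample values from the APOP example in RFC 1939.

```python
import hashlib
import hmac
import os

def apop_digest(banner: str, secret: str) -> str:
    """RFC 1939 APOP response: hex MD5 of the greeting timestamp followed by the shared secret."""
    return hashlib.md5((banner + secret).encode("ascii")).hexdigest()

class CleartextStore:
    """Hypothetical APOP-capable store: it must keep each secret in recoverable form."""
    def __init__(self):
        self.secrets = {}

    def enroll(self, user, secret):
        self.secrets[user] = secret

    def verify_apop(self, user, banner, digest):
        secret = self.secrets.get(user)
        if secret is None:
            return False
        # Recompute md5(banner + secret); impossible without the secret itself.
        return hmac.compare_digest(apop_digest(banner, secret), digest)

class HashedStore:
    """Hypothetical salted one-way store: enough for USER/PASS, useless for APOP."""
    def __init__(self):
        self.records = {}

    def enroll(self, user, secret):
        salt = os.urandom(16)
        self.records[user] = (salt, hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000))

    def verify_pass(self, user, password):
        if user not in self.records:
            return False
        salt, stored = self.records[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, stored)

    def verify_apop(self, user, banner, digest):
        # The stored value is PBKDF2(secret); md5(banner + secret) cannot be derived from it.
        raise ValueError("APOP cannot be checked against a one-way password hash")

# Sample values from the APOP example in RFC 1939, section 7.
BANNER = "<1896.697170952@dbc.mtview.ca.us>"
SECRET = "tanstaaf"
```

A server that greets every connection with a fresh banner gets replay protection from APOP, but anyone who reads `CleartextStore.secrets` has every password without cracking anything, which is the exposure the thread describes.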
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:35:03 PDT