Bugtraq mailing list archives
Re: Misleading sense of security in Netscape
From: smb () RESEARCH ATT COM (Steven M. Bellovin)
Date: Mon, 14 Feb 2000 15:54:07 -0500
In message <38A86A95.462F8468 () nis acs uci edu>, Dan Stromberg writes:
> "Steven M. Bellovin" wrote:
> > In message <387E245C.F279E367 () digsigtrust com>, Craig Ruefenacht writes:
> > > It is well known throughout the Internet that the two most common protocols for reading email, POP3 (port 110) and IMAP (port 143), are sent in the clear over the network.
> >
> > It's worth noting that many POP3 servers and clients support APOP authentication, which eliminates the problem of the plaintext password going over the wire. As best I can tell, Netscape's mail client doesn't give you that choice.
> >
> > --Steve Bellovin
>
> Sadly, it appears that APOP has the drastic downside that the server must store all passwords in cleartext - so if the server is broken into, attackers don't even need to run crack; they just get a list of passwords.

Right. Depending on the setup, that may or may not be a serious issue. I would never do that on a general-purpose host; for an ISP -- which often has plaintext passwords lying around anyway, and which should have locked-down mail servers -- the answer may be different.
--Steve Bellovin
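
The trade-off discussed in this message, as an added example that is not part of the original post: the APOP response is an MD5 over the server's greeting timestamp followed by the shared secret, so the server can only check it if it holds the secret itself, while a server that keeps only a salted hash can check USER/PASS but not APOP. The banner and secret are the sample values from RFC 1939; the second banner, the PBKDF2 record layout and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import os


def apop_digest(banner: str, secret: str) -> str:
    """APOP response: hex MD5 of the greeting timestamp followed by the shared secret."""
    return hashlib.md5((banner + secret).encode("ascii")).hexdigest()


def verify_apop(banner: str, client_digest: str, stored_secret: str) -> bool:
    """Server side: recomputing the digest needs the secret itself, not a hash of it."""
    return hmac.compare_digest(apop_digest(banner, stored_secret), client_digest)


def hashed_record(password: str, iterations: int = 50_000):
    """What a server keeps when it stores only a salted one-way hash (PBKDF2 is an assumption)."""
    salt = os.urandom(16)
    return salt, iterations, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_pass(password: str, record) -> bool:
    """USER/PASS login: works with a hashed record, but the password crossed the wire in the clear."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(digest, candidate)


def demo() -> dict:
    banner = "<1896.697170952@dbc.mtview.ca.us>"      # sample greeting from RFC 1939
    next_banner = "<1897.697170999@dbc.mtview.ca.us>"  # constructed: a later session
    secret = "tanstaaf"                                # sample shared secret from RFC 1939
    response = apop_digest(banner, secret)             # what the client sends after "APOP mrose"
    record = hashed_record(secret)
    return {
        "response": response,
        # A server holding the cleartext secret verifies the response.
        "plaintext_store_apop": verify_apop(banner, response, secret),
        # A server holding only the hash has nothing that reproduces the digest.
        "hashed_store_apop": verify_apop(banner, response, record[2].hex()),
        # The same hashed record is enough for USER/PASS.
        "hashed_store_pass": verify_pass(secret, record),
        # A captured response is useless against a later greeting timestamp.
        "captured_response_later_session": verify_apop(next_banner, response, secret),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```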