Security Basics mailing list archives
Re: Sniffing emails - how?
From: Jonathan Kline <klinej () msoe edu>
Date: Mon, 15 Nov 2004 20:41:16 -0600
Incorrect thinking, dude. You could do this more or less for any domain on the internet. Without thinking too hard about it, I can think of several ways to do it: playing DNS tricks, trying to advertise a new route to the domain's MX handler, and I am sure there are plenty of other methods.

In brief, clear text == bad! Emailing passwords in cleartext == very bad.

Cheers,
~J

On Sat, 2004-11-13 at 10:50 +0800, Derek Fountain wrote:
> Reading the archives of this and other lists, I occasionally come across quotes like this (from the WebApp list in this case):
>
> "2/ That sending a user's password in clear text over email systems is a secure method; inappropriate for most sites. For example, an attacker could provoke the password recovery procedure for his colleague and sniff the email containing the password with relative ease."
>
> Am I correct in thinking that this is only a real problem when an attacker has access to the same network as the email recipient? Or is this kind of sniffing possible across the internet in general?
--
Jonathan Kline <klinej () msoe edu>
Milwaukee School of Engineering