Bugtraq mailing list archives

Re: Misleading sense of security in Netscape


From: strombrg () NIS ACS UCI EDU (Dan Stromberg)
Date: Mon, 14 Feb 2000 12:50:29 -0800


"Steven M. Bellovin" wrote:

In message <387E245C.F279E367 () digsigtrust com>, Craig Ruefenacht writes:

It is well known throughout the Internet that the two most common
protocols for reading email, POP3 (port 110) and IMAP (port 143), are
sent in the clear over the network.

It's worth noting that many POP3 servers and clients support APOP
authentication, which eliminates the problem of the plaintext password going
over the wire.  As best I can tell, Netscape's mail client doesn't give you
that choice.

                --Steve Bellovin

Sadly, it appears that APOP has the drastic downside that the server
must store all passwords in cleartext - so if the server is broken into,
attackers don't even need to run crack; they just get a list of
passwords.

It seems preferable to use SSL/IMAP.  Netscape supports that (although
last I checked they didn't support it that well.  Then again, it's been
a while since I looked at it).
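
The storage trade-off raised in this message, as an added example that is not part of the original thread: an APOP response is the MD5 of the server's greeting timestamp followed by the shared secret (RFC 1939), so the server can only check it by recomputing with the secret itself. The class names are hypothetical, PBKDF2 stands in for whatever one-way hash a server might use, and the banner and secret are the sample values from the RFC 1939 APOP example.

```python
import hashlib
import hmac
import os

def apop_digest(banner: str, secret: str) -> str:
    """RFC 1939 APOP response: hex MD5 of the greeting timestamp followed by the secret."""
    return hashlib.md5((banner + secret).encode()).hexdigest()

class CleartextStore:
    """What an APOP server needs: the shared secret itself, recoverable on demand."""
    def __init__(self):
        self.secrets = {}
    def add(self, user, secret):
        self.secrets[user] = secret
    def verify_apop(self, user, banner, digest):
        secret = self.secrets.get(user)
        # Recomputing with the stored secret is the only way to check the digest.
        return secret is not None and hmac.compare_digest(apop_digest(banner, secret), digest)

class HashedStore:
    """Salted one-way hashes, enough for logins where the server sees the password."""
    def __init__(self):
        self.records = {}
    def add(self, user, secret):
        salt = os.urandom(16)
        self.records[user] = (salt, self._kdf(secret, salt))
    def _kdf(self, secret, salt):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)
    def verify_password(self, user, password):
        salt, stored = self.records[user]
        return hmac.compare_digest(self._kdf(password, salt), stored)
    def verify_apop(self, user, banner, digest):
        # The secret is gone; the stored hash was never an input to the client's MD5.
        salt, stored = self.records[user]
        return hmac.compare_digest(apop_digest(banner, stored.hex()), digest)

# Sample banner and secret: the values used in the RFC 1939 APOP example.
BANNER, SECRET = "<1896.697170952@dbc.mtview.ca.us>", "tanstaaf"

def demo():
    clear, hashed = CleartextStore(), HashedStore()
    clear.add("mrose", SECRET)
    hashed.add("mrose", SECRET)
    response = apop_digest(BANNER, SECRET)  # what the client sends after "APOP mrose"
    return {
        "cleartext_store_verifies_apop": clear.verify_apop("mrose", BANNER, response),
        "hashed_store_verifies_apop": hashed.verify_apop("mrose", BANNER, response),
        "hashed_store_verifies_password": hashed.verify_password("mrose", SECRET),
    }
```

Calling `demo()` shows the hashed store accepting the password when it is presented directly but unable to validate the same user's APOP response, while the store that can validate it holds every secret in readable form.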

