Bugtraq mailing list archives
Re: Misleading sense of security in Netscape
From: strombrg () NIS ACS UCI EDU (Dan Stromberg)
Date: Mon, 14 Feb 2000 12:50:29 -0800
"Steven M. Bellovin" wrote:
> In message <387E245C.F279E367 () digsigtrust com>, Craig Ruefenacht writes:
>
> > It is well known throughout the Internet that the two most common protocols for reading email, POP3 (port 110) and IMAP (port 143), are sent in the clear over the network.
>
> It's worth noting that many POP3 servers and clients support APOP authentication, which eliminates the problem of the plaintext password going over the wire. As best I can tell, Netscape's mail client doesn't give you that choice.
>
> --Steve Bellovin
Sadly, it appears that APOP has the drastic downside that the server must store all passwords in cleartext - so if the server is broken into, attackers don't even need to run crack; they just get a list of passwords. It seems preferable to use SSL/IMAP. Netscape supports that (although last I checked they didn't support it that well. Then again, it's been a while since I looked at it).
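The storage trade-off discussed in this message, as an added example that is not part of the original post: APOP (RFC 1939) has the client send the MD5 of the server's banner timestamp followed by the shared secret, so the server can only verify it if it holds the secret itself. The timestamp and secret are the sample values from RFC 1939; the record layout and function names are hypothetical.

```python
import hashlib
import hmac
import os

def apop_digest(timestamp, secret):
    # RFC 1939: hex MD5 over the banner timestamp immediately followed by the secret.
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()

def make_hashed_record(password):
    # One-way storage (salted PBKDF2): enough to check a USER/PASS login.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "hash": digest}

def make_plaintext_record(password):
    # What an APOP server has to keep: the shared secret itself.
    return {"secret": password}

def check_pass(record, password):
    # USER/PASS works with either storage scheme.
    if "secret" in record:
        return hmac.compare_digest(record["secret"].encode(), password.encode())
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 100_000)
    return hmac.compare_digest(candidate, record["hash"])

def check_apop(record, timestamp, client_digest):
    if "secret" not in record:
        # The MD5 input is timestamp + secret; a one-way hash of the secret
        # cannot stand in for it, so this account cannot be verified via APOP.
        raise ValueError("APOP requires the stored plaintext secret")
    expected = apop_digest(timestamp, record["secret"])
    return hmac.compare_digest(expected, client_digest)

if __name__ == "__main__":
    # Sample banner timestamp and secret from RFC 1939 (not from the original post).
    ts, secret = "<1896.697170952@dbc.mtview.ca.us>", "tanstaaf"
    digest = apop_digest(ts, secret)
    print("client sends: APOP mrose", digest)
    print("plaintext store verifies APOP:",
          check_apop(make_plaintext_record(secret), ts, digest))
    print("hashed store verifies PASS:",
          check_pass(make_hashed_record(secret), secret))
    try:
        check_apop(make_hashed_record(secret), ts, digest)
    except ValueError as exc:
        print("hashed store cannot verify APOP:", exc)
```
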