Re: Misleading sense of security in Netscape

[smb () RESEARCH ATT COM (Steven M. Bellovin)]

In message <38A86A95.462F8468 () nis acs uci edu>, Dan Stromberg writes:
> "Steven M. Bellovin" wrote:
> > In message <387E245C.F279E367 () digsigtrust com>, Craig Ruefenacht writes:
> >
> > > It is well known throughout the Internet that the two most common
> > > protocols for reading email, POP3 (port 110) and IMAP (port 143), are
> > > sent in the clear over the network.
> >
> > It's worth noting that many POP3 servers and clients support APOP
> > authentication, which eliminates the problem of the plaintext password goin
> g
> > over the wire.  As best I can tell, Netscape's mail client doesn't give you
> > that choice.
> >
> >                 --Steve Bellovin
>
> Sadly, it appears that APOP has the drastic downside that the server
> must store all passwords in cleartext - so if the server is broken into,
> attackers don't even need to run crack; they just get a list of
> passwords.

Right.  Depending on the setup, that may or may not be a serious issue.  I
would never do that on a general-purpose host; for an ISP -- which often has
plaintext passwords lying around anyway, and which should have locked-down
mail servers -- the answer may be different.
>

                --Steve Bellovin