Re: POP3 Security Issues

[klynn () santacruz org]

There is always APOP. I believe Marcus had something to do with its
implementation into the Gauntlet firewall (since he wrote it).

It's a standard for secure popmail and is supported in more than one email
client now. Eudora for PC's being the most well known I believe.

Kevin Lynn

On Fri, 27 Nov 1998, Jason Axley wrote:

> There isn't any security in POP3.  Unless you are using POP3 over SSL to
> encrypt the data, you will be allowing people's unencrypted email, logins,
> passwords to traverse the Internet.  You probably shouldn't do that.  If
> you allow people to come across the Internet, connect to your proxy, log
> in to the POP3 proxy, to check their email, some attacker could grab the
> logins and passwords as they're typed in and use them to log in 
> themselves--perhaps gaining access to other resources on your network that
> accept the same logins and passwords.
>
> -Jason
>
> On Mon, 16 Nov 1998 mreiter () gwillness osd mil wrote:
>
> > Date: Mon, 16 Nov 1998 08:55:46 -0500
> > From: mreiter () gwillness osd mil
> > To: firewall-wizards () nfr net
> > Subject: POP3 Security Issues
> >
> >
> >
> >
> >
> > My users want to use POP3 over the internet to access their e-mail through
> > our firewall.  There is a POP3 proxy built in to the firewall (not
> > currently on), but I am leery of ANY access through the firewall over the
> > internet.  Does anyone know of security issues surrounding this?
>
>
> AT&T Wireless Services
> IT UNIX Security Operations Specialist