[13830] in bugtraq
Re: Misleading sense of security in Netscape
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Tue Feb 15 13:44:11 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <20000214205412.A2FCE41F16@SIGABA.research.att.com>
Date: Mon, 14 Feb 2000 15:54:07 -0500
Reply-To: smb@RESEARCH.ATT.COM
From: "Steven M. Bellovin" <smb@RESEARCH.ATT.COM>
X-To: Dan Stromberg <strombrg@nis.acs.uci.edu>
To: BUGTRAQ@SECURITYFOCUS.COM
In message <38A86A95.462F8468@nis.acs.uci.edu>, Dan Stromberg writes:
> "Steven M. Bellovin" wrote:
> >
> > In message <387E245C.F279E367@digsigtrust.com>, Craig Ruefenacht writes:
> >
> > >It is well known throughout the Internet that the two most common
> > >protocols for reading email, POP3 (port 110) and IMAP (port 143), are
> > >sent in the clear over the network.
> >
> > It's worth noting that many POP3 servers and clients support APOP
> > authentication, which eliminates the problem of the plaintext password goin
> g
> > over the wire. As best I can tell, Netscape's mail client doesn't give you
> > that choice.
> >
> > --Steve Bellovin
>
> Sadly, it appears that APOP has the drastic downside that the server
> must store all passwords in cleartext - so if the server is broken into,
> attackers don't even need to run crack; they just get a list of
> passwords.
Right. Depending on the setup, that may or may not be a serious issue. I
would never do that on a general-purpose host; for an ISP -- which often has
plaintext passwords lying around anyway, and which should have locked-down
mail servers -- the answer may be different.
>
--Steve Bellovin
