[13841] in bugtraq
Re: Misleading sense of security in Netscape
daemon@ATHENA.MIT.EDU (Dan Stromberg)
Tue Feb 15 16:10:23 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <38A86A95.462F8468@nis.acs.uci.edu>
Date: Mon, 14 Feb 2000 12:50:29 -0800
Reply-To: strombrg@NIS.ACS.UCI.EDU
From: Dan Stromberg <strombrg@NIS.ACS.UCI.EDU>
X-To: smb@RESEARCH.ATT.COM
To: BUGTRAQ@SECURITYFOCUS.COM
"Steven M. Bellovin" wrote:
>
> In message <387E245C.F279E367@digsigtrust.com>, Craig Ruefenacht writes:
>
> >It is well known throughout the Internet that the two most common
> >protocols for reading email, POP3 (port 110) and IMAP (port 143), are
> >sent in the clear over the network.
>
> It's worth noting that many POP3 servers and clients support APOP
> authentication, which eliminates the problem of the plaintext password going
> over the wire. As best I can tell, Netscape's mail client doesn't give you
> that choice.
>
> --Steve Bellovin
Sadly, it appears that APOP has the drastic downside that the server
must store all passwords in cleartext - so if the server is broken into,
attackers don't even need to run crack; they just get a list of
passwords.
It seems preferable to use SSL/IMAP. Netscape supports that (although
last I checked they didn't support it that well. Then again, it's been
a while since I looked at it).
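An added illustration of the point made in this post (example code, not part of the original thread): APOP per RFC 1939 has the server recompute MD5(timestamp + secret), so the server-side store must hold the secret itself, whereas a server that takes the password over an encrypted channel can keep only a salted slow hash. User names, secrets and the salt below are constructed sample values.

```python
import hashlib
import hmac

# APOP (RFC 1939): the POP3 greeting carries a timestamp in angle brackets
# and the client answers "APOP <name> <digest>", where digest is the hex MD5
# of the timestamp string concatenated with the shared secret.

def apop_digest(timestamp: str, secret: str) -> str:
    """Digest both sides compute; the server needs the very same secret to do so."""
    return hashlib.md5((timestamp + secret).encode()).hexdigest()

def _timestamp(greeting: str) -> str:
    """Pull the <...> timestamp out of the server greeting."""
    return greeting[greeting.index("<"):greeting.index(">") + 1]

def apop_client_response(greeting: str, user: str, secret: str) -> str:
    """Build the APOP command line the client sends instead of USER/PASS."""
    return f"APOP {user} {apop_digest(_timestamp(greeting), secret)}"

def apop_server_verify(greeting: str, command: str, cleartext_store: dict) -> bool:
    """Server side: works only because cleartext_store maps user -> secret."""
    _, user, digest = command.split(" ")
    secret = cleartext_store.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(apop_digest(_timestamp(greeting), secret), digest)

# Contrast: a server that receives the password itself over an encrypted
# channel (SSL/IMAP, as the post prefers) can store a salted, slow hash and
# never keep the cleartext at rest.

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def password_server_verify(user: str, password: str, hashed_store: dict) -> bool:
    """hashed_store maps user -> (salt, pbkdf2 hash); no secret is recoverable from it."""
    rec = hashed_store.get(user)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(hash_password(password, salt), stored)
```

A copy of `cleartext_store` hands over every secret directly; a copy of `hashed_store` still has to be guessed against, which is the difference the post describes.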