On Wed, 6 Feb 2002 [EMAIL PROTECTED] wrote:

>
> Thanks Darryl,
>
> so, may I suggest webmail access? Is it possible to encrypt that traffic
> with some https? How can I advise secure email download without using VPNs?
> Is it necessary to use digital certificates (I think it may be used but
> I've never done it) or are there other forms?
>
> Thanks in advance,
> Daniel Cenáculo
>
> Darryl Luff
> Sent by: darryll
> To: [EMAIL PROTECTED]
> cc:
> Subject: Re: pop3
> 06-02-2002 02:08
>
> Hi Daniel,
>
> POP3 authentication and message content are not encrypted in any way, so
> any third party in the data path between the server and the client can
> read both the emails and the account username/passwords.
>
> To decide whether that's OK or not, you have to consider what risk this
> involves for your company.
>
> Someone sniffing the POP3 traffic will be able to:
>
> 1.   Read all the email. Is there any data there that you or your company
> would not want an unauthorised third party to read?
>
> 2.   Capture the POP3 usernames and passwords. What can they do with
> these? E.g. if the CEO checks his mail, you (or anyone else) will be able
> to get his username and password. Is that a worry?
>
> If your company is happy with these things, then they should be
> confident about allowing POP3 access.
>
>
> If the mail server is on the internal network, it means that when
> someone breaks into it from the internet, they are on your internal
> network and can do whatever they want. If they're on the DMZ, they
> should be at least partly contained. The level of containment depends on
> your firewall rules, and on what else is on the DMZ that they could get
> to.
>

This is not totally correct; it depends upon how much access to the server
supplying the pop3 accounts one has.  If one creates the user accounts
so they only have access to remotely read their e-mails <i.e. give a
shell of /dev/null>, unless they can also exploit the pop3 daemon, the
game of sniffed usernames and passwords limits others to only reading
e-mails of those sniffed accounts.  How exploitable the pop3 daemon is on
a particular OS is another subject altogether; they have had issues in the
past if I recall.  Basically, it depends upon how much you trust others'
setup of their routers and switches, and perhaps the ISPs your users are
going to read from.  It's those points that are going to be the primary
sniffing vectors between two sites.


Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
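
An added example, not part of the original thread: a shell audit for the account setup Ron describes, checking that mail-only accounts have no usable login shell, so a sniffed POP3 password gives access to that mailbox only. The set of shells treated as non-login, the function names and the sample passwd entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Shells treated as "no login". Assumption: adjust this list for your OS.
NOLOGIN_SHELLS="/dev/null /bin/false /sbin/nologin /usr/sbin/nologin"

# audit_mail_shells PASSWD_FILE USER...
# Prints "user:shell:reason" for every named mail-only account that could
# still get a shell with a captured password. Returns 1 if any were found.
audit_mail_shells() {
    passwd_file=$1; shift
    findings=$(
        for user in "$@"; do
            awk -F: -v u="$user" -v ok="$NOLOGIN_SHELLS" '
                BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) safe[a[i]] = 1 }
                $1 == u {
                    found = 1
                    # An empty 7th field means the system default shell (/bin/sh).
                    if ($7 == "")           print u ":(empty):defaults to /bin/sh"
                    else if (!($7 in safe)) print u ":" $7 ":interactive shell"
                }
                # A listed mail user with no entry is reported, not silently passed.
                END { if (!found) print u ":(none):no passwd entry" }
            ' "$passwd_file"
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample data in passwd(5) format, not from any real system.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Mail only:/var/mail/alice:/dev/null
bob:x:1002:1002:Mail only:/var/mail/bob:/bin/sh
carol:x:1003:1003:Mail only:/var/mail/carol:
dave:x:1004:1004:Mail only:/var/mail/dave:/sbin/nologin
EOF
}

# Usage: sample_passwd > /tmp/pw && audit_mail_shells /tmp/pw alice bob carol
```

On a live system, pass `/etc/passwd` and the list of accounts that are meant to be POP3-only.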
