Re: which pop3/imap secure method should I use?
> What's this MiTM attact means? Man in The Middle is when someone "between" you and the remote system modifies packets on their way to the remote system or back, IIRC -- Fredrik "Demonen" Vold /* - Do not meddle in the affairs of dragons, for you are crunchy and good with ketchup. */
Re: which pop3/imap secure method should I use?
2005. június 14. 07:57, Radu Spineanu <[EMAIL PROTECTED]> -> debian-security@lists.debian.org,: > Ian Eure wrote: > >> On Monday 13 June 2005 04:41 pm, LeVA wrote: > >> I don't see why it would be helpful, unless you're trying to keep > > your info > > >> secret from a determined/resourceful attacker. But an attacker like that > >> would probably get it anyways. > >> > >> I use TLS & PLAIN, and encrypt/sign my messages with GPG for my business > >> email, and I think that's plenty secure for my needs. > > That would maka it very easy for a sniffer running ettercap for example > to do a MiTM attack. > > And of course the certificate is changed a little, but 80% of users > ignore this change and click yes on whatever is shown just to read their > emails, not knowing what this could lead to. > > Also an attacker could alter that data the server sends so that it > doesn't advertise cram-md5 as an authentication method but this is more > advanced. > > Doing a simple MiTM in ettercap is script kiddie friendly. What's this MiTM attact means? Daniel -- LeVA
Re: which pop3/imap secure method should I use?
Ian Eure wrote: >> On Monday 13 June 2005 04:41 pm, LeVA wrote: >> I don't see why it would be helpful, unless you're trying to keep your info >> secret from a determined/resourceful attacker. But an attacker like that >> would probably get it anyways. >> >> I use TLS & PLAIN, and encrypt/sign my messages with GPG for my business >> email, and I think that's plenty secure for my needs. >> >> That would maka it very easy for a sniffer running ettercap for example to do a MiTM attack. And of course the certificate is changed a little, but 80% of users ignore this change and click yes on whatever is shown just to read their emails, not knowing what this could lead to. Also an attacker could alter that data the server sends so that it doesn't advertise cram-md5 as an authentication method but this is more advanced. Doing a simple MiTM in ettercap is script kiddie friendly. Radu -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: which pop3/imap secure method should I use?
On Monday 13 June 2005 04:41 pm, LeVA wrote: > 2005. június 14. 01:36, > Ian Eure <[EMAIL PROTECTED]> > > > PLAIN is easier to set up. IIRC, CRAM-MD5 requires a seperate password > > file. Shouldn't be a risk if you're only using PLAIN over TLS. > > I understand that with TLS or SSL the clear text passwords are secured, so > do you think that an SSL + CRAM-MD5 combination is just a usesell > complication of the problem, and I should stay with the SSL(or TLS) + clear > text auth or with the no connection encryption + CRAM-MD5 auth? > I don't see why it would be helpful, unless you're trying to keep your info secret from a determined/resourceful attacker. But an attacker like that would probably get it anyways. I use TLS & PLAIN, and encrypt/sign my messages with GPG for my business email, and I think that's plenty secure for my needs.
Re: which pop3/imap secure method should I use?
2005. június 14. 01:36, Ian Eure <[EMAIL PROTECTED]> -> debian-security@lists.debian.org,: > On Monday 13 June 2005 04:23 pm, LeVA wrote: > > Hi! > > > > I've configured a courier-imap server with pop3(-ssl) and imap(-ssl) > > support. Now I can not decide which combination of methods is the most > > secure (first of all) and most usefull (lastly) for me. > > > > The courier server supports both SSL and TLS, and I can use PLAIN and > > CRAM-MD5 methods for authentication. > > > > My mail user agent supports all of the above, so I would really > > appreciate if someone could tell me which configuration is the most > > secure way. > > TLS and SSL are equally secure. TLS is easier on your system's resources; > Courier-IMAP runs a seperate daemon for SSL connections, which you don't > need if you use TLS. > > PLAIN is easier to set up. IIRC, CRAM-MD5 requires a seperate password > file. Shouldn't be a risk if you're only using PLAIN over TLS. I understand that with TLS or SSL the clear text passwords are secured, so do you think that an SSL + CRAM-MD5 combination is just a usesell complication of the problem, and I should stay with the SSL(or TLS) + clear text auth or with the no connection encryption + CRAM-MD5 auth? Daniel -- LeVA
Re: which pop3/imap secure method should I use?
On Monday 13 June 2005 04:23 pm, LeVA wrote: > Hi! > > I've configured a courier-imap server with pop3(-ssl) and imap(-ssl) > support. Now I can not decide which combination of methods is the most > secure (first of all) and most usefull (lastly) for me. > > The courier server supports both SSL and TLS, and I can use PLAIN and > CRAM-MD5 methods for authentication. > > My mail user agent supports all of the above, so I would really appreciate > if someone could tell me which configuration is the most secure way. > TLS and SSL are equally secure. TLS is easier on your system's resources; Courier-IMAP runs a seperate daemon for SSL connections, which you don't need if you use TLS. PLAIN is easier to set up. IIRC, CRAM-MD5 requires a seperate password file. Shouldn't be a risk if you're only using PLAIN over TLS. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
which pop3/imap secure method should I use?
Hi! I've configured a courier-imap server with pop3(-ssl) and imap(-ssl) support. Now I can not decide which combination of methods is the most secure (first of all) and most usefull (lastly) for me. The courier server supports both SSL and TLS, and I can use PLAIN and CRAM-MD5 methods for authentication. My mail user agent supports all of the above, so I would really appreciate if someone could tell me which configuration is the most secure way. Thanks! Daniel -- LeVA -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
