At 9:32 PM -0400 9/14/05, Stefan Jeglinski imposed structure on a
stream of electrons, yielding:
>>> I just assumed that all e-mail clients could do this since Eudora
>>> could, and SIMS can. I since found that a) the protocol was
>>> basically invented at Qualcomm, and that b) few (none?) other POP
>>> clients support it.
>>
>> And c) it is so grossly insecure that support for it should be
>> disabled in anything capable of it.
>
> Please expand. I saw reference to a DoS attack that was patched, but
> otherwise, why claim that it is so grossly insecure when normal
> e-mail is so grossly insecure anyway?
>
> Note that passwords in the clear for email have become fairly
> uncommon. Even SIMS supports CRAM-MD5 authentication for SMTP and
> APOP for POP3.
>
> Is there something *beyond* sending passwords in clear text that
> makes poppassd so insecure?

1. It uses a TCP port which, while assigned to a totally different
protocol, is in fact only used on the open Internet for this
protocol. This makes sniffing the protocol very highly efficient.

2. It provides a sniffer instant knowledge of how to use a sniffed
password to take over an account completely, i.e. how to change the
password himself.
--
Bill Cole
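The two points Bill makes above cut both ways: the dedicated port and the cleartext `user`/`pass`/`newpass` command sequence that make poppassd easy to sniff also make it easy for a defender to find in captured traffic and confirm which accounts had a password-change exchanged in the clear. The following is an added example, not code from this thread, from SIMS or from Eudora. It assumes poppassd on TCP port 106 (the port is a known fact about the protocol; the thread does not name it) and a constructed one-line-per-segment capture format ("src:port > dst:port payload"); the server reply strings in the sample are constructed stand-ins, and the detector deliberately records only which kinds of secret were exposed, never their values.

```python
"""Flag cleartext poppassd password-change sessions in a packet capture.

Added example (not from the original thread). Input format is a constructed
stand-in: one line per TCP segment, "src:port > dst:port payload".
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

POPPASSD_PORT = 106  # IANA assigns 106 to 3com-tsmux; in practice it carries poppassd

# poppassd client commands whose argument is a cleartext password.
CREDENTIAL_COMMANDS = {"pass": "current password", "newpass": "new password"}

LINE_RE = re.compile(
    r"^(?P<src>\S+):(?P<sport>\d+) > (?P<dst>\S+):(?P<dport>\d+) (?P<payload>.*)$"
)


@dataclass
class Finding:
    client: str
    server: str
    user: str = ""
    exposed: List[str] = field(default_factory=list)  # kinds of secret seen, never values
    completed: bool = False  # server acknowledged the new password
    pending_ack: bool = False  # newpass sent, waiting for the server's verdict

    def summary(self) -> str:
        state = "change completed" if self.completed else "change not completed"
        return (f"{self.client} -> {self.server}: cleartext poppassd session for "
                f"'{self.user}', exposed {', '.join(self.exposed) or 'nothing'}, {state}")


def parse_segment(line: str) -> Optional[Tuple[str, int, str, int, str]]:
    """Split a capture line into (src, sport, dst, dport, payload); None if malformed."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["payload"]


def detect_poppassd(lines: List[str]) -> List[Finding]:
    """Group segments into client/server flows on tcp/106 and record credential exposure."""
    flows: Dict[Tuple[str, str], Finding] = {}
    for line in lines:
        seg = parse_segment(line)
        if seg is None:
            continue
        src, sport, dst, dport, payload = seg
        if dport == POPPASSD_PORT:
            key, to_server = (src, dst), True
        elif sport == POPPASSD_PORT:
            key, to_server = (dst, src), False
        else:
            continue  # other protocols (e.g. POP3 on 110) are out of scope here
        f = flows.setdefault(key, Finding(client=key[0], server=key[1]))
        if to_server:
            verb, _, arg = payload.partition(" ")
            verb = verb.lower()
            if verb == "user":
                f.user = arg.strip()
            elif verb in CREDENTIAL_COMMANDS:
                f.exposed.append(CREDENTIAL_COMMANDS[verb])  # the value itself is discarded
                f.pending_ack = verb == "newpass"
        elif f.pending_ack:
            # Constructed heuristic: a 2xx reply to newpass means the change went through.
            f.completed = payload.startswith("200")
            f.pending_ack = False
    return [f for f in flows.values() if f.user or f.exposed]


# Constructed sample capture: one completed change, one failed attempt, POP3 noise.
SAMPLE_CAPTURE = [
    "198.51.100.9:106 > 10.0.0.5:51234 200 poppassd hello, who are you?",
    "10.0.0.5:51234 > 198.51.100.9:106 user alice",
    "198.51.100.9:106 > 10.0.0.5:51234 300 please send your password now",
    "10.0.0.5:51234 > 198.51.100.9:106 pass hunter2",
    "198.51.100.9:106 > 10.0.0.5:51234 200 your new password please",
    "10.0.0.5:51234 > 198.51.100.9:106 newpass correct-horse",
    "198.51.100.9:106 > 10.0.0.5:51234 200 password changed, thank-you",
    "10.0.0.5:51234 > 198.51.100.9:106 quit",
    "10.0.0.7:40000 > 198.51.100.9:110 USER bob",  # POP3, ignored
    "10.0.0.8:40001 > 198.51.100.9:106 user bob",
    "198.51.100.9:106 > 10.0.0.8:40001 300 please send your password now",
    "10.0.0.8:40001 > 198.51.100.9:106 pass wrong",
    "198.51.100.9:106 > 10.0.0.8:40001 500 authentication failed",
]

if __name__ == "__main__":
    for finding in detect_poppassd(SAMPLE_CAPTURE):
        print(finding.summary())
```

A finding with "change completed" is the case that needs an incident-response follow-up (the account's password is known to anyone on the path), while a finding with only the current password exposed still means that credential should be treated as compromised; either way the remediation Bill argues for is to disable poppassd rather than tune the detector.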