Allow me to be difficult for just one more moment.
>> otherwise, why claim that it is so grossly insecure when normal
>> e-mail is so grossly insecure anyway?
> Note that passwords in the clear for email have become fairly
> uncommon. Even SIMS supports CRAM-MD5 authentication for SMTP and
> APOP for POP3.
Supporting such and configuring it that way OOTB are two different
things. You usually have a good pulse on e-mail trends. Given the
most common consumer-level computers, i.e., Windows XP running Outlook
Express, or business installations, i.e., Windows XP running Outlook,
is password encryption turned on by default as installed? Or is it
turned off, instead relying on ISPs to enforce authentication
procedures? Put another way, do ISPs these days still spend a lot of
time educating their new users, or is APOP etc. such a common default
that new users aren't even aware that they are implementing it?
>> Is there something *beyond* sending passwords in clear text that
>> makes poppassd so insecure?
> 1. It uses a TCP port which, while assigned to a totally different
> protocol, is in fact only used on the open Internet for this
> protocol. This makes sniffing the protocol very highly efficient.
Why could I not make the same argument for port 110? (aside from the
issue of assignment to another protocol, which I find neutral to the
point).
> 2. It provides a sniffer instant knowledge of how to use a sniffed
> password to take over an account completely, i.e. how to change the
> password himself.
This one I readily concede. Thanks for pointing it out.
Stefan Jeglinski
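The thread contrasts passwords sent in the clear with the APOP and CRAM-MD5 logins mentioned above. The following is an added example, not code from the mailing-list post or from any of the products named in it: it builds both sides of a cleartext POP3 USER/PASS login, an APOP exchange (RFC 1939) and a CRAM-MD5 exchange (RFC 2195), and checks from a passive observer's viewpoint whether the literal password ever appears on the wire. The hostname, process id, account name and credential are constructed sample values.

```python
# Added example (not from the mailing-list post): what crosses the wire with a
# cleartext POP3 USER/PASS login versus the APOP (RFC 1939) and CRAM-MD5
# (RFC 2195) challenge/response logins the thread mentions. Hostname, pid,
# account and credential below are constructed sample values.
import base64
import hashlib
import hmac
import time

USER = "alice"        # constructed sample account
PASSWORD = "hunter2"  # constructed sample credential


def cleartext_pop3_login(user, password):
    """Classic USER/PASS login: the password itself is sent as typed."""
    return [f"USER {user}", f"PASS {password}"]


def apop_banner(hostname="mail.example.org", pid=12345, now=None):
    """Server greeting carrying the msg-id timestamp APOP digests are computed over.

    The timestamp must differ for every connection; a repeated one would let a
    captured APOP digest be replayed as-is.
    """
    if now is None:
        now = int(time.time())
    return f"+OK POP3 server ready <{pid}.{now}@{hostname}>"


def _extract_timestamp(banner):
    """Pull the <pid.clock@host> msg-id out of the greeting line."""
    start = banner.index("<")
    end = banner.index(">", start) + 1
    return banner[start:end]


def apop_response(banner, user, password):
    """Client side of APOP: digest = hex(md5(timestamp + password))."""
    timestamp = _extract_timestamp(banner)
    digest = hashlib.md5((timestamp + password).encode()).hexdigest()
    return f"APOP {user} {digest}"


def apop_verify(banner, command, lookup_password):
    """Server side of APOP: recompute from the stored password and compare."""
    parts = command.split()
    if len(parts) != 3 or parts[0] != "APOP":
        return False
    user, digest = parts[1], parts[2]
    stored = lookup_password(user)
    if stored is None:
        return False
    expected = apop_response(banner, user, stored).split()[2]
    return hmac.compare_digest(expected, digest)


def cram_md5_challenge(hostname="mail.example.org", pid=12345, now=None):
    """Server challenge for CRAM-MD5: a base64-encoded msg-id string."""
    if now is None:
        now = int(time.time())
    return base64.b64encode(f"<{pid}.{now}@{hostname}>".encode()).decode()


def cram_md5_response(challenge_b64, user, password):
    """Client side of CRAM-MD5: base64('user ' + hex(HMAC-MD5(password, challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def cram_md5_verify(challenge_b64, response_b64, lookup_password):
    """Server side of CRAM-MD5: recompute the HMAC from the stored password."""
    try:
        decoded = base64.b64decode(response_b64).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, digest = decoded.rpartition(" ")
    if not sep:
        return False
    stored = lookup_password(user)
    if stored is None:
        return False
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(stored.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def password_visible_on_wire(lines, password):
    """Passive observer's view: does the literal password appear in the exchange?"""
    return any(password in line for line in lines)


if __name__ == "__main__":
    lookup = lambda u: PASSWORD if u == USER else None
    print("USER/PASS leaks password:",
          password_visible_on_wire(cleartext_pop3_login(USER, PASSWORD), PASSWORD))
    banner = apop_banner()
    cmd = apop_response(banner, USER, PASSWORD)
    print("APOP leaks password:", password_visible_on_wire([banner, cmd], PASSWORD),
          "| verifies:", apop_verify(banner, cmd, lookup))
    chal = cram_md5_challenge()
    resp = cram_md5_response(chal, USER, PASSWORD)
    print("CRAM-MD5 leaks password:", password_visible_on_wire([chal, resp], PASSWORD),
          "| verifies:", cram_md5_verify(chal, resp, lookup))
```

Two caveats worth keeping in mind when reading the output: both challenge/response schemes keep the password itself off the wire, but a captured challenge and digest still permit offline guessing of weak passwords, and the server must hold the password in a recoverable form to verify them. Neither scheme protects the session content that follows the login.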