Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Misleading sense of security in Netscape
From: strombrg () NIS ACS UCI EDU (Dan Stromberg)
Date: Mon, 14 Feb 2000 12:50:29 -0800

"Steven M. Bellovin" wrote:

In message <387E245C.F279E367 () digsigtrust com>, Craig Ruefenacht writes:

It is well known throughout the Internet that the two most common
protocols for reading email, POP3 (port 110) and IMAP (port 143), are
sent in the clear over the network.

It's worth noting that many POP3 servers and clients support APOP
authentication, which eliminates the problem of the plaintext password going
over the wire.  As best I can tell, Netscape's mail client doesn't give you
that choice.

                --Steve Bellovin

Sadly, it appears that APOP has the drastic downside that the server
must store all passwords in cleartext - so if the server is broken into,
attackers don't even need to run crack; they just get a list of

It seems preferrable to use SSL/IMAP.  Netscape supports that (although
last I checked they didn't support it that well.  Then again, it's been
a while since I looked at it).

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]