Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Misleading sense of security in Netscape
From: smb () RESEARCH ATT COM (Steven M. Bellovin)
Date: Mon, 14 Feb 2000 15:54:07 -0500


In message <38A86A95.462F8468 () nis acs uci edu>, Dan Stromberg writes:
"Steven M. Bellovin" wrote:

In message <387E245C.F279E367 () digsigtrust com>, Craig Ruefenacht writes:

It is well known throughout the Internet that the two most common
protocols for reading email, POP3 (port 110) and IMAP (port 143), are
sent in the clear over the network.

It's worth noting that many POP3 servers and clients support APOP
authentication, which eliminates the problem of the plaintext password goin
g
over the wire.  As best I can tell, Netscape's mail client doesn't give you
that choice.

                --Steve Bellovin

Sadly, it appears that APOP has the drastic downside that the server
must store all passwords in cleartext - so if the server is broken into,
attackers don't even need to run crack; they just get a list of
passwords.

Right.  Depending on the setup, that may or may not be a serious issue.  I
would never do that on a general-purpose host; for an ISP -- which often has
plaintext passwords lying around anyway, and which should have locked-down
mail servers -- the answer may be different.


                --Steve Bellovin


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]