[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Is SSL on POP3 advantageous?

To: misc@openbsd.org
Subject: Is SSL on POP3 advantageous?
From: Ed Wandasiewicz <wanded@breathemail.net>
Date: Fri, 20 Feb 2004 13:24:47 +0000
Content-Disposition: inline
User-Agent: Mutt/1.4.1i

Is SSL on POP3 advantageous compared to not having SSL on POP3?

An ADSL provider doesn't think so. I received the following from them:

"Firstly, somone would have to be sniffing his connection to get his
password, this is unlikely (unless he's upset someone).  Secondly you
couldn't get everyones passwords without sniffing from our end of the
network, this is virtually impossible.  Thirdly APOP doesn't add much
security if any at all over normal pop, the only advantage is the password
doesn't travel clear text over the network.   The drawbacks are that if
someone could sniff your network, they can still intercept your email, also
the password then has to be stored clear text at both the client and the
server, instead of one way encrypted as it currently is."

--end of reply

When you download email from a non-SSL POP server, your username and password is sent in plain-text (see tcpdump or dsniff). Using SSL, this data is encrypted when downloaded.

For encrypting sent mail, see http://www.benzedrine.cx/starttls.html.

Does the same apply to IMAP?

Ed.

Follow-Ups:
- Re: Is SSL on POP3 advantageous?
  - From: Damien Miller <djm@mindrot.org>
- Re: Is SSL on POP3 advantageous?
  - From: "Dom De Vitto" <dom@DeVitto.com>
- Re: Is SSL on POP3 advantageous?
  - From: Damian Gerow <dgerow@afflictions.org>
- Re: Is SSL on POP3 advantageous?
  - From: "Hanford, Seth" <shanford@ckure.com>

Prev by Date: Re: Multiboot
Next by Date: Re: Is SSL on POP3 advantageous?
Prev by thread: Re: adding tun devices as interfaces
Next by thread: Re: Is SSL on POP3 advantageous?
Index(es):
- Date
- Thread