
Re: Is SSL on POP3 advantageous?



Ask them if they are saying that it is easier to break into:
a) The POP3 server or
b) The Network layer (to sniff the wire).

Bearing in mind that if it's (a), having unauthorised access to
the server may mean "end of game" anyway.

When a customer (a Virtual ISP :-) ) wanted to move to another mail
system I insisted that a VPN be set up to ensure that POP passwords
were never sent in the clear over the internet.

Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto                                       Tel. 07855 805 271
http://www.devitto.com                         mailto:dom@devitto.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Where do you want to go today?  Same as every day.... Windows Update.

-----Original Message-----
From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org] On Behalf Of Ed Wandasiewicz
Sent: Friday, February 20, 2004 1:25 PM
To: misc@openbsd.org
Subject: Is SSL on POP3 advantageous?

Is SSL on POP3 advantageous compared to not having SSL on POP3?

An ADSL provider doesn't think so. I received the following from them:

"Firstly, someone would have to be sniffing his connection to get his
password; this is unlikely (unless he's upset someone).  Secondly, you
couldn't get everyone's passwords without sniffing from our end of the
network; this is virtually impossible.  Thirdly, APOP doesn't add much
security, if any at all, over normal POP; the only advantage is the password
doesn't travel clear text over the network.  The drawbacks are that if
someone could sniff your network, they can still intercept your email, and also
the password then has to be stored clear text at both the client and the
server, instead of one-way encrypted as it currently is."

--end of reply

When you download email from a non-SSL POP server, your username and
password are sent in plain text (see tcpdump or dsniff). Using SSL, this data
is encrypted when downloaded.

For encrypting sent mail, see http://www.benzedrine.cx/starttls.html.

Does the same apply to IMAP?

Ed.
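As an added example (not part of either message in this thread), the Python below shows both points at once: a cleartext USER/PASS login puts the password itself on the wire, while APOP (RFC 1939) sends only an MD5 digest of the server's banner timestamp and the secret, which is exactly why the server has to keep that secret in cleartext. The transcripts, the user "alice" and the passwords are constructed; the banner timestamp is the one from RFC 1939's APOP example.

```python
import hashlib
import re

# Constructed sample transcripts (not real captures). The banner timestamp is
# the one from RFC 1939's APOP example; the digest is computed, not hard-coded.
TIMESTAMP = "<1896.697170952@dbc.mtview.ca.us>"

PLAIN_SESSION = """\
S: +OK POP3 server ready
C: USER alice
S: +OK
C: PASS hunter2
S: +OK Logged in.
C: QUIT
"""

def apop_digest(timestamp: str, password: str) -> str:
    """APOP response per RFC 1939: hex MD5 of the banner <timestamp> followed by
    the shared secret. The server must hold the secret in cleartext to recompute
    this, which is the storage drawback the ISP's reply mentions."""
    return hashlib.md5((timestamp + password).encode()).hexdigest()

def apop_session(password: str) -> str:
    """Build a constructed APOP login transcript for the given secret."""
    return (f"S: +OK POP3 server ready {TIMESTAMP}\n"
            f"C: APOP alice {apop_digest(TIMESTAMP, password)}\n"
            "S: +OK Logged in.\nC: QUIT\n")

def audit_session(transcript: str, known_password: str) -> dict:
    """Classify how a POP3 login transmitted its credential.
    method: 'PASS' (cleartext), 'APOP' (challenge-response) or 'none';
    password_exposed: True when the known password appears verbatim on the wire;
    apop_valid: whether the APOP digest matches the known password, else None."""
    result = {"method": "none", "password_exposed": False, "apop_valid": None}
    timestamp = None
    for line in transcript.splitlines():
        if line.startswith("S: ") and timestamp is None:
            m = re.search(r"<[^>]+>", line)
            timestamp = m.group(0) if m else None
        elif line.startswith("C: PASS "):
            result["method"] = "PASS"
            result["password_exposed"] = line[len("C: PASS "):] == known_password
        elif line.startswith("C: APOP "):
            digest = line.split()[-1]
            result["method"] = "APOP"
            # The digest does not reveal the secret directly, but anyone who saw
            # the banner and this line can test password guesses offline.
            result["apop_valid"] = bool(timestamp) and digest == apop_digest(timestamp, known_password)
    return result
```

Run `audit_session` over a tcpdump-derived transcript in the same "C:/S:" form to see whether a given client is still logging in with PASS.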