Re: POP3 risk over the internet
From: Alan J. Flavell (flavell@mail.cern.ch) Date: 12/15/01
From: "Alan J. Flavell" <flavell@mail.cern.ch> Date: Sat, 15 Dec 2001 19:14:13 +0100
On Dec 15, Giles Coochey inscribed on the eternal scroll:
> The risk with POP3 is that the username and password of each user's mailbox
[..]
> passed in clear text over the Internet.
This risk is not exclusive to POP3, although POP sends the credentials
whenever it checks for new mail, which can be rather frequently.
However, POP can be SSL-wrapped (as can some of the other protocols
which exchange clear-text credentials).
And/or there are safer ways of exchanging credentials (but if that's
your only security measure, then sure, the mail itself would still be
sniffable in plain text).
> Anyone able to run a packet sniffer
> on the network between connecting end-nodes and your exchange server would
> be able to glean the username and password of users.
Which is true of all protocols which exchange plain-text credentials.
Like all security issues, I'd say the hon Usenaut needs to audit their
requirements and the feasible solutions, and make a selection which is
appropriate to their situation. There is no magic bullet that
represents the ideal solution for everyone's requirements,
unfortunately.
SSL-wrapped IMAP has a number of attractions, for sure.
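
The trade-offs discussed in this message, as an added example that is not part of the original post: a small audit that reads a POP3 server's greeting and capability list and reports what someone sniffing the path could see. The function name `audit_pop3` and the sample server responses are constructed for illustration; APOP, CAPA, STLS and the SASL mechanism names come from the POP3 RFCs, not from the post.

```python
import re

# APOP (RFC 1939): the server greeting carries a <timestamp@host> challenge.
APOP_CHALLENGE = re.compile(r"<[^<>\s]+@[^<>\s]+>")
# SASL mechanisms that put the password itself (merely encoded) on the wire.
CLEARTEXT_SASL = {"PLAIN", "LOGIN"}


def audit_pop3(greeting, capa_lines, tls_wrapped=False):
    """Summarise how credentials and mail are exposed to a sniffer on the path.

    greeting    -- first line sent by the server
    capa_lines  -- lines of the CAPA response (RFC 2449), without "+OK" / "."
    tls_wrapped -- True if the session runs inside SSL/TLS (e.g. port 995)
    """
    caps = {}
    for line in capa_lines:
        parts = line.strip().upper().split()
        if parts:
            caps[parts[0]] = parts[1:]

    sasl = set(caps.get("SASL", []))
    hashed = bool(APOP_CHALLENGE.search(greeting)) or bool(sasl - CLEARTEXT_SASL)
    # No CAPA support at all: assume plain USER/PASS is accepted (assumption).
    user_pass = "USER" in caps or not capa_lines
    return {
        # Password crosses the wire readable unless the channel is encrypted.
        "cleartext_password_possible":
            not tls_wrapped and (user_pass or bool(sasl & CLEARTEXT_SASL)),
        # A challenge-response option exists that keeps the password off the wire.
        "challenge_response_offered": hashed,
        # Client can upgrade a port-110 session with STLS (RFC 2595).
        "starttls_offered": "STLS" in caps,
        # Only SSL/TLS hides message bodies; APOP or CRAM-MD5 alone do not.
        "mail_body_sniffable": not tls_wrapped,
    }


# Constructed sample server responses (not from any real host).
GREETING = "+OK POP3 server ready <1896.697170952@mail.example.org>"
CAPA = ["TOP", "USER", "SASL CRAM-MD5 PLAIN", "STLS", "UIDL"]

if __name__ == "__main__":
    for label, wrapped in (("port 110, plain", False), ("SSL-wrapped", True)):
        print(label, audit_pop3(GREETING, CAPA, tls_wrapped=wrapped))
```
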