Mailing List SIMS@mail.stalker.com Message #15122
From: Bill Cole <listbill@scconsult.com>
Subject: Re: poppassd & Eudora
Date: Thu, 15 Sep 2005 09:02:45 -0400
To: SIMS Discussions <SIMS@mail.stalker.com>
At 9:32 PM -0400 9/14/05, Stefan Jeglinski imposed structure on a stream of electrons, yielding:

>>> I just assumed that all e-mail clients could do this since Eudora could, and SIMS can. I since found that a) the protocol was basically invented at Qualcomm, and that b) few (none?) other pop clients support it.

>> And c) it is so grossly insecure that support for it should be disabled in anything capable of it.

> Please expand. I saw reference to a DOS attack that was patched, but otherwise, why claim that it is so grossly insecure when normal e-mail is so grossly insecure anyway?

Note that passwords in the clear for email have become fairly uncommon. Even SIMS supports CRAM-MD5 authentication for SMTP and APOP for POP3.

> Is there something *beyond* sending passwords in clear text that makes poppassd so insecure?

1. It uses a TCP port which, while assigned to a totally different protocol, is in fact only used on the open Internet for this protocol. This makes sniffing the protocol very highly efficient.

2. It provides a sniffer instant knowledge of how to use a sniffed password to take over an account completely, i.e. how to change the password himself.



--
Bill Cole                                  bill@scconsult.com
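Added example, not code from the list post, SIMS or Eudora: a small Python audit routine run over a constructed poppassd session, showing how much a passive observer of the wire learns from one exchange (the two points above) and how a monitor could flag such traffic without ever copying the passwords into the alert. The command names (user, pass, newpass, quit) and three-digit status lines are those of Qualcomm's poppassd protocol; the session text and the user name are constructed.

```python
import re
from typing import Iterable, Optional, Tuple

# Client commands of Qualcomm's poppassd protocol (the one Eudora speaks). Every
# argument, including both the current and the new password, travels in clear text.
CLIENT_CMD = re.compile(r"^(user|pass|newpass|quit)(?:\s+(\S.*))?$", re.IGNORECASE)

def analyze_session(lines: Iterable[Tuple[str, str]]) -> dict:
    """Walk a reassembled session given as (direction, line) pairs, 'C' for client->server
    and 'S' for server->client; report what an observer learned, without keeping secrets."""
    seen = {"user": None, "password_seen": False, "newpass_seen": False,
            "change_accepted": False}
    for direction, text in lines:
        text = text.rstrip("\r\n")
        if direction == "C":
            m = CLIENT_CMD.match(text)
            if not m:
                continue
            cmd, arg = m.group(1).lower(), m.group(2)
            if cmd == "user":
                seen["user"] = arg
            elif cmd == "pass":
                seen["password_seen"] = arg is not None
            elif cmd == "newpass":
                seen["newpass_seen"] = arg is not None
        elif direction == "S" and seen["newpass_seen"] and text[:1] == "2":
            seen["change_accepted"] = True  # 2xx after "newpass": the change went through
    # Point 2 above: the observer now holds the account name, its current password and
    # proof that this service will replace the password for whoever presents it.
    seen["account_takeover_exposed"] = (seen["user"] is not None and seen["password_seen"]
                                        and seen["newpass_seen"] and seen["change_accepted"])
    return seen

def alert_text(finding: dict) -> str:
    """One alert line for a monitoring pipeline; the passwords never reach the alert."""
    if not finding["account_takeover_exposed"]:
        return "no cleartext poppassd password change observed"
    return (f"cleartext poppassd password change for user={finding['user']!r}: "
            "treat the account as compromised and disable poppassd")

# Constructed sample session (not a real capture), as seen on the wire.
SAMPLE_SESSION = [
    ("S", "200 poppassd hello, who are you?\r\n"),
    ("C", "user alice\r\n"),
    ("S", "300 please send your current password\r\n"),
    ("C", "pass hunter2\r\n"),
    ("S", "200 your password has been accepted, send the new one\r\n"),
    ("C", "newpass correct-horse\r\n"),
    ("S", "200 password changed\r\n"),
    ("C", "quit\r\n"),
]
```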
