Mailing list Message #15122
From: Bill Cole <>
Subject: Re: poppassd & Eudora
Date: Thu, 15 Sep 2005 09:02:45 -0400
To: SIMS Discussions <>
At 9:32 PM -0400 9/14/05, Stefan Jeglinski imposed structure on a stream of electrons, yielding:
I just assumed that all e-mail clients could do this since Eudora could, and SIMS can. I since found that a) the protocol was basically invented at Qualcomm, and that b) few (none?) other pop clients support it.

And c) it is so grossly insecure that support for it should be disabled in anything capable of it.

Please expand. I saw reference to a DOS attack that was patched, but otherwise, why claim that it is so grossly insecure when normal e-mail is so grossly insecure anyway?

Note that passwords in the clear for email have become fairly uncommon. Even SIMS supports CRAM-MD5 authentication for SMTP and APOP for POP3.

Is there something *beyond* sending passwords in clear text that makes poppassd so insecure?

1. It uses a TCP port which, while assigned to a totally different protocol, is in fact only used on the open Internet for this protocol. This makes sniffing the protocol very highly efficient.

2. It provides a sniffer instant knowledge of how to use a sniffed password to take over an account completely, i.e. how to change the password himself.

Bill Cole
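As an added illustration of the point about APOP and CRAM-MD5 made in this reply (this is example code written for this archive page, not anything from SIMS, Eudora or the poster), the following simulates the client and server halves of both schemes next to the plain POP3 USER/PASS login, and shows what a passive observer on the wire would see in each case. The account name and password are constructed sample values, and `mail.example.invalid` is a placeholder hostname.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed sample account. Both APOP (RFC 1939) and CRAM-MD5 (RFC 2195) need the
# server to hold the password, or an equivalent, to verify the client's digest.
USERS = {"stefan": "correct horse battery staple"}


def make_challenge(hostname="mail.example.invalid"):
    """Server-side nonce in the msg-id form that both APOP and CRAM-MD5 use."""
    return f"<{secrets.randbits(32)}.{int(time.time())}@{hostname}>"


def apop_digest(challenge, password):
    """Client side of APOP: hex MD5 over the banner timestamp followed by the password."""
    return hashlib.md5((challenge + password).encode()).hexdigest()


def apop_verify(challenge, user, digest):
    """Server side of APOP: recompute from the stored password, compare in constant time."""
    password = USERS.get(user)
    return password is not None and hmac.compare_digest(apop_digest(challenge, password), digest)


def cram_md5_response(challenge, user, password):
    """Client side of CRAM-MD5: base64 of 'user <hex HMAC-MD5(password, challenge)>'."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def cram_md5_verify(challenge, response):
    """Server side of CRAM-MD5: decode, look the user up, recompute the HMAC and compare."""
    try:
        user, digest = base64.b64decode(response, validate=True).decode().rsplit(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False
    password = USERS.get(user)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def exchange(scheme, user, password, challenge=None):
    """Simulate one login; return (lines a sniffer would see, whether the server accepted).

    'plain' is the ordinary POP3 USER/PASS login, kept here as the cleartext baseline.
    """
    challenge = challenge or make_challenge()
    if scheme == "plain":
        wire = [f"C: USER {user}", f"C: PASS {password}"]
        stored = USERS.get(user)
        ok = stored is not None and hmac.compare_digest(stored.encode(), password.encode())
    elif scheme == "apop":
        digest = apop_digest(challenge, password)
        wire = [f"S: +OK POP3 ready {challenge}", f"C: APOP {user} {digest}"]
        ok = apop_verify(challenge, user, digest)
    elif scheme == "cram-md5":
        response = cram_md5_response(challenge, user, password)
        wire = [f"S: 334 {base64.b64encode(challenge.encode()).decode()}", f"C: {response}"]
        ok = cram_md5_verify(challenge, response)
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return wire, ok


def password_visible(wire, password):
    """True if the password itself appears anywhere in the captured lines."""
    return any(password in line for line in wire)


def replayed_response_accepted(scheme, user, password, first_challenge, second_challenge):
    """Capture the client's answer to one challenge and present it against a fresh one.

    A correct challenge-response scheme rejects this, which is what makes a captured
    APOP or CRAM-MD5 exchange far less useful to an observer than a cleartext PASS.
    """
    wire, _ = exchange(scheme, user, password, first_challenge)
    captured = wire[-1].split("C: ", 1)[1]
    if scheme == "apop":
        return apop_verify(second_challenge, user, captured.split()[2])
    return cram_md5_verify(second_challenge, captured)


if __name__ == "__main__":
    for scheme in ("plain", "apop", "cram-md5"):
        wire, ok = exchange(scheme, "stefan", USERS["stefan"])
        print(scheme, "accepted" if ok else "rejected",
              "password on the wire" if password_visible(wire, USERS["stefan"]) else "password not on the wire")
        for line in wire:
            print("   ", line)
```

The two digests are deliberately short-lived: each answer is bound to the server's challenge, so what an observer captures is only good for that one session, whereas a captured PASS line (or a cleartext password-change exchange) is the credential itself.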
