Mailing List SIMS@mail.stalker.com Message #15123
From: Stefan Jeglinski <jeglin@4pi.com>
Subject: Re: poppassd & Eudora
Date: Thu, 15 Sep 2005 13:47:16 -0400
To: SIMS Discussions <SIMS@mail.stalker.com>
Allow me to be difficult for just one more moment.

otherwise, why claim that it is so grossly insecure when normal e-mail is so grossly insecure anyway?

Note that passwords in the clear for email have become fairly uncommon. Even SIMS supports CRAM-MD5 authentication for SMTP and APOP for POP3.

Supporting such and configuring it that way OOTB are 2 different things. You usually have a good pulse on e-mail trends. Given the most common consumer level computers, i.e., Windows XP running Outlook Express, or business installations, i.e., Windows XP running Outlook, is password encryption turned on by default as installed? Or is it turned off, instead relying on ISPs to enforce authentication procedures? Put another way, do ISPs these days still spend a lot of time educating their new users, or is APOP, etc., such a common default that new users aren't even aware that they are implementing it?


Is there something *beyond* sending passwords in clear text that makes poppassd so insecure?

1. It uses a TCP port which, while assigned to a totally different protocol, is in fact only used on the open Internet for this protocol. This makes sniffing the protocol very highly efficient.

Why could I not make the same argument for port 110? (aside from the issue of assignment to another protocol, which I find neutral to the point).


2. It provides a sniffer instant knowledge of how to use a sniffed password to take over an account completely, i.e. how to change the password himself.

This one I readily concede. Thanks for pointing it out.


Stefan Jeglinski
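As an added illustration of the point raised above that CRAM-MD5 and APOP keep the password itself off the wire (this is example code, not from the thread or from SIMS), here are both client-side computations with the matching server-side checks; the timestamp, challenge and passwords are constructed sample values borrowed from the RFC 1939 and RFC 2195 examples.

```python
import base64
import hashlib
import hmac

def apop_digest(timestamp: str, password: str) -> str:
    # APOP (RFC 1939): the server greeting carries a timestamp such as
    # "<1896.697170952@dbc.mtview.ca.us>"; the client answers with
    # MD5(timestamp + password) as lowercase hex, so the password string
    # itself is never transmitted.
    return hashlib.md5((timestamp + password).encode()).hexdigest()

def cram_md5_response(username: str, challenge_b64: str, password: str) -> str:
    # CRAM-MD5 (RFC 2195): the server sends a base64 challenge; the client
    # replies with base64("<user> <hex HMAC-MD5(key=password, msg=challenge)>").
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()

def verify_apop(timestamp: str, stored_password: str, client_digest: str) -> bool:
    # Server side: recompute from the stored password, compare in constant time.
    return hmac.compare_digest(apop_digest(timestamp, stored_password), client_digest)

def verify_cram_md5(challenge_b64: str, stored_passwords: dict, response_b64: str) -> bool:
    # Server side: split "<user> <digest>" and recompute with that user's password.
    # Both schemes require the server to hold the password in recoverable form.
    try:
        user, _digest = base64.b64decode(response_b64).decode().split(" ", 1)
    except ValueError:
        return False
    if user not in stored_passwords:
        return False
    expected = cram_md5_response(user, challenge_b64, stored_passwords[user])
    return hmac.compare_digest(expected, response_b64)

def password_on_wire(password: str, *client_fields: str) -> bool:
    # What a passive listener on the port would see: True if the raw password
    # string appears in any field the client sends.
    return any(password in field for field in client_fields)

if __name__ == "__main__":
    ts = "<1896.697170952@dbc.mtview.ca.us>"   # constructed (RFC 1939 example)
    pw = "tanstaaf"
    print("plain USER/PASS exposes password:", password_on_wire(pw, "USER mrose", "PASS " + pw))
    print("APOP exposes password:", password_on_wire(pw, "APOP mrose " + apop_digest(ts, pw)))
```

Neither scheme protects a weak password against offline guessing of a captured digest, and both need the server to keep the password in recoverable form, so they remove the clear-text exposure rather than substitute for TLS.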
