In message <[EMAIL PROTECTED]>, Dan Stromberg writes:
> "Steven M. Bellovin" wrote:
> >
> > In message <[EMAIL PROTECTED]>, Craig Ruefenacht writes:
> >
> > >It is well known throughout the Internet that the two most common
> > >protocols for reading email, POP3 (port 110) and IMAP (port 143), are
> > >sent in the clear over the network.
> >
> > It's worth noting that many POP3 servers and clients support APOP
> > authentication, which eliminates the problem of the plaintext password going
> > over the wire.  As best I can tell, Netscape's mail client doesn't give you
> > that choice.
> >
> >                 --Steve Bellovin
>
> Sadly, it appears that APOP has the drastic downside that the server
> must store all passwords in cleartext - so if the server is broken into,
> attackers don't even need to run crack; they just get a list of
> passwords.

Right.  Depending on the setup, that may or may not be a serious issue.  I
would never do that on a general-purpose host; for an ISP -- which often has
plaintext passwords lying around anyway, and which should have locked-down
mail servers -- the answer may be different.


                --Steve Bellovin
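
The APOP exchange discussed in this thread, as an added example that is not part of the original messages: it computes the digest defined in RFC 1939 (MD5 over the greeting timestamp followed by the shared secret) and shows why the server has to hold that secret in cleartext. The sample greeting and secret are the RFC's own example; the function names and the SHA-256 "hashed store" are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Example greeting and shared secret from RFC 1939 (APOP command description).
RFC_BANNER = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
RFC_SECRET = "tanstaaf"

def banner_timestamp(banner):
    """Extract the <process-ID.clock@hostname> challenge from the greeting."""
    m = re.search(r"<[^<>\s]+@[^<>\s]+>", banner)
    if m is None:
        raise ValueError("server greeting carries no APOP timestamp")
    return m.group(0)

def apop_digest(timestamp, secret):
    """MD5 over the timestamp (angle brackets included) followed by the secret."""
    return hashlib.md5((timestamp + secret).encode("utf-8")).hexdigest()

def client_command(user, banner, secret):
    """What the client sends instead of USER/PASS; the password never travels."""
    return "APOP %s %s" % (user, apop_digest(banner_timestamp(banner), secret))

def server_verify(command, banner, secret_db):
    """Recompute the digest from the stored secret and compare in constant time."""
    parts = command.split()
    if len(parts) != 3 or parts[0].upper() != "APOP":
        return False
    _, user, digest = parts
    secret = secret_db.get(user)
    if secret is None:
        return False
    expected = apop_digest(banner_timestamp(banner), secret)
    return hmac.compare_digest(expected.encode(), digest.lower().encode())

def hashed_store_can_verify(command, banner, user, password):
    """A store holding only a one-way hash of the password (constructed here as
    unsalted SHA-256) has nothing it can feed into the APOP digest."""
    stored = hashlib.sha256(password.encode("utf-8")).hexdigest()
    return server_verify(command, banner, {user: stored})

if __name__ == "__main__":
    cmd = client_command("mrose", RFC_BANNER, RFC_SECRET)
    print(cmd)
    print("cleartext store verifies:", server_verify(cmd, RFC_BANNER, {"mrose": RFC_SECRET}))
    print("hashed store verifies:   ", hashed_store_can_verify(cmd, RFC_BANNER, "mrose", RFC_SECRET))
```

Because the timestamp changes with every greeting, a captured digest does not verify against a later session, but the secret in the server's table is exactly what an intruder on the server would read.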
