"Steven M. Bellovin" wrote:
>
> In message <[EMAIL PROTECTED]>, Craig Ruefenacht writes:
>
> >It is well known throughout the Internet that the two most common
> >protocols for reading email, POP3 (port 110) and IMAP (port 143), are
> >sent in the clear over the network.
>
> It's worth noting that many POP3 servers and clients support APOP
> authentication, which eliminates the problem of the plaintext password going
> over the wire. As best I can tell, Netscape's mail client doesn't give you
> that choice.
>
> --Steve Bellovin

Sadly, it appears that APOP has the drastic downside that the server
must store all passwords in cleartext - so if the server is broken into,
attackers don't even need to run crack; they just get a list of
passwords.

It seems preferable to use SSL/IMAP. Netscape supports that (although
last I checked they didn't support it that well. Then again, it's been
a while since I looked at it).
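
The storage trade-off discussed in this thread, as an added example that is not part of the original messages: APOP (RFC 1939) has the client send the hex MD5 of the server's greeting timestamp followed by the shared secret, so the server can only check it if it holds the secret itself. The function names and the PBKDF2 storage scheme are assumptions for illustration; the banner and secret are the sample values from RFC 1939.

```python
import hashlib
import hmac


def apop_digest(banner: str, secret: str) -> str:
    """RFC 1939 APOP: hex MD5 over the greeting timestamp followed by the shared secret."""
    return hashlib.md5((banner + secret).encode("ascii")).hexdigest()


def verify_with_cleartext(store: dict, user: str, banner: str, digest: str) -> bool:
    """Server check when the password file holds the secrets themselves."""
    secret = store.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(apop_digest(banner, secret), digest)


def hash_for_storage(secret: str, salt: bytes) -> str:
    """Hypothetical one-way storage format (salted PBKDF2), as a login server would normally keep."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("ascii"), salt, 100_000).hex()


def verify_with_hash_only(store: dict, user: str, banner: str, digest: str) -> bool:
    """Server check when only a one-way hash is stored.

    The original secret cannot be recovered, so the only input available for
    MD5(banner + ?) is the stored hash, which never matches an honest client.
    """
    stored = store.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(apop_digest(banner, stored), digest)


# Sample values from the RFC 1939 APOP example.
BANNER = "<1896.697170952@dbc.mtview.ca.us>"
SECRET = "tanstaaf"

if __name__ == "__main__":
    digest = apop_digest(BANNER, SECRET)
    print("client sends: APOP mrose", digest)
    print("cleartext store accepts:", verify_with_cleartext({"mrose": SECRET}, "mrose", BANNER, digest))
    hashed = {"mrose": hash_for_storage(SECRET, b"constructed-salt")}
    print("hash-only store accepts:", verify_with_hash_only(hashed, "mrose", BANNER, digest))
```

The password never crosses the wire, but the cleartext store is exactly what an intruder on the server would walk away with.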