On Thu, Feb 20, 2003 at 03:16:05PM +1300, Jason Haar wrote:
> On Wed, Feb 19, 2003 at 04:37:48PM -0800, Gordon Messmer wrote:
> > Doesn't matter *how* you do the hashing. If the client always sends the
> > same thing, then it's sending the plain text password.
>
> Absolutely - same problem with NT authentication (pre Kerberos).
>
> Anyway, that's why we have SSL :-)
>
> Hashed server-side + SSL = (vaguely) secure.
Absolutely. The security of SSL depends on public-key authentication to
prevent man-in-the-middle attacks, so you are in fact depending on
public-key in that model.
> All this is a bit academic. If the server is compromised, you're toast anyway.
> If you use CRAM-stuff, then they just steal the cleartext passwords. If you
> have hashed passwords, then they just rewrite your app to log the cleartext
> password before doing the hash-test.
Pretty much, although there is a way to mitigate that: let a different box
handle the SASL exchange for you.
In particular, I would very much like it if Courier could do SASL
authentication by means of a proxy SASL bind to an LDAP server:
                SASL                  SASL
user -------------> courier ---------> ldap server
     <-------------         <---------
Each part of the POP3 AUTH SASL exchange would simply be copied across to
the relevant part of the SASL bind exchange. If the bind is successful, then
the user is let in.
This gives you an extra layer of security, especially if your ldap server is
on a private backend network. Courier never sees the cleartext password;
your hacker would have to break into the courier server, AND then break into
the LDAP server itself, to get to a cleartext password.
Regards,
Brian.
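An added example (not Courier's code and not from this thread) that simulates the proxied SASL bind described above using CRAM-MD5 in Python: the LDAP side issues a fresh challenge, the client answers with HMAC-MD5(password, challenge), and the Courier-style proxy only copies the two messages across, so the transcript it observes never contains the password. The user table, function names and the `ldap.example` host are constructed for the demonstration.

```python
import hmac
import hashlib
import secrets

# Constructed sample credentials. CRAM-MD5 verification needs the cleartext
# (or an equivalent secret) on the backend, which is why that box must be
# the one on the private network.
LDAP_USERS = {"alice": "correct horse battery staple"}


def ldap_challenge() -> bytes:
    """Backend ("ldap server"): begin the SASL CRAM-MD5 bind with a fresh nonce."""
    return f"<{secrets.token_hex(8)}@ldap.example>".encode()


def ldap_verify(challenge: bytes, response: str) -> bool:
    """Backend: recompute HMAC-MD5(password, challenge) and compare in constant time."""
    user, _, digest = response.partition(" ")
    pw = LDAP_USERS.get(user)
    if pw is None:
        return False
    expected = hmac.new(pw.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def client_respond(user: str, password: str, challenge: bytes) -> str:
    """Client (POP3 side): answer the challenge; the password never leaves here."""
    return f"{user} {hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()}"


def courier_proxy_auth(client_step, transcript: list) -> bool:
    """Proxy ("courier"): relay each SASL step between the POP3 client and the LDAP bind.
    `transcript` records everything the proxy sees, to show what a compromised
    proxy could log."""
    challenge = ldap_challenge()          # LDAP bind -> copied to the POP3 client
    transcript.append(("s2c", challenge))
    response = client_step(challenge)      # POP3 client -> copied to the LDAP bind
    transcript.append(("c2s", response))
    return ldap_verify(challenge, response)


if __name__ == "__main__":
    seen = []
    ok = courier_proxy_auth(lambda ch: client_respond("alice", LDAP_USERS["alice"], ch), seen)
    print("bind ok:", ok)
    # Nothing the proxy observed contains the password, and because the
    # challenge is fresh per bind, replaying a captured response fails.
    print("password visible to proxy:", any("correct horse" in str(v) for _, v in seen))
```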
_______________________________________________
courier-users mailing list
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users