Paul Krumviede wrote:
>
> there are POP3 authentication protocols, such as APOP and KPOP,
> that don't send a clear text password. i don't know how many mail
> systems, clients or servers, support them, and KPOP may be a bit
> cumbersome if you don't want to set up Kerberos.
Yes, let's forget about KPOP since his mail server
doesn't support it. Let alone worrying about getting a client
that supports it.
I thought about mentioning APOP in my reply, but decided
against it in the (futile?) hope that no one would remember
its existence. I guess I was wrong, so here goes...
Exchange supports APOP if my memory serves me.
APOP works this way:
* The server issues a random "challenge"
* The client takes this challenge, appends the password,
does a complete MD5 hash on this string, and sends all of
it back to the server
* The server does the same thing on its end, and compares
the result with what the client sent.
This ensures that
1) The password cannot be trivially retrieved
2) That the password hash cannot be reused, unless the
server issues the same challenge again (very unlikely,
if a proper pseudo-random number generator is used,
but in most cases, plain old dumb rand() is used,
so this sucks)
However, it does NOT do this:
* Ensure that someone masquerades as the mail server,
fools the client into connecting to him instead, passes
the challenge and hash both ways, drops the client
connection, and, as a result, gets a fully authenticated
and functional POP3 connection, ready for (ab)use.
* Protect the data that traverses. Anyone can still sniff
the data stream and read all e-mail that the user pops.
pop3s (or imaps for that matter) accomplishes all of
the above.
'nuff said.
Regards,
Mikael Olsson
--
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00 Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
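The APOP exchange the post describes, as an added example that is not part of the original message: both sides of the protocol per RFC 1939 (server banner timestamp, client MD5 over timestamp plus password, server recomputation), followed by the two failure modes the post lists, a replayed response that only works if the banner repeats, and the relay attack in which an attacker passes the real banner and the victim's reply through and keeps the authenticated connection. The username/password pair, the hostname and the `USERS` table are constructed sample data; the banner builder adds a CSPRNG nonce to the pid/clock timestamp, which is an assumption beyond the RFC's minimum and is exactly the "proper pseudo-random number generator" point the post makes.

```python
import hashlib
import os
import secrets
import time

# Constructed sample mailbox (username -> password). APOP needs the server to
# hold the secret in recoverable form, one of its practical drawbacks.
USERS = {"mrose": "tanstaaf"}


def make_banner(hostname: str = "pop.example.org") -> str:
    """Server side: build the APOP timestamp banner.

    RFC 1939 uses <process-ID.clock@hostname>. A CSPRNG nonce is added here
    (an assumption, not required by the RFC) so two sessions never share a
    banner, which is what makes the digest single-use."""
    nonce = secrets.token_hex(8)
    return f"<{os.getpid()}.{int(time.time())}.{nonce}@{hostname}>"


def apop_digest(timestamp: str, password: str) -> str:
    """Both sides: MD5(timestamp || password) as lowercase hex (RFC 1939)."""
    return hashlib.md5((timestamp + password).encode()).hexdigest()


def client_apop(greeting: str, user: str, password: str) -> str:
    """Client side: extract the <...> timestamp from the '+OK' greeting and
    produce the APOP command line."""
    start, end = greeting.index("<"), greeting.index(">") + 1
    return f"APOP {user} {apop_digest(greeting[start:end], password)}"


def server_verify(timestamp: str, apop_cmd: str) -> bool:
    """Server side: recompute the digest for this session's banner and compare
    in constant time. True means the connection is now authenticated."""
    parts = apop_cmd.split()
    if len(parts) != 3 or parts[0] != "APOP":
        return False
    user, digest = parts[1], parts[2]
    password = USERS.get(user)
    if password is None:
        return False
    return secrets.compare_digest(apop_digest(timestamp, password), digest)


def honest_session() -> bool:
    """A normal client/server exchange; the password never crosses the wire."""
    ts = make_banner()
    cmd = client_apop(f"+OK POP3 server ready {ts}", "mrose", "tanstaaf")
    return server_verify(ts, cmd)


def replay_captured_response(banner_repeats: bool) -> bool:
    """Attacker sniffed one session and replays the APOP line later.

    With a fresh banner the replay fails; if the server hands out the same
    banner again (weak RNG, as the post warns), the replay succeeds."""
    captured_ts = make_banner()
    captured_cmd = client_apop(f"+OK POP3 server ready {captured_ts}", "mrose", "tanstaaf")
    later_ts = captured_ts if banner_repeats else make_banner()
    return server_verify(later_ts, captured_cmd)


def relay_attack() -> bool:
    """Attacker impersonates the server to the victim, forwards the real
    server's banner unchanged, forwards the victim's APOP reply on its own
    connection to the real server, then drops the victim. Returns whether the
    attacker's connection ends up authenticated (it does: APOP binds the
    digest to the banner, not to the endpoint that issued it)."""
    real_ts = make_banner()                       # issued by the real server
    victim_reply = client_apop(f"+OK POP3 server ready {real_ts}", "mrose", "tanstaaf")
    return server_verify(real_ts, victim_reply)   # attacker's session, not the victim's


if __name__ == "__main__":
    print("honest session authenticated:", honest_session())
    print("replay vs fresh banner:", replay_captured_response(False))
    print("replay vs repeated banner:", replay_captured_response(True))
    print("relay attack gives attacker a session:", relay_attack())
```

The relay case is the one TLS (pop3s/imaps) closes: with server authentication the victim would refuse the attacker's endpoint before ever sending the APOP line, and the session contents would no longer be readable off the wire.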