If you are worried about sniffing, nothing that isn't fully encrypted 
is safe. POP, SMTP, telnet, etc. ad nauseam.  Talk like "you can only 
sniff if you are root" is silly.  I don't know where these people 
work, but everybody here has root for their machine, and certainly 
all the techies at your ISP do for theirs...  And about those routers 
on the way...

If you want security, HARD ENCRYPT YOUR CONTENT.  And public key 
crypto is NOT hard. (comments from our distinguished author..?) 
Jeesh, people expect MI5 level security from 20 year old public 
protocols.


BTW, Cobain stole that quote.  I'll leave it as an exercise for the 
reader to figure out from whom.



On Sat, 20 Nov 1999, dd wrote:

> [...]
> AFAIK one of the documents related to qmail mentioned the insecurity of
> POP3 protocol and said that in an insecure network the passwords could
> easily be stolen. today i tried one of the sniffers for linux and got the
> pass of my friend (of course, i told him that i did so). errm, if i can do
> this, any other user can do the same too.

And so more, you could even monitor a telnet connection ;)
Of course if you are a superuser (e.g. root) and users of your subnet are
too lazy to use ssh.

> hmm, does qmail-pop3d support
> any kind of encryption of the passwords ? so that i can guarantee the
> security of the accounts of my users?

There might be several possibilities for that.
The most common and portable way is probably to use an SSL encryption wrapper
with actual POP, IMAP or any other protocol.

If you want to check this out, go directly to a stunnel web page at
http://mike.daewoo.com.pl/computer/stunnel, and don't forget to install
latest OpenSSL or SSLeay code.

Eventually check my latest downloads at
ftp://hal.umcs.lublin.pl/pub/security.

> [...]
> thx, peace and the other good things like haribo,
> dd

Sincerely,
Marcin Jaskowiak

"It's better to burn out than to fade away..."
                         - Kurt Cobain
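
An added example, not part of the original thread: a small audit over constructed client-to-server POP3 byte streams, showing what an on-path observer sees with plain USER/PASS compared with a stream behind an SSL wrapper. It goes beyond the thread by also covering APOP and STLS; all sample data and function names are assumptions made for illustration.

```python
# Constructed client-to-server byte streams, as an on-path observer would see them.
TLS_HELLO = b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x01"  # start of a TLS handshake record
SAMPLES = {
    "plain": b"USER alice\r\nPASS example-password\r\nSTAT\r\nQUIT\r\n",
    "apop": b"APOP alice 0123456789abcdef0123456789abcdef\r\nSTAT\r\nQUIT\r\n",
    "stls": b"CAPA\r\nSTLS\r\n" + TLS_HELLO,
    "wrapped": TLS_HELLO,  # e.g. POP3 behind an SSL wrapper
}


def is_tls(data: bytes) -> bool:
    """TLS/SSLv3 handshake record: content type 0x16, major version 3."""
    return data[:2] == b"\x16\x03"


def audit_pop3_stream(data: bytes) -> dict:
    """Report what the client side of a POP3 session exposes to an observer."""
    if is_tls(data):
        return {"exposure": "none", "findings": ["TLS from the first byte"]}
    exposure, findings = "none", []
    for raw in data.split(b"\r\n"):
        if is_tls(raw):
            findings.append("TLS handshake starts; later commands not visible")
            break
        cmd, _, arg = raw.decode("ascii", "replace").partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            findings.append(f"account name visible: {arg}")
        elif cmd == "PASS":
            exposure = "cleartext"
            findings.append("PASS sent in cleartext (value redacted)")
        elif cmd == "APOP":
            if exposure == "none":
                exposure = "digest"
            findings.append("APOP digest visible; password itself not sent")
        elif cmd == "STLS":
            findings.append("STLS requested before authentication")
    return {"exposure": exposure, "findings": findings}


if __name__ == "__main__":
    for name, stream in SAMPLES.items():
        print(name, audit_pop3_stream(stream))
```

Only the wrapped and STLS sessions keep both the account name and the password off the wire; APOP hides the password but still exposes the account name and a digest derived from it.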
