On Sun, Jul 02, 2000 at 08:37:03AM -0400, [EMAIL PROTECTED] wrote:
> On Sun, Jul 02, 2000 at 01:23:20PM +1000, Brett Randall wrote:
> } Ok, here's the deal:
> } 
> } qmail-pop3d is NOT secure, nor are most other standard POP3 daemons. POP
> } passwords are sent in cleartext and are not encrypted.
> 
> Yes, but if you use APOP, the password goes out in the clear but is
> useless afterwards.  Any client I can think of, including Eudora on my
> Newton (which can't use SSL), supports APOP, and so does qmail-pop3d
> with the appropriate checkpassword replacement.

The password does not go out in the clear at all. Your statement is based
on a misconception. APOP authentication is secure from sniffers; they won't
be able to learn anything from your APOP command, except by brute-forcing.
Brute-forcing sniffed non-cleartext data applies to any authentication
technique except one-time pads.

Greetz, Peter.
-- 
[EMAIL PROTECTED] - Peter van Dijk [student:developer:ircoper]
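
The APOP exchange discussed in this thread, as an added example that is not part of the original messages or of qmail-pop3d: the server sends a fresh timestamp in its greeting, the client returns MD5(timestamp + shared secret), and the server recomputes and compares. The user and secret are the sample values from RFC 1939; the host name and the random component in the timestamp are assumptions made for the demo.

```python
import hashlib
import hmac
import os
import time


def make_banner_timestamp(host="pop.example.test"):
    """Server side: unique msg-id style timestamp sent in the +OK greeting.
    The host name and the random suffix are assumptions for this demo."""
    return "<%d.%d.%s@%s>" % (os.getpid(), int(time.time()),
                              os.urandom(8).hex(), host)


def apop_digest(timestamp, secret):
    """MD5 over the timestamp (angle brackets included) followed by the secret."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()


def client_command(user, timestamp, secret):
    """Client side: only the user name and the digest are put on the wire."""
    return "APOP %s %s" % (user, apop_digest(timestamp, secret))


def server_verify(command, timestamp, secrets):
    """Server side: recompute the digest for this session's timestamp."""
    parts = command.split()
    if len(parts) != 3 or parts[0].upper() != "APOP":
        return False
    user, digest = parts[1], parts[2].lower()
    secret = secrets.get(user)
    if secret is None:
        return False
    expected = apop_digest(timestamp, secret)
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(expected.encode(), digest.encode())


if __name__ == "__main__":
    secrets = {"mrose": "tanstaaf"}          # sample account from RFC 1939
    session1 = make_banner_timestamp()
    cmd = client_command("mrose", session1, "tanstaaf")
    print("S: +OK POP3 server ready " + session1)
    print("C: " + cmd)
    print("accepted in this session:", server_verify(cmd, session1, secrets))
    # The same captured command against a later greeting does not verify.
    session2 = make_banner_timestamp()
    print("accepted when replayed:  ", server_verify(cmd, session2, secrets))
```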
