On Sun, Jul 02, 2000 at 08:44:23PM -0700, Brian D. Winters wrote:
> Initially I thought I saw your point, but I was wrong. You don't seem
> to be making any sense.
>
> On Sun, Jul 02, 2000 at 10:17:23PM -0400, Adam McKenna wrote:
> [this sentence originally came after the next quoted block]
> > If he can find a security hole that allows him to read files
> > that don't belong to him, he now has the entire list of passwords.
>
> Make the list readable only by root. Now a local user effectively
> needs root access to read the APOP secrets. Once that local user has
> rooted the box, I don't see why it matters that the secrets were
> cleartext.
There have been several exploits in the past that allowed a local user to
read files on the system without obtaining root. Granted, if someone found
a vulnerability like this he could read the shadow file, but at least the
passwords in the shadow file are encrypted (as opposed to the passwords in
the apop.secrets file).
> > That was entirely my point. IMO the "security cost" of saving cleartext
> > passwords on the server is not worth the "security gain" of having POP3
> > passwords encrypted when the user checks his mail. If someone is sniffing
> > pop3 passwords then he has the ability to (most likely) only obtain a small
> > number of passwords that way, as opposed to the attacker who has an account
> > on the server.
>
> So you don't care if anyone with network access has "a small number of
> passwords"? Why is one user password better than another? If there
> are local root vulnerabilities present on the system, any single user
> account should be good enough to exploit them. Allowing someone to
> sniff any number of passwords sounds like a Bad Thing(tm).
>
> I have yet to work in an environment where it is harder to run a
> packet sniffer than it is to find a local root vulnerability.
As you've pointed out, an attacker with sniffing ability can already read the
e-mail, which is the only thing that the password protects. If a sniffer can
read the e-mail, then who cares if he has the password? I'd rather make sure
that if he DOES get the password, it will be useless except for reading the
e-mail.
I guess the point I'm trying to make is that APOP is akin to putting all of
your eggs in one basket. I believe in the security practice that passwords
should _never_ be stored in cleartext, and I really don't see a reason to
go against that practice, especially when there are other, better methods of
securing e-mail.
Also, in the day of $150 500-MHz CPUs, I'm not really convinced by the
system resources argument.
> > If you're concerned about email security, APOP is not worth it. Go with SSL
> > or another security model (like having virtual POP3 accounts that aren't UNIX
> > users).
>
> I think the point you are missing is that APOP effectively creates
[...]
> overkill in a lot of situations.
You are entitled to your opinion, and I certainly won't stop you from using
APOP on any of your servers. I am merely stating that I'll never use it on
any of mine.
> Brian
>
> PS Somewhere else in this thread someone mentioned that the only APOP
> client they were aware of is Eudora. FWIW, fetchmail also supports
> APOP.
Heh. I'll leave my opinion of fetchmail out of this.
--Adam
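The APOP exchange the thread argues over, as an added example that is not part of the original message: both sides of the RFC 1939 challenge-response, showing why the server must keep the secret in cleartext and what a passive sniffer actually captures. The host name, user and secret are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample store. APOP forces the server to keep the secret in
# cleartext (the apop.secrets file), because it must recompute
# MD5(timestamp + secret) itself; a shadow-style hash of the secret would not do.
APOP_SECRETS = {"alice": "correct-horse-battery"}  # hypothetical user and secret

def apop_banner(pid: int, clock: int, host: str = "mail.example.invalid") -> str:
    """Server greeting; RFC 1939 requires a msg-id style timestamp <pid.clock@host>."""
    return f"+OK POP3 server ready <{pid}.{clock}@{host}>"

def apop_timestamp(banner: str) -> str:
    """Extract the <...> timestamp the client must fold into its digest."""
    start = banner.index("<")
    end = banner.index(">", start) + 1
    return banner[start:end]

def apop_digest(timestamp: str, secret: str) -> str:
    """The APOP response: lowercase hex MD5 over timestamp || shared secret."""
    return hashlib.md5((timestamp + secret).encode()).hexdigest()

def client_apop(banner: str, user: str, secret: str) -> str:
    """Client side: the command that goes over the wire (what a sniffer sees)."""
    return f"APOP {user} {apop_digest(apop_timestamp(banner), secret)}"

def server_verify(banner: str, command: str, secrets_db: dict) -> bool:
    """Server side: recompute the digest from the stored cleartext secret."""
    parts = command.split()
    if len(parts) != 3 or parts[0] != "APOP":
        return False
    user, digest = parts[1], parts[2]
    secret = secrets_db.get(user)
    if secret is None:
        return False
    expected = apop_digest(apop_timestamp(banner), secret)
    return hmac.compare_digest(expected, digest)

def session(pid: int, clock: int, user: str, secret: str, secrets_db: dict):
    """One full exchange: (banner, client command, server decision)."""
    banner = apop_banner(pid, clock)
    cmd = client_apop(banner, user, secret)
    return banner, cmd, server_verify(banner, cmd, secrets_db)

if __name__ == "__main__":
    banner, cmd, ok = session(1896, 697170952, "alice", "correct-horse-battery", APOP_SECRETS)
    print(cmd, "->", ok)
    # The captured command is bound to the first banner's timestamp, so a
    # replay against a later session's banner is rejected.
    print("replay:", server_verify(apop_banner(1897, 697170999), cmd, APOP_SECRETS))
```

The sniffer gets only a per-session digest, while the local reader of apop.secrets gets every secret in cleartext; that asymmetry is the trade-off the two posters weigh.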