Gabriel Ambuehl <[EMAIL PROTECTED]> writes:

> Hello Scott,
> 
> Monday, July 03, 2000, 5:54:00 PM, you wrote:
> >> Could anyone explain to me what sense an SSL tunnel for POP3 makes (I've
> >> been wondering about that for a long time)?
> > [ ... ]
> > To protect the POP password.
> 
> But wouldn't it be way easier to just use APOP? Or does that one have
> its own security implications?

  The only particularly nasty implication of using APOP is that it
requires that the server have the password stored in plaintext.  The
security aspect of that is that if somebody can steal the password
file from a system, they have direct access to all accounts, compared
to storing one-way hashes of passwords, which would make them run
crack first and they still wouldn't get well-chosen passwords.  The
maintainability aspect is that standard UNIX passwords aren't stored
in plaintext, so you can't use APOP to authenticate against a standard
UNIX passwd file.

  POP over SSL solves both of these, by making no changes to the POP
protocol, but just encrypting the whole session.

  I haven't looked at APOP in a while, and if what I've said is wrong,
I know that nobody on the list will hesitate to correct me.  :)

-----ScottG.
