Quoting Daniel Senie ([EMAIL PROTECTED]):
> At 03:10 AM 2/12/02, Kenneth Porter wrote:
> >On Mon, 2002-02-11 at 23:26, Keith Smith wrote:
> > > traffic. I tried using outlook and outlook express as clients and
> > > still the same issue.
> >
> >Those two clients don't do APOP.
>
> Which is why so few people bother implementing it, most likely. Most
> clients do implement TLS now. The TLS handshake happens before
> username/password exchange. With it, not only are passwords hidden from
> prying eyes, all user data is hidden. It is possible to configure qpopper
> to only allow users to log in if they are using TLS.

APOP and TLS meet SOME of the same goals, but they are not close to the same and have different uses.

APOP uses a safe password for authentication. The rest of the session is clear text. Computationally, it's light-weight and easy to scale.

POP/TLS encodes the whole session using TLS (SSL v3.1). This is computationally expensive. You can only support so many sessions at a time with TLS. I'm not sure I'd want to offer TLS if I were a basic ISP. APOP, on the other hand, costs me almost nothing to offer.

Outbreak and Outbreak Express and Netscape don't support APOP. Eudora does (tho it doesn't support the rampant number of viruses that Outbreak does).

PROPERLY with TLS, I'd expect to be able to use SmartCards or basic CERTs for authentication and get S/MIME as well.

chuck
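
The APOP exchange discussed in this thread, as an added example that is not part of the original messages or of qpopper's code. It uses the sample greeting, user and secret from RFC 1939; the second greeting and the function names are constructed for illustration.

```python
import hashlib
import hmac
import re

# Sample values from the APOP example in RFC 1939 (not from this thread).
BANNER = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
SECRET = "tanstaaf"

def banner_timestamp(banner):
    """Pull the <process-id.clock@hostname> challenge out of the greeting."""
    m = re.search(r"<[^<>\s]+@[^<>\s]+>", banner)
    if m is None:
        raise ValueError("server greeting carries no APOP timestamp")
    return m.group(0)

def apop_digest(timestamp, secret):
    """MD5 over the timestamp (angle brackets included) then the shared secret."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()

def client_command(user, banner, secret):
    """What the client puts on the wire: user name and digest, never the secret."""
    return "APOP {} {}".format(user, apop_digest(banner_timestamp(banner), secret))

def server_verify(command, banner, secrets):
    """Server side: recompute from the stored secret and compare.

    The server has to keep each secret in recoverable form to do this.
    """
    parts = command.split(" ")
    if len(parts) != 3 or parts[0] != "APOP" or parts[1] not in secrets:
        return False
    expected = apop_digest(banner_timestamp(banner), secrets[parts[1]])
    return hmac.compare_digest(expected, parts[2].lower())

if __name__ == "__main__":
    cmd = client_command("mrose", BANNER, SECRET)
    print("S:", BANNER)
    print("C:", cmd)
    print("S:", "+OK" if server_verify(cmd, BANNER, {"mrose": SECRET}) else "-ERR")
    # The same digest sent against a new greeting fails: the timestamp changed.
    fresh = "+OK POP3 server ready <1897.697170999@dbc.mtview.ca.us>"  # constructed
    print("replay:", "+OK" if server_verify(cmd, fresh, {"mrose": SECRET}) else "-ERR")
```

Only the login is covered by the digest; every command and message after `+OK` still crosses the network in clear text, which is the difference from POP over TLS described above.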
