<[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Date: Wed, 13 Feb 2002 09:50:38 -0800
Errors-To: List Administrator <[EMAIL PROTECTED]>
Precedence: bulk
List-Subscribe: <mailto:[EMAIL PROTECTED]?body=subscribe>
List-Unsubscribe: <mailto:[EMAIL PROTECTED]?body=unsubscribe>
List-Archive: <http://www.pensive.org/mailing_lists/archives/qpopper/>
List-Post: <mailto:[EMAIL PROTECTED]>
List-Owner: Pensive Mailing List Admin <[EMAIL PROTECTED]>
List-Help: http://www.pensive.org/Mailing_Lists/
List-Id: <QPopper.lists.pensive.org>
List-Software: AutoShare 4.2.3 by Mikael Hansen
Message-Id: <[EMAIL PROTECTED]>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Content-Type: text/plain; charset=us-ascii

In message <[EMAIL PROTECTED]>, Chuck Yerkes writes:
>Well, by NOT offering that, getting passwords is as simple
>as sniffing the net. And that's just easier to do.

Depends on the net you're sniffing. Most networks are switched, which makes sniffing more difficult. Still pretty simple, but also more noticeable.

>No, at this point a dedicated POP server can be made Secure
>Enough (I'd never say Unbreakable). This means, of course,
>only administrative access to the machine and doing security
>Best Practices. Furthermore, the tokens should not be stored
>in plain text by the program somewhere but rather encrypted
>in a way that the popper server can get the plain text out of
>it. Most of the SASL methods I've looked at do this.
>
>Evil hacker breaks onto the machine, gets a file of shared keys
>that is a binary mush. S/he then must break that or find the
>keys used from the crypto binary.

If the popper server can get the plain text out of it, the person who has cracked your box can too. The passwords have to be in memory somewhere or in a config file somewhere, since the popper binary has to store them somewhere when the machine is off. This is just security through obscurity. Especially if you're using open-source SASL routines, finding or writing a cracker should be trivial.

>Frankly, once on the machine, wiring in a sniffer is less effort.

Yes, but with a sniffer, they get only those accounts that are used, which makes their intrusions more likely to be noticed. With the complete password list, they get access to every POP account you have, including those that haven't been used in years.

When it comes down to it, storing passwords in clear-text worries me more than having passwords clear on the wire. IMHO, APOP just doesn't seem like a good solution. It introduces more problems than it solves.
TLS/SSL is a better solution, especially with Moore's law making CPU cycles cheaper every year.

- --
Ted Cabeen                  http://www.pobox.com/~secabeen            [EMAIL PROTECTED]
Check Website or Keyserver for PGP/GPG Key BA0349D2                  [EMAIL PROTECTED]
"I have taken all knowledge to be my province." -F. Bacon            [EMAIL PROTECTED]
"Human kind cannot bear very much reality."-T.S.Eliot                [EMAIL PROTECTED]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (OpenBSD)
Comment: Exmh version 2.5 07/13/2001

iD8DBQE8aqduoayJfLoDSdIRAhscAJ91QQl1ZFJ7O3JEG7XT91yQ3DuelACeKlKf
8fLKwKXqxWFhzHfANxKQiQ0=
=emOZ
-----END PGP SIGNATURE-----
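The APOP exchange the message argues about, as an added example that is not part of the original post and not qpopper's code: it computes the RFC 1939 APOP digest on the client side and shows why the server can only check it if it holds the shared secret in recoverable form, next to a store that keeps only a salted one-way verifier (PBKDF2-HMAC-SHA256, a constructed choice, not any qpopper file format) and can verify a plaintext password sent over TLS but not an APOP digest. The store classes, the `dump()` helper and the in-memory stand-in for the server's secret file are hypothetical; the banner, user name and secret are the worked values from RFC 1939 section 7.

```python
import hashlib
import hmac
import os

# --- APOP digest as specified in RFC 1939, section 7 -----------------------
# The server greeting carries a timestamp banner "<pid.clock@host>"; the
# client answers "APOP name digest" with digest = MD5(banner || shared_secret).


def make_banner(pid: int, clock: int, host: str) -> str:
    """Build the timestamp banner the server puts in its +OK greeting."""
    return f"<{pid}.{clock}@{host}>"


def apop_digest(banner: str, secret: str) -> str:
    """Client side: MD5 hex digest of the banner followed by the secret."""
    return hashlib.md5((banner + secret).encode("ascii")).hexdigest()


class PlaintextSecretStore:
    """What an APOP-capable server must keep: the shared secret itself.
    Hypothetical in-memory stand-in for the server's secret file."""

    def __init__(self):
        self._secrets = {}

    def add(self, user: str, secret: str) -> None:
        self._secrets[user] = secret

    def verify_apop(self, user: str, banner: str, digest: str) -> bool:
        secret = self._secrets.get(user)
        if secret is None:
            return False
        # The server needs the plaintext secret to recompute the digest.
        return hmac.compare_digest(apop_digest(banner, secret), digest)

    def dump(self) -> dict:
        """Everything an intruder gets by copying the file: every account's
        secret, including accounts that have not logged in for years."""
        return dict(self._secrets)


class HashedVerifierStore:
    """What a USER/PASS-over-TLS server can keep instead: a salted one-way
    verifier (PBKDF2-HMAC-SHA256 here, a constructed choice). Copying this
    file yields no password directly."""

    ITERATIONS = 100_000

    def __init__(self):
        self._verifiers = {}

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, self.ITERATIONS)

    def add(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._verifiers[user] = (salt, self._derive(password, salt))

    def verify_pass(self, user: str, password: str) -> bool:
        entry = self._verifiers.get(user)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(self._derive(password, salt), stored)

    def verify_apop(self, user: str, banner: str, digest: str) -> bool:
        # MD5(banner || secret) cannot be recomputed from a one-way verifier:
        # this is the structural reason APOP forces recoverable secret storage.
        raise NotImplementedError("APOP cannot be verified against a one-way hash")


def supports_apop(store) -> bool:
    """True if the store can check an APOP digest at all."""
    try:
        store.verify_apop("probe", "<0.0@probe>", "00")
        return True
    except NotImplementedError:
        return False


def demo() -> dict:
    """Run both stores against the RFC 1939 example values and a wrong guess."""
    banner = make_banner(1896, 697170952, "dbc.mtview.ca.us")
    apop = PlaintextSecretStore()
    apop.add("mrose", "tanstaaf")
    hashed = HashedVerifierStore()
    hashed.add("mrose", "tanstaaf")
    digest = apop_digest(banner, "tanstaaf")
    return {
        "digest": digest,
        "apop_ok": apop.verify_apop("mrose", banner, digest),
        "apop_bad": apop.verify_apop("mrose", banner, apop_digest(banner, "wrong")),
        "pass_ok": hashed.verify_pass("mrose", "tanstaaf"),
        "pass_bad": hashed.verify_pass("mrose", "wrong"),
        "hashed_store_does_apop": supports_apop(hashed),
        "leaked_secrets": apop.dump(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it prints the RFC digest and the verification results. `dump()` makes the post's point concrete: the file an APOP server must keep hands an intruder every account's secret at once, while the hashed store hands over only salted verifiers that still have to be guessed offline one password at a time. Note that the hashed store is still useless for APOP, which is why the choice is really between the two protocols rather than between two storage formats.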
