>On my personal system, the same usernames/passwords are used for both
>pop3 and ssh- so while I agree with you in that the mail itself has no
>reasonable expectation of privacy, the passwords do.

Another concern is that even with APOP/CRAM-MD5 _but_ without encryption the data stream is vulnerable to a bunch of different attacks (think: deleting/modifying messages in transit).

>it might be better to use something like kerberos, where only the
>password is encrypted, but few pop clients support kerberos.

Well, that list _is_ increasing (e.g., Eudora, Mulberry, Mac OS X 10.2 Mail.app), but it's still got a ways to go.

--Ken
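
The point about APOP/CRAM-MD5 without encryption, as an added example that is not part of the original message: both mechanisms prove knowledge of the password over a server challenge only, so nothing in a cleartext POP3 session binds the retrieved message bytes to that proof. The function names are hypothetical, the challenge/secret pairs are the examples from RFC 1939 and RFC 2195, and the two RETR responses are constructed.

```python
import hashlib
import hmac

def apop_digest(banner_timestamp: str, secret: str) -> str:
    # RFC 1939: MD5 over the banner timestamp immediately followed by the shared secret.
    return hashlib.md5((banner_timestamp + secret).encode()).hexdigest()

def cram_md5_response(user: str, challenge: str, secret: str) -> str:
    # RFC 2195: "<user> <hex HMAC-MD5(key=secret, msg=challenge)>" (base64 framing omitted).
    mac = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{user} {mac}"

def server_verifies(challenge: str, secret: str, response: str) -> bool:
    # The server recomputes the MAC from its own copy of the secret;
    # the secret itself never crosses the wire.
    _user, _, mac = response.partition(" ")
    expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(mac, expected)

def read_retr(wire: bytes) -> bytes:
    # Client side of RETR: status line, dot-unstuffed body, "." terminator.
    # These framing checks are all POP3 offers; no field ties the body to the login proof.
    lines = wire.split(b"\r\n")
    if not lines[0].startswith(b"+OK"):
        raise ValueError("server reported an error")
    end = lines.index(b".")  # raises ValueError if the terminator is missing
    return b"\r\n".join(l[1:] if l.startswith(b".") else l for l in lines[1:end])

# Challenge/secret pairs from the examples in RFC 1939 (APOP) and RFC 2195 (CRAM-MD5).
APOP_TS, APOP_SECRET = "<1896.697170952@dbc.mtview.ca.us>", "tanstaaf"
CRAM_CHAL, CRAM_SECRET = "<1896.697170952@postoffice.reston.mci.net>", "tanstaaftanstaaf"

# Constructed RETR responses: what the server sent, and the same response altered on the path.
SENT = b"+OK message follows\r\nSubject: invoice\r\n\r\nPay account 1111.\r\n.\r\n"
RECEIVED = b"+OK message follows\r\nSubject: invoice\r\n\r\nPay account 9999.\r\n.\r\n"

if __name__ == "__main__":
    print("APOP mrose", apop_digest(APOP_TS, APOP_SECRET))
    resp = cram_md5_response("tim", CRAM_CHAL, CRAM_SECRET)
    print("CRAM-MD5", resp, "verified:", server_verifies(CRAM_CHAL, CRAM_SECRET, resp))
    # The login proof is valid and the password stayed hidden, yet the client
    # parses the altered body exactly as it would the original.
    print("bodies equal:", read_retr(SENT) == read_retr(RECEIVED))
```

Running the same session inside TLS is what adds the missing integrity check on the message data.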
