At 1:47 PM -0400 9/15/05, Stefan Jeglinski imposed structure on a
stream of electrons, yielding:

> Allow me to be difficult for just one more moment.

>>> otherwise, why claim that it is so grossly insecure when normal
>>> e-mail is so grossly insecure anyway?

>> Note that passwords in the clear for email have become fairly
>> uncommon. Even SIMS supports CRAM-MD5 authentication for SMTP and
>> APOP for POP3.

> Supporting such and configuring it that way OOTB are 2 different
> things. You usually have a good pulse on e-mail trends. Given the
> most common consumer level computers, i.e., Windows XP running Outlook
> Express, or business installations, i.e., Windows XP running Outlook,
> is password encryption turned on by default as installed? Or is it
> turned off, instead relying on ISPs to enforce authentication
> procedures? Put another way, do ISPs these days still spend a lot of
> time educating their new users, or is APOP etc. such a common default
> that new users aren't even aware that they are implementing it?

Every modern mailer provides APOP support and most provide SSL/TLS
support. Putting POP3 over SSL/TLS or at least requiring APOP are
more common than not with ISPs today. Virtually every SMTP AUTH
system supports CRAM-MD5 and clients that use SMTP AUTH will
generally use the strongest method available (i.e. most don't even
provide the user any visible means to pick which auth method is
used). Some providers (in the US the most notable is Yahoo, which
runs the SBC POP3 servers) remain foolish and allow users to use
clear passwords if they choose, but I don't think any major ISPs
require clear passwords.

>> In contrast: there is no such thing as a poppassd that does not
>> require passwords in the clear.

> Is there something *beyond* sending passwords in clear text that
> makes poppassd so insecure?

>> 1. It uses a TCP port which, while assigned to a totally different
>> protocol, is in fact only used on the open Internet for this
>> protocol. This makes sniffing the protocol very highly efficient.

> Why could I not make the same argument for port 110? (aside from the
> issue of assignment to another protocol, which I find neutral to the
> point).

Virtually every packet with any content aimed at port 106 will
contain authentication information. Most port 110 traffic is not
authentication information, and there's so much more of it. This is
why I call sniffing poppassd more efficient: catch 5 packets with
payload aimed at port 106 on a poppassd host and you may have 3
accounts in hand.

I am more worried today about sniffable protocols than I was 5 years
ago for sound reasons. 5 years ago it would have been unusual to find
a home machine running trojan bots doing keystroke logging, packet
sniffing, and remote control service. Now it is a normal
circumstance. A Windows machine whose owner has not been very careful
is more likely than not to be running software designed to steal
their private information, and many of those programs include pieces
like keyloggers and packet sniffers. It no longer requires a router
crack to sniff traffic between end users and their ISP mail systems.

>> 2. It provides a sniffer instant knowledge of how to use a sniffed
>> password to take over an account completely, i.e. how to change the
>> password himself.

> This one I readily concede. Thanks for pointing it out.

--
Bill Cole
[EMAIL PROTECTED]
#############################################################
This message is sent to you because you are subscribed to
the mailing list <[email protected]>.
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to <[EMAIL PROTECTED]>
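The two points argued in the thread above, APOP/CRAM-MD5 keeping the password off the wire versus poppassd never doing so, and a sniffer on port 106 harvesting whole accounts in a handful of packets while port 110 only leaks when a client still sends clear USER/PASS, as an added worked example. This is editor-written code, not anything posted by Bill Cole or Stefan Jeglinski and not part of any poppassd or mail server. It assumes the classic Eudora poppassd command names (user, pass, newpass, quit); every packet payload below is constructed sample data, not a real capture.

```python
"""Added example, not code from the list thread: computes the APOP (RFC 1939)
and CRAM-MD5 (RFC 2195) client responses that keep a POP3/SMTP password off the
wire, and runs a toy passive "sniffer" over constructed packet payloads to show
why port 106 (poppassd) hands over whole accounts in a few packets while port
110 only leaks when a client still uses clear USER/PASS. The poppassd command
names (user/pass/newpass/quit) are those of the classic Eudora poppassd
(assumption); all payloads are constructed sample data, not real captures."""
import base64
import hashlib
import hmac


def apop_digest(timestamp_banner: str, password: str) -> str:
    """RFC 1939 APOP: the client answers the server's <timestamp> banner with
    hex(MD5(timestamp + password)); the password itself never crosses the wire."""
    return hashlib.md5((timestamp_banner + password).encode()).hexdigest()


def cram_md5_digest(challenge_b64: str, password: str) -> str:
    """RFC 2195 CRAM-MD5 keyed digest: hex(HMAC-MD5(key=password, msg=challenge))."""
    challenge = base64.b64decode(challenge_b64)
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


def cram_md5_response(challenge_b64: str, user: str, password: str) -> str:
    """Full client response line: base64("<user> <hexdigest>")."""
    line = f"{user} {cram_md5_digest(challenge_b64, password)}"
    return base64.b64encode(line.encode()).decode()


def harvest(packets):
    """Walk client->server payloads (dst_port, text) in capture order and keep
    whatever a passive sniffer could use directly.
    Returns {(port, user): {"pass": ..., "newpass": ...}}."""
    found = {}
    pending_user = {}  # port -> user named by the last USER command on that port
    for port, payload in packets:
        verb, _, arg = payload.strip().partition(" ")
        verb = verb.upper()
        if port == 106:
            # poppassd: every line with an argument is credential material,
            # and "newpass" tells the sniffer exactly how to lock the owner out
            if verb == "USER":
                pending_user[port] = arg
            elif verb in ("PASS", "NEWPASS") and port in pending_user:
                found.setdefault((port, pending_user[port]), {})[verb.lower()] = arg
        elif port == 110:
            # POP3: only a clear USER/PASS pair leaks anything; an APOP line
            # carries a one-time digest, and most lines are mailbox traffic
            if verb == "USER":
                pending_user[port] = arg
            elif verb == "PASS" and port in pending_user:
                found.setdefault((port, pending_user[port]), {})["pass"] = arg
    return found


def accounts_per_packet(packets, port):
    """(accounts compromised, payload packets seen) for one destination port."""
    seen = [p for p in packets if p[0] == port]
    owned = {user for (_prt, user) in harvest(seen)}
    return len(owned), len(seen)


# Constructed sample traffic: three sessions, client->server payloads only.
SAMPLE_PACKETS = [
    # poppassd on port 106: four packets, old and new password both handed over
    (106, "user alice"),
    (106, "pass s3cret-old"),
    (106, "newpass s3cret-new"),
    (106, "quit"),
    # POP3 with APOP on port 110: the digest is useless to a passive sniffer
    (110, "APOP bob " + apop_digest("<1896.697170952@mail.example>", "bobpw")),
    (110, "STAT"),
    (110, "LIST"),
    (110, "RETR 1"),
    (110, "DELE 1"),
    (110, "QUIT"),
    # POP3 with clear USER/PASS on port 110: the case a provider still permits
    (110, "USER carol"),
    (110, "PASS carolpw"),
    (110, "STAT"),
    (110, "QUIT"),
]

if __name__ == "__main__":
    for (port, user), creds in sorted(harvest(SAMPLE_PACKETS).items()):
        print(f"port {port} user {user}: {creds}")
    for port in (106, 110):
        print(f"port {port}: (accounts, packets) = {accounts_per_packet(SAMPLE_PACKETS, port)}")
```

Two caveats from the editor, not from the thread: APOP and CRAM-MD5 only hide the password in transit; the server still has to hold it in recoverable form to verify the digest, and both are MD5-based challenge schemes that offer nothing against an active attacker, so POP3/SMTP over TLS remains the better answer. The harvest routine also shows the sniffer's asymmetry directly: the 106 session yields one account with both its old and new password from four packets, while the ten port-110 packets yield one account only because one client still sent clear USER/PASS.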