On Sat, Oct 08, 2005 at 04:17:36PM -0700, walt wrote:
> Background: I have free email accounts with myrealbox.com
> and gmail.com. Both organizations provide TLS connection
> to outgoing (SMTP) servers, and SSL connection to incoming
> (POP/IMAP) servers.
>
> My questions:
>
> 1. Why use two different protocols instead of one?

TLS is effectively SSLv3, but without the name from Netscape.

> 2. Does the use of secure connections make the 'secure
> authentication' protocol irrelevant? (I notice that
> my password never appears in the clear in either
> direction, even though I don't use 'secure auth'.)

Depends. You have two kinds of authentication mechanisms: clear text
transmission and hash transmission. Both have advantages and
disadvantages, e.g. for clear text transmission you normally don't
have to store the password itself in clear text (but can use something
like the md5 hash). For the hash transmission, the server has to store
the password unencrypted, but the protocol itself is more resilient to
replay attacks.

Joerg
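The storage versus replay trade-off described in the reply above, as an added example that is not part of the original message. The class names and the sample password are constructed; a salted PBKDF2 hash stands in for the "md5 hash" mentioned, and the hash-transmission side is an HMAC-SHA256 challenge-response in the pattern CRAM-MD5 uses.

```python
import hashlib
import hmac
import os

PASSWORD = b"correct horse"  # constructed sample credential

class PlainServer:
    """Clear-text transmission: the server keeps only a salted hash."""
    def __init__(self, password):
        self.salt = os.urandom(16)
        self.stored = hashlib.pbkdf2_hmac("sha256", password, self.salt, 100_000)

    def verify(self, sent_password):
        cand = hashlib.pbkdf2_hmac("sha256", sent_password, self.salt, 100_000)
        return hmac.compare_digest(cand, self.stored)

class ChallengeServer:
    """Hash transmission: the server must hold the secret itself so it
    can recompute the expected response for each fresh challenge."""
    def __init__(self, password):
        self.secret = password
        self.pending = None

    def challenge(self):
        self.pending = os.urandom(16).hex().encode()
        return self.pending

    def verify(self, response):
        if self.pending is None:
            return False
        expected = client_response(self.secret, self.pending)
        self.pending = None  # each challenge is single use
        return hmac.compare_digest(expected, response)

def client_response(password, challenge):
    return hmac.new(password, challenge, hashlib.sha256).hexdigest().encode()

def demo():
    plain, cram = PlainServer(PASSWORD), ChallengeServer(PASSWORD)
    captured = client_response(PASSWORD, cram.challenge())  # seen on the wire
    first = cram.verify(captured)
    cram.challenge()                                        # next login attempt
    return {
        "plain_login": plain.verify(PASSWORD),
        "plain_replay": plain.verify(PASSWORD),  # captured bytes work again
        "plain_stores_password": plain.stored == PASSWORD,
        "cram_login": first,
        "cram_replay": cram.verify(captured),    # stale response is rejected
        "cram_stores_password": cram.secret == PASSWORD,
    }
```

Inside a TLS or SSL session the clear-text exchange is not visible to an eavesdropper, which is the situation the second question asks about.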
