[lug] ssl for imap and pop

Timothy Klein teece at silverklein.net
Sun Mar 4 13:38:35 MST 2001

I think the internet community as a whole should address the email plain
text issue.  Some day, we should make it a standard that all email
transfer transactions take place in an encrypted tunnel.  Of course,
even with that, you are still relying on the file protections of any
transit servers to keep the email plain text unread by prying eyes.  But
nonetheless, it would seem to be some increase in privacy.  Other
measures may need to be added.

But in the meantime, why don't more pop3 servers implement APOP?  It
allows for a challenge-response mechanism, it is session specific, it
does not send any password in the clear.  Even better, you can make
those users that retrieve pop3 mail and are also allowed to log in
to a shell account have an APOP passphrase different from the login password.
In this way, if the passphrase were ever compromised, you only have an
email privacy breach, rather than a shell account breach.

I recall once that I sent my ISP a message asking them if they supported
APOP (after being informed about it by fetchmailconf, if I remember
correctly).  They replied that they didn't, and that furthermore it was
pointless because it was plaintext equivalent.  From what I read, that
is just plain wrong.  Am I (and the pop3 RFC writer, too) missing some
gaping security problem with APOP?  Or were they confused?

Anyway, I'm rambling.


* Kirk Rafferty (kirk at fpcc.net) wrote:
> On Sun, Mar 04, 2001 at 08:19:14PM +0100, rm at mamma.varadinet.de wrote:
> > Yes, but at least your POP password won't be sent in cleartext.
> > For content PGP or GPG is much more useful.
> Ah yes, I hadn't considered this.  It's a good point, especially considering
> your POP password is often the same as your account password.
> -k

== Timothy Klein         || And what rough beast                   ==
== teece at silverklein.net || Its hour come round at last            ==
== Aufwiedersehen!       || Slouches towards Bethlehem to be born? ==
== Aufwiedersehen!       || The beast of Redmond, nothing more.    ==
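
The APOP challenge-response exchange discussed in the message above, shown from both sides as an added example that is not part of the original post. The digest rule is the one in RFC 1939; the class and function names, the hostname and the random component in the challenge are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time


def apop_digest(challenge: str, secret: str) -> str:
    """RFC 1939 APOP: hex MD5 of the banner timestamp followed by the shared secret."""
    return hashlib.md5((challenge + secret).encode("utf-8")).hexdigest()


class ApopServer:
    """Hypothetical server side. It has to hold each user's APOP secret itself
    (not a hash of it) in order to recompute the digest."""

    def __init__(self, secrets, hostname="mail.example.org"):  # constructed hostname
        self.secrets = secrets
        self.hostname = hostname
        self.challenge = None

    def greet(self) -> str:
        # A fresh <unique.clock@host> string per connection makes the digest session specific.
        self.challenge = "<%s.%d@%s>" % (os.urandom(8).hex(), int(time.time()), self.hostname)
        return "+OK POP3 server ready " + self.challenge

    def handle_apop(self, line: str) -> bool:
        parts = line.split()
        if len(parts) != 3 or parts[0].upper() != "APOP" or self.challenge is None:
            return False
        _, user, digest = parts
        challenge, self.challenge = self.challenge, None  # one attempt per challenge
        secret = self.secrets.get(user)
        if secret is None:
            return False
        expected = apop_digest(challenge, secret)
        return hmac.compare_digest(expected.encode(), digest.lower().encode())


def client_apop_line(greeting: str, user: str, secret: str) -> str:
    """Client side: pull the <...> challenge out of the greeting and answer it.
    Only the user name and the digest go over the wire, never the secret."""
    start = greeting.index("<")
    end = greeting.index(">", start) + 1
    return "APOP %s %s" % (user, apop_digest(greeting[start:end], secret))


if __name__ == "__main__":
    server = ApopServer({"mrose": "tanstaaf"})  # constructed account, secret from the RFC example
    captured = client_apop_line(server.greet(), "mrose", "tanstaaf")
    print("first session accepted:", server.handle_apop(captured))
    server.greet()  # new connection, new challenge
    print("captured line replayed:", server.handle_apop(captured))
```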
