[plug] POP and SSL
Leon Brooks
leonb at bounce.networx.net.au
Sat Jan 8 20:45:01 WST 2000
Christian wrote:
> Leon Brooks wrote:
>> Subba Rao wrote:
>>> What is the best way to protect my users' passwords from being sniffed?

>> The simplest, least flexible way is to block access to the POP port
>> except from your dialup lines.

> This won't really give much protection, will it? Attackers can still
> telnet/ssh/ftp in (assuming any of these services are enabled)

You'd be silly to leave Telnet enabled without _some_ protection, FTP
(most, anyway) responds slowly to a bad password and so is of limited
use for brute-forcing (and many FTP clients can be SSH-enabled), and ssh
isn't susceptible to sniffing.

>> There are SSL versions of the POP3 protocol (my /etc/services file
>> mentions spop3 on port 995) but I suspect that Windows clients for same
>> would be limited.

> He said they were all using Fetchmail... (which doesn't support SSL
> either from what I gather).

Doesn't it? Well, it shouldn't be too difficult to add if so. There are
projects like stelnet around to provide working examples of the SSL
interface.

> As I suggested, APOP or a Kerberized POP
> might be the best approach if SSH can't be used.

These are sniffer-proof, are they?

--
Confidence is the feeling you have before you understand the situation.
If at first you don't succeed, try a shorter bungee. When in trouble,
when in doubt, run in circles, scream and shout. The two great secrets
of success are: don't tell anyone everything that you know.
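
Added example (not part of the original message): a Python audit of captured POP3 sessions for the exposure discussed in this thread, flagging clients that send USER/PASS in cleartext and recomputing the APOP digest as defined in RFC 1939. The session data, host addresses and function names are constructed for illustration; the APOP banner, user and digest are the RFC's own worked example.

```python
import hashlib
import re

# Constructed capture of POP3 lines (S: server, C: client), keyed by client host.
# The APOP banner, user and digest are the worked example from RFC 1939
# (shared secret "tanstaaf"); the USER/PASS session is invented.
SESSIONS = {
    "10.0.0.5": ["S: +OK POP3 server ready", "C: USER alice", "C: PASS hunter2"],
    "10.0.0.9": [
        "S: +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>",
        "C: APOP mrose c4c9334bac560ecc979e58001b3e22fb",
    ],
}

BANNER_TS = re.compile(r"^S: \+OK .*?(<[^<>]+@[^<>]+>)\s*$")


def apop_digest(timestamp: str, secret: str) -> str:
    """RFC 1939 APOP: hex MD5 of the banner timestamp followed by the secret."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()


def audit(lines):
    """Return what a passive observer of this session learns about the login."""
    result = {"user": None, "method": None, "cleartext_password": False, "challenge": None}
    for line in lines:
        m = BANNER_TS.match(line)
        if m:
            result["challenge"] = m.group(1)  # per-connection APOP challenge
            continue
        if not line.startswith("C: "):
            continue
        parts = line[3:].split(" ", 2)
        verb = parts[0].upper()
        if verb == "USER" and len(parts) > 1:
            result["user"] = parts[1]
        elif verb == "PASS":
            result["method"] = "USER/PASS"
            result["cleartext_password"] = True  # the password itself crossed the wire
        elif verb == "APOP" and len(parts) == 3:
            result["user"], result["method"] = parts[1], "APOP"
    return result


def cleartext_clients(sessions):
    """Hosts whose mail clients still put the password itself on the wire."""
    return sorted(h for h, s in sessions.items() if audit(s)["cleartext_password"])
```

APOP keeps the password itself off the wire but leaves the mail contents in cleartext; POP3 over SSL on port 995 covers both.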