[plug] POP and SSL

Christian christian at global.net.au
Sun Jan 9 18:24:27 WST 2000


Leon Brooks wrote:
> 
> Christian wrote:
> > Leon Brooks wrote:
> >> Subba Rao wrote:
> >>> What is the best way to protect my users passwords from being sniffed?
> 
> >> The simplest, least flexible way is to block access to the POP port
> >> except from your dialup lines.
> 
> > This won't really give much protection, will it?  Attackers can still
> > telnet/ssh/ftp in (assuming any of these services are enabled)
> 
> You'd be silly to leave Telnet enabled without _some_ protection, FTP
> (most, anyway) responds slowly to a bad password and so is of limited
> use for brute-forcing (and many FTP clients can be SSH-enabled), and ssh
> isn't susceptible to sniffing.

Ok, but that's not the issue that was raised.  Also, I'm not talking
about brute-forcing passwords over the network, I'm talking about
sniffing passwords and then using that to extend access beyond POP
email.

> > He said they were all using Fetchmail... (which doesn't support SSL
> > either from what I gather).
> 
> Doesn't it? Well, it shouldn't be too difficult to add if so. There are
> projects like stelnet around to provide working examples of the SSL
> interface.

It wouldn't be hard... but using SSH would be easier.  Plus, you'd have
to add support to Fetchmail AND to the POP3 server.

> > As I suggested, APOP or a Kerberized POP
> > might be the best approach if SSH can't be used.
> 
> These are sniffer-proof, are they?

Pretty much (as much as SSL is, I would say).

Regards,

Christian.
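Since the thread asks whether APOP is "sniffer-proof", here is an added worked example (not from the list or from any POP server's code) of the RFC 1939 APOP exchange: the server greeting carries a one-time timestamp, the client answers with MD5(timestamp + secret), and a passively captured digest cannot be replayed against a later greeting. The timestamp and secret for the digest check are the worked values from RFC 1939 section 7; the host name, pid/clock values and user store are constructed for the demonstration.

```python
import hashlib
import hmac

# RFC 1939 section 7 worked values: greeting timestamp and shared secret.
RFC_TIMESTAMP = "<1896.697170952@dbc.mtview.ca.us>"
RFC_SECRET = "tanstaaf"


def extract_timestamp(banner: str) -> str:
    """Pull the <pid.clock@host> challenge out of the server greeting."""
    start, end = banner.index("<"), banner.index(">")
    return banner[start:end + 1]


def apop_digest(timestamp: str, secret: str) -> str:
    """Client side: hex MD5 over the timestamp followed by the shared secret."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()


def apop_verify(timestamp: str, user: str, digest: str, secrets: dict) -> bool:
    """Server side: recompute from the stored secret and compare in constant time.
    Note the server must keep the secret in recoverable form, unlike a hashed
    password file, which is one reason APOP is only 'pretty much' sniffer-proof."""
    if user not in secrets:
        return False
    expected = apop_digest(timestamp, secrets[user])
    return hmac.compare_digest(expected, digest)


def session(user: str, secret: str, pid: int, clock: int, secrets: dict):
    """One APOP login against a constructed server; returns (wire line, accepted)."""
    banner = f"+OK POP3 server ready <{pid}.{clock}@mail.example.org>"
    ts = extract_timestamp(banner)
    line = f"APOP {user} {apop_digest(ts, secret)}"
    return line, apop_verify(ts, user, line.split()[2], secrets)


def replay_of_sniffed_line() -> tuple:
    """What a passive sniffer sees: the digest, never the secret itself, and
    replaying that digest against a fresh greeting is rejected."""
    store = {"mrose": RFC_SECRET}  # constructed server-side secret store
    line1, ok1 = session("mrose", RFC_SECRET, 1896, 697170952, store)
    # Second connection: the server issues a new timestamp, so the old
    # digest no longer matches what the server recomputes.
    ts2 = extract_timestamp("+OK POP3 server ready <1897.697171000@mail.example.org>")
    ok2 = apop_verify(ts2, "mrose", line1.split()[2], store)
    secret_on_wire = RFC_SECRET in line1
    return ok1, ok2, secret_on_wire  # (True, False, False)
```

The contrast with plain USER/PASS is that the captured line never contains the secret, though the message bodies still travel in the clear, which is where an SSH tunnel or SSL still has the edge.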