[plug] POP and SSL
christian at global.net.au
Sun Jan 9 18:24:27 WST 2000
Leon Brooks wrote:
> Christian wrote:
> > Leon Brooks wrote:
> >> Subba Rao wrote:
> >>> What is the best way to protect my users passwords from being sniffed?
> >> The simplest, least flexible way is to block access to the POP port
> >> except from your dialup lines.
> > This won't really give much protection, will it? Attackers can still
> > telnet/ssh/ftp in (assuming any of these services are enabled)
> You'd be silly to leave Telnet enabled without _some_ protection, FTP
> (most, anyway) responds slowly to a bad password and so is of limited
> use for brute-forcing (and many FTP clients can be SSH-enabled), and ssh
> isn't susceptible to sniffing.
Ok, but that's not the issue that was raised. Also, I'm not talking
about brute-forcing passwords over the network, I'm talking about
sniffing passwords and then using that to extend access beyond POP
> > He said they were all using Fetchmail... (which doesn't support SSL
> > either from what I gather).
> Doesn't it? Well, it shouldn't be too difficult to add if so. There are
> projects like stelnet around to provide working examples of the SSL
It wouldn't be hard... but using SSH would be easier. Plus, you'd have
to add support to Fetchmail AND to the POP3 server.
> > As I suggested, APOP or a Kerberized POP
> > might be the best approach if SSH can't be used.
> These are sniffer-proof, are they?
Pretty much (as much as SSL is, I would say).
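As an added illustration of the APOP challenge-response discussed above (not code from anyone in this thread), the example below walks through the exchange defined in RFC 1939: the server sends a per-connection timestamp in its greeting, the client answers with MD5(timestamp + shared secret), so the secret itself never crosses the wire and a captured digest is useless against a later connection. The banner, user name and secret are constructed sample values.

```python
import hashlib
import hmac
import re

# Constructed sample values (not from the thread). The <...> token is the
# APOP timestamp the server must vary on every connection.
SAMPLE_BANNER = "+OK POP3 server ready <1896.697170952@mail.example.net>"
SAMPLE_SECRET = "correct-horse-battery"

TIMESTAMP_RE = re.compile(r"(<[^<>]+>)")


def apop_timestamp(banner: str) -> str:
    """Pull the <...> timestamp out of the server greeting."""
    match = TIMESTAMP_RE.search(banner)
    if not match:
        raise ValueError("greeting carries no APOP timestamp")
    return match.group(1)


def apop_digest(timestamp: str, secret: str) -> str:
    """Client side: hex MD5 over timestamp immediately followed by the secret."""
    return hashlib.md5((timestamp + secret).encode()).hexdigest()


def apop_verify(timestamp: str, digest: str, stored_secret: str) -> bool:
    """Server side: recompute from its copy of the secret and compare.

    The server needs the secret in recoverable form, and a sniffer holding
    the digest can still guess secrets offline, which is why APOP is only
    'pretty much' as good as a transport-level solution such as SSH or SSL.
    """
    expected = apop_digest(timestamp, stored_secret)
    return hmac.compare_digest(expected, digest)


def apop_exchange(banner: str, user: str, secret: str, stored_secret: str):
    """Simulate one connection; return the line a sniffer would see and the result."""
    timestamp = apop_timestamp(banner)
    digest = apop_digest(timestamp, secret)
    client_line = f"APOP {user} {digest}"
    return client_line, apop_verify(timestamp, digest, stored_secret)


def replay_succeeds(old_banner: str, new_banner: str, secret: str) -> bool:
    """Does a digest captured from one session authenticate against a new one?"""
    old_digest = apop_digest(apop_timestamp(old_banner), secret)
    return apop_verify(apop_timestamp(new_banner), old_digest, secret)
```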