[plug] POP mail security

Christian christian at global.net.au
Sun Jan 9 21:43:26 WST 2000 

skribe wrote:
> Are there any how-tos for APOP?  Which is `better'?  APOP or Kerberos?
> It's a pity that Eudora isn't SSH compat.

Not that I know of but I've never actually set up either. :)  It's
probably just a matter of ensuring the server supports APOP and
configuring your client to use it.  At the bottom of this emails I've
included URLs to some POP3 servers (I got these from 2 minutes of
searching on Freshmeat so I'm not necessarily recommending them! :-). 
Solid POP apparently supports APOP and I know Qpopper supports KPOP
(because Eudora does) but I'm not sure about APOP (I think it does but I
don't use it myself so I'm not sure). As for SSH, I'm not exactly
positive about this since I haven't tried it but can't some of the
Winblows SSH clients do SSH forwarding?  If so, would it work to point
your POP3 client to a port on your local machine where the SSH client is
listening and have forward the requests this way? (Perhaps someone else
who's actually tried it before can give more details or else there might
be a howto.)

As for which is better, overall I would say APOP for many reasons but
"better" is a very arbitrary thing.  My understanding of APOP is that it
uses a challenge-response system where the server issues a nonce and
authenticates based on the validity of an MD5 hash returned by the
client constructed through the concatentation of this with the
password.  (I've never actually read any of the formal documents about
APOP so I could be wrong about this.)  The security here would seem to
be pretty good and, as an added advantage, it uses no cryptography so
can be exported wherever.  The disadvantage here is that your email is
still in plaintext while in transit.

Kerberized POP just uses the Kerberos authentication mechanism which is
a variant of a Needham-Schroeder protocol.  Kerberos is awkward to set
up (particularly in finding both client and a server software which
support it and then establishing a *secure* key server), creates a major
weak link in terms of the security of the key server and has
well-documented security problems with both major versions (IV and V)
that are around.  The only real advantage of Kerberos over APOP in this
situation would be that Kerberos *can* encrypt session traffic so an
attacker wouldn't get your password and also wouldn't be able to read
your mail in transit.  Whether the KTH version of Kerberos supports this
or not I'm not sure and I imagine you might also need special client
support for this.  In the end, SSH (for all-round protection) or APOP
(for password protection) are probably better options IMHO.

BTW, if you're thinking about setting up a Kerberos key server, I
recommend you very seriously consider OpenBSD.  It comes with full
Kerberos IV client and server support (I believe Kerberos V support is
on it's way) and, given the central point of weakness that such a key
server represents, OpenBSD's high security makes ideal.

Regards,

Christian. 


Solid POP:
http://www.freshmeat.net/appindex/1999/11/12/942422548.html

QPopper:
http://www.eudora.com/freeware/qpop.html

More information about the plug mailing list