True, but there is an important piece missing here: APOP. Instead of sending a cleartext password as with regular POP3, the APOP-aware server sends a ready prompt with a monotonically increasing timestamp string:

+OK POP3 v7.59 server ready <6ca1.396d060f at colossus.bilow.com>

The APOP-aware client then appends its password to the timestamp string in the corner brackets, computes a one-way cryptographic hash of the whole thing, and sends it over the wire. The server, since it knows what it sent and what the client should be using for a password, makes the same hash computation and checks that the two hashes match.

The important benefit of APOP is that it is very widely supported by standard POP3 servers and clients. It replaces the password on the wire with what amounts to a one-time-use hash ticket, preventing replay attacks since the server will never send the same challenge twice. Unlike SSL-POP, the mail itself still moves entirely in the clear after APOP login, but there are no concerns with SSL certificates and other complexities.

-- Mike

On 2000-07-10 at 14:46 -0400, Matthew J. Brodeur wrote:
> Normal POP3 uses cleartext passwords (read: BAD), and unless the
> ISP supports POP-SSL or the SSH workaround hack (see the "Secure POP/SSH
> HOWTO") that's just the way it is. I'm not experienced with POP-SSL (or
> SSL-POP, I'm not sure) but it sounds like a good idea.

- Subscription/unsubscription/info requests: send e-mail with "subscribe", "unsubscribe", or "info" on the first line of the message body to discuss-request at blu.org (Subject line is ignored).
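The APOP exchange Mike describes, as an added Python example that is not code from the original post: the client hashes the bracketed timestamp plus the shared secret with MD5 as RFC 1939 specifies, and a minimal server hands out one fresh challenge per connection and discards it after a single use, so a captured digest cannot be replayed. The hostname, connection ids and credentials are constructed for illustration; the challenge layout follows the RFC's "<process-id.clock@hostname>" shape.

```python
import hashlib
import re
import secrets
import time

CHALLENGE_RE = re.compile(r"<[^<>]+>")  # RFC 1939 timestamp: "<process-id.clock@hostname>"


def extract_challenge(greeting: str) -> str:
    """Return the bracketed timestamp from the +OK greeting, brackets included."""
    m = CHALLENGE_RE.search(greeting)
    if m is None:
        raise ValueError("greeting carries no APOP timestamp; APOP is unavailable")
    return m.group(0)


def apop_digest(challenge: str, secret: str) -> str:
    """MD5 over challenge || secret as 32 lowercase hex digits (RFC 1939 section 7)."""
    return hashlib.md5((challenge + secret).encode()).hexdigest()


def client_apop_command(greeting: str, user: str, secret: str) -> str:
    """The line the client sends instead of USER/PASS; the secret never leaves the host."""
    return f"APOP {user} {apop_digest(extract_challenge(greeting), secret)}"


class ApopServer:
    """Minimal server side: a fresh challenge per connection, consumed on first use."""

    def __init__(self, hostname: str, secrets_db: dict[str, str]):
        self.hostname = hostname
        self.secrets_db = secrets_db  # APOP requires the server to hold the plaintext secret
        self.outstanding: dict[int, str] = {}  # conn id -> challenge awaiting a reply

    def greet(self, conn: int) -> str:
        # Random suffix so two connections in the same clock second still differ.
        chal = f"<{conn}.{int(time.time())}.{secrets.token_hex(4)}@{self.hostname}>"
        self.outstanding[conn] = chal
        return f"+OK POP3 server ready {chal}"

    def authenticate(self, conn: int, command: str) -> bool:
        chal = self.outstanding.pop(conn, None)  # single use: a replayed digest finds nothing
        parts = command.split()
        if chal is None or len(parts) != 3 or parts[0] != "APOP":
            return False
        user, digest = parts[1], parts[2]
        secret = self.secrets_db.get(user)
        if secret is None:
            return False
        return secrets.compare_digest(apop_digest(chal, secret), digest)
```

Note that the mailbox contents still travel in the clear after a successful APOP login, exactly as the post says; the example protects only the password.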