[mdlug] General questions on internet security
Robert Meier
eaglecoach at wwnet.com
Tue Aug 21 06:58:45 EDT 2007
Drew,
> ... [Are user/password/content encrypted on "secure" sites using] POP3
> and SMTP.
POP3 and SMTP are entirely in the clear. Neither the login nor content
are protected. As session layer protocols, both SMTP and POP3 can be
run over SSL Transport Layer Security. If SSL is used, all communications
on the legs where it is used, including username, password, and content
are encrypted. Even if SSL is used, the content is readable by
every Mail Transport Agent between the sender and each recipient.
See RFC 1734, RFC 1939, RFC 3207, and RFC 3461 for details.
To protect the body of the messages between sender and recipient,
you need to use application layer security, OpenPGP with or without MIME.
See RFC 2440 and RFC 3156 for details.
So far, I've only dealt with one ISP who uses SMTP/POP3 over SSL.
Hopefully helpful,
--
Robert Meier
"My private keys are mine alone,
My public keys to many shown.
My secret keys with some are shared,
But with only one message paird."
-- Dr. Robert Meier 2000, excerpt from Open-PGP Polka
More information about the mdlug
mailing list