[mdlug] General questions on internet security

Dan Pritts danno at umich.edu
Thu Aug 23 02:18:30 EDT 2007


> POP3 and SMTP are entirely in the clear.  Neither the login nor content
> are protected.  As session layer protocols, both SMTP and POP3 can be
> run over SSL Transport Layer Security.  If SSL is used, all communications
> on the legs where it is used, including username, password, and content
> are encrypted.  Even if SSL is used, the content is readable by
> every Mail Transport Agent between the sender and each recipient.
> See RFC 1734, RFC 1939, RFC 3207, and RFC 3461 for details.

This is not entirely true.

The POP3 standard specifies APOP authentication, which uses a
shared secret to authenticate securely over a clear channel.

Unfortunately:
  it's optional so not all servers and clients support it

  it is not compatible with using your unix password as the
   pop password, since the server needs to be able to read the
   password.  So to do it you have to have a separate pop password
   file, much like with samba.

Also, in addition to ssl-wrapped POP or SMTP, you can use these
protocols with STARTTLS, which starts out with a standard session
and allows encryption to start once the connection has initialized.
This is really just an implementation detail vs. ssl-wrapped versions
of the protocols - the biggest advantage is probably that they don't
require firewall changes since they use well-defined ports.  

> To protect the body of the messages between sender and recipient,
> you need to use application layer security, OpenPGP with or without MIME.

Or perhaps S/MIME, but probably not.

danno
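To make the APOP point concrete, here is an added illustration (not code from the original post) of the RFC 1939 challenge-response exchange: the server banner carries a timestamp, the client sends MD5(timestamp + secret), and the server can only check it because it holds the secret in cleartext, which is why a hashed /etc/shadow entry cannot be used. Hostname, user and secret are constructed sample values.

```python
import hashlib
import hmac
import os
import time

# Constructed sample values for this illustration.
SERVER_HOST = "pop.example.test"
USER = "alice"
SHARED_SECRET = "tanstaaf"   # stored in cleartext in the separate POP password file


def make_timestamp(hostname: str) -> str:
    """Server side: the banner timestamp, in the RFC 1939 <pid.clock@host> form."""
    return f"<{os.getpid()}.{int(time.time())}@{hostname}>"


def apop_digest(timestamp: str, secret: str) -> str:
    """Client side: lowercase hex MD5 of the banner timestamp followed by the secret.
    RFC 1939's own example: timestamp <1896.697170952@dbc.mtview.ca.us> and
    secret 'tanstaaf' give c4c9334bac560ecc979e58001b3e22fb."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()


def verify_apop(timestamp: str, name: str, digest: str, secrets: dict) -> bool:
    """Server side: recompute the digest from the stored cleartext secret.
    A store holding only a one-way hash of the password could not do this step."""
    secret = secrets.get(name)
    if secret is None:
        return False
    expected = apop_digest(timestamp, secret)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, digest)


def run_exchange(secret_db: dict):
    """Drive one banner/APOP round trip and return what each side sent plus the verdict."""
    ts = make_timestamp(SERVER_HOST)
    banner = f"+OK POP3 server ready {ts}"          # only the timestamp crosses the wire
    client_line = f"APOP {USER} {apop_digest(ts, SHARED_SECRET)}"  # secret never does
    _, name, digest = client_line.split()
    return banner, client_line, verify_apop(ts, name, digest, secret_db)


if __name__ == "__main__":
    banner, client_line, ok = run_exchange({USER: SHARED_SECRET})
    print(banner)
    print(client_line)
    print("+OK" if ok else "-ERR")
```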
