[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: POP3 password in plaintext?
From: |
David Kastrup |
Subject: |
Re: POP3 password in plaintext? |
Date: |
Wed, 01 Oct 2014 07:33:54 +0200 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/24.4.50 (gnu/linux) |
"Stephen J. Turnbull" <address@hidden> writes:
> Richard Stallman writes:
>
> > These points seem to conflict. First, there is no protection.
> > Second, there is protection: use TLS for this communication.
>
> Not at all. If the server provides TLS, there is protection, and both
> modern servers and Emacs (at least Gnus and probably RMail according
> to larsi, but I don't think VM does) are able to use STARTTLS to
> convert an unencrypted channel to an encrypted one, *before* the
> password is sent.
Transparent STARTTLS on demand would seem useless against
man-in-the-middle attacks. It's just good against eavesdropping on
unintercepted traffic. And you don't even need to be true
man-in-the-middle: you just need to be faster answering the STARTTLS
negotiation.
--
David Kastrup